CEU for CCM & CDMS
Approved for 2 hours of CCM and CDMS education credit
Exclusively for ACCM Members
Understanding HIPAA:
What It Protects and What It Permits
By Carol Levine

Carol Levine directs the Families and Health Care Project at the United Hospital Fund. She is the editor of Always On Call: When Illness Turns Families into Caregivers (Vanderbilt University Press, 2004) and, with Thomas Murray, co-editor of The Cultures of Caregiving: Conflict and Common Ground Among Families, Health Professionals, and Policy Makers (Johns Hopkins University Press, 2004).

It is hard to keep a secret in a digital world, as celebrities and other prominent citizens have learned to their dismay. True, many people delight in sharing intimate details about their lives, from the most trivial to the most significant, on Facebook, Twitter, and other social media. In health care, some patients, especially those with rare or difficult-to-treat illnesses, maintain or contribute to websites that detail every aspect of their diagnosis and treatment. Others provide less specific updates on blogs.

Still, most patients do not want their medical information available to anyone who does not need it in order to provide, assist with, or pay for their care. They are particularly concerned that this information not be given to employers, marketers, or fundraisers. And they certainly don’t want reporters, business competitors, or nosy neighbors or coworkers to have it.

Recognizing the importance of respecting personal autonomy and dignity, ethical codes of conduct for every health care profession stress confidentiality. The National Association of Social Workers’ standards for social work case managers, for example, state: “The social work case manager shall ensure the client’s right to privacy and ensure appropriate confidentiality when information about the client is released to others” (Standard 4).1 The American Nurses Association has two standards: “Privacy (3.1): The nurse safeguards the patient’s right to privacy. The need for health care does not justify unwanted intrusion into the patient’s life.” This is followed by “Confidentiality (3.2): Associated with the right to privacy, the nurse has a duty to maintain confidentiality of all patient information.”2

If patients and professionals agree in principle, why is privacy such a problem in health care? Part of the reason lies in the details. Who is entitled to medical information? What standards should guide disclosure? How can medical records be kept secure from hackers or careless employees? And what are the consequences of inappropriate disclosures?

These are not theoretical questions. They come up all the time in practice. Case managers are often faced with patients and families who come to them after dealing with other staff who have given them unclear, conflicting, or no information. Sometimes patients and families are being asked to make major decisions without all the relevant facts. Sometimes case managers have to weigh institutional priorities against individual needs or preferences. For case managers, then, it is essential to have a solid grounding in what the privacy law, as well as professional ethics, requires and, equally important, what they permit.
Definitions

Privacy and confidentiality are often used interchangeably, but there are differences in interpretation. Even privacy can have different meanings. One meaning relates to the person. Curtains may be drawn around a patient’s bed to protect his or her privacy while undergoing an examination. Significant discussions with patient and family may take place in a private area so that others are not able to hear. In the legal context, privacy extends from the person’s physical being to information about the person gathered in the course of medical care. Confidentiality refers to the obligation of professionals to prevent the information from being disclosed unless authorized by the patient or required by law or clinical judgment. Elevator talk about a patient, for example, is a violation of confidentiality. So is disclosure to the media that a celebrity is a hospital patient. Disclosures may be inadvertent or deliberate; whatever the cause, they may result in harm to a person’s livelihood, reputation, or personal relationships.

In protecting privacy and assuring confidentiality, a third element, security, becomes critical. Security refers to the technical or practical measures used to prevent unauthorized access, use, and dissemination. Security can be addressed by policies that restrict access to information, safe storage, and limits on employees’ off-site use of information, as well as by electronic systems that encrypt information. These measures address different threats: encryption protects records that are lost, stolen, or intercepted in transit, but it does nothing against an employee who is authorized to log in and has no need to see a particular patient’s record. That is why access restrictions, and a record of who has looked at which chart, matter as much as encryption.

February/March 2013 CareManagement 11
What HIPAA (and Now HITECH) Cover

The federal Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191, known as HIPAA) and the Privacy Rule (45 C.F.R. Parts 160 and 164, the regulation implementing HIPAA’s privacy provisions; the provision on sharing information with family and friends is § 164.510[b]) form the legal basis of safeguarding protected health information (PHI). The companion Security Rule (45 C.F.R. Part 164, Subpart C) sets the administrative, physical, and technical safeguards required for PHI held or transmitted electronically. Before HIPAA, confidentiality of medical information was covered by a patchwork of state laws and regulations that sometimes conflicted and certainly confused practitioners as well as patients. HIPAA was primarily intended to give workers and their families the right to transfer their health care insurance from one job to another without penalties and to simplify administrative processes in transmitting information, especially electronically. The privacy provision was a single short section at the end of the law’s Administrative Simplification subtitle, although it has come to be the law’s most familiar segment. Inevitably, the legislative process involved compromises and ambiguities and only set out the framework.

The Privacy Rule, with which most covered entities had to comply by April 2003 and which has been revised several times since, was intended to sort out these problems and give providers clear direction. In 2009, as part of the American Recovery and Reinvestment Act (ARRA), the expansion of health information technology was included as the Health Information Technology for Economic and Clinical Health Act (HITECH). This act significantly increased the enforcement provisions of HIPAA, especially around security and transfer of electronic PHI.3

Basically, HIPAA requires “covered entities” (health care providers, including physician practices and pharmacies; health plans; and health care clearinghouses) and their “business associates” (contractors that handle PHI on a covered entity’s behalf, which HITECH made directly liable) to ensure that there are safeguards to protect the security of PHI they gather in the course of doing business. Covered entities and their employees are allowed to disclose this information only to those who have a legitimate need to know in order to care for the patient, to pay for care, or to run the organization, and in the other specific circumstances the rule permits or requires.
The “HIPAA Scare” and Enforcement

So far, so good. In many institutions, however, HIPAA was introduced by lawyers and risk managers who stressed the legal and financial consequences of failing to comply with regulations. Regardless of the trainers’ intent, staff members who attended these sessions clearly heard the message, “If you want to be safe, don’t tell anyone anything.” The result was what has been called the “HIPAA scare,” a situation in which even patients were not given information about their condition because of fears that the nurse or doctor would get into trouble. (Patients’ inability to access their own information is the third most common problem reported to the United States Department of Health and Human Services’ Office for Civil Rights, which is HIPAA’s enforcement arm.) That fear has been passed on to new employees, who may trust what they learn through informal communication more than what they are told in formal trainings.

At the same time, fears have been reinforced by reports that institutions have been fined and employees censured or fired because of HIPAA violations. The most publicized violations have been failures to protect large amounts of data, not unwarranted disclosures of individual patient information. In February 2011, Massachusetts General Hospital agreed to pay the government $1 million and to revise its security rules after a hospital employee left the records of 192 patients with infectious diseases, including HIV/AIDS, on a subway car. In March 2012, BlueCross BlueShield of Tennessee agreed to pay $1.5 million for violations under the HITECH breach notification rule after 57 hard drives containing the medical records of a million patients were stolen from a leased facility.4 After a year-long examination of cybersecurity and vulnerability to hackers, the Washington Post concluded that health care is among the most vulnerable industries in the country, in part because of aging technology and failures to fix known software flaws.5

Some HIPAA violations have involved outright theft: stealing medical records not for the clinical data but for access to Social Security or credit card numbers or other financial information. Such acts were illegal before HIPAA and are prosecuted by local authorities. Some violations have occurred when staff members not assigned to a particular patient looked at the medical record because of some personal relationship, an ex-spouse or a nasty neighbor, for example.

According to the Department of Health & Human Services’ Office for Civil Rights, as of November 30, 2012, the most frequent sites where instances of noncompliance have been investigated are private practices, general hospitals, outpatient facilities, health plans, and pharmacies. Of the more than 76,000 HIPAA complaints the Office for Civil Rights has received since April 2003, 91% have been resolved, 18,000 of them through requiring changes in privacy practices and other corrective actions, mostly system changes that affect all patients.6

Fears that an individual doctor or nurse can be sued for disclosing information are common but exaggerated. An individual who believes that protected health information has been inappropriately disclosed has no legal recourse under HIPAA other than a complaint to the Office for Civil Rights. Although HIPAA creates a right to privacy, it gives the individual no right to sue a doctor, nurse, or hospital. The individual can file a lawsuit under state law alleging violation of privacy, and would bear the burden of proving harm, but HIPAA would not be a factor. State investigations can, however, result in fines. In a California case, a woman discussed with a reporter what she believed to be fraudulent claims to Medicare for a condition she did not have (kwashiorkor, a condition found primarily in malnourished children in poor countries). To defend their claims, hospital executives took her medical record to a local newspaper without her authorization.7 The state fined the hospital $100,000 and ordered the offending executives to consult with its privacy officer before any disclosures.8

With increasing attention under HITECH to breaches of confidentiality and increased penalties, it is possible that a new “HITECH scare” may emerge. While there is ample reason for concern about lax security, it would be unfortunate if this new wave of compliance anxiety overshadowed basic principles of communication and good clinical care.

HIPAA’s Chilling Effect on Communication

Health care currently focuses on encouraging patients and families to become more “engaged,” “activated,” and “self-reliant” in care. These efforts, as well as HIPAA itself, assume an adult patient in complete control of decision making, not an elderly patient who is confused or demented. But many of the patients most at risk for poor outcomes and hospital readmissions—older adults with multiple chronic conditions, including cognitive deficits—are not able to become actively engaged. They rely on a family member or friend to help them at home and to manage or provide follow-up care. Family caregivers—defined as individuals who are responsible for providing or managing care for a chronically ill or disabled person—provide more than 80 percent of long-term care in the community. They are essential to the well-being of patients once they leave the hospital or other facility. They manage doctor appointments, transportation, supplies, and other necessities. In effect, they are care managers without portfolio.

Increasingly they are also expected to perform many complex tasks, such as managing multiple medications, doing wound care, and operating and monitoring equipment. A national survey conducted by the United Hospital Fund and the AARP Public Policy Institute found that nearly half of the family caregivers performed one or more “medical/nursing” tasks, in addition to personal care or household chores.9 Yet 61% of those who found medication management hard said that they learned on their own.

Without family involvement, these patients are likely to return to the Emergency Department and be readmitted, often within the first few weeks after discharge. For patients with heart attack, heart failure, and pneumonia, these readmissions within 30 days can cost the hospital a financial penalty. But when family members ask questions on behalf of the patient and themselves, they are all too often told, “I can’t tell you because of HIPAA.”

HIPAA is not the only reason for the lack of training, of course, but it is part of the general climate that protects staff from real or imagined problems by closing off communication with family caregivers. The task of communicating difficult or time-consuming information is handed off to the next provider, or questions go unanswered until a problem arises. For family caregivers, HIPAA fits into the unhappy category of a Law of Unintended Consequences.

What HIPAA Really Says About Sharing Information With Family

As interpreted by the Office for Civil Rights, “HIPAA does not cut off all communications between providers and the families and friends
of patients” (bold in original). In a May 2004 “Dear Health Care Provider” letter, the Office for Civil Rights also says, “Doctors and other providers covered by HIPAA can share needed information with family, friends—or even with anyone a patient identifies as involved in his or her care—as long as the patient does not object….Even if the patient is incapacitated, a provider can share appropriate information…if he believes it is in the best interests of the patient.”10 The phrase “as long as the patient does not object” has sometimes been turned into “as long as the patient consents.” HIPAA does not require written or any other kind of consent for these disclosures. Some organizations have policies requiring written consent, but they should not say that “it’s a HIPAA rule.”

Providers sometimes claim that only “next of kin” are entitled to information. The term “next of kin” has no standing under HIPAA and does not fit many of today’s multicultural and multilayered family structures. It has also been used to deny access and information to gay and lesbian partners. Hospitals are now required to have nondiscrimination policies, but violations still occur with some frequency.11 The variation in state laws recognizing same-sex partnerships also contributes to the problem.

Health care providers, schooled not only in HIPAA law but also in patient autonomy, sometimes make assumptions about patients’ concerns over privacy. In fact, most patients want—and need—the support and understanding of the key people in their lives. Almost four in five respondents in a recent study of over 18,000 veterans were willing to share access to their electronic health records with family members and other nonprofessionals.12 Social support is clearly an important element in managing chronic illnesses, and it is difficult for family and friends intimately involved with the patient’s care to provide that support without relevant information.

Case managers and other health care providers can certainly recall cases in which a patient adamantly refused to have information shared with some or all family members. The reasons may be varied. For example, a relative long out of the family picture shows up unexpectedly and demands information on the patient’s condition. Or the patient has had a long history of dissension with a particular family member and does not want to share any information. Often, however, the reason is not related to privacy at all but to a desire not to burden a family member with information and responsibilities. These cases require negotiation, especially if the family member is going to be responsible for follow-up care. At the same time, health care providers should not agree to withhold vital information from the patient at the family’s request unless the patient has asked not to be informed. Establishing rules for communication is important and is best accomplished at the outset of care.

Part of the reason HIPAA has been so misunderstood and misused is that it fits neatly into an already well-established pattern of keeping family caregivers at arm’s length. From the viewpoint of many providers, families cause trouble.13 They are emotional and not “objective.” A law that limits sharing information offers a convenient but misguided rationale.
Recommendations

Care managers may feel that they are the final link in a chain that they have not designed. While they are often left to piece together the fragments of a care plan that others have only sketched out, they are far from powerless. Here are some recommendations for collective and individual action:

• Convene a group of senior leaders and staff to review relevant elements of the organization’s privacy policies and practices. This should include general information about HIPAA compliance but also any specific practices that deviate from the general rules (requiring written consent, for example, for disclosures to family members). It should also include information about the safeguards in place to protect the security of data collected and stored in an electronic health record, and about who is permitted to view a record and how that access is reviewed.

• If this discussion reveals concerns or contradictions, suggest establishing a task force to come up with suggestions based on the organization’s mission and practice.

• Encourage staff training (or retraining) on HIPAA and HITECH so that all staff understand the same principles and rules.

• Suggest that the organization create a simple statement of the organization’s policy and practices that patients and family can understand. Patients are asked to sign an acknowledgment that they have received the organization’s notice of privacy practices, but these notices are usually written in language that only health care lawyers can understand. This simple statement can be useful in discussions with patients and families who are confused about who is being told what and why.

• When dealing with individual patients and families, initiate a discussion about privacy and confidentiality so that they understand the rules. If they have encountered difficulties obtaining relevant information, speak with the staff person responsible and ask for the reasons information was withheld (or was given but not understood).

• In cases that present unusual or challenging issues, discuss them with the organization’s privacy officer before taking any action. Raising potentially serious problems is an important step in reducing HIPAA violations and can protect the institution as well as patients and staff. CEU
Resources

United Hospital Fund Next Step in Care website (www.nextstepincare.org)

“HIPAA: Questions and Answers for Family Caregivers”
www.nextstepincare.org/Caregiver_Home/HIPAA/
This free guide answers the most common questions about HIPAA. It is available in English, Spanish, Chinese, and Russian.

“Family Caregivers’ Rights to Patient Information: What Health Care Providers Need to Know”
www.nextstepincare.org/uploads/File/Guides/Provider/Provider_HIPAA.pdf

United States Department of Health & Human Services’ Office for Civil Rights

“A Patient’s Guide to the HIPAA Privacy Rules: When Health Care Providers May Communicate with Your Family, Friends, or Others Involved In Your Care”
www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/consumer_ffg.pdf
This guide offers examples of instances in which a health care provider may share information with a family member. For example, it says that an emergency room doctor may discuss a patient’s treatment in front of a friend when the patient asks that the friend come into the treatment room. It notes that a hospital may discuss a patient’s bill with a daughter who is with the patient at the hospital and has questions about the charges. And a nurse may tell a patient that she is going to tell the patient’s brother how the patient is doing, and then discuss the patient’s health status with the brother if the patient did not say that she should not. But the nurse may not discuss the patient’s condition with the brother if the patient has told her not to do so. The guide says specifically, “HIPAA does not require that you give your health care provider written permission. However, your provider may prefer or require that you give written permission. You may want to ask about your provider’s requirements.”
The guide also states that HIPAA does not require proof of identity in answering phone calls. However, health care providers may have their own rules for verifying who is on the phone.
The guide advises patients that if they want to make sure their health care providers share their health information with family, friends, or others involved in care, they may want to print a copy of the document, discuss it with their health care providers, and share it with the family members, friends, or others involved in their care or payment for care.

References

1. National Association of Social Workers. Standards for Social Work Case Management. June 1992. www.socialworkers.org/practice/standards/sw_case_mgmt.asp. Accessed December 31, 2012.
2. American Nurses Association. Code of Ethics for Nurses. June 2001. www.nursingworld.org/MainMenuCategories/EthicsStandards/CodeofEthicsforNurses/Code-of-Ethics.pdf. Accessed December 31, 2012.
3. HITECH Act Enforcement Interim Final Rule. February 18, 2009. www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html. Accessed December 31, 2012.
4. Flizsar G. HIPAA: the gathering storm has arrived. Cyberinquirer, October 29, 2012. http://cyberinquirer.com/?cat=395. Accessed December 31, 2012.
5. O’Harrow R Jr. Health-care sector vulnerable to hackers, researchers say. Washington Post, December 25, 2012. www.washingtonpost.com/investigations/health-care-sector-vulnerable-to-hackers-researchers-say/2012/12/25/72933598-3e50-11e2-ae43-cf491b837f7b_story.html. Accessed December 31, 2012.
6. US Department of Health & Human Services. Health Information Privacy Enforcement Highlights (as of November 30, 2012). www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html. Accessed December 31, 2012.
7. Hiltzik M. Her case shows why healthcare privacy laws exist. Los Angeles Times, January 4, 2012. http://articles.latimes.com/2012/jan/04/business/la-fi-hiltzik-20120104. Accessed December 31, 2012.
8. Hiltzik M. Personal communication. November 17, 2012.
9. Reinhard S, Levine C, Samis S. Home Alone: Family Caregivers Providing Complex Chronic Care. October 2012. www.uhfnyc.org/publications/880853. Accessed December 31, 2012.
10. Gabrielli RM. Letter. Office for Civil Rights, US Department of Health & Human Services. May 17, 2004.
11. Medicare finalizes new rules to require equal visitation rights for all hospital patients. November 17, 2010. www.hhs.gov/news/press/2010pres/11/20101117a.html. Accessed December 31, 2012.
12. Zulman DM, Nazi KM, Turvey CL, et al. Patient interest in sharing personal health record information. Ann Intern Med. 2011;155:805-810.
13. Levine C, Zuckerman C. The trouble with families: toward an ethic of accommodation. Ann Intern Med. 1999;130:148-152.