Understanding HIPAA, and how it can hurt health care

Published on April 9, 2016

In 1996, President Bill Clinton signed the large, complicated Health Insurance Portability and Accountability Act, or HIPAA. HIPAA quickly became synonymous with privacy protection for patient medical records, and “That could be a HIPAA violation” became a buzz phrase among medical professionals and, I was surprised to observe, patients.

HIPAA is designed to protect what’s called “protected health information.” According to the U.S. Department of Health and Human Services (HHS), “protected health information” includes individually identifiable information involving the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or payment for the provision of health care to the individual. In order to receive protection under the law, the information has to be connected to a specific person by name, address, birthdate, Social Security number, or even a description that would allow someone to identify the patient. (For example, if a doctor were to be overheard in public saying, “The heavyset cashier with the brown hair at Walmart has melanoma,” that would be a HIPAA violation.)

However, non-identifiable information is not protected. A physician can safely say at a medical conference that she had a 46-year-old female patient with Chagas’ disease because that patient could still be any 46-year-old woman. As HHS states, “There are no restrictions on the use or disclosure of de-identified health information.”

There are specific times that doctors or hospitals can share protected health information. Briefly, these include: giving information to the patient (as when patients ask for and receive their lab results); payment (such as between a doctor and insurance company); or health care operations, like investigating a fraud case.

Psychotherapy notes require a patient’s permission before any part can be disclosed. However, even these are shared without permission in certain circumstances. If a potentially dangerous patient is missing and they were last heard on the phone threatening to kill someone, the police could require emergency access to those notes to try to find and protect the potential victim.

However, many doctors and hospitals misuse HIPAA to create roadblocks for outside physicians and hospitals who are simply trying to obtain proper medical records to deliver care to their new patients. How many times have you had to fill out a form and sign it, wait for it to be faxed, and then wait for days for the other doctor’s reply? That’s not HIPAA’s intent. The law is meant to protect patients from doctors discussing cases inappropriately with gym buddies, or from nurses telling pharmaceutical representatives which patients might be interested in that new depression pill.

It’s important that those who work in health care understand that patients and their treating doctors have a right to their medical information — immediately, and without the need for any signatures or faxes. That’s what the law allows. Yet, I’ve found that the same university medical center that has no problem disclosing my patients’ medical conditions to Anthem Blue Cross so that they can get paid will balk and demand unnecessary paperwork when its patients come to me for a consult.

This creates problems when doctors are trying to write a prescription and patients can’t remember the name of the medication that caused an allergic reaction, or when doctors are trying to avoid duplicating blood tests that were just done one month ago by the primary care physician. It’s no wonder that there are so many medical errors and so much waste in medicine — it can be incredibly difficult to decide the next steps in care when we don’t know what the last three steps were. Indeed, my recent conversation with a medical resident who practices at Beth Israel, a Harvard teaching hospital, confirmed that even the best in the country struggle with this — she told me their morning conferences regularly feature adverse patient events that could have been prevented with more streamlined medical records.

HIPAA provides guidance for just about every sensitive situation. Patients can give verbal permission for doctors to tell their family members how they are doing in the hospital, for example. If the patient is in a coma or can’t talk, the doctor or nurse can use her best judgment. Someone who seems like a casual friend might not get any details, but the patient’s wife might get a full diagnosis and prognosis.

HIPAA, while protective of patients’ information, is actually quite logical about how we’re supposed to handle medical information in times when it is truly needed. Now that patients are rallying around the concept of open access to medical records, health professionals are more obligated than ever to stop blocking their access.

While HIPAA allows doctors to release protected health information for the public good (for example, if someone with Ebola breaks quarantine and runs around New York City), getting information on individual patient cases for news stories can be challenging. That’s why journalists will often have better luck contacting patients on online forums, where patients can decide whether or not to reveal their identities, through disease-specific associations like the American Cancer Society, or by maintaining relationships with physicians willing to pass on requests for comment to their patients.

[Photo by Josh Hallett via Flickr.]