Sometimes it is more fun and brings the story home best by telling it from a personal perspective. My much awaited () next blog comes from personal experience as a patient who has been confronted with covered entities’ heavy reliance on what amount to HIPAA myths. Sometimes I do drive my health care professionals and their privacy officers up a wall by doing things like actually reading Notices of Privacy Practices and asking questions that I already know the answer to and know the individual I’m dealing with does not or truly believes one of the many HIPAA privacy myths floating around out there.
Each of the following vignettes is true, and some of them are very recent. I had the unfortunate pleasure of spending several days in the hospital and encountered my share of HIPAA myths along the way. Also, just given what amounts to periodic encounters with the health care system as a patient, I run across a number of rather interesting and sometimes bizarre beliefs not based in any HIPAA reality.
I was recently referred to a pain management clinic who attempted to obtain copies of specifically applicable test results, diagnostic images, etc. The clinic ran into a problem when attempting to obtain copies of the needed treatment and diagnostic related PHI (mine). The clinic was informed by one very large health care provider that, in this case, a copy of my CT scan and related images and diagnostic reports could not be released without my specific authorization.
Now none of the PHI requested by the clinic was specially protected by state law or federal law. Being the pain I sometimes can be, I wasn’t satisfied with just “going with the flow” and signing the authorization that would “allow” this large provider to send copies of the requested PHI to another covered entity for treatment purposes. I contacted the large provider and asked why I was required to sign an authorization to release my images and diagnostic notes to the pain clinic. I was politely informed that “the law required patients sign an authorization before any PHI could be released to any other health care provider.”
Now a covered entity can adopt more stringent privacy practices than required by the HIPAA Privacy Rule but to say that “the law says so” was more than a bit of a stretch. What was really disconcerting was the customer service representative I was speaking with really believed HIPAA required me to authorize the release of, in this case, not specially protected health information for treatment purposes. I did ask to speak to the manager and the manager did indicate that no authorization was required. Seems front line staff need a bit of training…
On to the second vignette… I was standing in line waiting to check in to see my primary care physician at a large clinic. The man in front of me was a new patient and provided a copy of the practice’s Notice of Privacy Practice (NPP). When he asked what was included in the NPP, the receptionist said, “The Notice just tells you that we can’t release any of your health information to anyone without your permission.” The new patient indicated he did not want a copy of the NPP if that was all it explained.
Those who know me know that I’m not always as tactful as I should be. I thought of telling the new patient that the NPP included much more than, “we can’t release any of your health information without your permission,” but, in attempting to be tactful and respectful of the patient in front of me, I refrained from inserting myself into the verbal exchange between the new patient and the receptionist.
When it was my turn to check in, I suggested to the receptionist she actually read the NPP given it also included information about patient rights and when the clinic could share the new patient’s PHI without the patient’s consent or even without notifying the patient. Her response – “Really? I didn’t know that. I guess I should read the Notice.”
Again, it appears a bit of education is in order (which is one of the key areas where covered entities and business associates are not compliant with the HIPAA Privacy and Security Rules). This was not a small clinic where it is sometimes more understandable that the appropriate training had not been provided. In this case, the clinic was part of a very large health care delivery system with thousands of employees. In fact, this was a provider organization outwardly proud of the fact that all workforce members were appropriately trained and this covered entity was fully compliant with the requirements of the HIPAA Privacy and Security Rules. In the end, it really doesn’t matter the size of the organization. What matters is the quality of the training program, the frequency with which training is conducted and the number of HIPAA myths that are incorporated in the training that is conducted.
Unfortunately, it is often the larger organizations with higher turnover who fail to fully educate staff. Also, too many covered entities (especially providers) foster the myth that all PHI is sacred and that releasing it to anyone, whether or not regulation allows it, is a serious violation of HIPAA. There is frequently a high level of what I would characterize as indoctrinated fear affecting covered entity staff who regularly interact with patients, health plan members and their families.
The final vignette… When checking in with a specialist for another large provider (and also when I was admitted to the hospital the very same provider was affiliated with early this month), I was asked to sign a consent form that would allow the specialist (and the hospital) to release specially protected health information to my health plan. When asked to sign the consent form, I proceeded to cross out the specific line on the consent form that indicated I was consenting to release of my specially protected health information and made my own notation that I forbade the provider from releasing my specially protected health information to my health plan.
Other than the one sentence regarding release of specially protected health information to my health plan, the form was compliant with the HIPAA Privacy Rule, 42 CFR Pt. 2 and, in this case, Oregon privacy laws. After much debate and consultation with legal counsel, the health care provider organization determined that, yes, the sentence was inappropriate and should be removed from the consent form.
These are examples of where ignorance is not bliss. Myths and misinterpretations can lead to regulatory and legal problems for covered entities and business associates. Also, in the end it can be the patient or health plan member who is harmed. As an example, the average individual will not know what should be contained in an NPP, such as notification of his or her privacy rights. Also, the average individual would not likely catch the inclusion of language that, in essence, gives the covered entity or business associate carte blanche when it comes to sharing the patient or health plan member’s specially protected health information.
Myths will always be present to one extent or another when it comes to regulatory compliance. It is important, though, for covered entities and business associates to take steps to minimize the number of myths floating around within an organization in an effort to protect the organization and the individuals it serves.
Apgar & Associates, LLC
10730 SW 62nd Place
Portland, OR 97219
503.977.9432
Copyright © 2007 Apgar & Associates, LLC. All rights reserved.