John Doe* was in the cardiac critical care unit following a heart transplant when his physicians discovered that the individual who donated the heart died from a massive infection. Fearing the heart may have been infected, his physicians sought more information so they could give Mr. Doe the right antibiotics. However, the hospital where the donor died refused to provide any information, citing the federal patient privacy rules as outlined in the Health Insurance Portability and Accountability Act (HIPAA). Because the hospital refused to release any information, Mr. Doe’s physician prescribed multiple antibiotics, potentially exposing him to dangerous side effects.
Mary Roe, a 78-year-old patient with Parkinson’s disease who resided in an assisted living facility, acquired a bladder infection and quickly became confused. The facility’s director made arrangements for her to be transported to a hospital for treatment. For unknown and perhaps unknowable reasons, Ms. Roe thought she had a venereal disease and was mortified. On the way out the door, she was crying and demanding that no one be told what was wrong with her. When her daughter, who lived out of town and was Ms. Roe’s durable power of attorney (DPA), tried to call her mother, no one would tell her where she was; you can imagine her distress and the scene that ensued.
These two cases are examples of the continuing confusion about the privacy rules, which went into effect more than 11 years ago. The rules, in fact, explicitly permit physicians and hospitals to release information without a patient’s authorization for treatment reasons, which would have covered Mr. Doe’s situation. The rules also explicitly permit information to be given to someone who is a patient’s DPA.
Nonetheless, frequent misunderstandings about what the rules allow have been causing frustration, uncertainty, and anxiety in physician offices, clinics, hospitals, and even pharmacies across the country. Confusion (actual or intentional) over the rules has triggered a fresh round of acrimony over the issue of medical privacy, patient’s rights, and now even the Affordable Care Act (ACA)!
If you happened to catch the House Energy and Commerce Committee hearings on the failures and foibles of the ACA website launch, you heard Congressman Joe Barton (R-TX) argue that a line of source code embedded in the software that operates the website violates the HIPAA law and infringes on our medical privacy rights. While the website was a fiasco, the HIPAA law doesn’t even apply to it.
The overwhelming majority of misunderstandings about HIPAA appear to be the result of not knowing the law’s requirements, deliberate ignorance, or erring on the side of caution—withholding information to avoid inadvertently violating the law’s restrictions.
The rules, for example, unequivocally allow physicians, hospitals, and other healthcare entities to provide information about patients to other treating physicians without authorization from the patient, precisely to avoid endangering care.
In an excess of redundancy, let me repeat: In order to be subject to HIPAA, individuals, organizations, and agencies — and their respective business associates (e.g., insurance agents, outside business assistance) — must meet the law’s definition of a “covered entity” which include the following three categories:
- Health Care Providers: specifically defined to include, physicians, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies; all are only included if they transmit any information in an electronic form in connection with a transaction for which the U.S. Department of Health and Human Services has adopted a standard.
- Health Plans: health insurance companies, HMOs, company health plans, and government programs that pay for health care, such as Medicare, Medicaid and the military and veteran’s healthcare programs.
- Health Care Clearinghouses: entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa. This includes billing services, repricing companies, community health management information systems, and value-added networks and switches if these entities perform clearinghouse functions.
For anyone who would like to argue that the subsidies included for low-income citizens in the ACA equate to a government program that pays for health care, the subsidies are contributions to the premium charges of a health plan that pays for your health care, not a direct payment for health care as required by the law for covered entities. So, HIPAA does not apply to the healthcare.gov or the low-income subsidies. Period. Full Stop.
*The names in this article are fictional, but the stories are not.
Leah Curtin is Executive Editor, Professional Outreach for American Nurse Today.