HIPAA, A Cautionary Tale
by Gary M. Votour, MHCA
The Health Insurance Portability and Accountability Act (HIPAA) consists of a set of standards based on the 1996 law that are designed to ensure the protection of a patient’s medical records at all points in the process, from data acquisition to use by qualified medical personnel and most importantly, during transfer of a patient to other facilities for treatment or to a new insurer. It has broad implications for how medical records are maintained and utilized, and first and foremost in those concerns is that at all points in this system the confidentiality of a patient’s information is to be protected. (Dunn, 2007)
Because HIPAA encompasses a very complex set of standards, the implementation issues that arise are equally complex. The use of timeouts on data terminals, privacy buffers in patient registration areas, restrictions on the release of patient information, and the use of data encryption have all become commonplace as measures to protect this confidentiality in many health care settings. Most larger facilities even employ specifically trained staff who oversee these standards and train employees in their adoption and practice. (DeMuro, 2001)
One specific issue that has been identified is the release of information to family members during hospitalization. A decade ago it was commonplace to be able to call a hospital and inquire as to the status of a family member or friend who was being treated as an inpatient. Now that information is generally only released to those on a list of authorized people designated by the patient or their proxy holder.
Another example is the use of generic, shared workstations within health care facilities for maintaining and accessing patient information. Those older systems could not establish individual accounts with permissions limited to the records of the patients being treated by a particular clinician or unit. Newer systems give each user an individual account that allows access only to the specific records that user needs and is permitted to see, and include safeguards such as automatic logouts after a period of inactivity.
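As an added illustration, not part of the original essay, the following Python sketch shows the two controls just described working together: a per-user session that is terminated after a period of inactivity, and an access check that allows a user to open only the records of patients assigned to them. The assignment model (a user-to-patient-id mapping), the 15-minute timeout and the patient identifiers are all assumptions chosen for the example; a real system would draw assignments from the unit roster or treatment relationship and would set the timeout by policy.

```python
"""Per-user record access with inactivity timeout (illustrative, not a HIPAA-certified design)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed policy value: a session that sees no activity for this long is closed.
INACTIVITY_TIMEOUT = timedelta(minutes=15)


@dataclass
class Session:
    """One logged-in user at one workstation; there is no shared 'generic' login."""
    user: str
    last_activity: datetime
    active: bool = True


@dataclass
class AccessControl:
    # user -> set of patient ids that user is currently treating (assumed assignment model)
    assignments: dict
    # every decision is recorded so that access can be reviewed later
    audit: list = field(default_factory=list)

    def login(self, user: str, now: datetime) -> Session:
        return Session(user=user, last_activity=now)

    def check(self, session: Session, patient_id: str, now: datetime) -> tuple:
        """Return (allowed, reason) for this user's attempt to open patient_id at time now."""
        if not session.active:
            return self._decide(session, patient_id, now, False, "session terminated")
        if now - session.last_activity > INACTIVITY_TIMEOUT:
            session.active = False  # automatic logout after inactivity
            return self._decide(session, patient_id, now, False, "session expired after inactivity")
        session.last_activity = now  # any request counts as activity
        if patient_id not in self.assignments.get(session.user, set()):
            return self._decide(session, patient_id, now, False, "patient not assigned to user")
        return self._decide(session, patient_id, now, True, "allowed")

    def _decide(self, session, patient_id, now, allowed, reason):
        self.audit.append({"time": now, "user": session.user, "patient": patient_id,
                           "allowed": allowed, "reason": reason})
        return allowed, reason


def demo() -> list:
    """Run a constructed sequence of requests and return the audit trail."""
    # Constructed sample assignments: nurse_a treats P100 and P101, nurse_b treats P200.
    ac = AccessControl(assignments={"nurse_a": {"P100", "P101"}, "nurse_b": {"P200"}})
    t0 = datetime(2024, 1, 1, 8, 0)
    session = ac.login("nurse_a", t0)
    ac.check(session, "P100", t0 + timedelta(minutes=1))   # own patient: allowed
    ac.check(session, "P200", t0 + timedelta(minutes=2))   # another unit's patient: denied
    ac.check(session, "P101", t0 + timedelta(minutes=30))  # 28 idle minutes: session expired
    ac.check(session, "P101", t0 + timedelta(minutes=31))  # still closed: must log in again
    return ac.audit


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

Two design points worth noting: a denied request still refreshes the activity timestamp, because the user is evidently present, and every decision (allowed or not) lands in the audit list, since the denied attempts are the ones a privacy officer most wants to see.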
Another example is apparent in the design of patient registration areas. The commonplace practice of having a physical line defined several feet away from the point of interaction between patient and registrars is designed into the patient flow. This line, behind which patients waiting for service are required to wait, is designed to protect the privacy of a patient checking in for an appointment when they are asked to verify details such as their insurer, date of birth and even what doctor or service they have an appointment for.
In essence, as hospitals became aware of the need for these changes, they made them to avoid charges and fines for noncompliance. This transformation of patient privacy reflects the shift in most facilities' perspectives on privacy, and is a result of regulatory changes like HIPAA. (Kuriyan, 2001)
As an aside, I can refer to one instance I have firsthand knowledge of where the HIPAA regulation was being misused. Please consider it as a cautionary tale. In 2005, I was staying with my wife in the Neurosurgical ICU of a very large surgical hospital in Boston. My decision to be there by her side 24/7 was not always accepted by all of the staff. In fact, one specific nursing supervisor (who I will call Sean) had a serious issue with family members being inside of ‘his ICU’, and constantly challenged my right to be there at every opportunity.
Rounds would occur each morning at approximately 5 AM, when the resident team of doctors would work their way through the ICU, performing daily evaluations and reviewing patient charts from the last 24 hours. After a couple of weeks, those doctors became accustomed to me being present and began to include me in their review of my wife’s condition, asking me for my observations. This upset Sean to the point where he called a family conference including myself, patient relations, social workers, the attending surgeon and the unit hospitalist and demanded that I be removed for violating HIPAA. It is illustrative of how HIPAA can at times be misused to influence situations in ways that are not appropriate.
(I’m paraphrasing the conversation based on my recollection.)
Sean: Mr. Votour has violated HIPAA regulations by participating in the rounds discussions of the interns.
Surgeon: How is that, Sean? He holds her proxy, his wife is comatose and the doctors on rounds have asked him to participate.
Sean: Well, the doctors on rounds might refer to other patients during their conversations with Mr. Votour, and he doesn’t have the permission to be privy to that because he doesn’t work for us.
Social Worker: Seriously, Sean, you must be kidding. His wife has a cancer that affects 1 in a half million people, she underwent a procedure never done in New England let alone in this hospital, and he has been nothing but helpful.
Patient Relations: We are proud to support Mr. Votour’s decision to stay with his wife here, Sean.
Surgeon: And from what I have heard from my nurses in our ICU, he has made himself useful and always followed their instructions to the letter.
Sean: Ummmm…. Well I was taught that family members and doctors can’t be discussing this information unless they are in a private setting. If he wants to talk to them, he needs to ask for family conferences like this to be arranged in a private room, not out in the middle of my ICU.
Hospitalist: Sean, give it a rest. Stop now before you embarrass yourself any further.
Me: Sean, shut the hell up and stop wasting my time and the time of all these people here. I’m leaving, so this meeting is no longer a ‘family conference’.
I got up and left, and so did the surgeon, the social worker, the hospitalist and the director of patient relations, leaving Sean sitting in the conference room alone. Sean spent the next ten weeks or so glaring at me every chance he got. I simply smiled back each time and adjusted my glasses with my middle finger.
That is an example of where HIPAA can be misused to try to restrict a family member's access to a patient in an inappropriate manner. I doubt that happens so much anymore in most facilities. People like Sean tend to get educated by others when they are misusing policy, or they eventually get terminated.
DeMuro, P. R., & Gantt, W. H., III. (2001). HIPAA privacy standards raise complex implementation issues (cover story). Healthcare Financial Management, 55(1), 42. Retrieved from EBSCOhost.
Dunn, R. (2007). Haimann's healthcare management (8th ed.). Chicago, IL: Health Administration Press.
Kuriyan, J. (2001). HIPAA and MCOs: Administrative simplifications or IT modernization? Health Management Technology, 22(10), 40. Retrieved from EBSCOhost.