by Jill Burrington-Brown, MS, RHIA
When covered entities implemented the HIPAA privacy rule more than a year ago, the intention was to strengthen patient privacy protection and improve provider access to information, thereby improving quality of care. At times that can be a difficult balancing act.
The mainstream and healthcare press have widely reported problems in protecting patient privacy while still providing pertinent information to families and healthcare providers. The pitfalls seem to be focused in several areas particular to directory information.
Too Much Information
Barry Herrin, JD, a healthcare attorney with Smith Moore LLP in Atlanta, recounts his alarming experiences gathering patient information in the run-up to HIPAA. “At the request of facility administration, I called the emergency room and asked if a certain patient had been treated there that evening,” Herrin says. “The staff member answering the telephone was very helpful, and when it was apparent that the person with the exact name I was seeking was not in the facility, volunteered two or three similar names of other patients to ‘make sure I had the right person,’” he continues. “I thanked her for her assistance, then called the business office of the facility three days later, posing as an insurance adjuster and inquiring about the emergency department treatment of the names of the patients I had ‘discovered.’ With only a valid date of service and a valid name, the facility business office faxed me the discharge summaries on those patients before the end of the business day.”1 This is an obvious breach that strikes fear into every HIM professional’s heart. But instances of too little information are also a problem.
. . . Or Too Little
At the other end of the spectrum are healthcare professionals who, fearful of repercussions, are reluctant to divulge any information. There have been several news reports of miscommunications between relatives and hospitalized patients. The Seattle Times reported that a hospital in Washington state refused to give information to a man who had been notified by his elderly mother’s assisted living facility that she was admitted to the emergency department with a fractured ankle. The same article also reported that Washington State Hospital Association president Leo Greenawalt had a similar issue when dealing with the hospitalization of his elderly parent. The hospital, located across the country, would only tell him that his father was in intensive care, despite the fact that Greenawalt was well educated regarding the HIPAA regulations and tried to explain that the hospital could indeed give out the information he was seeking.2
There is also ample anecdotal evidence from hospital and physician offices of the difficulty in obtaining continuity of care information for patients moving between the two healthcare settings. When healthcare providers are facing fines of up to $50,000 for unintentional wrongful disclosure, it is clear that the fear of getting it wrong is a large motivator for being overcautious. Alice Becker, JD, senior associate general counsel for PeaceHealth in Bellevue, WA, adds, “There can be confusion about what healthcare providers tell family members. We have routinely trained our work force and have provided written policies and procedures to provide further guidance,” Becker says. “However, each situation can be different and because we operate in three different states with different laws, mistakes can be made.”
Opting out of the Directory
Jill Callahan Dennis, JD, RHIA, principal of Health Risk Advantage in Parker, CO, believes many problems begin when healthcare facilities do an inadequate job of explaining to patients the ramifications of opting out of the hospital directory. “Many patients opt out, then are upset when their friends cannot locate them in the hospital,” Dennis says. “Those friends are also upset with the hospital and don’t understand why hospital staff won’t acknowledge the patient’s presence. It really puts the hospital between a rock and a hard place, but they must adhere to the patient’s expressed wishes. If hospital staff did a more thorough job of explaining what opting out really means, we’d have fewer of these episodes.”
Herrin emphasizes that the right to opt in or out of the directory may be delayed in the onset of an emergency. Without a doubt, he states, “getting information on a patient’s condition to his family and support network is in the patient’s best interest.” The confusion stems from facilities not understanding how the privacy rule is applied in emergencies.
Defining Clergy Access
Confusion still remains about what information to give members of the clergy. Do clergy see a list of all patients of their denomination? Do they only see those patients they ask for by name? Or can they have access to all patient names? Herrin decided to “accept a challenge from the facility’s administration, by dressing in a formal, three-piece blue suit adorned with a religiously suggestive lapel pin and carrying a bible into the facility lobby,” he recalls. “When I greeted the volunteer at the reception desk, she very politely said good morning and handed me the census report, which I promptly presented to the administrator.”3
Herrin goes on to reiterate that the privacy rule requires that facilities offer patients the option to have their names unavailable to members of the clergy. “The rules require that only the ‘minimum necessary’ information be disclosed so that a person can perform their required job functions,” he states. “In the case of visiting clergy, there are no such job functions that would have entitled me to see the entire patient census. Rather, I should have received only a ‘clergy list,’ or the list of patients wishing to receive visits from the clergy.”4
PeaceHealth is in the unique position of juggling its efforts to reconcile HIPAA with laws in three different states in which it provides services. For example, Becker says the different state laws regarding consent and authorization cause problems in participating in clinical studies when state law is more restrictive than HIPAA.
Herrin believes most misconceptions now occur as a result of facilities’ failure to perform an adequate pre-emption analysis resulting in the more stringent state laws not being followed. “Many states have an affirmative responsibility for healthcare providers not to release information without the written consent of the patient or a person authorized to act on the patient’s behalf, except where specifically authorized by law,” Herrin emphasizes. “The privacy rule cannot be used to avoid this restriction based on its own required pre-emption analysis. Consequently, in those states, patient consent to release medical information for treatment and payment would still be required—a notice of privacy practices acknowledgement would be insufficient.”
Herrin also points out that not all providers have someone who understands the legal aspects of HIPAA compliance, noting that compliance is a legal concept. He goes on to say “an extremely important part of this is the pre-emption analysis and how state law modifies HIPAA. National templates and seminars don’t include it, and healthcare facilities miss it.”
Does the Privacy Rule Need Modification?
Both Becker and Dennis say that the rules surrounding accounting of disclosures should be re-examined. Becker observes, “It is particularly burdensome and probably serves no real practical purpose. We have found that few, if any, patients request an accounting and those that do usually are interested in disclosures not covered by the accounting.”
Both are also quick to point out that they believe that the privacy rule has had a positive influence in healthcare delivery. Dennis notes that it has done a good job of raising provider awareness of privacy and has resulted in greater attention to privacy by covered entities. Becker says that patients are requesting more frequent access to their records and becoming more engaged in their healthcare. “Staff are also far more aware of their obligations to maintain the confidentiality and privacy of patient information,” she says.
Education and Re-education Is Key
At PeaceHealth, even problems that do not rise to the level of noncompliance may trigger staff retraining and re-education regarding policies and procedures, says Becker. Dennis notes that some of her clients have taken the lessons they have learned during the first year of implementation and are deliberately plugging those lessons back into their policies, procedures, and staff training programs.
As we look back at year one of the privacy rule, it is our obligation as HIM professionals to review our policies and procedures and assess our facility’s performance. If any of the above situations have occurred in your facility, what has your organization done to correct the problem? We must look at these situations as opportunities and continue to update our education and training in order to keep these problems from happening again.
- Herrin, Barry S. “Tales from the Dark Side: Real Privacy Nightmares from HIPAA Assessment Engagements.” Hospitals and Health Systems Rx 4, no. 2 (2002): 1–4.
- “After Hospital’s Silence, Man Loudly Protests Privacy Law.” Seattle Times (March 30, 2004).
- Herrin, “Tales from the Dark Side,” p. 1.
Jill Burrington-Brown (email@example.com) is an HIM practice manager at AHIMA.
Burrington-Brown, Jill. "Does the Privacy Rule Hinder Patient Care?" Journal of AHIMA 75, no. 9 (October 2004): 72–73, 76.