BreachExchange mailing list archives

HIPAA limits less than people think


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 27 Jul 2015 17:59:11 -0600

http://www.nwaonline.com/news/2015/jul/27/hipaa-limits-less-than-people-think-201/?features-style

How do people use, misuse or abuse HIPAA, the federal regulations
protecting patients' confidential health information? Three anecdotes from
the past few years:

• Patricia Gross and a close friend had taken refuge in a cafe at Brigham
and Women's Hospital in Boston, where Gross' husband was dying of cancer.
She was lamenting his inadequately treated pain and her own distress when a
woman seated at a nearby table walked over.

"She told me how very improper it was to be discussing the details of a
patient's treatment in public and that it was a HIPAA violation," Gross
said. This happened several years ago.

• In a continuing care retirement community in Ithaca, N.Y., Helen Wyvill,
72, noticed that a friend hadn't shown up for their regular swim. She
wasn't in her apartment, either.

Had she gone to a hospital? Could friends visit or call? Was anyone taking
care of the dog?

Questions to the staff brought a familiar nonresponse: Nobody could provide
any information because of HIPAA. This happened in June.

"The administration says they have to abide by the law, blah, blah," Wyvill
said. "They won't even tell you if somebody has died."

• Ericka Gray repeatedly phoned the emergency room at York Hospital in
York, Pa., where her 85-year-old mother had gone after days of back pain,
to alert the staff to her medical history. "They refused to take the
information, citing HIPAA," said Gray, who was in Chicago on a business
trip. This was in 2012.

"I'm not trying to get any information. I'm trying to give you
information," Gray told them, adding that because her mother's memory was
impaired, she couldn't supply the crucial facts, like medication allergies.

By the time Gray found a nurse willing to listen, hours later, her mother
had already been prescribed a drug she was allergic to. Fortunately, the
staff hadn't administered it yet.

Each scenario, lawyers say, involves a misinterpretation of the privacy
rules created under the Health Insurance Portability and Accountability
Act. "It's become an all-purpose excuse for things people don't want to
talk about," said Carol Levine, director of the United Hospital Fund's
Families and Health Care Project, which has published a HIPAA guide for
family caregivers. The PDF can be viewed at uhfnyc.org/assets/1073.

YES, THEY CAN

Intended to keep personal health information private, the law does not
prohibit health care providers from sharing information with family,
friends or caregivers unless the patient specifically objects. Even if he
is not present or is incapacitated, providers may use "professional
judgment" to disclose pertinent information to a relative or friend if it's
"in the best interests of the individual."

HIPAA applies only to health care providers, health insurers,
clearinghouses that manage and store health data, and their business
associates. Yet the last time I wrote about HIPAA, a California reader
commented that she'd heard a minister explain that the names of ailing
parishioners could no longer appear in the church bulletin because of HIPAA.

Wrong. Neither a church nor a distraught spouse is a "covered entity" under
the law.

In June, Rep. Doris Matsui (D-Calif.), co-chairman of the Democratic Caucus
Seniors Task Force, who has heard similar complaints from constituents,
introduced legislation to clarify who can divulge what and under what
circumstances. The proposed bill would require the Department of Health and
Human Services, which last year issued new HIPAA "guidance," to make that
statement part of its regulations and to create model training programs for
providers and administrators, patients and families.

"A lot of times it's just misunderstanding what is and isn't allowed under
HIPAA," Matsui said.

BASICS

So, what is and isn't?

Family members can provide information, as Gray attempted to do. "How does
keeping information confidential stop you from listening to someone?" said
Eric Carlson, directing attorney for Justice in Aging, a legal advocacy
group in California. "There's no HIPAA privacy consideration there."

An assisted living facility or nursing home can report a death. It can also
give someone's general condition and location, assuming the patient remains
within the facility. And if, as Wyvill suggested, residents ask
administrators to keep a list of those who want their neighbors to know
they've gone to a hospital, that's perfectly legal under HIPAA.

The law gives providers flexibility in disclosing information in the
patient's interest, but it doesn't require them to. Clinton Mikel, chairman
of an American Bar Association group on electronic records and privacy,
said that providers sometimes decided, "We could, but we're not required
to, and we think this situation is a mess, so we're going to exercise that
option."

A caregiver's strongest defense, Mikel said, is to be the patient's
personal representative -- a health care proxy or guardian, or the person
entrusted with power of attorney -- or to have the patient authorize the
release of information. In such cases, providers must comply.

HIPAA doesn't require patients to give consent in writing. They can
verbally ask that a relative or friend receive information. Facilities may
legally demand a signature on a form, nonetheless, and many do.

Patients can complain to the Health and Human Services Office for Civil
Rights, which lately has intensified enforcement of many aspects of the
privacy rules, Mikel said. Still, the civil rights office "is not in the
gotcha game," he said. The office generally tries to resolve complaints by
fixing problems, not levying penalties. Staff members' fears of the
consequences of an unintended HIPAA violation are probably overblown.

"Do I see it going after a health care provider for disclosing something to
a family member in good faith? I don't," Mikel said. An assisted living
staff member or hospital aide isn't likely to lose a job.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
