HHS preparing to offer HIPAA omnibus guidance: Update
HIPAA Being Misinterpreted, Congress Told
By David Pittman, Washington Correspondent, MedPage Today
Published: April 26, 2013
WASHINGTON -- Healthcare providers often misunderstand or over-interpret a 1996 health privacy law and as a result frequently do not share vital health information with family, caregivers, and others, lawmakers heard Friday.
Some members of Congress have expressed concern that certain provisions of the Health Insurance Portability and Accountability Act -- called HIPAA for short -- have prevented providers from sharing information with loved ones and law enforcement that may have saved a patient's life or the lives of others. The law restricts the sharing of information in most circumstances unless the patient grants permission.
During a hearing Friday, Rep. Tim Murphy, PhD, (R-Pa.) noted instance when doctors did not share concerns about patients with the family, citing the 1996 HIPAA law as the reason, and the patients later took their own life.
Murphy, a clinical psychologist and chair of the House Energy and Commerce Oversight and Investigations subcommittee, expressed worry that actions like this could hinder patient care and might fail to prevent public health tragedies. For example, patients with mental illness could be at risk of killing themselves or others, or patients with chronic conditions could miss out on obtaining the care they need.
Physicians frequently misinterpret what they're allowed to share under HIPAA, said Mark Rothstein, JD, director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine in Kentucky.
"The outcome is that some use of the disclosures permitted by the privacy rule are not allowed by some covered entities, perhaps out of ignorance or an overabundance of caution," Rothstein said.
Providers are allowed to share patients' health information with law enforcement, in certain public health instances, and to avert a serious health risk to the patient and others.
HIPAA allows providers to use their judgment on what they think is in the best interest of their patient, Leon Rodriguez, JD, director of the Office of Civil Rights for the Department of Health and Human Services (HHS), told lawmakers.
"We have never taken enforcement action because a provider has decided the best interest of the patient [is] to disclose information to a third party," Rodriguez said.
In fact, of the 80,000 complaints of HIPAA violations HHS has received, only 12 have resulted in monetary penalties, Rodriguez said.
That lack of enforcement hasn't stopped providers from fearing punishment or pleading ignorance to the nuances of what HIPAA allows them to say and not, lawmakers said.
"I can tell you that guy, that gal seeing a patient at 3 a.m. doesn't have your expertise," Rep. Bill Cassidy, MD (R-La.), told Rodriguez and Rothstein, giving the example of a emergency department doctor. "But what they do have are examples of physicians who have been grabbed by the law and not let loose until every one of their personal resources have been exhausted."
Other providers often use the law the shield themselves from conversations with caretakers they'd like to avoid.
"I wonder if some physicians don't hide behind HIPAA just to move onto the next patient, not wanting to be bothered with an aunt, or an uncle, or a cousin in regard to questions about their loved one," Rep. Phil Gingery, MD (R-Ga.), said. "I hope that doesn't exist too much, but it's something we need to think about."
Said Carol Levine, director of the Families and Health Care Project of the United Hospital Fund in New York City, "HIPAA has become a very convenient excuse to avoid difficult conversations with family members."
Lawmakers convened Friday's hearing in the wake of a March 5 gathering of families of the Newtown, Conn., shooting, where they learned that HIPAA may have prevented the release of vital health information.
The specific topic of preventing mass violence through disclosure was scarcely mentioned Friday. Meanwhile, the committee heard from families of those with mental illness and addiction who were blocked from learning more about their loved one's condition and treatment because providers cited HIPAA.
To combat provider misunderstanding around HIPAA, HHS issued a letter to providers reminding them of their rights and obligations on who they can and must notify when a patient is a serious threat to them self or others. Rodriguez said that letter has helped spur discussion in the provider community.
Rothstein and other lawmakers called on HHS to launch more and better provider education outreach.
Deven McGraw, JD, director of the Health Privacy Project at the Center for Democracy and Technology, suggested more guidance to providers informing them of rights and obligations, and that HHS should develop better ways to share such guidance with physicians. McGraw said HHS should work with professional societies who have more direct contact with physician members, rather than just posting documents on its website.
"It sounds like too many people are hiding behind [HIPAA] when there are clear exceptions when information can be shared," McGraw said.