From minor annoyances to treatment delays, physicians feeling fallout of HIPAA privacy law
By Bonnie Darves
Imagine the following scenario: A patient is in your office complaining of chest pain, and he tells you he had a stress test done two days ago. You call the facility where the test was performed to get the ECG results faxed over right away.
The voice on the other end of the line, however, tells you that she cannot fax the results because the patient hasn't authorized their release. She insists that new federal privacy regulations require a signed release form.
You explain that the law doesn't require a signed release form in this case, but she refuses to fax the results. She does, however, suggest a solution she thinks will work: sending the results to you by cab. All the while, the patient's chest pain is increasing—and so are your frustration and anxiety.
This should be a chilling but fictional example of the misconceptions that can crop up regarding the privacy regulations that went into effect earlier this year as part of the Health Insurance Portability and Accountability Act (HIPAA). Unfortunately, the incident actually occurred at a cardiology office in Boston within days of the new rule's April 14 launch date.
"We eventually got it resolved," said Stephen G. Pauker, MACP, vice-chair of the department of medicine at Tufts-New England Medical Center, which performed the stress test. Dr. Pauker, who is on ACP's Board of Regents, also serves as privacy officer for his medical group.
But the delay added two hours to the patient's evaluation, holding up the patient's care. "People just don't understand," Dr. Pauker explained, "that if you're actively caring for a patient, treatment-related data don't require authorization."
The bungled exchange highlights the kind of missteps that patients, hospitals and physicians are encountering in the brave new world of HIPAA privacy compliance. Many people working in physician practices and hospitals are still unclear about what the new federal privacy rule requires them to do to safeguard patient information.
While some physicians say they see signs that the situation is starting to improve, others claim that lingering confusion about privacy regulations is affecting patient care. While the privacy rule was designed to help streamline the flow of patient information, some physicians say that misinterpretations of the rule have created obstacles that hinder patient care and introduce new hassles into their practice.
One of the biggest areas of confusion is figuring out exactly who physicians and clinical staff can talk to when it comes to confidential patient information. "Many people are still under the misconception that HIPAA says you're not allowed to talk to anyone but the patient, but that's not true," said Paul C. Tang, FACP, chief medical information officer for the Palo Alto Medical Foundation, a 500-physician multispecialty practice in northern California. (See "Debunking some common myths about the HIPAA privacy rule," below.)
Some hospitals, for instance, have made the mistake of requiring inpatients to "opt-in" to patient directories. Some refuse to acknowledge that a patient is even in the hospital unless he or she has already agreed to be listed in the directory.
(The privacy rule instead says that hospitals must offer patients an "opt-out" directory option if they don't want their names included.)
Stanley Glasser, ACP Member, a pulmonologist with Valley Pulmonary & Medical Associates in Springfield, Mass., recalled how one nursing home refused to tell him the room number of one of his own patients who had been transferred there.
And while some compliance problems are mere annoyances, Dr. Glasser explained, others have the potential to compromise patient care. He said one local hospital decided to put only the patients' first names on their charts. While the move was designed to protect patient identities, it created a frenzy among medical staff.
The hospital eventually rescinded its first-name-only policy after a highly publicized fiasco at another hospital with a similar approach. "Hospital staff called a code," Dr. Glasser said, "but they couldn't find the right patient because they had only the first name."
Several physicians said that hospital misconceptions about the privacy rule can make it much harder to provide appropriate follow-up care. After treating a patient, for example, some emergency departments now are refusing to provide patient records to primary care physicians. The departments are under the mistaken impression that patients have to specifically authorize that transfer of information.
Other hospitals are rejecting physicians' requests for patient records on the grounds that record-request forms aren't "HIPAA-compliant." They argue that the patient hasn't signed a form authorizing the release of that information or that the reason for the request isn't clearly stated. New Jersey cardiologist Lou-Anne M. Beauregard, FACP, recalled that a recent request for records was rejected on those grounds, even though she was requesting the records in order to treat a current patient.
Hospitals that think they need specific patient authorization to transfer records to physicians "are going too far," said Michael R. Callahan, JD, chair of the health information and HIPAA compliance practice for Katten Muchin Zavis Rosenman in Chicago. "We're getting a conservative approach in the beginning until everyone better understands" the HIPAA privacy regulations.
Hospitals are erring on the side of rigid compliance policies, he continued, afraid they will be slammed with a stiff civil penalty—up to $25,000—for a violation. Others fear even costlier criminal sanctions and possible jail time.
Health care workers aren't the only ones baffled by the HIPAA privacy regulations. Patients, like hospitals and physicians, have also been confused by or misinformed about HIPAA privacy implications.
In some cases, patients who think they understand the privacy law are being so overprotective of their own records that they completely restrict disclosure of any of their own information. As a result, they may be compromising their own care.
Elderly patients, for instance, who check off a box indicating they don't want their information released to anyone could effectively prohibit a physician from contacting a family member unless an urgent or emergency situation arises.
Dr. Beauregard cited a case in point. She and her colleagues at Heart Specialists of Central Jersey in Manalapan, N.J., have about 500 patients on warfarin who must be frequently monitored. The HIPAA regulations have complicated their efforts.
"These patients are hard enough to track down as it is," she said, a dilemma that is exacerbated when physicians cannot leave a message with a family member or on an answering machine. The practice resolved the answering-machine issue by addressing it specifically in its privacy practices notice. But that doesn't help when a patient doesn't return Dr. Beauregard's phone call after receiving a message.
"If we absolutely cannot reach the patient, we used to call family members," she said. "Now that has to be specifically approved." Dr. Beauregard has tried to counsel patients who request disclosure restrictions that such an approach might not be in their best interest.
She also recently encountered a situation where the son of a patient with heart failure called for much-needed advice on his father's condition. Even though the son wasn't specifically listed as a person with whom she could discuss the patient's condition, she decided to do so because HIPAA allows for such communication under emergency conditions.
Solutions and workarounds
When can physicians expect some relief from misinterpretations of the new privacy rule? Chicago attorney Mr. Callahan predicted that many misconceptions will be resolved as the government begins releasing follow-up guidance on issues that have caused the most confusion. "We're still in that transitional stage," Mr. Callahan said. "In a year, I think we'll have additional [government] guidances."
But that prognosis offers little consolation for physicians who are having problems now. Dr. Tang of the Palo Alto Medical Foundation urged physicians who are having problems with hospitals to follow the same route his group took: Sit down with the appropriate hospital officials—the health information management director and the privacy officer, at a minimum—and bring up concrete issues that are occurring.
Since Dr. Tang's practice took that proactive approach, barriers to information-sharing have eased. "We're ironing out [persistent problems] at the individual hospital employee level," Dr. Tang explained. "The biggest part is just ensuring that people understand the rule."
Dr. Beauregard said that after encountering delays getting patient records, she asked hospital administrators to review her records request form. They suggested some changes to make the form HIPAA-compliant, which has helped ease some problems getting records.
But most physicians simply don't have time to pick up the phone and do some HIPAA education every time they encounter a problem. That's why some, like Dr. Beauregard, are finding ways of working around recurring privacy-related problems.
For example, she said she has learned to ask for the "right people" at the hospital and other facilities when she needs records. She explained that many physician offices and hospitals are still "mildly obstructionist" when it comes to sending records, a fact that she said hasn't changed much under HIPAA.
She also said she tries to keep the plus side of the new HIPAA privacy rule in mind. For all its related hassles, the rule does provide some useful guidance on releasing patient information, said Dr. Beauregard, who pointed out that many of her patients have multiple family members who used to call seeking information about their relative.
Now she has a great excuse to limit those conversations to only those family members listed on the patient's authorization form—and for deflecting phone calls from concerned neighbors of patients living in adult communities. "With HIPAA, there is some understanding" about what her practice can legally tell friends and family about patients, she said. "It's been a nice protector for us."
While some hospitals and other organizations may have been overzealous in their interpretation of the HIPAA privacy regulations, most analysts say that the rule itself is not overly burdensome. The rule's enforcement process, for example, was created primarily to educate, not punish, providers.
"The enforcement process is complaint-driven, so unless someone files a complaint against you, nothing is likely to happen," explained Carl Cunningham, Director of the College's Practice Management Center.
If a hospital or practice won't provide patient information that physicians are entitled to, Mr. Cunningham suggested downloading the appropriate section of ACP's "HIPAA Privacy Manual" on the Web and sending it to the other party. "If someone is really getting bent out of shape over the HIPAA privacy regulation," he said, "they probably don't really understand the rule."
Dr. Tang agreed that above all, the privacy rule tells physicians to take a commonsense approach and use their professional judgment when deciding whether—and with whom—to discuss confidential health information. Problems emerge, he said, when people make complying with the regulations overly complicated.
"This business of people saying 'I'm not allowed to talk to you' is baloney," Dr. Tang explained. "And it's bad for patient safety."
Dr. Pauker, who serves as a privacy officer in Boston, said he advises the physicians he educates on HIPAA privacy to think about good clinical care and safety first, and then HIPAA.
"We know that inadequate communication is one of the most common causes of medical errors," he explained, "so if [inadequate] communication could cause risk to a patient, care for the patient first and worry about HIPAA later."
Bonnie Darves is a freelance writer in Lake Oswego, Ore.
Debunking some common myths about the HIPAA privacy rule
Despite the reams of information that have been published on what the Health Insurance Portability and Accountability Act (HIPAA) privacy rule does and does not mean, confusion still reigns regarding several aspects of the new rule.
Here are some common myths about the HIPAA privacy rule that continue to confound physicians and their staff:
Myth: HIPAA prohibits using patient sign-in sheets or calling out patients' names in waiting rooms. Physician practices may still use patient sign-in sheets and call out patients' names—provided the information disclosed on the sheet or in the announcement is appropriately limited. Sign-in sheets cannot contain a patient's Social Security or phone number, for example, or requests for a description of the problem that brought the patient into the office.
Myth: Prescriptions, medical records and test results such as X-rays can be picked up only by the patient. Pharmacies that prohibit someone other than the patient from picking up prescriptions "are acting on their own policies, not the rule's requirements," said Pamela Waymack, managing director of Phoenix Services Managed Care Consulting in Evanston, Ill. "The HIPAA privacy rule explicitly provides that this common practice can continue."
The rule also allows physicians or staff to hand off medical records and test results to individuals other than the patient. But practices should take care to correctly identify the individual picking up any patient items and, if possible, obtain the patient's permission before releasing them.
Even without authorization, the HIPAA privacy rule allows physicians to release such items if they think that doing so is in the patient's best interest.
Myth: Physicians who disclose medical information to other physicians for treatment purposes must meet the "minimum necessary" standard. Early versions of the privacy regulations required health care providers to use that standard. But Chicago health care attorney Michael R. Callahan, JD, said that the final version of the rule allows providers to share patient information for treatment, payment and operations with all providers involved in a patient's care.
Physicians or other providers should, however, have a specific reason for requesting the records. In addition, most disclosures and requests for medical records should be tracked.
There are exceptions, according to Stephen G. Pauker, MACP, vice-chair of the department of medicine at Boston's Tufts-New England Medical Center and the privacy officer for his medical group. Routine discharge summaries to referring physicians or referral forms to another facility don't need to be tracked, he said, and physicians don't need to document the reporting of procedures or test results to a referring physician.
Myth: HIPAA prohibits, or at least discourages, the use of e-mail between physicians and patients. While that's not true, physicians should try to use e-mail systems that encrypt messages whenever possible. They should also avoid including patient health information unnecessarily in electronic exchanges.
Reece Hirsch, JD, a San Francisco health care privacy and security attorney with Sonnenschein Nath & Rosenthal LLP, pointed out that HIPAA does not specifically call for encrypting e-mail that contains health information. At the very least, he said, physicians should use password-protected systems for those exchanges. He also stressed the importance of advising patients of the possible risks of discussing health matters via e-mail and of obtaining their consent.
Because there is always a risk that the contents of e-mail can fall into the hands of unintended people, Mr. Hirsch said, physicians should ask patients to agree to and be willing to take that risk.
Dr. Pauker, for example, has developed a patient-clinician consent form that asks patients to explicitly authorize him and his colleagues to exchange e-mails discussing their health. The form gives patients guidelines, telling them to not use e-mail to discuss urgent matters, emergencies or sensitive topics such as treatment for AIDS or sexually transmitted diseases. The form also lists the potential risks and indemnifies the medical center should the information reach unintended parties.
Myth: Privacy breaches and incidental information disclosures must be reported to the Office of Civil Rights. Despite rumors of a secret "HIPAA police," physicians are not required to report incidental disclosures in which someone unwittingly or unintentionally gains access to patient health information. (If a patient walking down the hall overhears a conversation between a nurse and a physician, for example, no action is required.)
More serious breaches, however, require documentation. Ms. Waymack suggested using a central log rather than including the details in patient records where they might be difficult to track down or remember. Practices are also required to remedy the situation that led to the breach.