In What Ways is HIPAA Misused or Abused?

The Health Insurance Portability and Accountability Act, commonly known as HIPAA, includes multiple provisions intended to improve patient access to healthcare and their personal medical records, but it is best known for its privacy rule, which is intended to ensure the privacy of individuals’ so-called “protected health information” (PHI).

There are a number of misconceptions about the HIPAA privacy rule, though. These can lead to situations in which information is withheld unnecessarily (or even illegally), or create barriers to the delivery of quality care to patients.

Common Misconceptions about HIPAA

First, it is helpful to understand that HIPAA does not apply to everyone. If a friend confides information about a health condition and you subsequently reveal that information to a third party, you’re not violating HIPAA unless you happen to be defined as a “covered entity” under the law. Covered entities include healthcare providers, insurance companies, healthcare networks, and the business associates to whom they entrust PHI. Schools are not subject to the HIPAA privacy rule, either; they are governed by a different law (FERPA) aimed at protecting the privacy of students’ personal information. As a general category, employers are not classified as covered entities under HIPAA, either.

Second, the HIPAA privacy rule is not absolute. The Department of Health & Human Services, which oversees enforcement, has provided guidance that allows for certain exceptions. In response to the COVID-19 pandemic, for example, DHHS clarified situations that would allow for information to be shared with first responders and public health authorities, as well as “health information exchanges”.

Unfortunately, concerns about HIPAA compliance can sometimes lead to situations in which healthcare providers, other covered entities, and even private individuals feel compelled to withhold information that might otherwise be important to share with family, friends, or loved ones.

When HIPAA is Misused

A few years ago, we heard of a case in which a church pastor was warned not to print information about ailing or deceased members of the congregation because it would constitute a violation of the HIPAA privacy rule. Because churches are not considered covered entities under the law, however, those concerns were unfounded. Just as in the example above in which a friend shares medical information with a third party, HIPAA simply does not apply.

In fact, HIPAA does not prevent healthcare providers from confirming certain facts; for example, a nursing home may report a death, and can generally provide information confirming that a person has been admitted.

Sometimes the over-application of HIPAA can have real-world implications for patient care. In one case, for example, the adult child of an elderly patient attempted to reach hospital personnel to inform them of her mother’s allergies to certain medications. The staff refused to speak with her, citing concerns about patient privacy. When the caller insisted that she was not asking them to share any details, but rather was seeking to provide critically important information, they still refused to speak with her. In fact, one of the problem medications had already been prescribed. Fortunately, it was never actually administered. Nevertheless, this case highlights the potential problems that can arise from an overly cautious approach to HIPAA enforcement.

Patients Have a Right to their own Information

Many of the HIPAA enforcement actions taken by DHHS are actually for situations in which healthcare providers are too aggressive in withholding information. Under HIPAA, patients have a right to receive a copy of their own PHI. Providers who fail to honor such requests in a timely manner risk fines and penalties as a result.

It’s also common for healthcare providers to require written approval before sharing information with friends or family. In many cases, that can create unnecessary restrictions in providing important information to a patient’s loved ones. In reality, patients may give verbal permission for providers to inform family members of their condition, for example. If a patient is incapacitated, providers can use their judgment in determining whether or not to share details, and with whom.

HIPAA compliance can sometimes be confusing, and mistakes can be costly. To protect your patients and avoid penalties, work with technology companies that understand HIPAA compliance and have developed world-class security to ensure that information is protected. To learn more about WestFax’s HIPAA-compliant Healthcare Fax, contact us at (800) 473-6208, or via e-mail at