Privacy and Medical Records: A Few Words About HIPAA

JUNE 3, 2013 VOLUME 20 NUMBER 22
A delightful, intelligent and witty client of ours (nearly all our clients are delightful, intelligent and witty) visited her podiatrist’s office. Our client has always battled problems with her weight, so when an assistant insisted that she step onto an office scale she declined. I’m pretty sure, she said, that my podiatrist doesn’t really need to know my weight, and I just don’t like scales. The podiatrist’s assistant smiled understandingly but insisted. “I’m sorry,” she said, “but we have to take your weight on each visit. It’s required by HIPAA.”

Experienced elder law attorneys and people working in the medical field will likely have laughed out loud at that story. It is a good illustration of just how misunderstood HIPAA really is.

HIPAA, for those less familiar with acronym-speak, is the Health Insurance Portability and Accountability Act of 1996. As the name of the law indicates, it has been around for nearly twenty years, though it came to more prominence in 2003, when the first round of regulations implementing the law became effective. HIPAA has since been blamed for all manner of silliness — including the mandatory weigh-in at our client’s podiatry office, the “please stand behind this line” sign at your local pharmacy counter, and (our personal favorite) the sign-in sheet at your doctor’s office that variously requires either your first (only) or last (only) name — apparently on the theory that your privacy is better protected when the receptionist shouts out “Mr. Johnson?” or, in another office, “Dave?”

What does HIPAA actually provide? It mandates that your health care providers — pretty much all of them — keep your records and data confidential. It is an attempt to prevent sale and recirculation of identifiable data. You would probably not want your name added to a list of people diagnosed with a given condition, and then sold to an insurance company, or a medical supplier. HIPAA is on your side.

But here’s the more difficult part. HIPAA doesn’t mandate that doctor’s offices treat you like (or actually issue you) a number to hide your name. It doesn’t require that you weigh in at your podiatrist’s. It doesn’t prevent the hospital where you are being treated from communicating with your doctor’s office or your pharmacy. It also doesn’t give you the right to sue your doctor, hospital or pharmacist for violating your privacy.

What does get prosecuted under HIPAA? Not much. Last year, according to the US Department of Health and Human Services, there were about 10,000 HIPAA complaints received. About two-thirds of those were dealt with summarily, and another large segment are deemed to involve no violation at all. That leaves about a quarter of all cases in which some sort of corrective action is mandated — which does not mean fines, or criminal prosecution, or even public disclosure of offending offices or providers.

From time to time there are serious fines levied. Just last month, for instance, Idaho State University paid a $400,000 settlement for disabling its firewall protection on servers housing patient data on almost 20,000 individuals cared for in its clinics. And just a few months earlier, Hospice of Northern Idaho agreed to pay $50,000 to resolve violations centering on the theft of an unencrypted laptop containing records of 441 hospice patients. The Hospice of Northern Idaho case was a landmark, according to the Department of Health and Human Services: it was the first time the agency had entered into a settlement involving security breaches involving fewer than 500 patients.

Obviously, the privacy regulations governing health care providers have a big impact on the provision of services and on patients. But what does this have to do with lawyers — especially since lawyers can not file lawsuits on behalf of clients who believe that their HIPAA privacy rights have been violated? It is the doctrine of unintended consequences writ large: lawyers who draft estate planning documents for clients want to be sure that they will be effective at a later time when the client may not be able to give consent. But there is concern that doctors, hospitals and other health care providers will not deal with family members, even if they have been named as agent in a properly drawn power of attorney.

We should not have to worry. The Department of Health and Human Services has made clear that it permissible for medical providers — including doctors, pharmacists, nurses and social workers — to talk with family members unless the patient has expressly forbidden such conversations. Among the frequently asked questions prominently listed on the DHHS website is this one:

“If I do not object, can my health care provider share or discuss my health information with my family, friends, or others involved in my care or payment for my care?”

The answer, in a word, is “yes.” Read the DHHS answer for more detail.

Much of the hyperbole about the reach of HIPAA, and the difficulty in complying, is just silly. Your doctor is supposed to have a plan for protecting your health records, and not to share them inappropriately. That should not preclude talking with either your family or your other health providers (hospital, pharmacist, social worker). But to be safe, your health care power of attorney, your financial power of attorney and even your revocable living trust could include a provision expressly authorizing your agent and trustee to talk with your doctor when it is necessary to get updated medical information.

And our client with the anxiety about stepping on the podiatrist’s scale? We explained the law to her. “That’s just silly,” we said. “HIPAA doesn’t mandate that they weigh you at every visit. That’s the Patriot Act.”

Leave one

7 Responses

  1. Peggy Ford

     /  June 3, 2013

    Good come back!

  2. Ruth Russell

     /  June 3, 2013

    At a recent annual eye exam at my opthalmologist’s office, when I said I didn’t want a copy of the eye glasses prescription for $45 (in addition to the cost of the eye exam), I was told it was required by law and I had to pay for it whether or not I wanted a copy.

  3. pam keller

     /  June 3, 2013

    I am sorry to hear that there is no real action being taken on HIPAA complaints. I have a case where a physician (who also happens to be a state representative) shared a diagnosis of dementia with a family member without authority to do so, which formed the basis of a guardianship proceeding. The interesting thing was the physician’s records don’t reflect a diagnosis of or treatment for dementia and the physician admitted that he never told the patient or the spouse that the patient had dementia. The alleged violation has cost the gentleman thousands of dollars in legal fees to fight the guardianship proceedings. A HIPAA complaint has been made months ago without word from the authorities. Where does the client go from here?

  4. Thank you for making your newsletter easy to share. I’ve been reading and enjoying your content for years, and appreciate this updated feature.

  5. Pam:

    I don’t know what possible private right of action there might be for a privacy violation, whether under state or federal law. But HIPAA violations can not be remedied privately; your report to the agency was your only recourse.

    Robert Fleming
    Fleming & Curti, PLC
    Tucson, Arizona

  6. Lisa Comella

     /  January 11, 2017

    Is it customary and not a Hippa violation, for a hospital social worker to disclose patient medical/psych info to a sales rep who helps people find the right retirement/independent/assisted living place? Sales rep is non- medical, private person who owns her own business. Is it a violation if same person disclosed patient info while talking to such communities in town? Thank you for any guidance here.

  7. Lisa:

    HIPAA recognizes that medical providers often have to work with others — some of them not covered by HIPAA themselves — in order to get good care for patients. And HIPAA doesn’t cover the disclosures made by individuals not connected to the medical provider network. I think you are asking about the hospital’s liability for a non-HIPAA agency’s disclosure of confidential information; if that’s right, talk with the hospital’s legal counsel and/or risk management office. But the initial discussion with the placement agency should not be a HIPAA violation itself.

©2017 Fleming & Curti, PLC