HIPAA: Facts Versus Fiction

There was a very interesting article in the  NYT about 6 weeks ago (Tuesday, July 21. 2015, p D2) about the Health Insurance Portability and Accountability Act, widely know as “Hipaa.”  The article was entitled: “Hipaa as a code of silence,” and was written by Paula Span.  At the time I thought the article was interesting, but I could not decide whether I should write about it.  Well, since the article came out, I have been asked about various Hipaa issues by quite a number of friends and medical colleagues.  So, let’s talk about it.

Hipaa is a federal law that provides rules for sharing personal medical information, primarily for the purpose of protecting such information from unauthorized uses.  As the article points out, Hippa is poorly understood, not only by patients, their families and friends, but also  by many health care professionals.  In my experience, for health professionals, mention of the word “Hipaa,” creates anxiety, and the fear that a potential Hipaa violation could be in the offing.  In fact, hipaa is not all that complicated, and it is important that all of us understand how it works.

So, how does Hipaa work


Hipaa is based on two principles: patient privacy, and health care professional confidentiality.  The idea is that a patient has a right to limit who knows about his or her medical condition.  In addition, health care professionals have an obligation to keep patient health information from being disclosed without the patient’s consent.  It is important to note that some patient health information can be disclosed, even without the patient’s consent if it is required by law (e.g., providing information to people who are directly involved in the care of a patient or for payment for services), or in some specific circumstances, if the health care professional considers disclosure of medical information necessary for the care of the patient, but ONLY if the patient does not specifically object.  Thus, doctors and other health professionals can share medical information with family caregivers (or others directly involved in a patient’s care), IF the patient is conscious, understands the health situation, and has the opportunity to say no.  If the patient is not conscious or if the patient cannot understand the situation and cannot make appropriate decisions, the health care provider must use good judgment regarding what family and other caregivers should be told.  The health care provider is not required to share information with family and other caregivers.  The law does not require that a patient sign a form that gives the health care provider permission to provide information to family and other caregivers, but many hospitals do require written consent as part of their care facility registration process.

So, who does the Hipaa law apply to?  The answer is simple- only health care professionals and others involved in in the patient’s health care.  The law does not apply to family members and friends of the patient, nor does it apply to veterinarians, the clergy, newspaper reporters, etc.  The law does not prevent family members and others from providing information to the health care providers (e.g., information about a patient’s medications).  The law also does not prevent a nursing home or assisted living facility  from reporting a death or that a resident has been hospitalized; many nursing homes and assisted living facilities keep lists of relatives and friends the residents want to be notified if they are in hospital or have died.

Health Information Technology for Economic and Clinical Health Act (HITECH ACT)

The NYT article did not discuss HITECH, a law that complements Hipaa, but I think you should know about it.  This law was passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA).  ARRA was meant to widen the scope of privacy and security protection for patients under Hippa by promoting the adoption and meaningful use of health technology.  The law is particularly concerned about privacy and security concerns associated with the electronic transfer of patient health information.  The law covers what is called “willful neglect,” and carries with it civil penalties of up to 1.5 million dollars for violations.  We as health care providers, are frequently reminded of our responsibilities to protect patient medical information from those not authorized to see it.  That should be reassuring to patients and their loved ones.

How can family members avoid “Hipaa encounters?”

In my opinion, it is very important for all people to make certain their medical wishes are known, including who they want to be able to make medical care decisions for them, if they become incapacitated.  It is relatively easy and inexpensive to designate a relative or friend as one’s personal representative or give someone power of attorney (general and/or medical) should the person become incapacitated.  I strongly recommend that all people, aged or not, healthy or not, tend to this.  This is simple stuff for attorneys.  I suggest you read the NYT article.  In addition, I recommend you check out the following: United Hospital Fund (Next Step in Care): HIPAA: questions and answers for family caregivers.  www.nextstepincare.org (2014).

Leave a Reply

Your email address will not be published. Required fields are marked *