HIPAA: Healthcare’s Favorite Scapegoat

MattFisher-whiteBy Matt Fisher, Esq
Twitter: @matt_r_fisher
Host of Healthcare de Jure#HCdeJure

Stop if you’ve heard either of these or some other variation before: I can’t tell you anything about that patient because of HIPAA or I can’t give you a copy of your medical records because of HIPAA or HIPAA doesn’t let me say anything. Throwing up HIPAA as an excuse to prevent the free and usually justified flow of medical information is all too common place in healthcare. These issues have been forefront of mind because of a recent back and forth on Twitter that included a combination of providers, lawyers, patients and other individuals. The common thread throughout the discussion was that HIPAA is used a barrier with an alarming degree of frequency.

The means by which HIPAA is raised as a barrier may vary, but the underlying premise is always the same: a requested action cannot occur because HIPAA privacy and/or security requirements allegedly prohibit the desired action. A fundamental question is why HIPAA is so frequently used as an excuse. Is misunderstanding or a lack of understanding of HIPAA so widespread? Is the use of HIPAA as an excuse a sign of laziness or not caring about individual rights? Does too much fear exist surrounding the fallout from a potential violation? The exact question and answer will likely never be known (since it is unlikely that anyone will admit the true reasons), but it is also unnecessary to know the question and/or answer.

The mere fact that the issue exists should be the impetus to drive for change. HIPAA, when properly understood, facilitates many of the outcomes that it is used to prevent. HIPAA does contain a myriad of privacy and security requirements, but those requirements enable common sense usage and are not intended to prevent the delivery or coordination of care as is so often asserted.

One step in removing HIPAA as an excuse is for the impacted parties to be fully aware of what HIPAA does and what it allows. Arming one’s self with a working knowledge of HIPAA promotes the ability to call out a party or individual when that party tries to use HIPAA in the wrong way. Such knowledge is both a means of self-help and promoting awareness. If the erring party is not taking appropriate steps to become educated or misinterprets a requirement, then the correct information can be presented to them. The fact that conversations identifying and diving into these issues are occurring on social media and elsewhere is a positive sign.

It is acknowledged that shining a bright light on the misconceptions surrounding HIPAA is not a cure-all approach. In fact, even when presented with the right and required path to take, resistance can be expected.

That leads into another step, which is to continue making educational and informational materials available. If correct and accurate information about HIPAA becomes readily available and hard to miss, the opportunities to accessing such information and materials also increase. The more chances there are to drink from the fountain of knowledge, hopefully the more individuals will actually do so. The other old axiom of you can lead a horse to water, but you can’t force the horse to drink also applies, but there is always the chance that optimism will prevail.

The Office for Civil Rights and Office for the National Coordinator of Health Information Technology are walking the educational walk. The past few years have seen a relative explosion in the production of resources and tools. These resources and tools attempt to remedy misconceptions and ensure a well-rounded understanding. As such, the resources consider how HIPAA applies to newer technologies or realities, while staying true to truths that have existed since HIPAA was first enacted. That fact reveals one of the issues though, the resources are not spreading new information, but speaking to certain HIPAA basics.

The frustration over non-compliance can be seen in the publicly announced enforcement actions. Many of those settlements find pervasive and fundamental non-compliance issues. However, the settlements also do not address so-called “smaller” issues such as breaches impacting fewer than 500 individuals or failures to grant access. Those problems are often addressed outside the public eye.

With all of these issues, maybe the time is ripe for a grassroots movement to dispel many of the myths surrounding HIPAA and its perceived role as a barrier in healthcare. Many platforms exist to promote such a movement, none with more potential power than social media. Social media enables the quick and widespread dissemination of information, calling out of bad actors, and means of pushing for a response. The question here is whether enough of a public issue exists, though that can arguably be driven by putting the issue out. Regardless, if more people create resources that can address HIPAA questions and show how it is misstated, then the excuse will hopefully become harder and harder to use.

For the time being, the scapegoat will remain. It can only be hoped that this unfortunate reality will change soon. In the meantime, continue spreading the message as to how HIPAA really operates.

About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.