Keeping patients’ details private, even from kin
An emergency room nurse in Palos Heights, Ill., told Gerard Nussbaum he could not stay with his father-in-law while the elderly man was being treated after a stroke. Another nurse threatened Mr. Nussbaum with arrest for scanning his relative’s medical chart to prove to her that she was about to administer a dangerous second round of sedatives.
The nurses who threatened him with eviction and arrest both made the same claim, Mr. Nussbaum said: that access to his father-in-law and his medical information was prohibited under the Health Insurance Portability and Accountability Act, or Hipaa, as the federal law is known.
Mr. Nussbaum, a health care and Hipaa consultant, knew better and stood his ground. Nothing in the law prevented his involvement. But the confrontation drove home the way Hipaa is misunderstood by medical professionals, as well as the frustration — and even peril — that comes in its wake.
Government studies released in the last few months show the frustration is widespread, an unintended consequence of the 1996 law.
Hipaa was designed to allow Americans to take their health insurance coverage with them when they changed jobs, with provisions to keep medical information confidential. But new studies have found that some health care providers apply Hipaa regulations overzealously, leaving family members, caretakers, public health and law enforcement authorities stymied in their efforts to get information.
Experts say many providers do not understand the law, have not trained their staff members to apply it judiciously, or are fearful of the threat of fines and jail terms — although no penalty has been levied in four years.
Some reports blame the language of the law itself, which says health care providers may share information with others unless the patient objects, but does not require them to do so. Thus, disclosures are voluntary and health care providers are left with broad discretion.
The unnecessary secrecy is a “significant problem,” said Mark Rothstein, chairman of a privacy subcommittee that advises the Department of Health and Human Services, which administers Hipaa. “It’s drummed into them that there are rules they have to follow without any perspective,” he said about health care providers. “So, surprise, surprise, they approach it in a defensive, somewhat arbitrary and unreasonable way.”
Susan McAndrew, deputy director of health information privacy at the Department of Health and Human Services, said that problems were less frequent than they once had been but that health care providers continued to hide behind the law. “Either innocently or purposefully, entities often use this as an excuse,” she said. “They say ‘Hipaa made me do it’ when, in fact, they chose for other reasons not to make the permitted disclosures.”
Mr. Rothstein, one of Hipaa’s harshest critics, has led years of hearings across the country. Transcripts of those hearings, and accounts from hospital administrators, patient advocates, lawyers, family members, and law enforcement officials offer an anthology of Hipaa misinterpretations, some alarming, some annoying:
Birthday parties in nursing homes in New York and Arizona have been canceled for fear that revealing a resident’s date of birth could be a violation.
Patients were assigned code names in doctors’ waiting rooms — say, “Zebra” for a child in Newton, Mass., or “Elvis” for an adult in Kansas City, Mo. — so they could be summoned without identification.
Nurses in an emergency room at St. Elizabeth Health Center in Youngstown, Ohio, refused to telephone parents of ailing students themselves, insisting a friend do it, for fear of passing out confidential information, the hospital’s patient advocate said.
State health departments throughout the country have been slowed in their efforts to create immunization registries for children, according to Dr. James J. Gibson, the director of disease control in South Carolina, because information from doctors no longer flows freely.
Teaching staff to protect records is easier than teaching them to share them, said Robert N. Swidler, general counsel for Northeast Health, a nonprofit network in Troy, N.Y., that includes several hospitals.
“Over time, the staff has become a little more flexible and humane,” Mr. Swidler said. “But nurses aren’t lawyers. This is a hyper-technical law and it tells them they may disclose but doesn’t say they have to.”
Many experts, including critics like Mr. Rothstein and proponents like Ms. McAndrew, distinguish different categories of secrecy.
There are “good faith nondisclosures,” as when a floor nurse takes a phone call from someone claiming to be a family member but cannot verify that person’s identity. Then there are “bad faith nondisclosures,” like using Hipaa as an excuse for not taking the time to gather records that public health officials need to help child abuse investigators trying to build a case.
Most common are seat-of-the-pants decisions made by employees who feel safer saying “no” than “yes” in the face of ambiguity.
That seemed to be what happened to his own mother, Mr. Rothstein said, when she called her doctor’s office to discuss a problem. She was told by the receptionist that the doctor was not available, Mr. Rothstein said, and then inquired if the doctor was with a patient or out of the office. “I can’t tell you because of Hipaa,” came the reply. In fact the doctor was home sick, which would have been helpful information in deciding whether to wait for a call back or head for the emergency room.
The law, medical professionals and privacy experts said, has had the positive effect of making confidentiality a priority as the nation moves toward fully computerized, cradle-to-grave medical records.
But safeguarding electronic privacy required a tangle of regulations issued in 2003, followed last year by 101 pages of “administrative simplification.”
Senator Edward M. Kennedy, Democrat of Massachusetts, a sponsor of the original insurance portability law, was dismayed by the “bizarre hodgepodge” of regulations layered onto it, several staff members said, and by the department’s failure to provide “adequate guidance on what is and is not barred by the law.” To that end, Mr. Kennedy, along with Senator Patrick M. Leahy, Democrat of Vermont, plans to introduce legislation creating an office within the Department of Health and Human Services dedicated to interpreting and enforcing medical privacy.
“In this electronic era it is essential to safeguard the privacy of medical records while insuring our privacy laws do not stifle the flow of information fundamental to effective health care,” Mr. Kennedy said.
This spring, the department revised its Web site, www.hhs.gov/ocr/hipaa, in the interest of clarity. But Hipaa continues to baffle even the experts.
Ms. McAndrew explained some of the do’s and don’ts of sharing information in a telephone interview:
Medical professionals can talk freely to family and friends, unless the patient objects. No signed authorization is necessary and the person receiving the information need not have the legal standing of, say, a health care proxy or power of attorney. As for public health authorities or those investigating crimes like child abuse, Hipaa defers to state laws, which often, though not always, require such disclosure. Medical workers may not reveal confidential information about a patient or case to reporters, but they can discuss general health issues.
Ms. McAndrew said there was no way to know how often information was withheld. Of the 27,778 privacy complaints filed since 2003, the only cases investigated, she said, were complaints filed by patients who were denied access to their own information, the one unambiguous violation of the law.
Complaints not investigated include the plights of adult children looking after their parents from afar. Experts say family members frequently hear, “I can’t tell you that because of Hipaa,” when they call to check on the patient’s condition.
That is what happened to Nancy Banks, who drove from Bartlesville, Okla., to her mother’s bedside at Town and Country Hospital in Tampa, Fla., last week because Ms. Banks could not find out what she needed to know over the telephone.
Her 82-year-old mother had had a stroke. When Ms. Banks called her room she heard her mother “screaming and yelling and crying,” but conversation was impossible. So Ms. Banks tried the nursing station.
Whoever answered the phone was not helpful, so Ms. Banks hit the road. Twenty-two hours later, she arrived at the hospital.
But more of the same awaited her. She said her mother’s nurse told her that “because of the Hipaa laws I can get in trouble if I tell you anything.”
In the morning, she could speak to the doctor, she was told.
The next day, Ms. Banks was finally informed that her mother had had heart failure and that her kidneys were shutting down.
“I understand privacy laws, but this has gone too far,” Ms. Banks said. “I’m her daughter. This isn’t right.”
A hospital spokeswoman, Elena Mesa, was asked if nurses were following Hipaa protocol when they denied adult children information about their parents.
She could not answer the question, Ms. Mesa said, because Hipaa prevented her from such discussions with the press.
(Published by The New York Times, July 3, 2007)