HIPAA does not stop health care providers from disclosing patient information to provide better care.
In discharging its mandate under the Health Insurance Portability and Accountability Act (HIPAA) to establish privacy protections for health care transactions, the U.S. Department of Health and Human Services (HHS) has erected a regulatory framework focused on preventing unauthorized disclosures of personal data. The HIPAA Privacy Rule issued by HHS provides national standards to safeguard the confidentiality of individuals’ health information.
Although many prominent commentators—including lawmakers, scholars, health care providers, and patient advocacy groups—have criticized HIPAA for blocking commonsense communication and impeding disclosure in dire situations, the law does not actually prevent information sharing in the vast majority of cases. But misconceptions and misinterpretations of HIPAA can hamper information exchange, at times to the detriment of patient well-being and family involvement. Instead of radical changes to HIPAA’s regulatory structure as some critics have proposed, it is imperative to equip health care providers with a clearer understanding of how the Privacy Rule works to reduce bureaucratic hurdles and optimize patient care.
The emphasis on preserving privacy, as opposed to demanding interoperability, is baked into the regulatory structure itself. Under the HIPAA Privacy Rule’s general directive, health care providers, insurers, and other covered entities subject to its requirements may not use or disclose protected health information except as authorized by the regulation. Even where HIPAA allows health information to be shared, doing so is seldom required. The only disclosures that HIPAA compels are those to the patient—or to certain authorized patient representatives—and to HHS for compliance purposes. All other information releases are permissive and subject to potentially more stringent state or other federal law.
HIPAA’s focus on penalizing improper, rather than insufficient, information exchange has led numerous experts to decry the resulting imbalance in regulatory incentives, which can make doctors and hospitals overly cautious in sharing information with patients’ families, caregivers, and downstream health care providers. Counterproductive HIPAA myths are abundant and many organizational policies erect unnecessary barriers based on overzealous or inaccurate interpretations of the law. The consequent wariness among clinicians and administrators can adversely impact patient care if vital information is withheld from loved ones and other health care professionals.
News reports have highlighted the “code of silence” imposed by misconceptions about HIPAA, with “families cut out of care” by the defensive posture of health care facilities and their proclivity to err on the side of withholding information. Virginia State Senator Creigh Deeds (D), whose bipolar son tragically stabbed him before committing suicide in 2013, subsequently testified before the U.S. Congress that HIPAA prevented him from “accessing the information” he needed to intervene before catastrophe struck. HHS Secretary Alex Azar noted in a recent speech that “current interpretations” of HIPAA, along with older federal substance abuse confidentiality regulations, “get in the way” of combatting the nation’s opioid addiction crisis.
These critiques identify a real and pressing issue raised by widespread HIPAA misunderstandings within the health care community. Unfortunately, some of the solutions put forward have proposed stripping clinicians of their substantial discretion under the law, thereby substituting additional regulatory mandates for professional judgment. These proposals are no doubt well-intentioned, but they risk doing more harm than good for doctors and patients alike.
For example, a former administrator of the Centers for Medicare & Medicaid Services has suggested that HHS penalize and publicize health care organizations that fail to disclose timely information to clinicians and families. This approach would vastly expand the investigative purview of HHS from deterring privacy and security breaches to punishing overprotectiveness. Legislation introduced in the last Congress would have required HHS to issue new HIPAA regulations creating a “compassionate communication” exception for individuals with severe mental illness. Ironically, such rulemaking would have eroded the parity under HIPAA with respect to medical and mental health information—with the very limited exception of therapists’ desk-drawer psychotherapy notes, which must be kept apart from the rest of the mental health chart in order to retain their additional safeguards. Reduced privacy protections for behavioral health would also run headlong into the penchant for state law to afford more, not less, protection to psychiatric and other particularly sensitive records.
One of the underappreciated strengths of the HIPAA regulatory regime is the extent to which it accords significant discretion to clinicians in handling health information. The federal government, including HHS and its component agencies, does not regulate the practice of medicine. That is a state function, typically delegated to medical boards partly comprised of practicing professionals. HIPAA provides a uniform “federal floor” of basic privacy practices and offers numerous pathways for information exchange, but it usually steers clear of dictating how and when clinicians must communicate.
By facilitating permissive information disclosure, HIPAA’s regulatory scheme enables clinicians to use health information consistent with their professional ethics obligations and applicable state law. Physicians and other health care professionals are uniquely situated, given the intimacy of the treatment relationship and the fiduciary duties of confidentiality and care that spring from it, to protect patient welfare in circumstances of vulnerability. The extant flexibility under HIPAA permits them to do just that.
HHS’s Privacy Rule itself has never restricted the ability of health care providers to share information for clinical care. In fact, requests or disclosures for treatment are one of the few exceptions to HIPAA’s overarching injunction to release only the “minimum necessary” information. Thus, a primary care office can send a patient’s entire chart to a treating specialist, and health care providers can talk with one another about their joint plans for care. Of course, a doctor’s office may also voluntarily choose to obtain the patient’s consent beforehand, which may be entirely appropriate if the request is not urgent and the staff does not recognize the requestor.
Moreover, HIPAA defers broadly in several instances to clinicians’ experience and expertise. For example, when communicating with patients’ family, friends, and caregivers, clinicians may exercise “professional judgment” to infer that the patient does not object. If the patient is unavailable or incapacitated, health care providers may also make a professional determination as to whether disclosure to loved ones is in the individual’s “best interests.” Similarly, where state law does not address parental access to unemancipated minors’ health records—a particularly sensitive topic in some types of adolescent care—HIPAA allows licensed health care professionals to rely on their professional judgment in providing or denying the records.
With the benefit of empowerment comes the burden of education. Because health care organizations retain substantial control over the flow of medical information, it is important that they receive clear and accurate guidance on what the law does—and does not—say. The 21st Century Cures Act, enacted in December 2016, expressed Congress’s concern about “confusion in the health care community” over HIPAA and directed HHS to issue clarifying guidance and model training programs. Countering and dispelling HIPAA fallacies is the surest path to removing ill-conceived roadblocks that impede patient care.
As the former head of HIPAA enforcement once explained, “HIPAA is meant to be a valve, not a blockage.” Ensuring those informational arteries remain healthy and clear entails harnessing clinician discretion, not undermining it. Enfranchised and informed clinicians can both protect patient privacy and exchange information to advance patient care.