Privacy and Medical Records: A Few Words About HIPAA

JUNE 3, 2013 VOLUME 20 NUMBER 22
A delightful, intelligent and witty client of ours (nearly all our clients are delightful, intelligent and witty) visited her podiatrist’s office. Our client has always battled problems with her weight, so when an assistant insisted that she step onto an office scale she declined. I’m pretty sure, she said, that my podiatrist doesn’t really need to know my weight, and I just don’t like scales. The podiatrist’s assistant smiled understandingly but insisted. “I’m sorry,” she said, “but we have to take your weight on each visit. It’s required by HIPAA.”

Experienced elder law attorneys and people working in the medical field will likely have laughed out loud at that story. It is a good illustration of just how misunderstood HIPAA really is.

HIPAA, for those less familiar with acronym-speak, is the Health Insurance Portability and Accountability Act of 1996. As the name of the law indicates, it has been around for nearly twenty years, though it came to more prominence in 2003, when the first round of regulations implementing the law became effective. HIPAA has since been blamed for all manner of silliness — including the mandatory weigh-in at our client’s podiatry office, the “please stand behind this line” sign at your local pharmacy counter, and (our personal favorite) the sign-in sheet at your doctor’s office that variously requires either your first (only) or last (only) name — apparently on the theory that your privacy is better protected when the receptionist shouts out “Mr. Johnson?” or, in another office, “Dave?”

What does HIPAA actually provide? It mandates that your health care providers — pretty much all of them — keep your records and data confidential. It is an attempt to prevent sale and recirculation of identifiable data. You would probably not want your name added to a list of people diagnosed with a given condition, and then sold to an insurance company, or a medical supplier. HIPAA is on your side.

But here’s the more difficult part. HIPAA doesn’t mandate that doctor’s offices treat you like (or actually issue you) a number to hide your name. It doesn’t require that you weigh in at your podiatrist’s. It doesn’t prevent the hospital where you are being treated from communicating with your doctor’s office or your pharmacy. It also doesn’t give you the right to sue your doctor, hospital or pharmacist for violating your privacy.

What does get prosecuted under HIPAA? Not much. Last year, according to the US Department of Health and Human Services, there were about 10,000 HIPAA complaints received. About two-thirds of those were dealt with summarily, and another large segment are deemed to involve no violation at all. That leaves about a quarter of all cases in which some sort of corrective action is mandated — which does not mean fines, or criminal prosecution, or even public disclosure of offending offices or providers.

From time to time there are serious fines levied. Just last month, for instance, Idaho State University paid a $400,000 settlement for disabling its firewall protection on servers housing patient data on almost 20,000 individuals cared for in its clinics. And just a few months earlier, Hospice of Northern Idaho agreed to pay $50,000 to resolve violations centering on the theft of an unencrypted laptop containing records of 441 hospice patients. The Hospice of Northern Idaho case was a landmark, according to the Department of Health and Human Services: it was the first time the agency had entered into a settlement involving security breaches involving fewer than 500 patients.

Obviously, the privacy regulations governing health care providers have a big impact on the provision of services and on patients. But what does this have to do with lawyers — especially since lawyers can not file lawsuits on behalf of clients who believe that their HIPAA privacy rights have been violated? It is the doctrine of unintended consequences writ large: lawyers who draft estate planning documents for clients want to be sure that they will be effective at a later time when the client may not be able to give consent. But there is concern that doctors, hospitals and other health care providers will not deal with family members, even if they have been named as agent in a properly drawn power of attorney.

We should not have to worry. The Department of Health and Human Services has made clear that it permissible for medical providers — including doctors, pharmacists, nurses and social workers — to talk with family members unless the patient has expressly forbidden such conversations. Among the frequently asked questions prominently listed on the DHHS website is this one:

“If I do not object, can my health care provider share or discuss my health information with my family, friends, or others involved in my care or payment for my care?”

The answer, in a word, is “yes.” Read the DHHS answer for more detail.

Much of the hyperbole about the reach of HIPAA, and the difficulty in complying, is just silly. Your doctor is supposed to have a plan for protecting your health records, and not to share them inappropriately. That should not preclude talking with either your family or your other health providers (hospital, pharmacist, social worker). But to be safe, your health care power of attorney, your financial power of attorney and even your revocable living trust could include a provision expressly authorizing your agent and trustee to talk with your doctor when it is necessary to get updated medical information.

And our client with the anxiety about stepping on the podiatrist’s scale? We explained the law to her. “That’s just silly,” we said. “HIPAA doesn’t mandate that they weigh you at every visit. That’s the Patriot Act.”