An increasing number of stories recently are casting light onto circumstances when HIPAA has been used as an excuse to deny a patient or investigators access to medical information. The largest story, a collaboration piece between NPR and ProPublica by Charles Ornstein, cited three examples where HIPAA was improperly used to deny access. The three examples included a parent being threatened for taking pictures of her son, police being denied information by a nursing home when investigating a potential crime and employees at the Department of Veterans Affairs being threatened or retaliated against when seeking to blow the whistle.
In each of the examples identified by Mr. Ornstein, HIPAA was used thrown out by the offending organization as a defense to its actions. However, as the tone of the reference likely makes clear, the organizations did not correctly use HIPAA. In each instance, the proposed action either fell into a permissible use or disclosure or was not even covered by HIPAA in the first place.
Why do these problems seem to be occurring so frequently? Is it that the issues are actually occurring more often, or is more attention being paid to the issues? I believe that the problems and misconceptions about HIPAA have persisted for a number of years now, but greater attention is being paid to problems when they arise.
What is driving the increased attention? For one thing, I think the enactment of the Omnibus Rule in 2013 brought a lot of mainstream coverage to HIPAA and made a lot of people very aware of the general nature of what HIPAA does. Unfortunately, the vast coverage did not necessarily translate to people gaining an in-depth or accurate understanding. If time was taken to read the regulations then it would be easy to see how the above examples did not follow the guidelines set out in the Privacy Rule.
What can be done to help? First, an easy to understand guide to the Privacy and Security Rule can be prepared and shared. Arguably, this is already done because covered entities need to provide a Notice of Privacy Practices to patients explaining what uses the covered entity can make of an individual’s protected health information. However, I believe a more general guide may be needed. Second, organizations need to ensure that good and thorough training is provided. If someone works for a covered entity, business associate or any other party in the healthcare field, they should know what HIPAA does. HIPAA is not something that can be pushed to the side, but plays a front and center role in determining how a number of operations may go. If an individual who is acting on behalf of a healthcare entity does not understand HIPAA, then the likelihood of good practice is already lost.
Many problems with HIPAA and compliance come down to a lack of understanding. Getting a solid base into place and then maintaining education will be tremendously helpful. Knowledge is power and can benefit everyone.