Is It Really a Misunderstanding?: Why is HIPAA So Often Used as an Excuse

An increasing number of stories recently are casting light onto circumstances when HIPAA has been used as an excuse to deny a patient or investigators access to medical information.  The largest story, a collaboration piece between NPR and ProPublica by Charles Ornstein, cited three examples where HIPAA was improperly used to deny access.  The three examples included a parent being threatened for taking pictures of her son, police being denied information by a nursing home when investigating a potential crime and employees at the Department of Veterans Affairs being threatened or retaliated against when seeking to blow the whistle.

In each of the examples identified by Mr. Ornstein, HIPAA was used thrown out by the offending organization as a defense to its actions.  However, as the tone of the reference likely makes clear, the organizations did not correctly use HIPAA.  In each instance, the proposed action either fell into a permissible use or disclosure or was not even covered by HIPAA in the first place.

Why do these problems seem to be occurring so frequently?  Is it that the issues are actually occurring more often, or is more attention being paid to the issues?  I believe that the problems and misconceptions about HIPAA have persisted for a number of years now, but greater attention is being paid to problems when they arise.

What is driving the increased attention?  For one thing, I think the enactment of the Omnibus Rule in 2013 brought a lot of mainstream coverage to HIPAA and made a lot of people very aware of the general nature of what HIPAA does.  Unfortunately, the vast coverage did not necessarily translate to people gaining an in-depth or accurate understanding.  If time was taken to read the regulations then it would be easy to see how the above examples did not follow the guidelines set out in the Privacy Rule.

What can be done to help?  First, an easy to understand guide to the Privacy and Security Rule can be prepared and shared.  Arguably, this is already done because covered entities need to provide a Notice of Privacy Practices to patients explaining what uses the covered entity can make of an individual’s protected health information.  However, I believe a more general guide may be needed.  Second, organizations need to ensure that good and thorough training is provided.  If someone works for a covered entity, business associate or any other party in the healthcare field, they should know what HIPAA does.  HIPAA is not something that can be pushed to the side, but plays a front and center role in determining how a number of operations may go.  If an individual who is acting on behalf of a healthcare entity does not understand HIPAA, then the likelihood of good practice is already lost.

Many problems with HIPAA and compliance come down to a lack of understanding.  Getting a solid base into place and then maintaining education will be tremendously helpful.  Knowledge is power and can benefit everyone.


About Matt Fisher

Matt is the chair of Mirick O'Connell's Health Law Group and a partner in the firm's Business Group. Matt focuses his practice on health law and all areas of corporate transactions. Matt's health law practice includes advising clients with regulatory, fraud, abuse, and compliance issues. With regard to regulatory matters, Matt advises clients to ensure that contracts, agreements and other business arrangements meet both federal and state statutory and regulatory requirements. Matt's regulatory advice focuses on complying with requirements of the Stark Law, Anti-Kickback Statute, fraud and abuse regulations, licensing requirements and HIPAA. Matt also advises clients on compliance policies to develop appropriate monitoring and oversight of operations.
This entry was posted in Compliance, HIPAA, HITECH, Regulations and tagged , , , , , . Bookmark the permalink.

1 Response to Is It Really a Misunderstanding?: Why is HIPAA So Often Used as an Excuse

  1. Pingback: HITECH Answers: Meaningful Use, EHR, HIPAA News - Why is HIPAA So Often Used as an Excuse

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s