When individuals seek access to medical records or information, the process can often prove frustrating and labyrinthine. The long and convoluted process can arise from an unintentional misunderstanding of HIPAA (or state law) requirements, or an absence of knowledge.
Concerns around access are cited frequently, especially as individuals become more informed and involved in their own health. In fact, a relatively new startup, Ciitizen, has created a Patient Record Scorecard to grade organizations on whether the right to access is respected. It is incredibly important to recognize that there are significant challenges in access and compliance in the real world. Information blocking is one of the most significant barriers that patients routinely struggle with while coordinating their, or their loved one’, care. As more patients are taking the driver’s seat of their care, they encounter more and more frustrating HIPAA roadblocks and questions. Grace Cordovano, PhD, board-certified patient advocate, founder of Enlightening Results and co-founder of Unblock Health, frequently encounters the many facets of HIPAA as they relate to patients in real life. Here are some common scenarios presented by Dr. Cordovano that patients struggle with respect to HIPAA and what options may exist or how outcomes may be influenced.
Scenario 1: A patient requires a second opinion with a specialist, but the specialist, who is part of a larger hospital system, does not accept the patient’s insurance. The patient is forced to pay cash out of pocket for all services. Since the patient is paying cash for all their care, the patient does not want to sign the HIPAA standard form, which states it is for billing and operations purposes. The patient wants their privacy respected but since the specialist does not accept the patient’s insurance, the patient does not see why their information must become part of the specialist’s data ecosystem. The patient is confused and asks, “Who is HIPAA actually protecting?”
Response: While the patient is rightfully thinking about the impact of procedures on their own journey, HIPAA is focused on the physician or other clinician and the healthcare industry from the organizational perspective. In the scenario of a specialist, the specialist’s obligation to comply with HIPAA, if applicable, must be viewed from the overall perspective, not just with one individual. Accordingly, if the specialist accepts other insurance coverage and bills insurance for services (which almost exclusively occurs electronically at this point in time), then the specialist (or more likely the organization where the specialist works) meets the definition of a health care provider under the HIPAA definition of a covered entity. If the specialist is a covered entity, then HIPAA applies to all of the specialist’s operations and care delivery.
With that being said, the exact nature of the specialist consult should be considered. Is the referral for a consult through an “official” channel, or is the specialist somehow being consulted in a side gig. For example, a well-known specialist could want to setup an independent practice solely for providing second opinions. That side gig could require only out of pocket payments by an individual and reside wholly outside of the insurance system. In that case, the specialist’s side gig could very well fall outside of HIPAA coverage and the requirements of HIPAA, both good and bad, would not apply.
To the point of an individual not necessarily wanting their data to become a part of the specialist’s data ecosystem, that may be unavoidable. Even if HIPAA does not apply, a physician (and many other clinicians) have state level licensing obligations to maintain records and keep patient information. Those requirements would not preclude providing a patient access to information, but it would mean the physician cannot just segregate the data out or forego keeping it.
Scenario 2: A patient has been seeing a mental health clinician for over a year. The clinician is a member of a private practice with a few therapists and social workers, none of whom accept insurance. The patient has been paying $175 cash, out of pocket, for each therapy session. The patient has asked for a copy of their medical records for continuity of care purposes to share with the patient’s new primary care doctor as well as to provide documentation for a disability claim. The records request is denied as the therapist cites HIPAA, claiming that denial of the request is necessary to protect the patient from harm. Consequently, the new primary care doctor is unable to see which medications have been prescribed to the patient, which may have caused severe side effects. The disability claim is also consequently denied due to lack of medical evidence supporting the disability case. The patient asks, “How can the therapist cite HIPAA if the therapist does not accept any insurance? How can I be prevented from getting my records for my continuity of care purposes that I paid for all in cash out of pocket?”
Response: As noted in the first response, not every healthcare provider is a covered entity. Under HIPAA, in addition to being a clinician who provides healthcare services, it is also necessary to engage in an electronic transaction covered by HIPAA (that usually means billing insurance). If a mental health clinician (or any other type of clinician) does not take any insurance at all, then that clinician is not subject to HIPAA. While the assessment in that regard rests upon a technicality, the technicality is an important one.
If HIPAA applies, then why would the clinician still use HIPAA as an excuse to not provide access? One option could be that the clinician and the associated practice is voluntarily choosing to follow the requirements of HIPAA. Nothing stops an individual from respecting regulatory requirements and using as a guide for operations. However, if the regulations do not apply, then the remedies available under the regulations would also not apply. In the HIPAA context, that is not necessarily troubling because individuals really do not have many options other than complaining to the organization’s privacy officer, the HHS Office for Civil Rights, or the applicable state’s Attorney General.
However, if HIPAA compliance is being pursued voluntarily, then an argument can be made for an exception or the proverbial turning of the blind eye to a requirement. Arguing for an exception can be appealing, but likely takes convincing.
The bigger remaining issue though is state law. Even though the clinician may use HIPAA as the reason for not honoring a request, state law may actually be the real basis for the complication. Before requesting any type of record, an individual would find it beneficial to review applicable state law and see what restrictions, if any, could apply. If any state law is found to be applicable, then understanding how that state law works could help provide a way of educating the clinician on what actions can be taken. A potential resource for identifying those state laws is available through the HHS Office of the National Coordinator of Health IT, which has a downloadable document that can be a place to start research.
Scenario 3: An uninsured patient is brought to the emergency room and requires an emergency surgery. The patient does not want to sign the HIPAA form because the patient knows that there is no insurance company to bill. The patient does not want their PHI used for any purposes and fears for their own and their family’s safety as the patient is part of an immigrant, non-US citizen family. The patient fears what her information could be used for and asks what “improving business operations” with respect to her PHI actually means. How do you advise the patient?
Response: A covered entity can use PHI without any notification to or consent from an individual for treatment, payment, and health care operations of the covered entity. While treatment, payment, and health care operations are all defined very broadly, use and disclosure of PHI for each term focuses on actions that help the covered entity. None of the concepts allows a covered entity to randomly share an individual’s information. While it may not be possible to fully allay fears that improving business operations is a benign use, it would not mean disclosure to law enforcement or another government enforcement agency.
Beyond business operations, a question can arise as to whether other permissible uses and disclosures would result in information about a potentially undocumented immigrant being disclosed to a law enforcement agency. The basis for the concern is the provision in the Privacy Rule allowing disclosure without a chance for objection by the individual. However, uses and disclosures to law enforcement general relate to a crime on the premises or to help with an active investigation. Merely treating an individual who may be an undocumented immigrant would not necessarily fall into any of those categories. While there are limitations around law enforcement use, it could be possible for law enforcement to obtain a warrant or subpoena, in which case the information can be obtained.
A broader question though may be whether it is even necessary to ask about the individual’s immigration status. Does information about the status impact how care is delivered or what care is needed? If the information is not obtained, then it cannot be disclosed. Unless there is some policy within the facility or imposed by state law, it may not be necessary to disclose information around immigration status.
Despite the potential limitations and lack of necessity of collecting the information, the unfortunate practical reality is that the information may be obtained and extreme harm caused, even if a violation of HIPAA rights occurs in causing that harm. Once the cat is out of the bag though, it likely cannot be put back in. The reality likely leaves an individual in a situation, but is could be possible to push back on any request for the information.
The fact that records can be created without an individual desiring that to occur is a result of competing interests and requirements. Physicians, hospitals, and other facilities, as noted to some degree above, are required to maintain records of services provided. The use of those records is then most frequently covered by HIPAA. That setup drives from a regulatory scheme focused on framing and driving actions by pretty much everyone except for the individual. Shifting control or primary focus to an individual would arguably reflect a fundamental change in the system and result in a large ripple effect across many regulatory levels. Being aware of the concerns and generating a robust discussion is a good place to start as conversation can lead to change.
As the scenarios identified above show, HIPAA comes with a lot of nuance and can take time to understand. Taking that time is very important though. A deep, thorough understanding stands to benefit everyone.