A Conversation About HIPAA: A 20th Anniversary Reassessment

On November 7, 2016, NYHealth hosted a conversation with Linda Colon, Regional Manager, Office for Civil Rights, U.S. Department of Health and Human Services; Raquel Malina Romanick, Staff Attorney, Brookdale Center for Healthy Aging at Hunter College; and Christine Bechtel, Consumer Advocate and Co-founder of GetMyHealthData about the Health Insurance Portability and Accountability Act (HIPAA). The speakers discussed efforts to break down misunderstandings about the law and ensure patients and their families have access to the information they need to optimize their health.

2016 marks the 20th anniversary of HIPAA, which was designed to ease access to health information for patients and their network of caregivers, as well as to protect them from inappropriate disclosure of records. HIPAA also permits health care providers to share a patient’s health information and status with the patient’s spouse, family members, or other people identified by the patient, as long as the patient does not object.

However, misunderstanding and misapplication of the law and its requirements often have the opposite effect, making it more difficult for patients to access information they need to be fully engaged in their health and care and for caregivers to aid patients in need. For example, an out-of-state daughter frantically trying to give a hospital information about her memory-impaired mother, or a concerned neighbor attempting to find her missing friend in a hospital—both were barred by the hospitals mistakenly invoking HIPAA.

Too often, HIPAA has been used to deny information, even when the right to access is legitimate such as patient requests for medical records. Denial of health information was one of the top consumer complaints to the U.S. Department of Health and Human Services’ Office for Civil Rights from 2004 to 2014.

Misconceptions about HIPAA came to the fore in the aftermath of the Orlando nightclub shooting tragedy in June 2016, when families of the victims arrived at the hospital and were wrongly told that information about their loved ones’ conditions could not be shared because of HIPAA.

At this panel discussion, Ms. Romanick spoke about the work that Brookdale Center for Healthy Aging is doing to understand the problems with HIPAA and health information access and the sources of misinformation among health care providers, especially HIPAA trainers. With NYHealth funding, it is also talking with providers to learn about where the roadblocks exist and the institutional concerns that may lead to wrongful gatekeeping of information, as well as developing possible solutions for how to fix the problem.

In early 2016 the U.S. Department of Health and Human Services’ Office for Civil Rights issued guidance to clarify access to health information under HIPAA. Ms. Colon discussed the complaints that drove this effort to reinforce patient rights. She also spoke about some of the most common HIPAA myths and violations by providers denying access that she observes in the patient complaint data. Ms. Colon emphasized that providers must shift their mindset from a culture of denial to a culture of access.

Ms. Bechtel observed that having policies on the books is not enough, and shared stories of patients struggling to get their health records. She described the widespread sense that “data are for doctors” and that doctors would not be expected to give good care without data. Why should we then expect patients to optimize their health without their own data? She offered some simple, practical solutions that providers can adopt to address these issues, such as shadowing a patient who is seeking health records to understand where the obstacles are in their own institutions.

Questions and comments from the audience highlighted the continued confusion among providers in determining how to share patient records. Ms. Colon reminded them that they must share, if requested, the entire patient file, including records in the file sent from prior providers, records from all prior years, and whether or not the patient has paid their final bill. One event attendee suggested that hospitals change the title of their chief privacy officers to patient information officers.

In closing, the panelists reiterated that much work remains to get this information into the hands of patients and providers so that HIPAA is a tool that benefits everyone.