- Interviewed 30 health service administrators and 30 frontline health care workers across New York State about their experiences with HIPAA rules and providing health information access to patients and their caregivers.
- Attended 12 HIPAA health care workforce trainings to learn how frontline workers were being taught to respond to requests for protected health information when asked for by patients and/or their caregivers.
- Attempted a review of HIPAA policy and practice documents, forms, and directives, but was unable to secure a sufficient number of documents from providers to conduct a full analysis.
- Developed sample training materials that were piloted in Buffalo, sponsored by the Healthcare Association of New York State, and in Albany, sponsored by the New York State Office of Children and Family Services.
- Presented findings at numerous conferences (e.g., AcademyHealth’s National Health Policy Conference, New York State Office of Children and Family Services annual meeting) and to a broad range of stakeholders, including administrators and health care providers at nonprofit and public hospitals, nursing homes, U.S. Government Accountability Office’s health care unit, U.S. Department of Education’s Office for Civil Rights, and U.S. Department of Health and Human Services.
The project revealed that many providers and frontline staff are misinformed and incorrectly trained about HIPAA and are operating in a climate of fear over data breaches and lawsuits. As a result, HIPAA is being misapplied to keep patients at arm’s length from their health information, rather than as a way to facilitate the sharing of information. Among Brookdale’s findings:
- The enactment of the Health Information Technology for Economic and Clinical Health Act in 2009 eclipsed HIPAA and led to HIPAA trainings being more focused on the need to protect data security. Consequently, a climate of fear over data breaches, computer hacks, lawsuits, fines, and sanctions has led many administrators and frontline workers to believe that they need to withhold access to health care information to remain HIPAA complaint.
- HIPAA implementation has narrowed to emphasize risk management, with HIPAA policies and procedures framed as a safeguard to protect the health care institution, as opposed to the need to share health information with patients and caregivers.
- Documentation brought by patients to medical appointments verifying their right to their own health information could allay provider fears of committing violations that would result in lawsuits and sanctions.
- A centralized database of health care documents (e.g., living will, health care proxy, power of attorney, designation of caretaker, HIPAA release) would allow providers and frontline staff to verify, for example, a caregiver’s right to a patient’s protected health information.
- Standardized HIPAA policy materials, based on current best-practice documents and in clear, succinct language, should be developed and streamlined.
The findings by Brookdale were illuminating, but Brookdale was unable to transform them into a publishable and actionable report. In part, there were multiple staffing changes at Brookdale and things were lost as the project was handed off from some faculty to others. Although project personnel changes do happen, these were unusually disruptive. NYSHealth tried but was not wholly successful in working with the new project director to establish clear and mutually shared expectations for analyses and to ensure that the final product informs decision-making by policymakers. Even more frequent check-ins, especially at project milestones, might have ensured alignment in expectations and any needed course corrections in real time.
The Foundation remains interested in issues related to HIPAA, especially in the context of digital health, wearable health sensors, and other technologies that involve the sharing of protected health information. The Foundation is exploring next steps, such as preparing issue briefs that build upon Brookdale’s findings or supporting a future project to implement strategies that ensure HIPAA is being applied as it was originally intended—as a consumer protection law to ease patients’ access to their health information.
Co-Funding and Additional Funds Leveraged: N/A