- Interviewed 30 health service administrators and 30 frontline health care workers across New York State about their experiences with HIPAA rules and providing health information access to patients and their caregivers.
- Attended 12 HIPAA health care workforce trainings to learn how frontline workers were being taught to respond to requests for protected health information when asked for by patients and/or their caregivers.
- Attempted a review of HIPAA policy and practice documents, forms, and directives, but was unable to secure a sufficient number of documents from providers to conduct a full analysis.
- Produced a final report, with key findings on factors that facilitate or impede patient and caregiver access to protected health information.
- Developed sample training materials that were piloted in Buffalo, sponsored by the Healthcare Association of New York State, and in Albany, sponsored by the New York State Office of Children and Family Services.
- Presented findings at numerous conferences (e.g., AcademyHealth’s National Health Policy Conference, New York State Office of Children and Family Services annual meeting) and to a broad range of stakeholders, including administrators and health care providers at nonprofit and public hospitals, nursing homes, U.S. Government Accountability Office’s health care unit, U.S. Department of Education’s Office for Civil Rights, and U.S. Department of Health and Human Services.
The project provided an in-depth understanding of how providers and frontline staff are being misinformed and incorrectly trained about HIPAA and are operating in a climate of fear over data breaches and lawsuits. As a result, HIPAA is being misapplied to keep patients at arm’s length from their health information, rather than as a way to facilitate the sharing of information.
Brookdale’s final report highlighted factors that impede and facilitate appropriate implementation of HIPAA. Among the findings:
- The enactment of the Health Information Technology for Economic and Clinical Health Act in 2009 eclipsed HIPAA and led to HIPAA trainings being more focused on the need to protect data security. Consequently, a climate of fear over data breaches, computer hacks, lawsuits, fines, and sanctions has led many administrators and frontline workers to believe that they need to withhold access to health care information to remain HIPAA complaint.
- HIPAA implementation has narrowed to emphasize risk management, with HIPAA policies and procedures framed as a safeguard to protect the health care institution, as opposed to the need to share health information with patients and caregivers.
- Documentation brought by patients to medical appointments verifying their right to their own health information could allay provider fears of committing violations that would result in lawsuits and sanctions.
- A centralized database of health care documents (e.g., living will, health care proxy, power of attorney, designation of caretaker, HIPAA release) would allow providers and frontline staff to verify, for example, a caregiver’s right to a patient’s protected health information.
- Standardized HIPAA policy materials, based on current best-practice documents and in clear, succinct language, should be developed and streamlined.
Although Brookdale’s final report did contain robust information, transforming it into a report for public release would have required additional investments of time and funds, of which NYSHealth and Brookdale could not further commit.
Nevertheless, the Foundation remains interested in this topic, especially in the context of digital health, wearable health sensors, and other technologies that involve the sharing of protected health information. The Foundation is exploring next steps, such as preparing issue briefs that build upon Brookdale’s findings or supporting a future project to implement strategies that ensure HIPAA is being applied as it was originally intended—as a consumer protection law to ease patient access to their health information.
Co-Funding and Additional Funds Leveraged: N/A