Denying Release of PHI can be a HIPAA Violation

For 20 years now, risk managers have drilled into their staffs the importance of complying with the Health Insurance Portability and Accountability Act (HIPAA) and emphasized the potential civil and criminal penalties for failing to safeguard a patient’s protected health information (PHI). But has that message been oversold? Risk managers are encountering staff members who are so afraid of violating HIPAA that they refuse some information requests just to play it safe.

What those employees don’t understand, however, is that they’re not playing it safe at all. Making “no” the response to any PHI request that seems questionable or which the employee just doesn’t understand can lead to significant liability. As strict as HIPAA is about protecting information, it also obligates the healthcare provider to release PHI in appropriate circumstances, HIPAA experts point out. Failure to do so can be just as bad as inappropriately releasing PHI, they say.

“HIPAA is a double-edged sword for risk managers,” says Elizabeth G. Litten, JD, partner and HIPAA privacy officer with the law firm of Fox Rothschild in Princeton, NJ. “You have an obligation to protect information, but you also have an obligation to disclose it.”

Risk managers should remember that, no matter how much education has been provided to staff members, they will not understand the intricacies of HIPAA compliance as well as the risk manager or compliance officer, Litten says. That limited knowledge should be taken into account when advising staff on how to handle difficult HIPAA decisions.

“With people who have a sketchy knowledge of HIPAA, their tendency is to be very conservative when patient information is involved,” Litten says. “You may think you have provided a solid education on HIPAA, but when a request comes in during a busy workday, what they remember is you telling them to protect that information and all the bad outcomes that can result if they don’t.”

Court orders and formal HIPAA authorizations are easiest to comply with and provide complete cover for the healthcare organization, notes Michael A. Moroney, JD, an attorney with the law firm of Carroll, McNulty and Kull (CMK) in Basking Ridge, NJ. Subpoenas can be trickier because they do not hold the same weight as a court order. The best course of action is for the healthcare provider to call the patient and explain that the records have been subpoenaed and ask permission to release them. If the patient consents, the provider should have him or her sign an authorization for the release. A verbal OK is not sufficient for responding to a subpoena, Moroney says.

“If the patient or representative is not available, then you go to the attorney issuing the subpoena and drill down to see how much effort they made in contacting the patient and giving him or her an opportunity to object to the subpoena,” Moroney says. “If you’re not comfortable with what you hear, you put everyone on notice that you’re not releasing the records until someone provides a HIPAA authorization.”

AN ALL-PURPOSE EXCUSE

The increase in HIPAA audits and enforcement in recent years has prompted more healthcare employees to follow the approach of “better to be safe than sorry,” says Angela Rose, MHA, RHIA, CHPS, FAHIMA, director of health information management practice excellence at the American Health Information Management Association in Chicago.

“It happens all the time, more often than not,” Rose says.

In some cases, HIPAA is used as an all-purpose justification in a disagreement, particularly involving photography, Rose notes. She cites a 2014 incident in Missouri in which a mother took a photograph of her child during an appointment with an audiologist, who objected and soon called security. The security guard cited HIPAA as the reason she was not allowed to take photographs and demanded that the mother turn over her cell phone so the photo could be deleted. When she refused, the security guard escorted her out of the hospital and told her she could not return.

“You are being trespassed for violation of HIPAA,” the guard told her, according to a recording the mother made of the incident. (For more details on the incident, along with the recording, go to http://tinyurl.com/zde34ej.)

The incident gained a good deal of attention in the media, and Mercy Hospital responded to the mother’s complaints by agreeing to educate its staff and review its policies about taking pictures on its campus. The audiologist and security guard overreacted and misinterpreted HIPAA, Litten says. Though the audiologist may have had a legitimate reason to ask not to be photographed, HIPAA did not prevent the mother from taking photos of her son during treatment.

Litten recently worked with staff members of a social services agency who wanted to report information about a violent crime to police, but they worried that reporting would be a HIPAA violation. She assured them that they could report the information, but she says the situation illustrates how employees can encounter unusual situations that do not fit neatly into any of the lessons they learned about HIPAA compliance. (See the story later in this issue for more on that situation.) Too often, the befuddled employee turns down the request for fear of violating HIPAA, she says.

One of the most common ways that HIPAA is misused involves information needed for treatment purposes, notes Nicole DiMaria, JD, a healthcare attorney with the law firm of Chiesa Shahinian and Giantomasi in Trenton, NJ. Patient consent is not needed to disclose records for treatment purposes, she notes, but it is common for a physician’s office or other facility to refuse a request to send documents to another healthcare facility. The office staff member typically cites HIPAA and says the information can’t be sent until the patient comes in and signs a form authorizing the transfer.

“That is simply not true,” she says. “As long as the staff can be reasonably certain I am who I say I am, by verifying data they have on file, they can disclose the information to the specialist based on my verbal authorization.”

Healthcare employees must understand that HIPAA includes affirmative obligations to make information accessible under the appropriate circumstances, Litten says. In addition, there are scenarios in which PHI is protected by HIPAA and the law typically would not permit the disclosure, but the situation may qualify as an exception in which the release is required, she notes. An example would be a request from law enforcement that falls under HIPAA’s exceptions for public health and safety. State laws also may apply, although HIPPA’s affirmative obligation to allow access can override a state law that would restrict the release.

MAKE AN EXPERT AVAILABLE

Hospitals and health systems should have a designated HIPAA expert whom staff members can turn to when they are not sure how to respond to an information request, Litten suggests. This resource can take pressure off the employee and help avoid the mistake of “erring on the side of caution” that many will default to when they aren’t sure about a request. Rose suggests a HIPAA hotline also could be useful.

Rose notes that a patient complaint about PHI being withheld improperly could lead the Office of Civil Rights (OCR) to visit the hospital and assess HIPAA compliance. Regardless of how the original complaint is handled, having OCR in your hospital is bound to lead to other problems. “They don’t leave with just that one problem. They’ll find something else,” Rose says. “It’s a domino effect that you don’t want to get started.”

After any incident in which staff misinterpreted HIPAA or used it as an excuse to justify their actions, Rose recommends that the risk manager should follow up directly with those involved. “I’d certainly talk to them individually, but it also would raise a red flag to make me wonder if the whole organization needs retraining,” Rose says.

Misuse and overuse of HIPAA occurs more frequently in physician practices than in hospitals, notes Catherine J. Flynn, JD, also an attorney with CMK in Basking Ridge. Hospitals and health systems have developed more robust HIPAA education programs and have stayed on top of HIPAA changes better than physician practices, she explains. Risk managers should make a point of assessing HIPAA education and compliance in physician practice groups that are acquired by the health system, Flynn says.

Fears of HIPAA penalties also can lead administrators to overreact to an apparent breach, Litten notes. Although HIPAA requires a prompt response to a breach and specific steps for notification, healthcare administrators sometimes can be too hasty to declare that a breach happened and trigger all the requirements, she says. The loss of PHI, in and of itself, does not necessarily constitute a breach, she explains. The key question is whether data was accessed by others or is at risk of being accessed.

Litten cites an example in which hospital leaders realize that paper files with PHI were improperly sent to a disposal contractor not approved for HIPAA compliance. Automatically declaring a data breach would be a mistake, she says.

“First, you can track down those boxes and retrieve them from the disposal company, get certifications that nothing was removed or viewed,” she explains. “You can go through the risk assessment outlined in HIPAA, and if you can satisfy yourself that there is a very, very low probability that the information was compromised, there is no breach. It can be counterproductive to incite a lot of panic and generate distrust of the covered entity, all because you wanted to play it safe and classify this as a breach.”

SOURCES

• Nicole DiMaria, JD, Chiesa Shahinian and Giantomasi, Trenton, NJ. Telephone: (973) 530-2111. Email: [email protected].
• Catherine J. Flynn, JD, Carroll, McNulty and Kull, Basking Ridge, NJ. Email: [email protected].
• Elizabeth G. Litten, JD, Partner and HIPAA Privacy Officer, Fox Rothschild, Princeton, NJ. Telephone: (609) 895-3320. Email: [email protected].
• Michael A. Moroney, JD, Carroll, McNulty and Kull, Basking Ridge, NJ. Email: [email protected].
• Angela Rose, MHA, RHIA, CHPS, FAHIMA, Director of Health Information Management Practice Excellence, American Health Information Management Association, Chicago. Email: [email protected].