The Health Insurance Portability and Accountability Act (HIPAA) was enacted in part to protect private patient health information from disclosure to unauthorized sources. The confidentiality section of HIPAA provides severe penalties in response to most unauthorized disclosures.
However, the law provides exceptions for disclosing patient health information in certain circumstances, including "to avert serious and imminent threats to health or safety." But many health care providers are so concerned with the consequences of a HIPAA violation that they are overly cautious and refuse to disclose patient information, even when permitted by an exception.
According to a government memo describing a recent House Energy and Commerce Subcommittee on Oversight and Investigations hearing aimed at exploring "how HIPAA may interfere with patient care and public safety, either through misunderstanding, or proper application, of the law," some healthcare providers "apply HIPAA regulations overzealously" preventing family members and law enforcement from obtaining needed information.
The memo cited misunderstanding among healthcare providers about HIPAA requirements, the law's broad discretion for disclosing information, insufficient HIPAA education, and concerns about consequences due to noncompliance as reasons for overly cautious provider behavior.
The HIPAA privacy rule allows providers to share information about patients with their friends and family members involved in their care, for law enforcement purposes, and in the case of a serious threat to health or safety. Furthermore, if a patient is not present or is incapacitated, providers may discuss patient information with family and friends if professional judgment dictates that doing so is in the individual's best interest.
While providers could be penalized for an impermissible disclosure under HIPAA, there is no penalty for merely refusing to make disclosures permissible under the law. Therefore, many providers believe the best way to avoid penalties is to disclose information as conservatively as possible.
This issue was brought to light when the Department of Health and Human Services (HHS) Office of Civil Rights (OCR) sent a letter to health care providers after the Sandy Hook Elementary shootings making them aware of their ability under HIPAA to disclose information and reminding them of their ethical "duty to warn" when they believe a patient poses a serious and imminent threat to himself or others.
On the other hand, HIPAA privacy protections ensure that confidential information is not released to unauthorized individuals. This privacy protection prevents identity theft and other consequences. If patients are not reassured that their records will be kept confidential, they may refuse treatment out of fear that their records will end up in the wrong hands. This is especially a concern when it comes to mental health records.
State-specific privacy laws further complicate the situation because providers are expected to comply with their individual states' privacy laws, in addition to HIPAA. This requirement is likely to further discourage providers from disclosing protected health information.
In order to ensure that providers disclose information when appropriate, but keep it confidential when not, it is essential to re-educate providers and provide adequate guidance. While the OCR has provided guidance on this issue, it is not always easily available to providers. A physician's time is better spent researching upcoming surgeries and procedures than scouring the HHS website looking for answers on whether he can discuss a patient's care with a particular individual.
HIPAA should enhance, not detract from patient safety. If scare tactics regarding enforcement are resulting in a lack of communication regarding a patient's care, we must reconsider how we are communicating HIPAA requirements to providers.