Privacy or Safety?
Case Objectives
- Understand that the HIPAA Omnibus Rule is an enabler of data sharing, not a barrier.
- Review common misconceptions about privacy rules.
- Understand the current regulatory environment beyond HIPAA including the HITECH Act, which attempts to balance privacy and safety.
The Case
A 64-year-old man with advanced dementia was admitted after being placed on a hold for grave disability. Family members noted he had a week of worsening confusion and agitation. The patient was undergoing a diagnostic workup for his altered mental status with a plan for a brain MRI if the etiology was still unclear. The cross-covering overnight resident was following up on the studies and placed an order for a brain MRI as discussed with the primary team at signout.
In this hospital, signout occurred with a paper-based system. In order to protect patient privacy, hospital policy dictated that signout documentation includes only patients' initials rather than more identifiable information such as full names or dates of birth. In this case, the patient requiring the brain MRI had the same initials as another patient on the same unit who also happened to have severe cognitive impairment from a traumatic brain injury. The cross-covering resident mixed up the two patients and placed the MRI order in the wrong chart. Because the order for a "brain MRI to evaluate worsening cognitive function" could apply to either patient, neither the bedside nurse nor radiologist noticed the error. The following morning, the primary team caught the error and the MRI was canceled and ordered for the correct patient. The near miss led to several discussions about optimizing signout processes while also protecting patient privacy.
The Commentary
This case is a perfect, and yet disheartening, example of how badly HIPAA's privacy regulations continue to be misinterpreted. It is a cautionary tale that argues for much better education about HIPAA's provisions, which have always permitted the sharing of relevant information for purposes of treating a patient.
The History and Early Evolution of HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted as a health reform measure; one section of that law, "Administrative Simplification," was aimed at increasing efficiency in health care through the adoption of electronic standards for transactions between providers and health plans. The context of the law was important. Prior to HIPAA, the United States had no national standards for health information privacy, in contrast to other industrialized countries. Congress recognized the privacy risks inherent in digitizing claims information and mandated the adoption of privacy and security safeguards.(1) With this, Congress was partly responding to survey data, which has consistently shown that patients have concerns about the privacy and confidentiality of their medical records. Moreover, other studies have demonstrated that patients will sometimes censor themselves when they have concerns about whether the information will be used against them or shared inappropriately.(2)
At the time of HIPAA's passage, Congress gave itself 3 years to enact health privacy legislation. However, it failed to do so. This left the task to the Department of Health and Human Services (HHS), which adopted the privacy and security safeguards we now know as HIPAA in regulations. The initial privacy regulations went into effect in 2003, and the security provisions, which apply only to electronic, identifiable health information, went into effect 2 years later.(3)
Nearly all stakeholders reacted to HIPAA's privacy and security provisions with hostility. Industry was concerned the regulations would "bankrupt" or "paralyze" health care. On the other hand, prominent privacy advocates expressed concern that the regulations didn't go far enough. Some of the hostility was fueled by several myths and misunderstandings of the provisions of the regulations by health care providers and health plans.(3) To illustrate a few examples, providers interpreted HIPAA as precluding the use of sign-in sheets in waiting rooms; prohibiting the sharing with even close family members of any information about a patient; and requiring patient consent before any information could be shared, even between providers for treatment purposes.(4) In response to these myths, HHS has issued plain-English guidance, and patient and consumer advocates as well as professional associations have disseminated answers to common questions about its provisions.(5) The health care industry has now had more than a decade to digest, implement, and incorporate these rules into day-to-day operations.
This case demonstrates that misunderstanding of HIPAA's regulations persists and illustrates how such misinterpretations can have serious implications for patient care. HIPAA's Privacy Rule has always enabled the sharing of health information in order to treat a patient, without the need to first obtain the patient's consent.(6) Providers also are not required to withhold, mask, or shield information accessed or shared for treatment in order to enhance privacy, particularly when doing so could have a negative impact on patients. The requirement in the Privacy Rule to access or share only the "minimum necessary" amount of information does not apply when information is accessed internally or shared with others for the purpose of treating a patient.(7) Guidance from HHS could not be clearer on this issue.(8)
Although providers do risk substantial penalties for violations of HIPAA's regulations, the track record on enforcement by HHS Office for Civil Rights (OCR) (which oversees HIPAA's Privacy and Security Rules) demonstrates that significant penalties are generally meted out to organizations with patterns of repetitive violations. Episodic and inadvertent violations are far more likely to be treated by OCR as an opportunity to counsel and correct a provider about what the regulations require.(9)
Even though OCR can fine or counsel organizations for violating HIPAA, neither OCR nor any other entity has the authority to penalize them for over-interpreting HIPAA's regulations. Many organizations do, in fact, impose greater privacy protections than the Rules require—likely out of an abundance of caution. However, entities should not pursue privacy safeguards that could have a negative impact on patient care, and they certainly shouldn't point the finger at HIPAA as the rationale for doing so, at least not in circumstances where the regulations and accompanying guidance are clear.
While most organizations that over-interpret HIPAA are simply failing to understand the federal regulations, there are circumstances in which state and federal laws do impose more stringent privacy burdens than those required by HIPAA itself.(10) For example, in some states, a patient's consent or specific authorization may be required in order to share health information, particularly when the information being shared is considered to be particularly sensitive (e.g., mental health diagnoses, certain reproductive health information, genetic information, and substance abuse treatment information). But even in such circumstances, many state laws include an exception when information is accessed or shared among health care entities for treatment purposes.(11) Although intersecting federal and state laws on this topic can often be confusing and are a significant source of frustration, providers should still seek to avoid over-interpreting. The best strategy is to solicit clarification from available regulatory guidance or from legal counsel. Low tolerance for risk with respect to compliance with privacy laws can, as in this case, actually impose significant clinical risks on patients. The HIPAA Privacy Rule requires covered health care providers to appoint a privacy officer to help assure compliance with privacy laws and policies; this individual—often called a Chief Privacy Officer—should help providers establish responsible policies and practices that appropriately protect information and ensure its availability for treatment and other critical functions. However, even some Chief Privacy Officers, in the interest of trying to reduce risk for their organizations, are guilty of occasionally over-interpreting privacy legal requirements. Crafting workable policies and practices requires input from both the compliance office and the clinical care team.
HIPAA in the Digital Age
The federal incentives for adoption and meaningful use of certified electronic health record technology, enacted by Congress in 2009 in the Health Information Technology for Economic and Clinical Health (HITECH) Act, have greatly increased the electronic clinical data being collected and ultimately shared by health care providers.(12) Some have claimed that this digital health data ecosystem requires a rethink of HIPAA, which was enacted at a time when most clinical records were kept on paper. But HIPAA is not necessarily as behind the times as some allege. The Privacy Rule is medium-agnostic and sets rules for information on access and disclosure, regardless of whether the information is kept on paper or electronic format. The HIPAA Security Rule sets flexible safeguards that apply only to electronic health information.
While HIPAA provides the foundation of privacy and security protections for digital health information, the increased collection and digitization of health data and the need to achieve a more value-based, patient-centered, learning health care system create new opportunities for health data sharing and may impose greater risks. HIPAA's framework may need to flex and bend to meet the needs of a new health data ecosystem. Policymakers should endeavor to do more to ensure this framework continues to enable the kind of responsible health data sharing that is needed to improve patient care, population health, and the greater patient engagement.
For example, HIPAA's Privacy Rule permits the re-use of clinical data in order to internally improve health care quality and population health, without the need to first obtain patient authorization. However, the re-use of this data to contribute to generalizable knowledge—i.e., to promote a learning health care system—is considered research, and the patient's prior consent is needed unless a Privacy Board or Institutional Review Board waives this requirement based on its assessment of the risks to patient privacy. Regulatory modification or additional guidance could help open up greater re-use of clinical information for learning purposes.(13) As another example, clarification of the right of patients to receive copies of their digital health data easily, and in a format that the provider can produce and that helps the patient to better manage care, could open up the pipelines of digital communication between providers and patients. Such free flow of digital information will be needed to facilitate patients' use of digital tools that can help them manage chronic conditions, for themselves and for family members.(14)
Of course, more outreach and education to providers is needed to help assure that what happened in this case does not happen again, in any institution or provider organization. In addition, it may be possible to program electronic record software so that the signout process automates the sharing of sufficient patient information to consistently enable clinical information to be appropriately matched to the right patient. Providers should leverage advances in software to assure delivery of quality care for the patient and compliance with applicable privacy laws; those two aims should never be seen as mutually exclusive.
HIPAA's regulations were designed to accommodate most of the routine use cases involving patient data engaged in by health care providers. If a particular precaution taken in the name of "HIPAA" or "privacy" poses risks to patients, it is likely not necessary—and providers and health care delivery systems should consult with their privacy officer, seek counsel, or review guidance from HHS prior to imposing it. Key lessons to consider include:
- Review your HIPAA and state medical privacy law policies to ensure they are up-to-date and that they are not based on any myths about what those laws require.
- Train regulatory staff on privacy laws—it is a requirement of the law to do so, and it helps ensure that misinterpretations of the law do not get embedded in to day-to-day operations.
- Consider the way your electronic health record technology can be leveraged to both advance privacy and improve the quality of patient care.
Reflections and Moving Forward
Before 1996, in a pre-HIPAA world, patient privacy protection was an important goal, but there were no civil penalties or fines for breaches. There was no public reporting and minimal reputational risk. Although hospitals did their best, a lack of oversight and enforcement led to a different kind of patient harm—a lack of respect for patient privacy preferences.
From 1993 to 1996, one of us (JH) was a resident in Emergency Medicine at Harbor-UCLA Medical Center. Once during that time, a famous Hollywood personality presented with the chief complaint "I feel nauseated, worse in the morning." JH ordered a urine pregnancy test, which came back positive. At that time, there were no civil penalties or fines for inappropriate information sharing. The lab tech sold the chart to a celebrity gossip publication for 5 times his annual salary. The tech was fired immediately by the hospital but there were no other consequences.
As awareness of the need to better protect privacy evolved, emergency departments began revising workflow. On the departmental tracking "grease board," names were replaced with initials. When safety issues arose, the department returned to writing full names but provided a swinging cover over the names so that they were not visible to casual passersby. Today at Beth Israel Deaconess Medical Center, where JH is Chief Information Officer, all emergency department workflow is electronic. On iPhones, iPads, and privately viewed screens, full names are shown. On publicly viewable LCD panels, only initials are shown. Such an approach has balanced privacy and safety. Similarly, Beth Israel Deaconess surgeons used to carry signout documents as spreadsheets on USB drives. Given the risk of loss or theft of mobile devices, this system was moved to a secure, encrypted, IT-hosted approach with full patient names shown to authenticated users.
The world of health care IT, accelerated by the HITECH Act, provides us with new tools to mitigate privacy risk. There will always be a tradeoff between convenience and perfect security, but there no longer needs to be a tradeoff between privacy and safety. The HIPAA Omnibus Rule gives us guidance that helps us share data. As long as appropriate risk mitigations are taken and patients are aware of our practices and consent to some data exchanges, patient privacy preferences can be enforced with technology solutions.
There is a common misconception that HIPAA prevents or restricts data flows. HIPAA's intent is to provide a framework for appropriate data exchange. In my own experience (JH) serving as health care navigator for my parents, I've been told that HIPAA prevents the exchange of information between hospitals and patients and families. Exactly the opposite is true, HIPAA and HITECH require it. In fact, Meaningful Use Stage 2 stimulus payments are only made after a hospital or professional demonstrates the sharing of data with patients and families for at least 5% of encounters.
Simple steps can ensure best practices for protecting privacy:
- Avoid the use of patient identified paper records, which can easily be lost or misplaced.
- Ensure that electronic resources are accessible only to those with a need to know.
- Encrypt all mobile devices so that no information is compromised if the device is stolen.
- Use centrally maintained and secured systems instead of shadow systems, such as passing around a USB drive or using a public resource without appropriate business associate agreements (e.g., Dropbox).
Collaboration among clinicians, IT professionals, legal departments, and compliance staff can achieve the goal of sharing the right data with the right people in the right context. Technology, policy, and people (education) are all necessary prerequisites to prevent the kinds of harm illustrated in this case.
Take-Home Points
- Using fully patient identified records is appropriate for patient safety and can be done within the current regulatory framework by secure electronic systems.
- While there are risks for violating HIPAA, patient care can also be endangered by over-interpreting the regulations.
- Use of digital health information and data sharing are increasingly necessary for our changing health care environment; HIPAA shouldn't be viewed as a barrier to achieving those goals.
- Patients and families always have full access to any records we create.
John D. Halamka, MD, MS
Chief Information Officer, Beth Israel Deaconess Medical Center
Professor of Medicine, Harvard Medical School
Deven McGraw, JD, MPH, LLM
Partner, Manatt, Phelps & Phillips LLP
Faculty Disclosure: Dr. Halamka is on the Board of Imprivata, a publicly traded company with products that include information security software. Ms. McGraw has declared that neither she, nor any immediate member of her family, have a financial arrangement or other relationship with the manufacturers of any commercial products discussed in this continuing medical education activity. In addition, the commentary does not include information regarding investigational or off-label use of pharmaceutical products or medical devices.
References
1. Pritts JL. The Importance and Value of Protecting the Privacy of Health Information: The Roles of the HIPAA Privacy Rule and the Common Rule in Health Research. [Available at]
2. McGraw D, Dempsey JX, Harris L, Goldman J. Privacy as an enabler, not an impediment: building trust into health information exchange. Health Aff (Millwood). 2009;28:416-427. [go to PubMed]
3. Solove DJ. HIPAA turns 10: analyzing the past, present and future impact. J AHIMA. 2013;84:22-28. [Available at]
4. Beckel A, Grace S. The list: six HIPAA myths debunked. January 1, 2009. [Available at]
5. Summary of the HIPAA Privacy Rule. Washington, DC: US Department of Health and Human Services. [Available at]
6. HIPAA Administrative Simplification. Washington, DC: US Department of Health and Human Services. 42 CFR Section 164.502(a)(1) (2013). [Available at]
7. HIPAA Administrative Simplification. Washington, DC: US Department of Health and Human Services. 42 CFR Section 164.502(b)(2)(i) (2013). [Available at]
8. Minimum Necessary Requirement. Washington, DC: US Department of Health and Human Services. 45 CFR Section 164.502(b), 164.514(d) (2003). [Available at]
9. McMillan M. Five things to know about omnibus HIPAA enforcement. Government Health IT. October 28, 2013. [Available at]
10. Does the HIPAA Privacy Rule Preempt State Laws? Washington, DC: US Department of Health and Human Services. [Available at]
11. Daniel J, Posnack S. Privacy and Security Solutions for Interoperable Health Information Exchange: Report on State Medical Record Access Laws. Rockville, MD: Agency for Healthcare Research and Quality; August 2009. Contract No. 290-05-0015. [Available at]
12. Perna G. ONC: EHR adoption in hospitals has tripled since HITECH. Healthcare Informatics. March 5, 2013. [Available at]
13. McGraw D. Paving the regulatory road to the "learning health care system." Stanford Law Rev Online. 2012;64:75-81. [Available at]
14. McGraw D, Ingargiola S. Patients: the "X" factor for health information exchange. iHealthBeat. December 18, 2014. [Available at]