Misconceptions about the HIPAA laws can negatively impact patient care and waste hours of staff time. By way of reminder, The Health Insurance Portability and Accountability Act (HIPAA) was developed in 1996 and became part of the Social Security Act. The primary purpose of the HIPAA rules is to protect health care coverage for individuals who lose or change their jobs, in large part to ensure that patients can access their own medical records. I admit that I didn’t understand the importance of that until I talked to a patient from Japan who was unable to get the records of her treatment in that country because, at least when this conversation happened several years ago, in Japan, medical records were the property of the physician and he was not required to provide them to the patient.
Like most clinicians, the perils of violating HIPAA have been drilled into me. One of the reasons we all fear it so much is that the penalties for violating it, particularly under the additional regulations implemented at the advent of the electronic health information era, can add up to millions of dollars in fines. It’s totally understandable that we fear financial ruin as a result of breaching HIPAA. However, I don’t see much training about what HIPAA does NOT require. The improper interpretation of HIPAA rules can actually lead to delays in care and hurt patients. The American Medical Association has been posting a series of “Regulatory Myths” in medicine. I’ve blogged about this useful information before. One of the most recent posts is about the myth of HIPAA disclosure requirements.
Protected health information regulatory myth:
HIPAA does NOT require that health care providers obtain patient authorization to disclose protected health information (PHI) to other clinicians for treatment purposes.
Did you know that? Many years ago, my father had a stroke and I could not get the hospital at which I had privileges to send the report of his last brain MRI to the hospital where my Dad was currently hospitalized. Despite sending long distance faxes to provide all the consents demanded, I only accomplished getting the report to the treating neurologist because I was personal friends with the Chief of MRI at my hospital. I was furious – but no one would listen to my complaints that the entire process was wrong. Just last year, I called the rheumatologist treating a patient to let him know about a concern I had, and the physician’s secretary said that the doctor could not talk to me without a signed release from the patient. I said, “You are wrong, but even if you were right about the HIPAA law, the doctor can LISTEN to me all day long – I am not asking him to tell me anything – I am trying to tell HIM something about his patient!”
We dutifully get patients to sign HIPAA releases so that we can communicate with their other doctor,s even though it is not required. In fact, when I went to the doctor last week, I was asked to sign a medical release form so that the doctor I was seeing could talk to my other treating physicians. It’s stupid, it’s time consuming and it’s not even legal. Here’s the truth: Apart from psychotherapy notes – in which specific requirements apply – health care providers are not required to procure authorization or consent from patients to disclose PHI to another clinician or clinical entity for treatment purposes under HIPAA because the HIPAA Privacy Rule permits such disclosures to facilitate patient care. End of story.
Here’s the AMA’s “Debunking myths” page with links to a lot of useful information.
You can also click here to submit a myth about which you’d like clarification.