Practical HIPAA basics for Patients and their Families

My daughter was rushed to the ER one evening and I joined her. She was 18, maybe 19. They took her to do an ultrasound and I started walking with the bed. The employees stopped me and said I could not accompany her, she was an adult. She looked at them and said "I want her with me." And they replied that HIPAA would not permit me to accompany her. I explained that I could take the time to educate them as to why that statement was not true and would be happy to educate their supervisors if they also held the same mistaken beliefs, but given my daughter's emergency - if she was okay with going alone, I would not object at this time. My daughter agreed and off they went. I complained the next day.

I have another daughter who was having x-rays done as an outpatient and was also told I could not accompany her due to HIPAA. She was actually a minor. I was prepared in a non-emergent situation with a minor to object, but this daughter was actually quite happy for me not to accompany her - she was 15. Very independent. 

In one case, my mother was in the hospital following surgery and the nurses were giving her a hard time about her lack of following their instructions....and my mom is a nurse. She wasn't following the instructions, because the nurses were only taking into account the immediate situation and not the full history - which was clearly in the record. I called to inform them. Upon the nurse haughtily telling me she could not speak to me about my mother due to HIPAA, my response was that first, HIPAA would not stop her and second, I am not asking her for information, merely providing information to her. She need only listen - not speak. (Yeah, I can be a bit of a prat, but while firm, I was also very polite in all situations described above). 

I have heard HIPAA used as an excuse for so many things - doctors cannot talk to a family, nurses cannot listen to information from families, companies cannot respond to patients directly, etc. ad nauseum. 

So in this post, let me share a few things about HIPAA with you. (HIPAA is the Health Insurance Portability and Accountability Act of 1996, including all its subsequent amendments under the Affordable Care Act and implementing regulations that were effective in 2013 with the HIPAA Omnibus Rule). HIPAA has never been intended to interfere with medical care and in fact, to share patient information for treatment between health care providers, a patient authorization is not required. 

But to help address the situations above, 1) when a person verbally states that they want someone with them, that is patient authorization. And patient authorization is all that is required in HIPAA in order for a health care provider to share information - it does not need to be in writing, especially when the patient, the person, and the provider are standing there together. So when my daughter said she wanted me with her - that was sufficient. And yes, the hospital privacy officer agreed with me and sent us written apologies stating he would ensure that all staff were appropriate educated on that factor. It did not matter that we were related or that she was an adult and I her mother - what mattered was she gave permission. 

This leads into the situation with my other daughter. As a minor, she is not legally capable of providing legal consent, therefore, the parent was the appropriate person to grant consent. Perhaps at 15, her assent is desired or even required under certain state laws for medical treatment, but if an authorization to share medical information was required in writing, the parent or guardian would have to sign for it to be legal (foregoing any discussion here of emancipation and exceptions). Thus, as her parent, it was my right to give myself access to her information and accompany her to testing. 

Let's take that one step further. Perhaps the medical technician in either situation intended to protect the privacy of other patients. So? HIPAA provides for incidental disclosures, which covers situations in which patients are in close proximity and it is near impossible to maintain strict confidentiality. One should take reasonable precautions, but there is nothing illegal about an emergency room that has curtains instead of walls or stage all patients waiting on surgery in the same waiting area. That's not a valid enough reason to override a scared person's need to have their support person with them.

Last, my mother. Believe it or not, providers can share patient information with people the provider feels/knows is involved in the patient's care and wellbeing. Thus, knowing I was the daughter, the choice could have been made legally to provide me with information about my mother. True, this scenario can get complicated and ugly quickly - how could they verify who I am, or whether my mother and I were close, or any number of other variables. And so, it is logical that an entity would not permit employees to make this decision - but there are other ways to handle it. One could check with the patient, ask the doctor, or have an escalation process to find a potential solution rather than shutting out what may have been the only person in the patient's life (not the case here, but the nurse might not have known that). 

I hope this helps you with some basic misunderstandings about HIPAA. Please do not assume that your providers, health care employees, or even all privacy officers understand this - and by no means do I claim to know everything about HIPAA. Few take the time to fully understand all of HIPAA and sometimes a simple straightforward policy by the entity is much easier to train and enforce than are policies that enable HIPAA to be followed in full. And sometimes state law is more strict (I do not know of any, but they could exist). 

One final point, pl ease note that HIPAA is spelled with two As and NOT two Ps, e.g. HIPPA. If you are a consultant or vendor trying to get my business, you at least need to spell it right.