Fleming & Curti, P.L.C. - HIPAA Rules Not As Sweeping As Most Professionals Believe

JULY 4, 2005 VOLUME 13, NUMBER 1

HIPAA Rules Not As Sweeping As Most Professionals Believe

With its 1996 adoption of the Health Insurance Portability and Accountability Act (fondly and universally known as HIPAA), the U.S. Congress plunged the medical community and those who regularly deal with it into confusion and anxiety. Stories abound about alleged HIPAA privacy violations, and the real import of the new law is probably more apparent in how individuals and organizations have reacted to it than in what it actually provides.

But what does HIPAA say about privacy of medical records, and to whom does it apply? The actual scope of the law is more narrow than is popularly believed. It applies only to health care providers, health care clearinghouses and health care plans. In order to qualify as a "health care provider" for example, a person, business or agency must provide health care services, must engage in one or more "covered transactions," and must conduct those transactions electronically. The Centers for Medicare and Medicaid Services offers online "Covered Entity Decision Tools" to help determine whether HIPAA applies.

Assuming you (or your employer) are a "covered entity," what does HIPAA actually require? The law’s most significant restriction is to require that use or disclosure of patient information be limited to the "minimum necessary" to accomplish the purpose of the use or disclosure. Importantly, even that restriction does not apply to communications among health care providers.

Communications to non-providers are not prohibited, but should be limited to the minimum necessary to facilitate care and treatment. A physician may, for example, communicate a patient’s condition to family or caregivers to the extent necessary to improve treatment, including explanations of medications and care plans that will be administered or overseen by the non-patient. The American Medical Association has a useful list of real-world questions and answers on its "Frequently Asked Questions" page, and the Centers for Medicare and Medicaid Services website provides somewhat less practical but more detailed answers to its "Frequently Asked Questions."

Notwithstanding prevalent practices in doctor’s offices, hospitals, pharmacies and elsewhere, HIPAA does not mandate that patients be given numbers rather than using names in waiting rooms, or that staff members use only first names (we have previously written about this practice, in an October, 2004, Elder Law Issues). Similarly, it is permissible for doctor’s offices to leave messages on home answering machines confirming appointments, and to place patients’ charts on the examination room door. In these and all other activities, the health care provider should be sensitive to the importance of patient privacy and take reasonable steps to protect that privacy—but nothing in HIPAA mandates many of the changes seen in medical practices since its adoption.

HIPAA has undoubtedly had a profound effect on health care, and has generated a collection of related legal issues. For example, the use of durable powers of attorney (both for health care and for financial purposes) has been made more problematic because physicians often resist efforts to secure an evaluation of a senior's capacity to make decisions for himself or herself. Paradoxically, the power of attorney becomes most difficult to implement at precisely the time it is most needed. Inclusion of specific HIPAA language in a power of attorney can help ameliorate this difficulty, though it may not completely resolve all potential problems.

Another common HIPAA problem arises in guardianship and conservatorship proceedings. When an adult becomes incapacitated (or approaches incapacity), it may be necessary to initiate legal proceedings, and in nearly every case the court will insist on a medical evaluation. It often becomes difficult to secure a formal evaluation from a physician or other professional in the face of HIPAA privacy dictates, even when everyone involved acknowledges the need for protective proceedings. Considerable discussion may be required to persuade medical evaluators that they are permitted to share information about their patient's capacity in guardianship proceedings.

The good news about HIPAA, however, is the obvious: it has heightened awareness of and sensitivity to medical privacy issues. Although providers may be more skittish about sharing information and it may sometimes be more difficult to provide good care (medical, personal and/or legal) to the patient, the net result is a more secure and protective medical care system.