Wednesday, June 18, 2008

Fun With HIPAA

In my extensive perusing of medical blogs recently, I came across an article at The Happy Hospitalist which asked whether HIPAA applied to the deceased. This comes in the wake of health information we've received via the media about Tim Russert. It's not surprising that in the comments section, no one knew the answer to this question. In every HIPAA training session I've attended thus far, we're basically given a brochure, told to take the test, and told the page number at the back where the answers may be found. In one HIPAA session I took as an undergrad (to work as a medic on campus), we were shown a video about "Protected Health Information" but not really expected to listen, as "it's really boring." Great. In the wake of all this HIPAA misinformation, even amongst health professionals, I decided to *try* to read through the actual rules and come up with some answers.

First, I'd like to clarify that it is "HIPAA", which stands for Health Information Portability and Accountability Act. It is NOT spelled "HIPPA", which I see all the time and makes my inner spelling bee demon ANGRY.

1) Does HIPAA apply to the dead? There are layers here (it's like an onion): First, if you are getting this info because it might apply to your own healthcare, then you can get it, as HIPAA allows release of information for treatment, "even the treatment of another individual." Second, if you are the legal executor of the estate of the deceased, then you can have access to information. Third, hospitals may release records to medical examiners or funeral directors as needed.

This was very important when I worked in the ME's office, because usually what happened at the hospital before death was vitally important (ha) to the autopsy results. If the patient grabbed their chest and said "OW" before passing out, and an EEG lead showed ST elevation MI, then V fib and asystole, then when the body goes to autopsy and even a small coronary plaque is found (but minus large ischemic tissue because it was too sudden), tada, "Hypertensive Atherosclerotic Coronary Artery Disease" is your answer.

The next part of this is that autopsy results are a matter of public record. Many public medical examiners' offices websites have a formal process for request of public records. (Note that you have to know a good bit about the decedent in question; you can't just write in and say "send me reports".

2) Can I have access to my own health care information? YES. I see this all the time. Patients ask for a copy of their health care records (maybe a copy of a radiology report, or a lab value) and are told "we can't do that, it's a HIPAA violation." That's crap. Fine, make them sign the waiver, cover your bottom, but it's their information, not yours (be you the hospital or clinic, doctor or nurse).

3) If my husband is in the hospital, can they notify me? YES. I pulled this straight from the HIPAA FAQ page. They do add the caveat that if the patient is awake and can consent, or at least not object, the hospital can do this. In other words, try to tell the patient this is what you're doing, which is basically like asking them politely anyway (or should be). They then clearly state that if the patient cannot consent, the "covered entity" (health care provider) can still notify family or close friends of their "location, general condition, or death." In other words, if you call the hospital, identify yourself as family and ask where is my loved one? and how are they?, the hospital is not being truthful if they say "we can't tell you, it's a HIPAA violation." (They may have other reasons for not telling you; they might like to see ID first, to make sure you're not a reporter or someone else who doesn't need to know).

4) Can I pick up my husband's prescriptions at the pharmacy? Yes.

5) Can I see my kid's medical records? So long as your parental rights haven't been terminated, you didn't sign an agreement with the doctor to allow the records to remain confidential, or it was a situation where the kid didn't need permission to consent (like for birth control or STD testing), then yes, you may see your child's medical records. If it was an emergency, and the child received treatment before you got there, you may see the records unless the hospital/doctor decides there's a reason you shouldn't (like, the kid has a strange set of fractures with a bad story to go with it).

6) What are the consequences of violating HIPAA? In civil court, you may be fined $100 per incidence, or in criminal court, up to $50,000 and up to a year in jail, depending on how you violated it (ie, failure to provide privacy notice versus deliberately leaking public health information to the press). This, friends, is why everyone misinterprets HIPAA and why everyone is so afraid of this law. This is why you will sign a release form to receive a copy of your own medical records, or why some doctors won't fax records for fear of a HIPAA violation (by the way, that's a load of crap.)

More can be found here: HIPAA Frequent Questions.

So what does this mean about Tim Russert? I think there are several issues at play here.

First, his autopsy records are a matter of public record, and therefore available to the media.

Second, for his physician to be talking publicly about his treatment of Mr. Russert, I'd assume that family had to have given permission for him to do so. If they hadn't given him permission, and he went on Larry King, he could be prosecuted under the HIPAA laws and/or sued in civil court. His physician can reveal all the information he wants to the ME, or to the family representative, but Larry King doesn't count.

And there you have it. Funny how a law that was intended to make health information "portable" has instead hampered my own ability to see my records or my doctors to talk to each other, but I guess that's politics for you.

1 comment:

Mike said...

In general, the Privacy Rule has the same requirements for use and disclosure of PHI of
the deceased as of the living. Therefore, any uses and disclosures of a deceased person’s
PHI must follow all of the same requirements, such as for authorization and minimum
necessary.
However, there are a few situations in which the PHI of a deceased person may be
released without authorization. Health information may be needed for a variety of
purposes after an individual’s death. Covered entities are permitted to use and disclose
PHI on deceased persons to:

• A coroner or medical examiner for the purpose of identifying a deceased person,
determining a cause of death, or other duties as authorized by law.
• Funeral directors as necessary to carry out their duties with respect to the
individual. If necessary, covered entities may disclose PHI to funeral directors
prior to, and in reasonable anticipation of, the individual’s death.
• Organ procurement organizations or other entities engaged in the procurement,
banking, or transplantation of organs, eyes, or tissue for the purpose of
facilitating donation and transplantation.

Disclosures related to decedents that are required by law may not be subject to the
minimum necessary requirement. Minimum necessary does apply to disclosures related
to decedents when not required by law. Most disclosures related to decedents are subject
to the minimum necessary. All disclosures related to decedents must be tracked..

Mike
HIPAA Training