The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was meant in part to help maintain the privacy and security of medical records that contain Protected Health Information (PHI). HIPAA grew out of the understanding being that when large amounts of PHI move into electronic formats, the risks of large-scale data breaches increase significantly.
An issue with HIPAA is that it was so broadly written, and often narrowly interpreted. With that, its implementation has led to many cases of unintended consequences.
One example is the ubiquitous patient status board. These boards have long played an important role in coordinating and communicating about patient care in hospitals. In busy wards, the status board often serves as the central access point for operational and patient-related information. Status boards have transitioned from dry-erase whiteboards to real-time electronic boards. Irrespective of the type of board, HIPAA mandates that the information on the board, which long included the patients' names and other medical data, can no longer include that in the public view.
The narrow, yet definitively accepted HIPAA interpretation means that the regulation does not delineate between a 50GB PHI database, and a localized white-board with 15 names on it.
Strictly speaking, status boards can contain PHI in the limited situation where only those involved with the listed patients’ PHI have a need to see it for Treatment, Payment and Health Care Operations (TPO). So, during an active meeting, putting names on a white board is OK, or if the room is restricted to only those who provide TPO activities for the listed patients. Otherwise, patient PHI should not be on white boards.
The HIPAA privacy and security requirements prohibit displaying patients’ names in public via these status boards. Patients though can sign a waiver allowing their names to be displayed on the status board. But for most institutions, HIPAA has made use of status boards much harder.
Another issue is when it comes to mental health and substance-abuses issues; HIPAA has placed significant constraints on healthcare providers. Medical staff often cannot proactively reach out to family members because HIPAA patient privacy rules prevents them from telling family members about mental health issues and addiction issues if the patient is a legal adult, without their express consent.
It should be noted though that the HIPAA final rule in section 45 C.F.R. § 164.502, allows healthcare providers to disclose protected health information for treatment purposes without patient consent in some limited cases.
HIPAA also stymies a physician’s ability to reply to negative online reviews and social media interactions. Sites such as vitals.com, healthgrades.com, RateMDs.com and countless others exist where patients (and trolls) can post a review of a physician. Yelp has reviews for restaurants, and also reviews for doctors in all major cities.
A similar situation arises with teachers, as the Family Educational Rights and Privacy Act (FERPA) also limits how teachers can reply to teacher rating sites.
While restaurants often reply to negative reviews, physicians who attempt a direct reply to a patient’s social media posting may be in violation of HIPAA.
The cruel reality is that a patient can post just about anything they want about a physician. But that same physician may be violating HIPAA if they reply to their patient via social media.
It is also important to note that just because a patient blogs about their condition or tweets about their medical status; in no way does that mean they are waiving their HIPAA rights.
[ ALSO ON CSO: Cyberattacks will compromise 1-in-3 healthcare records next year ]
As to the quality of these reviews, Niam Yaraghi, a fellow at The Brookings Institution, writes that patients are often neither qualified nor capable of evaluating the quality of the medical services that they receive. How can a patient, with no medical expertise, know that the treatment option that they received was the best available one? How can a patient's family whose relative died know that physician had provided their loved one with the best possible medical care? If patients are not qualified to make medical decisions and rely on physicians' medical expertise to make such decisions, then how can they evaluate the quality of such decisions and know that their doctor's decision was the best possible one?
In the next blog post, I’ll conclude with some action items, in addition to sage advice from Rebecca Herold.
This article is published as part of the IDG Contributor Network. Want to Join?