Why HIPAA is healthcare’s favorite scapegoat for info blocking
Stop me if you’ve heard either of these or some other variation before: I can’t tell you anything about that patient because of HIPAA or I can’t give you a copy of your medical records because of HIPAA or HIPAA doesn’t let me say anything.
Throwing up HIPAA as an excuse to prevent the free and usually justified flow of medical information is all too common place in healthcare. These issues have been top of mind because of a recent back-and-forth I had recently on Twitter that included a combination of providers, lawyers, patients and other individuals.
The common thread throughout the discussion was that HIPAA is used a barrier with an alarming degree of frequency. The means by which HIPAA is raised as a barrier may vary, but the underlying premise is always the same: a requested action cannot occur because HIPAA privacy or security requirements allegedly prohibit the desired action.
A fundamental question is why HIPAA is so frequently used as an excuse. Is misunderstanding or a lack of understanding of HIPAA so widespread? Is the use of HIPAA as an excuse a sign of laziness or not caring about individual rights? Does too much fear exist surrounding the fallout from a potential violation? The exact question and answer will likely never be known, because it is unlikely that anyone will admit the true reasons. However, it is also unnecessary to know the question or answer.
The mere fact that the issue exists should be the impetus to drive for change. HIPAA, when properly understood, facilitates many of the outcomes that it is used to prevent. HIPAA does contain myriad privacy and security requirements, but those requirements enable common sense usage and are not intended to prevent the delivery or coordination of care, as is so often asserted.
One step in removing HIPAA as an excuse is for the impacted parties to be fully aware of what HIPAA does and what it allows. Having a working knowledge of HIPAA promotes the ability to call out a party or individual when they try to use HIPAA in the wrong way. Such knowledge is both a means of self-help and promoting awareness. If erring parties are not taking appropriate steps to become educated or misinterpret a requirement, then the correct information can be presented to them. The fact that conversations identifying and diving into these issues are occurring on social media and elsewhere is a positive sign.
It is acknowledged that shining a bright light on the misconceptions surrounding HIPAA is not a cure-all approach. In fact, even when organizations or individuals are presented with the right and required path to take, resistance can be expected.
That leads into another step, which is to continue making educational and informational materials available. If correct and accurate information about HIPAA becomes readily available and hard to miss, the opportunities to access such information and materials also increase. The more chances there are to drink from the fountain of knowledge, hopefully the more individuals will actually do so. The other old axiom that applies is this—you can lead a horse to water, but you can’t force the horse to drink, but there is always the chance that optimism will prevail.
The Office for Civil Rights and Office for the National Coordinator of Health Information Technology are walking the educational walk. The past few years have seen a relative explosion in the production of resources and tools, which are intended to remedy misconceptions and ensure a well-rounded understanding. The resources discuss how HIPAA applies to newer technologies or realities, while staying true to truths that have existed since HIPAA was first enacted. The resources are not spreading new information, but speaking to certain HIPAA basics.
The frustration over non-compliance can be seen in publicly announced enforcement actions. Many of those settlements find pervasive and fundamental non-compliance issues. However, the settlements also do not address so-called “smaller” issues, such as breaches impacting fewer than 500 individuals or failures to grant access. Those problems are often addressed outside the public eye.
With all of these issues, maybe the time is ripe for a grassroots movement to dispel many of the myths surrounding HIPAA and its perceived role as a barrier in healthcare. Many platforms exist to promote such a movement, none with more potential power than social media. Social media enables the quick and widespread dissemination of information, calling out of bad actors, and offering a means of pushing for a response.
The question here is whether enough of a public issue exists, though that can arguably be driven by putting the issue out. Regardless, if more people create resources that can address HIPAA questions and show how it is misstated, then the excuse will hopefully become harder to use.
For the time being, the scapegoat will remain. It can only be hoped that this unfortunate reality will change soon. In the meantime, continue spreading the message as to how HIPAA really operates.