| |||||||||||||
|
Home
|
For other articles and previous issues click here. April 19, 2004 Mountains Out of Molehills? In the long-term care and home health arenas, issues of privacy may seem more complex than they are in other settings, particularly when individuals request information about patients without the benefit of durable powers of attorney. Many healthcare providers, medical records professionals, and administrative staff who work in assisted-living facilities, nursing homes, and home healthcare are stymied by the rules laid out by the Health Insurance Portability and Accountability Act (HIPAA) to ensure the confidentiality of protected health information. Patients in these settings often rely on a variety of people to guide or control their healthcare interests. However, many friends, family members, professional caretakers, and patient advocates have no clearly defined legal role to act on behalf of the patients. Physicians and other healthcare providers need medical records to provide care, and information is needed for billing and insurance purposes. Family members may need facts about their loved ones’ conditions to make decisions or provisions, yet family dynamics and rivalries may cause other family members to attempt to block release of information to certain individuals. Caretakers may feel entitled to medical records, yet their entitlement to private information may seem questionable to facility staff. Requests for information may arrive by fax or phone, leaving some staff members uncertain of the validity of the request or the rights of the requesters. When healthcare providers, family members, and outside agencies request patient information and the facility has not made clear its policies regarding release of information and the steps it is taking to ensure patient privacy, staff members may lack the confidence to handle such a request. As a result, out of ignorance they may release records without the proper authority or out of diligence they may fail to release vital information, and by doing so compromise patient care. More often than not, suggest many in the field, staff members are erring on the side of caution—an approach that sounds judicious, but in fact may be creating more problems than it’s preventing. In their effort to comply with HIPAA’s privacy rule, individuals who control the release of information and struggle to maintain an atmosphere that respects privacy may be making the issues more complex than they need to be. Thus, confusion about HIPAA regulations may have workers going overboard in their desire to be diligent—a zeal that’s fueled by misunderstanding of the regulations. “We all agree that covered entities need to be really careful about who they release info to,” says Hilary Dalin, Medicare coordinator for the Health Assistance Partnership, Washington, D.C. “But, what we hear a lot more about is covered entities that are reluctant to release information to people who have a legal right to get that information, whether they’re family members or people who work for an advocacy organization that’s trying to help the individual.” In many cases, she observes, covered entities are taking a narrow look at the regulations and failing to see that there’s “very broad ground for giving information to good actors—the people who are trying to help individuals with their healthcare needs.” “It’s a new law, and it’s very complex,” agrees Janet Wells, director of public policy at the National Citizens’ Coalition for Nursing Home Reform. “People simply haven’t gotten enough information and don’t know what the requirements are, so they’re very nervous about it.” Given the language of the law and pressure to comply, the confusion is understandable. Tammy Woods, administrative assistant in the senior services department of Synergy Medical Education Alliance, a residency program that trains doctors, recalls the phone call she received from someone who identified himself as an agent of Adult Protective Services (APS). The caller requested the medical records of an older woman who was caught in the middle of a tug-of-war between her two contentious children. While Woods clearly understood the need for APS to have the woman’s records, what was unclear was how to verify the caller’s identity. “He didn’t come in, didn’t give me any identifying information, but just called on the telephone,” she notes. “Anyone can call on the phone, so I didn’t know who he was.” She denied his request, but he informed her that APS’s right to the information supersedes HIPAA regulations. Still, she says, how was she to know that the APS agent was whom he claimed to be? Woods says the rules and policies seem to be of little help. “We’re told that if we make a ‘good-faith effort’ we’ll be in compliance,” she says. But, it’s a phrase that’s open to interpretation. Woods, like many of her counterparts in similar circumstances across the country, is left asking, “How far do we have to investigate this to protect the patient and where do we draw the line on what information can be given?” According to Cynthia Marcotte Stamer, a partner with Epstein Becker Green Wickliff & Hall’s National Health Law Practice, “The law itself does not restrict legitimate, appropriate uses for treatment, payment, or operation purposes, and most disclosure would be for those purposes.” She says facility staff are often nervous about providing information to other healthcare providers, but facilities are never restricted from releasing information to other healthcare providers for treatment purposes—and they need not even be limited to providing only the minimum information necessary. The HIPAA statute, she notes, was not intended to stifle the free sharing of information to the extent that it would interfere with the care and treatment of the patient. When information is requested by nonhealthcare professionals, however, the picture becomes cloudy. “That’s much less defined and there’s much less latitude to disclose,” Stamer says. What is the guiding concept in such cases? “Of course, the documentation, notice, and record-keeping requirements of the privacy standards are new and important. When deciding when and how much to share information on a minimum-necessary basis, give only that which is reasonable and appropriate for caring for the patient,” Stamer says. Although facilities need to exercise judgment, she comments that little has changed with HIPAA in this regard and that state law has always provided for the same level of caution. “There is confusion among providers and others about what information they can give out and to whom,” acknowledges Cheryl Fish-Parcham, Medicaid coordinator at the Health Assistance Partnership. “The best way to get information and satisfy everyone … is when the patient signs a written authorization saying that they want you to have the information.” That authorization must conform to certain HIPAA requirements, including that it be dated. When that form exists, she says, facilities should always feel free to provide the information. There may be instances in which it’s not practical for the facility to obtain a written authorization, yet it may still release information, explains Fish-Parcham. One such instance is when a person in an assisted-living facility is given an opportunity to object to the disclosure of information. If the person doesn’t object to disclosure, the facility can give general information—the type that can be obtained in a directory—such as the patient’s location and general condition. Another instance, she says, occurs when someone other than the patient—typically a family member—is involved in paying for that patient’s healthcare or making healthcare decisions. In this case, information can always be disclosed if the patient is present and agrees to the sharing of information. However, says Fish-Parcham, if the individual is not present and the person requesting information is involved in the payment for care or in healthcare decision making for the patient, if the facility decides in their professional judgment that the disclosure is in the best interests of the patient, and if the information being requested is consistent with the stated need of the person requesting it (such as paying insurance claims), the facility is free to release the information. In addition to family members and others with a personal interest, social service agencies often find it necessary to obtain information about residents or patients in assisted living, long-term care, and home healthcare. Advocates, says Fish-Parcham, are sometimes designated under federal or state law as having the right to information. “An example would be a long-term care ombudsman, who is supposed to investigate the quality of care for people in nursing homes, and, in some states, assisted-living facilities as well,” she says. “If they have that power and if they act as oversight agencies for the state and the federal government that are enforcing people’s rights, they have free reign and access to records.” When patients are unable to speak for themselves—for example, if they’re unconscious, afflicted by dementia, or comatose—they may be represented by someone to whom they’ve given a healthcare power of attorney or another legal document that designates them as the person’s representative. “If they’ve got that legal status, they are treated as the individual would be and are allowed full access to that person’s record,” explains Fish-Parcham. “If they don’t have that kind of authority and if the patient can’t consent because of incapacity or emergency circumstances, the covered entity is allowed to use its professional judgment to determine if the person requesting information for a healthcare or payment matter is entitled to the information.” Providers are often uncertain about how to handle requests from advocacy programs and in their uncertainty may deny requests for information that is vital to the advocates’ efforts on behalf of patients. To overcome this hurdle, the Health Assistance Partnership advises the advocacy program workers to try to set up a three-way call that includes the patient and the provider holding the records. “In this situation,” says Fish-Parcham, “the individual is present, hasn’t objected to the release of information, and has made it clear that they want the requester to have the information.” Sometimes, the problem is not determining an individual’s entitlement to records, but rather verifying the identity of the requester, particularly when records are requested on the telephone or through faxes or e-mail messages. A technique used by SHIPs—state health insurance programs that counsel medicare beneficiaries—may prove helpful. According to Dalin, “The Centers for Medicare & Medicaid Services, which funds these programs, has set up a process whereby if the agency has not gotten written authorization and a three-way conversation cannot be set up, the agencies have what are called unique identifier numbers that they can use as a way of signaling to some Medicare contractors that they have the authority to get protected health information.” These numbers, she says, were distributed to key staff and volunteer counselors approximately six months ago, and the strategy seems to be working quite well. “The process makes it very clear that if a SHIPs’ staff or volunteer counselor can get written authorization, they should. And if they can’t, they should attempt to set up the three-way conversation,” says Dalin. Only when neither of these options is available can they give the unique identifier number and obtain the information. This gives peace of mind to the covered entity and ensures that the requester of information is legitimate. “It’s a limited procedure,” says Dalin, “but it does create a model for how this can be done.” Healthcare providers in these arenas often find themselves at the center of family squabbles, which further cloud the issues of privacy. In assisted living, for example, says Fish-Parcham, there might be disputes between family members about who should have decision-making authority for someone. Contentiousness over estates may spark power plays among family members in which information can be used as a weapon. “If that’s arisen within a family and there’s more than one family member that’s looking for access to information, each with competing interests, then certainly facilities should be very careful about giving information only to those who really do have legal authority or who have been designated to get the information,” Fish-Parcham cautions. The problem, she suggests, is that the repercussions of such scenarios spill over into situations where there is no inherent conflict and results in needless restriction of information. “In other circumstances where there hasn’t been this kind of dispute, the facility doesn’t need to treat other family members in the same way,” notes Fish-Parcham. “Providers are always concerned that they’ll flub up,” says Wells, “but they’re probably overly concerned. It’s more important that they form a good working relationship with the family members so that there’s a clear understanding about who in the family has the right to detailed information about the individual’s care.” In the early days of HIPAA, facilities went so overboard as to not allow flower deliveries to patients because it would disclose a patient’s location. “You couldn’t visit a relative in a nursing home during mealtime,” says Dalin, “because you might have seen someone else eating a special diet.” Nursing homes typically post residents’ names on their room doors. Some thought that under HIPAA they could no longer do so, but under the law, says Wells, there is no such prohibition. Similarly, she notes, it’s not against the regulations to page a resident’s name over the intercom. “They can’t call out their health information, but they can call their names,” Wells says. Sometimes in Alzheimer’s wings, staff and family will display pictures of the residents in their youth, another activity that’s often misunderstood but that is not outlawed by HIPAA. While some of these consequences of overzealous attempts to enforce what are believed to be HIPAA rules might seem trivial, other repercussions can be life-altering. To illustrate the dangers of restricting information for fear of overstepping boundaries believed to be defined by HIPAA, Fish-Parcham recalls the case of a Medicare counseling program that was trying to represent a hospitalized patient who needed benefits to pay for her home care. There was a dispute about whether or not she was entitled to those benefits, and the hospital was reluctant to disclose the medical records that were needed to advocate on the person’s behalf. The woman, who was blind and unable to communicate her own health information, wanted the hospital to disclose the information, but the hospital denied the request, claiming that the counseling program was not entitled to the records and didn’t have decision-making authority unless it had a power of attorney. That, however, says Fish-Parcham, represents a misunderstanding of HIPAA regulations. “The rules say that if there’s a written authorization—and there was in this case—the facility can disclose the information,” she says. In some cases, HIPAA rules may be used—or may be perceived to be used—as a shield to avoid contention and an excuse not to provide information. “Some nursing homes have been reluctant to work with families in the past and may have seen HIPAA as an excuse not to,” says Wells. And, when in doubt, facilities often trot out HIPAA as rationale for saying no. Wells points to cases in which nursing home family council members represent residents who are not members of their own families because those residents don’t have a family member to look after their interests. When complaints arise about the care these residents are receiving, she indicates, “the director of nursing or the administrator will say, ‘Under HIPAA, you don’t have a right to deal with any health-related problem of that individual.’” Wells recalls being told of a nursing home in which the nursing assistants were instructed that they could no longer talk to families about their loved ones. This fear, she suggests, compromises care by restricting important information. “We always encourage families to talk to the nursing assistants about what’s going on with the residents because they work with them most closely, usually more than anyone else in the nursing home,” she says. The solutions, agree experts and those trapped in the HIPAA conundrum, are information, education, and training. “It’s important for both providers and consumers to have information so that they understand what the law does,” Wells concludes. Equally important is that they understand what the law does not do. “It doesn’t make these radical changes in the way that nursing homes and residents and their families communicate with each other,” she says. “The law requires covered entities to have written policies and procedures and to train on those,” says Stamer. State law governs many of the thorny areas; for example, it sets the criteria for determining who can claim to be a personal representative for a patient or resident. “So, what people really need to do is write down the standards and procedures and stay tuned. As the laws develop, it would be wise to revise those standards and provide notice for patients and staff,” advises Stamer. According to Carol Ann Quinsey, RHIA, CHPS, professional practice manager, American Health Information Management Association, colleagues that specialize in long-term care and nonhospital or clinic venues tell her that people are afraid, but HIPAA isn’t the big bogeyman that people think it is. They’re quick to point out, however, that even if mountains are being made out of molehills, “it doesn’t absolve people of the responsibility to be careful.” The best advice might be to slow down, take a deep breath, and consider all angles of the situation. “The problem is that people often don’t use good judgment,” says Stamer. “They just start blabbing and then they get in trouble. As long as you do what you’ve always been ethically obligated to do, which is to communicate about patient private information judiciously and have a clear understanding about why you’re doing it and what the justification is—which has always been the ethical obligation of the healthcare provider and always been good risk management for anybody talking about invasion of privacy—you’ll probably be OK.” — Kate Jackson is a staff writer at For the Record. Resources American Health Care Association Centers for Disease Control and Prevention Privacy Rule
Guidelines Centers for Medicare & Medicaid Services Health Assistance Partnership, Privacy Regulations Q &
A Health Privacy Project HIPAA’s Privacy Rule National Citizens’ Coalition for Nursing Home Reform
Office for Civil Rights, Health and Human Services, HIPAA
Guidelines |
 |
|
3801 Schuylkill Rd • Spring City, PA 19475 Publishers of For the Record All rights reserved. |