HIPAA Insanity
Abstract
Thanks to an article in The New York Times on the HIPAA Privacy Rule, I favor a new definition of “insanity.” I used to think of insanity as repeating the same behavior and expecting a different outcome. It is a timeless and classic definition but lacks the medical relevance and topical urgency of my new favorite definition in the electronic age. It is brought to us by The New York Times’ article posted on August 9, 2014, entitled “Baby Pictures at the Doctor’s? Cute, Sure, but Illegal.” Insanity can now be defined as applying an ethically grounded federal regulation in a way that leaves well-intentioned clinicians unable to experience an essential joy of their profession. What is insane about this article is its complete and utter mangling of both the intent and the actual language of the rules regarding medical record privacy that we all have come to know as HIPAA. The fatal flaw in the argument put forward by the author and the “authorities” that she cites is the notion that any information whatsoever given to a doctor by someone who is or has been a patient is covered under the rules that we call HIPAA.
The practice of parents sending in pictures of their children for posting on the walls of their obstetrician’s or pediatrician’s offices is a proud and joyous one, which was neither intended to be infringed upon, nor actually, legally, infringed upon by the adoption of the HIPAA privacy regulations. The reason for this legal conclusion is threefold. First, a photograph taken by a parent outside the context of medical treatment is by definition not health information. It is both axiomatic and obvious that anything which is not health information cannot be protected health information. Second, even if the photograph is of a patient, if the photograph is not identifiable as that of a particular patient, as is typically the case with baby pictures, it is not individually identifiable. The HIPAA regulations contain extensive descriptions of permissible de-identified pieces of protected health information. However, the regulations are clear that the information, in this case a photograph, has to be protected health information in the first place in order to necessitate de-identification and conformance with HIPAA standards. The third and most important reason that this practice is not prohibited by the HIPAA regulations concerns whether that photograph might be health information in a different context that has no relation to medical treatment. If that is the case, then it is certainly not the health information of that clinician. Patients have an unrestricted right to do whatever they want with their health information, including posting it to the internet, or even on a highway billboard, if they want.
In certain situations, information supplied by a patient can become protected health information when it is received by a clinician for clinical purposes and incorporated into the patient’s medical record. When that information is supplied for the purpose of, and used for the purpose of, diagnosing, treating or preventing illness in the individual concerning whom the doctor has received the information, it becomes protected. For example, if the picture was supplied by a parent, but maintained by the doctor for the purpose of monitoring the progression of a skin disease, that would constitute conversion of the document to protected health information. But if a patient, perhaps one with a longstanding relationship with his or her doctor, were to supply a recommendation for an Italian restaurant, that information would never become protected health information simply because it is not health information. The same can be said of baby pictures offered for public posting by glowing new parents.
There are some notable exceptions to the general rule for information that can be considered protected health information. An important example, one which directly relates to the initial hysteria over posting patients’ names outside their doors, is the case in which identifying a particular patient together with a physician’s specialty necessarily reveals the patient’s diagnosis. For example, if a patient is admitted to the hospital on a general medical-surgical floor, it is common practice for that patient’s name to be posted on the door, in order for clinicians to properly identify which patient is intended to receive which treatment. That is not a HIPAA violation. But if that patient were to be admitted to a surgical floor specifically designated for treatment of patients with HIV, then posting that patient’s name would disclose the patient’s HIV diagnosis. While it is not specifically addressed in the HIPAA privacy regulations, posting the names of individuals, particularly those with distinctive names or those residing in a small town with very limited choice of health care institutions, might constitute a HIPAA violation. It is therefore an appropriate exercise of medical judgment by clinicians treating HIV patients not to post patient names in a publicly visible location specifically designated for treatment of individuals with that diagnosis.
The concern that drove Congress to first propose the adoption of a medical record privacy rule has been characterized as a conversation between a doctor and the CEO of a medical device supply company on the proverbial golf course. As the story goes, the CEO says to his physician friend, “Boy do I waste money on all the advertising I do for my business. I would really like to be able to get my hands on a list of patients who have diabetes so I don’t have to advertise in the newspaper to thousands of people who will never be customers for my diabetic testing supply business because they don’t have diabetes. But where could I find such a list?” The physician responds, “Oh, I have lists of patients of mine who are diabetic and I can’t see any reason in the world why I shouldn’t be able to give them to you.”
The obvious sequela of such golf course dialogue is the creation of a booming market for such lists. In fact, the practice of sharing patient information for commercial marketing purposes is well established and for a time was considered an entirely legitimate and beneficial form of medical commerce. With the adoption of the HIPAA privacy regulations those practices became unlawful, and doctors became well informed of their obligation to maintain the privacy of patient medical information, referred to under the HIPAA regulations as Protected Health Information (PHI), absent the explicit written consent and authorization of the patient to the release of that PHI for specific and appropriate purposes. The insanity that is the purported or alleged prohibition on posting photographs of babies born to particular obstetrical practices arises from the same lack of common sense and regulatory insight that produced the early restriction on putting the name of a patient on the door to his or her hospital room.
An interesting case that falls along the middle of the spectrum of permissible and impermissible identification of patients and their conditions arises when patients are admitted for treatment at hospitals that specialize in the treatment of one broad category of disease. The paradigm example of this phenomenon is of course the prevalence of hospitals that are dedicated solely to the treatment of cancer. It is worth noting that at most, if not all, specialized cancer treatment hospitals, patients’ names are posted on the door to enable clinicians to identify the appropriate individual to receive a particular treatment. The distinction between the appropriateness of name posting for cancer patients and the appropriateness of name posting for HIV patients derives from the social stigma attached to one diagnosis versus the other. The point that this distinction illustrates is that HIPAA and its privacy regulations, as specific and detailed as they are, cannot provide clear guidance as to how they should be implemented in each and every clinical situation. However, it is clear that HIPAA is only intended to provide protection of patients’ privacy with regard to protected health information, which must always be actual health information. In the context of the preceding HIPAA evaluation, baby pictures sent to show a physician their happy thriving patients are fine.