15 Sep The Dark Side of Patient Privacy and HIPAA
Post written by Susan Mazer
Patient Privacy, while both righteous and regulated, is not all wonderful in all of its forms. Indeed, there is another side to patient privacy when HIPAA becomes a barrier to the social support critical for patients and families.
Historically, privacy did not exist in our society. For the sake of survival, village leaders assumed knowledge of every member of the community. Yes, there were secrets. But that is different than self-protection for the sake of insuring proprietary handling of personal information.
So, what is this dark side of HIPAA?
Metaphorically, HIPAA is a three-foot concrete wall that separates public from private information. Inside the wall, we have all personally identifiable health records. Outside the wall, we have the external, yet intimate relationships to the patient — people who have a vested interest in the health and well-being of the patient. We also have predators who would exploit this same information and the patient.
The problem is that the wall does not know friendly from unfriendly people who want access to what is inside. So, it just keeps out everyone, sometimes even the patient. The result is unwanted isolation in the name of protection.
Patients who are seriously ill are first isolated by their condition and, second, by regulation. Isolation of a person who is ill is not helpful and can be detrimental. Yes, there are medical reasons for isolation, such as infectious disease control. But even then patients don’t necessarily have to be isolated from their families by withholding information about their condition.
Furthermore, patients need social support, or at least control over who has access to them. HIPAA says that HIPAA controls, not the patient.
The pressure on hospitals to comply with HIPAA regulations has been onerous. There has been incidents of HIPAA being used as an excuse for cutting off communication with families. NPR has reported several events when HIPAA was used as a rebuttal and defense by offending parties to prevent disclosure of information.
When my 82-year-old father was in the hospital in Detroit, I was prevented from receiving any information about his condition, regardless of the fact that my father had designated me to know this information. The justification for this was HIPAA.
The hospital staff told me that any breach of HIPAA was grounds for their immediate termination. So, out went common sense and family relationships.
In the research I did on how patients make meaning of their privacy during a hospitalization, most people I interviewed initially stated that they had no issues with privacy. However, the details of their stories brought defined concerns and experiences that say the opposite.
Here are some factors to consider:
- Their need for privacy is relative to their acuity; the higher the acuity, the more receiving care trumps privacy.
- Under all conditions, patients do not want their bodies exposed unnecessarily or to strangers.
- They are protective of other patients and take breaches of others’ privacy personally.
- They are not comfortable with being isolated.
- Verbal breaches — being overheard or overhearing any conversations — are insults.
- Noise is a breach of privacy.
HIPAA was developed to help protect sensitive health information when the information is being transmitted electronically and to hold hospitals (providers) accountable for protecting that information. Today, its impact is felt from the medical record all the way to the bedside and back.
Many tweaks, changes, and final rules have been implemented to deal with the unintended consequences of HIPAA. What has not been done, though, is ensuring that the patient-provider relationship remains compassionate and accessible.
HIPAA should be invoked only when necessary and be in line with its intent, which is not to act as a barrier to the exchange of information between clinical staff, patient, and family. It was meant to help patients, not hurt them. At this point, outcomes are inconsistent at best.
What does your organization do to balance privacy protections with patient needs?