HIPAA -- Part II: The Big Print and the Little Print
Course Authors: Ilise L. Feitshans, J.D., Sc.M.
Release Date: 05/13/2003
Learning Objectives
Upon completion of this Cyberounds®, you should be able to:
 
It is fair to ask whether there will be any confidentiality at all after the newly mandated HIPAA rules. In truth, the answer will differ depending on how medical provider systems implement the HIPAA provisions internally. At this moment in time, no one knows. Confidentiality will be determined by practice as the regulations are implemented, not by the regulations themselves. Why? In the 1940s there was a play on Broadway about a simple country woman who was a sharpshooter by profession. By the end of the first act, she is given a contract to join Buffalo Bill's Wild West Show. She likes the work and dislikes her contract, and she says of it, profoundly, words to the effect of: "It's the big print that gives it to you and the little print that takes it away." In HIPAA there is nice big print: the law protects confidentiality. Then comes the little print -- a flexible list of exceptions that fit two very broad categories. The first category is the "minimum necessary" that one needs to know to perform treatment, billing or patient care (doesn't the nurse need to know who is to get that prescription? Doesn't the insurer need to know who created the billable event and whether the patient requires further treatment? Doesn't the government need to know that person's name for follow-up of certain types of research, for public health reasons, for investigative reasons, or in cases of national emergency or criminal acts? And what of a patient who falls sick suddenly and must have decisions made by an authorized representative or other third party?). The second category is that patients can waive their rights if they so desire. They have a bundle of rights that are listed in at least five different categories:
Authorizations and Waivers

The regulations allow for a HIPAA Authorization -- a specific type of permission given by the individual patient that enables providers to use and/or disclose protected health information about the individual. The requirements of a valid authorization are defined in the HIPAA regulations. These rights can be waived in whole or in part and given to some people and not others: family members, friends, authorized representatives. Patients have the right to pick and choose the recipient of information for different purposes. Suddenly, there is a whole crowded room full of people in this second category. Now the question for practice will emerge: since there is a penalty for unauthorized disclosure, and since patients have the right to waive confidentiality so that information can be disclosed with impunity, won't smart practitioners and providers require that patients sign a waiver before they administer health care? If that happens once or twice, in exceptional circumstances, it will not be a problem. But if the requirement to sign a waiver happens routinely, what becomes of the right to privacy and confidentiality that the regulators worked so hard to protect? Consequently, if a covered entity or the system as a whole consistently requires complete waivers, there will be no confidentiality. If a covered entity generates documents and keeps track of them, there may be some confidentiality left to patients. There is another problem: the confidentiality tends to extend from the patient to people they know, and not to strangers embedded within the health care system. The receptionist can know the reason for treatment, but possibly not the wife, mom, sister, daughter, father, son or live-in lover standing next to the patient in the waiting room, extending a hand for moral support during treatment. HIPAA makes no effort to resolve this. In fact, the right not to waive such confidentiality is an important cornerstone of the regulations.
Privacy Security Requirements are designed to balance the need to have access to information against the many interactions that may surround a patient's care and thereby inadvertently compromise a patient's medical privacy, but they do not broach the needs of family members to have information for a patient's care without that patient's consent.

Working With HIPAA: Hypothetical Scenarios

Medical Scenario #1

The patient's chart, with name clearly displayed, is attached to the outside door of the examining room for passersby to notice. Under HIPAA, it is now a violation of the regulations for the chart to be displayed with information so visible, but there exists a category of "minimum necessary" medical information that can be displayed without identifiers. Even though covered entities may use PHI for the purposes of treatment, payment and health care operations (TPO) without any special permission from a patient, it would be difficult to explain why such information should be readily available to the general public in a visible location.

Medical Scenario #2

Patient X, waiting at the front desk to reschedule an appointment or pay a bill, overhears a secretary making an appointment for patient Y, a friend of X. X later tells Y about it, and Y's husband, an attorney, files a privacy complaint. This resonates like an old joke among lawyers who worked in privacy: "Oh, Mr. XYZ. Are you the Mr. XYZ with VD or the Mr. XYZ scheduled with complaints of impotence?" says the secretary scheduling appointments for Tuesday. HIPAA will cause facilities to think twice about how their staff handle information. This also explains the rush to get so many people HIPAA training. These are not necessary disclosures and should be routinely prevented so that privacy remains protected; in the past this was also true, but only as a matter of courtesy, not law.
Even though covered entities may use PHI for the purposes of treatment, payment and health care operations (TPO) without any special permission from a patient, it would undo all the work of the regulations if there were no sensible division between the general public and the TPO contact with the patient. Since this problem pervades every patient contact for every appointment, it would be hard to argue that the circumstances were unusual or unique, and therefore the covered entity would be expected to have developed some method for handling such PHI without breaching medical privacy. Nor would it be unreasonable for a covered entity to be compelled to demonstrate the steps it has taken to institute such safeguards, even if there had been no complaints by any patients against the provider.

Medical Scenario #3

Unaware that a couple are in the midst of a divorce proceeding, a doctor answers questions from a spouse on the telephone about a patient's health, and the information finds its way into the negotiations for maintenance and child support. The patient sues the doctor's office for violation of HIPAA. Whether the office violated HIPAA depends upon the circumstances and whether the patient had at any previous time authorized disclosure to the spouse. Under the new regulations, any patient must be informed of the five categories of individual rights to privacy regarding information:
The patient or patient representative (if the patient has been deemed incompetent) then must be asked by staff from the covered entity whether to disclose information to certain third parties, including family members. This authorization and waiver need not be in writing. This is a tricky situation because, technically, an authorization to disclose to family members or friends need not be in writing -- although, in this situation, the covered entity would be on much firmer ground if a written consent (rather than oral consent) existed. Thus, if the patient began treatment before the divorce and the M.D. had followed the steps for protecting patient rights, the patient may well have waived the right to prevent disclosure and then failed to inform the M.D. of any change due to the divorce proceedings. On the other hand, if the patient had been apprised of the rights to confidentiality and had specifically requested that confidentiality be maintained, the disclosure was inappropriate regardless of whether there were proceedings for divorce, or even if the family lived intact and in harmony. The divorce and custody dispute in this hypothetical situation is a bit of a distraction from the actual authorization question. The circumstances in which the information might be used concern damages and harm -- the patient was subsequently harmed by the disclosure -- but that does not matter if the patient gave consent to the disclosure itself. The real question of interest under the HIPAA regulations is whether the patient was apprised of privacy rights, whether the patient understood those rights, whether the patient had the opportunity to waive those rights, and then whether the patient was able to make a sound mental judgment and actually waived those rights. The M.D. and covered entity are protected, however, if the patient did agree to the limited disclosures allowed to family.
Again, the fact that the information could be used in a divorce is a distraction from the real issue under HIPAA, which is: was the patient properly informed about the five categories of individual rights to patient privacy and, if so, was a valid authorization to disclose the information to the spouse granted?

Medical Scenario #4

A doctor consults or emails another doctor about whether a practice guideline or decision-tree algorithm should be modified for a specific patient, given detailed exam and physical data that may enable the patient to be identified. Did this communication need to be adjusted in some way to avoid running afoul of the HIPAA rules? Yes, in two regards. First, the information should be de-identified unless the consulting physician is somehow actually involved in the patient's care. Second, the information should be encrypted before transfer. The encryption rules should follow established in-house procedures that are administered by the Privacy Security Officer. Oversight and accountability for following HIPAA is vested in this office, a vital and new component of the in-house compliance program HIPAA requires. Under the HIPAA regulations, it is now required that all providers have in-house programs to ensure the privacy of PHI. Each covered entity must exhibit demonstrable efforts to develop policies, procedures and guidelines for the use of personal computing devices (workstations, laptops, hand-held devices), and for ensuring that mechanisms are in place that allow, restrict and terminate access (access control lists, user accounts, etc.) appropriate to an individual's status, change of status or termination.

Medical Scenario #5

A medical student extern in a doctor's office requests and receives permission from the doctor to make a copy of an X-ray or ECG to use in a class presentation, but the student doesn't remove the identifiers. What does this mean for compliance with regulations pertaining to confidentiality?
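The controls that Scenario #4 calls for (de-identify before an outside consultation, grant access by status and terminate it on a change of status) and the patient authorizations discussed in Scenario #3 can be expressed as one small disclosure policy. The following Python is an added illustration written for this page; it is not code from the original article, from any covered entity, or from any HIPAA compliance product. The identifier list, the purpose names, the per-purpose "minimum necessary" field sets and the sample record are all constructed assumptions for the example, not the regulation's own lists; the "education" purpose is treated the same way as an outside consultation, which is the de-identification point made in the discussion of Scenario #5 that follows.

```python
from dataclasses import dataclass, field

# Direct identifiers that this illustration strips before an outside
# disclosure. Constructed subset for the example; the regulation's own
# list of identifiers is longer.
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "address", "dob"}

# "Minimum necessary" view per purpose for members of the care team.
# None means the full record. Field sets are assumptions for the example.
MINIMUM_NECESSARY = {
    "treatment": None,
    "consultation": None,
    "billing": {"name", "mrn", "visit_date", "procedure_code"},
}

# Purposes that may proceed with a de-identified copy when the recipient
# is neither on the care team nor named in a patient authorization.
DE_IDENTIFIED_PURPOSES = {"consultation", "education"}


@dataclass
class Patient:
    record: dict
    care_team: set
    # recipient -> purposes the patient has authorized (the "waiver")
    authorizations: dict = field(default_factory=dict)


@dataclass
class Staff:
    user_id: str
    status: str = "active"  # "active" or "terminated"


class DisclosureDenied(Exception):
    pass


def de_identify(record):
    """Copy of the record without direct identifiers; keeps year of birth only."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "dob" in record:  # assumes ISO YYYY-MM-DD
        out["birth_year"] = record["dob"][:4]
    return out


def disclose(patient, requester, recipient, purpose):
    """Return the data `requester` may send to `recipient`, or raise."""
    if requester.status != "active":
        raise DisclosureDenied(f"{requester.user_id}: access has been terminated")
    if recipient in patient.care_team and purpose in MINIMUM_NECESSARY:
        fields = MINIMUM_NECESSARY[purpose]
        if fields is None:
            return dict(patient.record)
        return {k: v for k, v in patient.record.items() if k in fields}
    if purpose in patient.authorizations.get(recipient, set()):
        return dict(patient.record)  # patient waived confidentiality for this
    if purpose in DE_IDENTIFIED_PURPOSES:
        return de_identify(patient.record)
    raise DisclosureDenied(f"no basis to disclose to {recipient} for {purpose}")


def withdraw_authorization(patient, recipient):
    """Patient revokes a previously granted waiver (e.g. after a divorce)."""
    patient.authorizations.pop(recipient, None)


def revoke_access(staff):
    """Status change: terminated staff lose the ability to disclose anything."""
    staff.status = "terminated"


def sample_patient():
    """Constructed sample record; not real data."""
    return Patient(
        record={"name": "Pat Example", "mrn": "MRN-0001", "dob": "1970-04-02",
                "phone": "555-0100", "address": "1 Sample St",
                "ssn": "000-00-0000", "visit_date": "2003-05-01",
                "procedure_code": "99213", "diagnosis": "hypertension",
                "bp": "150/95"},
        care_team={"dr_smith", "nurse_jones", "billing_office"},
        authorizations={"spouse": {"family_update"}},
    )


if __name__ == "__main__":
    p, clerk = sample_patient(), Staff("clerk_01")
    print(disclose(p, clerk, "billing_office", "billing"))
    print(disclose(p, clerk, "dr_outside", "consultation"))
    withdraw_authorization(p, "spouse")
    try:
        disclose(p, clerk, "spouse", "family_update")
    except DisclosureDenied as e:
        print("denied:", e)
```

The order of the checks in `disclose` is the point: the requester's own status is tested first (a terminated account can disclose nothing), the care-team path applies the minimum-necessary view for the stated purpose, a patient authorization opens the full record only to the recipient and purpose the patient actually named, and anything else leaves with identifiers stripped or not at all.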
Actually, although likely to occur in the first few months of the HIPAA regulations, this hypothetical presents a significant compliance problem. First of all, in order to have authorized access to the patient information, the student extern must be working with the patient or in approved research that has been re-authorized by the IRB. Second, the information, if approved, should be protected by a variety of safeguards, such as following the procedures for de-identification and also applying any relevant encryption technology. How it happened that the student and the faculty advisor had access to the identifiers in the information without anyone else noticing, and without asking any questions about this irregularity themselves, is also an important problem. This suggests there was inadequate HIPAA compliance training and perhaps some disregard within the covered entity's system for HIPAA compliance procedures and training. Lastly, this matter raises the accountability issues for which the Privacy Security Officer might be required to provide some oversight.

Conclusions: Physicians Need to Be Aware of Relevant Laws

The new regulations that implement long-promised protections for medical privacy (as mandated by the U.S. Congress in 1996 when it wrote HIPAA) make sense. The complexity of the regulations underscores, once again, the importance of understanding the legal system that surrounds and sometimes confines the practice of medicine in the United States. To do so, however, is easier said than done. The best solution to the problems raised by HIPAA implementation is to have more legal education at every level of medical education and practice. Physicians should read the best legal literature they can find -- on different sides of issues and from varied professional perspectives -- in order to be apprised of these complex matters.
These efforts will not solve all the problems that may arise but will definitely help doctors to be better informed consumers of the laws that today surround every facet of medical practice. Legal issues at the interface between law and medicine in daily medical practice will not go away. Indeed, as the world grows smaller, work becomes more ubiquitous and genetic conditions are better understood, the ramifications of this interface will become more profound.

Practical Tips
Resources

U.S. Department of Health and Human Services

HIPAA and ADA and other confidentiality provisions (under OSH Act) discussed in Designing An Effective OSHA Compliance Program, Ilise L. Feitshans, J.D. and Sc.M., Westlaw.com under "treatises."