HIPAA Hysteria


Recently I read a blog post by Girlvet concerning the suspension of 27 hospital employees of Palisades Medical Center for allegedly leaking Doug Ross’ George Clooney’s privileged health information to the media.

I say allegedly, because it is not immediately clear which, if any, of the 27 actually leaked the information.

Predictably, rather than address the lack of internal controls that allowed tangentially or totally uninvolved caregivers access to George Clooney’s records, they instead resorted to wholesale employee suspensions.

Typical administrative response, actually.

By the way, the potential fine to Palisades Medical Center for such an offense?

A hundred measly bucks.

That’s total, not per instance, folks.

It never fails to astound me the misinformation passed between health care providers regarding HIPAA regulations. I’ve been subjected to my share of erroneous HIPAA information and outright falsehoods disguised as continuing education, myself.

Which, of course, leads me to the unprecedented (for me) step of inviting a guest blogger to post on A Day In The Life Of An Ambulance Driver.

My friend Gene Gandy is a retired lawyer, distinguished EMS educator, former Assistant US Attorney for the northern district of Texas, expert witness and consultant, published author, airway management guru, Texas licensed paramedic, certified curmudgeon and grenade thrower par excellence. He is uniquely qualified to dispense some common sense wisdom on complex medical and legal issues.

He is irascible, opinionated and profane.

In other words, my kinda guy.

What follows is his guest post (with a few of my comments interspersed) about the Health Insurance Portability and Accountability Act, known to most of us in health care as HIPAA.

**********

In regard to the recent flap over George Clooney’s medical records and a bunch of folks getting suspended for viewing them:

I find myself answering more and more HIPAA questions every day. Maybe it’s because the first batch of folks trained in HIPAA compliance have either left or forgotten the training, or, more likely, the initial training was flawed.

And maybe it’s because so many folks never understood it to begin with and far overreacted to it.

People forget, or never knew, that the Privacy Rule is only one part of a great big Act called the Health Insurance Portability and Accountability Act of 1996. The Act is made up of five titles, and the so-called Privacy Rule is a part of Title II.

It was enacted to accomplish a couple of different things—making sure that folks could maintain health insurance for a reasonable period of time when they change jobs or are between jobs. That’s the “portability” part.

The other big reason was to make sure that patient data transmitted over the Internet was secure.

When the Act first came out and the first set of regulations were written, lots of folks, particularly the nurses and hospital folks, got so anally cramped over it, they went nuts trying to make it way more serious than it was, and lots of the misunderstanding that people have comes from that era. In fact, the first set of rules, which imposed unworkable standards, were extensively rewritten, so that the current rules were the result. When the first rules came out on November 3, 1999, there were over 52,000 comments about it. The “final rules” [which, it turned out were far from final] were published in December, 2000, and over 11,000 public comments ensued about them. So they were modified, and the FINAL final rules came out in August, 2002.

Anybody who wants to understand HIPAA need only look up the OCR Privacy Rule Summary, available through Google. By the way, OCR stands for the Office for Civil Rights of the US Department of Health and Human Services, and that’s the office that enforces the rules.

That document, called Summary of the HIPAA Privacy Rule, lays it all out in language even SuperMongo can understand. Mongo is more likely to understand it than Nurse Wretched, but then SuperMongo is less likely to have accumulated all his feces and kept them in freezer bags than The Nurse Manager who thinks she/he is a HIPAA expert and invents problems with it on a daily basis. But I show my prejudice. I am not apologetic.

Told y’all he was irascible, profane and a grenade thrower.

To be fair, and as I pointed out in the comments on Girlvet’s blog, much of the initial education on HIPAA was done by the nursing educators. They were proactive, and led the educational charge, as it were. That was commendable.

It was also highly flawed, because much of the information disseminated was misinterpreted, and the final rules were far less draconian than what the nursing educators and hospital administrators initially told us.

For what it’s worth, I agree with Gene. I like nurses. I’ve dated several, married one and currently date another. I respect nurses. Some of my best friends are nurses. But some of the most anally retentive, pretentious old biddies you will ever meet are senior nurse managers and educators. They have literally forgotten what it’s like to be at the bedside.

The rule only applies to health care providers, so cops and dispatch centers not dedicated to EMS or a part of the health care system are not covered by it. First responders are only covered if they transmit information electronically, and “electronically” means transmission of health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA. Radio or email or telephone communications alone do not qualify.

Hear that, EMS field crews and dispatchers? Giving names, addresses or medical conditions over a radio link or cellular phone is not a potential HIPAA violation.

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associates, in any form or media, whether electronic, paper, or oral. This is called protected health information (PHI).

Now, that last paragraph seems to contradict the one before. Well, I owe it to you to try to provide a pathway to figuring this out. Think about it this way: If you’re a covered entity, no matter what sort, then all your PHI is covered, no matter how you transmit it or communicate it. But first you have to meet the test of a “covered entity” by transmitting health care information electronically in such a way that you’re a covered entity. If you’re not a covered entity, you can do what you please, but if you’re a covered entity, you’ve got to mind your P’s and Q’s. Make sense?

The stuff that causes all the problems falls into a few categories: What can we tell law enforcement, what can we tell other health care providers about the patient, what can we tell the press, and who can access the files?

A covered entity must disclose PHI in only two circumstances: to individuals or their legal representatives when they request it, and to HHS when it is conducting an investigation.

A covered entity is permitted to use and disclose PHI without an individual’s authorization:

1. For treatment, payment, and healthcare operations.
2. Otherwise as permitted by law.

When the HIPAA regulations first were promulgated, some idiots wanted to make it worse than it is, so they came up with silly notions like one doctor could not disclose a patient’s PHI to another treating physician without the patient’s consent in writing. A family member could not pick up a patient’s prescription from the drugstore. The nurses wouldn’t tell a family member squat about their loved one who was zonked out in the ICU.

Some really stupid stuff happened before folks got that straightened out. Some of them still don’t have it figured out. I get emails all the time asking me why it is that when a Paramedic who has taken a post-cardiac arrest patient to Podunk Medical Center, and she calls up the hospital to find out how the patient did, some nurse says, with attitude, “I cannot tell you anything about the patient.” Sometimes they even refuse to acknowledge that the patient is there.

What crap! That blather! What stupidity. All a perversion of what HIPAA is about.

Basically, you can and should disclose pertinent PHI to anyone in the treatment chain, starting at the first responder level and going all the way from ER doc to cardiologist, et cetera.

And the flow of information works in both directions, contrary to what some believe.

So it is perfectly permissible for hospital folks to give feedback to EMS crews, and the efficient delivery of health care demands it. There is no excuse for anybody in the hospital to tell an EMS crew member that HIPAA prohibits them from telling them how the patient did. It’s either ignorance, laziness, or plain old assholiness.

The reason that information is allowed to flow back to the EMS services is because disclosure is permitted for “health care operations.”

Here’s what the Privacy Rule Summary says about health care operations:

“Health care operations are any of the following activities:

(a) Quality assessment and improvement activities, including case management and care coordination [feedback is essential for quality assessment];

(b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation [once again, competency assurance activities require feedback from the hospital people];

(c) conducting or arranging for medical review, audits, or legal services, including fraud and abuse detection and compliance programs;”

I have omitted some other activities that are not as pertinent to EMS operations. Suffice it to say that anyone at the hospital level who refuses to provide patient feedback to EMS is unaware of the meaning of the rules.

Or any ICU nurse who refuses to give feedback to the ER nurse after admission, or any nurse at the receiving tertiary hospital who refuses to give feedback to the ER nurse who transferred the patient from Podunk General Hospital, Nail Salon, Tire Repair and Crawfish Hut. HIPAA and patient privacy concerns are an oft-cited excuse for being an asshole.

Now, regarding Mr. Clooney’s records.

The definition of “health care operations” is quite broad. What does “quality assessment and improvement activities” really mean? The meaning is in the eye of the beholder. Neither HIPAA’s statutory language nor the regulations provide a detailed definition of what is meant by “health care operations” or “quality assessment and improvement activities.” If you work in the EMS field, you know perfectly well what those terms mean. They mean figuring out if you did the right thing for your patient, how what you did affected your patient, and what his outcome was. Simple. Makes sense, doesn’t it?

Anally retentive caregivers will assert that it doesn’t mean anything beyond a formal process with rigid rules. Practical caregivers know that much can be learned from patient records.

I’m not going to sit here and say that some of the folks who accessed George’s records did not do so purely for curiosity. HIPAA says that the system should be set up so that unauthorized people cannot access records.

So if that many folks were able to access George’s records, where does the fault lie? With the individual or the system? HIPAA regulations say that every covered entity must have in place policies and procedures to minimize unauthorized leakage of PHI.
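Since the question above is really about the system rather than the individual, here is an added example (mine as editor, not Gene’s and not anything this blog or any hospital runs) of what the two system-side controls look like in code: an authorization check that grants record access only on a treatment relationship or a documented health care operations role, and a review over the access log that surfaces a record viewed by many staff with no relationship to the patient. The roster, roles, user names and log entries are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed roster: patient record id -> users with a treatment relationship.
CARE_TEAM = {
    "pt-1001": {"rn.alvarez", "md.chen", "emt.okafor"},
    "pt-2002": {"rn.alvarez", "md.patel"},
}

# Constructed roles whose duties include reviewing records of patients they
# did not treat (quality assessment, compliance audit: "health care operations").
OPERATIONS_ROLES = {"quality_review", "compliance_audit"}


@dataclass(frozen=True)
class Access:
    user: str
    role: str
    patient: str
    purpose: str        # "treatment", "operations", or whatever the user typed
    when: datetime


def authorize(access: Access, roster=CARE_TEAM) -> tuple[bool, str]:
    """Decide whether one record access is permitted.

    Treatment-purpose access needs a care-team relationship; operations-purpose
    access needs an operations role. Everything else is refused. The reason is
    returned so it can be written to the audit trail alongside the decision.
    """
    if access.purpose == "treatment" and access.user in roster.get(access.patient, set()):
        return True, "care-team member, treatment purpose"
    if access.purpose == "operations" and access.role in OPERATIONS_ROLES:
        return True, "operations role, operations purpose"
    return False, "no treatment relationship or operations role"


def review_log(log, roster=CARE_TEAM, threshold=3):
    """Audit-side check over a log of accesses that actually happened.

    For each patient record, collect the distinct users who viewed it without a
    care-team relationship. Records where that count reaches `threshold` are
    returned for a privacy officer to look at.
    """
    outsiders = defaultdict(set)
    for access in log:
        if access.user not in roster.get(access.patient, set()):
            outsiders[access.patient].add(access.user)
    return {patient: sorted(users)
            for patient, users in outsiders.items() if len(users) >= threshold}


# Constructed audit trail from a permissive system that logged every view but
# restricted none of them, which is the situation the paragraph above describes.
T0 = datetime(2007, 10, 1, 8, 0)
SAMPLE_LOG = [
    Access("rn.alvarez", "nurse", "pt-1001", "treatment", T0),
    Access("md.chen", "physician", "pt-1001", "treatment", T0 + timedelta(minutes=5)),
    Access("rn.baker", "nurse", "pt-1001", "curiosity", T0 + timedelta(minutes=20)),
    Access("tech.diaz", "lab_tech", "pt-1001", "curiosity", T0 + timedelta(minutes=25)),
    Access("clerk.evans", "registration", "pt-1001", "curiosity", T0 + timedelta(minutes=40)),
    Access("rn.fox", "nurse", "pt-1001", "curiosity", T0 + timedelta(hours=1)),
    Access("rn.alvarez", "nurse", "pt-2002", "treatment", T0 + timedelta(hours=2)),
    Access("md.patel", "physician", "pt-2002", "treatment", T0 + timedelta(hours=3)),
]

if __name__ == "__main__":
    # What the authorization control would have decided for each logged view.
    for access in SAMPLE_LOG:
        allowed, reason = authorize(access)
        print(f"{access.user:12} {access.patient}  {'ALLOW' if allowed else 'DENY '}  {reason}")
    # What a retrospective review of the permissive system's log turns up.
    print(review_log(SAMPLE_LOG))
```

Run as-is, the review flags pt-1001 with four users who had no relationship to the patient, and nothing for pt-2002. The point of keeping both functions is the one Gene makes: the authorization check is what stops the curiosity views in the first place, and the log review is how a covered entity finds out its controls failed before the media does.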

Another misconception is that individual employees of a health care provider can be disciplined by OCR for individual breaches of privacy. Not so. Only the “provider,” which means the covered entity, can be disciplined, and the sort of breach that seems to have occurred regarding George gets a $100 fine. Nothing more.

And, HIPAA has yet to levy a fine for a simple violation, at least as far as I can tell. The enforcement policy is to work with the covered entity to correct the situation that led to the violation.

Read those last two paragraphs again. As an individual, you cannot be disciplined by the .gov for violating HIPAA’s Privacy Rule. You can get your employer into hot water, and they may in turn discipline you for your actions. And in the five years it has been law, not one fine has yet been levied. If you can provide me with documentation to the contrary, I’ll gladly post it.

If you happen to leak a celebrity’s name and a laundry list of his injuries and other protected health information to the media, as happened in George Clooney’s case, you can be hit with that $100 fine.

Let’s be clear now: We don’t yet know if Palisades Medical Center has been fined at all.

But still, 27 nurses, doctors and assorted health care professionals have been deprived of their livelihoods for one month because of the potential of a $100 fine being levied in the future.

And my fellow bloggers worry that the HIPAA Monster will wreck your career because you blogged about a patient, while writing under a pseudonym, using a fictitious hospital name, and purposely muddying the identifying details of the patient himself before daring to post it?

Hell, even if you said “At 10:45 pm on Tuesday, March 18 in the Year of Our Lord 2005, John P. Smith was treated for gonorrhea and methamphetamine overdose at My Specific Medical Center, while handcuffed to a goat that bore the marks of recent sodomy, and he had kiddie porn in his wallet and a dead puppy stuck in his rectum…”

…you still won’t take a hit. But it may cost My Specific Medical Center a hundred bucks.

Of course, that won’t stop John Smith from suing/beating/shooting your ass for violating patient confidentiality under statutes that have been on the books far longer than HIPAA.

So you cover your bases by changing John Smith to Freida Kleinmuller, change the goat to a German Shepherd, and make Freida the one sodomized. With a dead puppy.

It still makes for an entertaining story.

It seems that the hospital, by taking the action it has against its employees, is using HIPAA in a way it was not intended to be used.

Not being aware of the particular hospital’s internal policies and procedures, I can’t say for sure whether or not the disciplined employees violated policy, but if they were allowed access without being a member of the treatment team, or having a legitimate interest as a caregiver involved with George’s care, then the HIPAA violation is the hospital’s, not the individual’s.

This sounds like a knee jerk reaction by some stupid suits trying to cover their asses for the media, when there’s no problem to begin with. Even Clooney says he doesn’t find it to be anything to be concerned about.

On to another subject, just one mention of what you can tell law enforcement. I get asked about this all the time.

There are six specific situations in which covered entities can disclose PHI to LE officials for LE purposes. They are:

(1) As required by law (including court orders, court-ordered warrants, subpoenas) and legal administrative requests;

(2) to identify or locate a suspect, fugitive, material witness, or missing person;

(3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime;

(4) to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death;

(5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and

(6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of a crime or crime victims, and the perpetrator of the crime.

Now read the 6th part and tell me whether or not you can answer the question posed by an LE officer, “Is the guy drunk?”

Both Gene and I would like to hear your thoughts and experiences on that subject.

HIPAA is a difficult law to interpret in some ways, but in other ways, it’s just common sense.

Also, never forget that HIPAA does not preempt state laws that are equally or more stringent than its provisions. You, as a provider, should know what your state law requires you to do about patient confidentiality and what you can disclose to whom and when.

When in doubt, hold off on disclosure till you think it over, seek legal advice, and so forth.

HIPAA is used as an excuse by many for actions that are not required by the Act. It is used as an excuse for laziness, for misunderstanding, for stupidity, ignorance, and a total lack of common sense.

When I’m in the ICU and my wife calls up and asks about me, and some hospital staff member says, “I can’t tell you anything according to HIPAA,” they’re lying.

It is often violated, but in technical ways.

HIPAA is not the solution to how to handle PHI. It’s vague in some instances, too specific in others, and doesn’t address real life problems well. And the folks who wrote the regulations didn’t have a clue that it would apply to EMS, nor did any of them have a clue about what EMS is or does and what the practical problems are with dealing with PHI as a prehospital provider.

In Mr. Clooney’s case, it would have been absolutely prohibited for anyone to disclose his PHI to the press, and if anyone had been paid for leaking PHI, that would be a felony criminal offense.

But let’s not go crazy over accessing PHI for legitimate reasons. As members of the healthcare team, we learn by talking about patients, their complaints and conditions, treatments, and outcomes.

There were probably some folks who looked at his records purely out of curiosity, and they ought to have their hands slapped, but if they only looked, there’s little harm done. When we kill the curiosity of medical providers about patients, whether they be a Clooney or a homeless mope, we set medical care back.

Medical professionals who are more interested in whether or not an employee violated a technical rule than whether or not that employee can provide good patient care are the despicable examples of form over substance that infect medicine and make us less than the best system in the world, when we clearly ought to be.

Much more troubling is the refusal of nurses and other hospital personnel to provide feedback to EMS crews about a patient’s progress and outcomes, based upon a skewed notion of HIPAA’s requirements. Lack of communication does nobody any good.

A couple of paragraphs above I used the term “health care team.” That’s a joke, when one considers that EMS people are not considered to be a part of the team by a lot of hospital folks. There may be reasons for hospital people to doubt the education, training, and capabilities of EMS providers, because some of them are idiots, but I have yet to find many hospital folks who have done anything to improve the relationships between themselves and the EMS folks. I’m sure there are exceptions, as there are to almost anything other than gravity.

Gene Gandy, JD, LP

That last is purely Gene’s opinion, although I share it to some degree. I see the same attitude mirrored throughout health care.

Some specialists neglect to provide feedback and updates to the referring physician, even though he happens to be the patient’s primary care physician.


ER nurses at the big hospitals balk at providing feedback to the nurses sending them patients from the rural and community hospitals.


ICU nurses play dumb when the ER nurses call upstairs and ask how their patient is doing.


ER nurses treat EMTs as knuckle-dragging stretcher jockeys incapable of understanding big medical words, so why bother giving them any feedback?


EMTs regard nursing home nurses as panicky cretins who are fit only to wipe asses, push pills, and suffocate little old ladies with oxygen masks hooked to oxygen at two liters per minute.


While we have all met health care providers that confirm our negative opinions, they can’t all be incompetent idiots. Most of them can learn from their mistakes, provided those mistakes are constructively brought to their attention.


The only reason we don’t is apathy and rudeness. HIPAA makes a weak excuse.
