Neighbor Law: Getting Around HIPAA


© Alice Neff Lucan

Nurses and medical administrators are not equipped to make legal decisions, nor would they want to, but they’re put in awkward positions by a federal law known as “HIPAA.” And who is shut out?  Family, friends, neighbors and, by the way, reporters.

The ugly acronym stands for Health Information Portability and Accountability Act. In theory it confines an individual’s identifiable health information to health care providers. (To better effect, the law also makes it possible for an employee to transfer health insurance to a new job.)

The Act covers all types of health care agencies, from the ambulance to the pharmacy, from the hospital to the agency-employed nurse’s aide at home. It also allows information to be shared for research, for law enforcement functions, and other necessary exceptions. Hospitals may release information to the public when, in the hospital’s judgment, that would protect public health.  Otherwise, the release of personally identifiable medical information by any of these “covered entities” could result in fines, and in extreme and rare instances, involving fraud and criminal intent, jail time. HIPAA is 563 pages long, filled with exceptions and nuances that aren’t well understood; thus, medical employees generally perceive that the prudent reaction is to say nothing, even when disclosure would be permitted or would be the compassionate thing to do.

When any one inquires about the patient by name, HIPAA allows the health care facility to confirm (but not reveal) the name of a patient, which ward the patient is on, and the patient’s status or generalized condition (“fair”, “good”, etc.) so long as specific medical information is not revealed. The facility may do this if the patient has been given the chance to object first. When there is an emergency—or the patient is otherwise unable to give consent—the health care facility can release the information if the patient has named individuals or if the facility’s staff believes disclosure is in the individual’s best interest. This makes it very difficult, sometimes distressingly difficult, for family members (or reporters) to find injured people and know what happened.

And furthermore, the two Charlottesville hospitals have chosen to release less than what HIPAA allows. U.Va. and Martha Jefferson release only the patient’s condition if you have the patient’s name. A Martha Jefferson spokesperson says their concern is for the patient’s privacy, but in fact, it is legitimate to ask whether “privacy” is all that is at stake.

Some injuries concern the whole community. When a firefighter goes to the emergency room with smoke inhalation, it is a matter of public concern on many different levels, most important to his/her colleagues, witnesses, neighbors, friends, and reporters. Injury to a public servant, especially a first responder, should not be treated as a secret. Everyone cares.

Some injuries concern family who are far from the patient. If Grandma calls the hospital from New Zealand to find out what happened to her firefighter grandson who is in intensive care, U.Va. and Martha Jefferson will tell her only his generalized condition category, nothing else. Neither of our local hospitals will tell her that Grandson is in intensive care. Grandma has to fly here, be named on a list, or get her information from Mom, assuming she can get in touch. The hospitals will say, “Oh, she’ll learn soon enough,” eventually, sometime after a few hours of agonized waiting.

If Grandson is one of hundreds injured in a flood, the HIPAA rules say that information can be released without getting the individual’s consent in order for family members to find each other.  However, according to a 2007 Troutman Sanders analysis done for Virginia Hospital and Healthcare Association, “The good news is that, during an emergency or disaster, there are numerous regular exceptions to HIPAA that will permit hospitals to share protected heath information with other providers, public health authorities and certain other designated parties.  The bad news is that, even during a disaster, the majority of HIPAA requirements will remain in effect so hospitals must plan as if they will be responsible for fulfilling all HIPAA obligations even in the midst of a disaster.”

There are other ways around this. You, as patient, can be sure that your doctor has a list of people to whom your medical information may be released. More often now, HIPAA consent forms include a request for that information.

Disclosure of personal medical information is permitted to anyone involved with the patient’s health care, and this creates a list of possible sources outside “covered entities.” If Mom comes to the hospital with Grandson, she’s probably not going to have trouble getting information nor is she restrained by HIPAA. Or, if a non-medical stranger brings an injured person to the emergency room, that Good Samaritan is not restrained by HIPAA. And in a similar way, when the firefighter goes to the hospital, the chief or a fellow firefighter may talk toa reporter because the fire department (and the police department) are not restrained by HIPAA. This assumes the fire chief can get the information from the hospital.

So while there are legitimate ways to get information, medical staff is confused by ambiguity and exceptions. Instead of erecting stone walls (and stony faces), application of HIPAA rules should be done with common sense plus compassion added in for the patient, family and friends. It is nearly impossible for medical staff to understand the advice from hospital lawyers and so they make the default, safe choice: say nothing.

This column provides legal information, not advice. Should you need to get advice concerning HIPAA, consult with an experienced attorney. Facts change legal outcomes.


Please enter your comment!
Please enter your name here