HIPAA and Patient Privacy: A Conversation with Leon Rodriguez

By Carol Levine

All About HIPAA: A Resource List

—Carol Levine

Leon Rodriguez directs the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services. OCR is responsible for enforcing the privacy and security provisions of the Health Insurance Portability and Accountability Act (HIPAA) and the breach notification requirements under the Health Information Technology for Economic and Clinical Health Act (HITECH). 

Mr. Rodriguez and I testified in April 2013 at a congressional subcommittee meeting, and I asked him to share his expertise with Aging Today.

Carol Levine: What is HIPAA, and what is it intended to do?

Leon Rodriguez: HIPAA is a federal law that establishes a set of standards to protect the privacy and security of personal health information. It puts the needs and wishes of the patient at the center of determining the circumstances in which information must be kept private and when it can be used and disclosed.

CL: What has OCR learned about HIPAA’s impact on patients?

LR: We put a high priority on outreach with different stakeholder communities that represent consumers and patients, as well as industry and professional stakeholders. We make it a point to find out what is working, what’s not working, and what’s important to people. We’ve learned that two areas are critically important: patient privacy and access to records.

For patients to be comfortable talking to their doctors, they really need to trust that their medical information is confidential and secure. The more serious the situation, the more important the confidentiality. If you’re receiving mental health treatment, if you’re an HIV-positive patient, if you’re a victim of domestic violence—including elder abuse—then you need to be sure that your information is disclosed only if you want it disclosed.

The other critical area is patients’ right of access to their records. For patients to be able to monitor and manage their healthcare, and communicate effectively with providers, having access to those records is empowering. In nearly every circumstance, HIPAA guarantees access to those records. Furthermore, HIPAA entitles patients to receive that information in the form that they want. So if they want it on paper, they can get it on paper. If they want it electronically and it’s been maintained electronically, they can get it electronically.

CL: How does HIPAA apply to disclosures of personal health information to family or others involved in a patient’s care? Does the patient have to sign a release?

LR: I am fond of saying that HIPAA is a valve and not a blockage. For example, if a patient doesn’t object to a provider sharing information with a family member, then that is permissible under HIPAA. HIPAA does not require patients to sign a release to allow family members to be present when the patient is receiving care or talking to doctors.

If, however, the patient does flatly object, then we need to look at whether there are circumstances that might warrant sharing the information. Is the patient incapacitated? Is the patient communicating information about a serious threat? In those circumstances there might be authority for disclosure. So, it’s meant to be a commonsense scale. In these situations we give the provider real room to make a judgment about honoring the patient’s wishes but also determining what is in the patient’s best interests.

CL: Sometimes providers offer very complicated hypothetical situations about HIPAA.

LR: We should always avoid taking field trips far away from common sense. One way HIPAA is often misunderstood is whether family members are allowed to be present with a patient in a doctor’s office or hospital room. If the patient, by behavior or words, does not indicate any kind of objection, then in most circumstances family members and friends should be able to be present and receive information.

On the access side, providers frequently make it overly difficult for patients to get their chart. HIPAA expressly gives patients the right to this information. Sometimes providers don’t share information with each other because of misperceptions that HIPAA is a barrier, which it isn’t. For example, if there are two physicians involved in a patient’s care—one an internist, one a specialist—they clearly need to communicate to best advance the patient’s treatment.

CL: Why are providers so worried about liability? 

LR: Fear of liability comes from providers and the legal community that serves them confusing the OCR approach to privacy enforcement with fraud and abuse enforcement, where there has been a lot of liability, and appropriately so. When we do an enforcement action, it usually focuses on either serious security failure with respect to health information or clearly egregious disclosures of health information. For example, releasing health records about a celebrity to the tabloids leads to liability.

If a provider makes a judgment that disclosure is in the interest of the patient—even if we determine there was a violation—that would normally be handled through corrective action. We would help the provider to develop policies and procedures in compliance with HIPAA. 

CL: Are healthcare providers worried about compliance when they should be worried about security?

LR: This is another place where I really want providers to use common sense. When we are talking about inadequate practices and procedures that put the security of patient information at risk, or expose it to being lost, hacked or taken by identity thieves, that’s one thing. But when we’re talking about a decision that the provider in good faith thought was in the interest of the patient to disclose the information, and that maybe wasn’t a hundred percent in compliance with HIPAA, then that is a very different thing. We would handle that collaboratively with the provider.

CL: How can community service providers, especially those who aren’t clinical staff but provide important patient support, get the information they need?

LR: A few jobs back, I was the attorney for Montgomery County, Maryland, and one of my clients was the county’s Department of Health and Human Services. So that was a huge issue for us as providers of social services.

The basic point is this: if the disclosure is to advance the treatment of the patient—even though the service is not something you might think of as healthcare—and if the communication to that agency is all that is needed to do its job, and nothing more, then there are several mechanisms to ensure that agency follows HIPAA. If they are part of the same department of social services, they are covered by the same policies and procedures. If there is a third-party contract, then in most cases they may need to be treated as a business associate. And they would need to sign an agreement with whoever is sharing that information to ensure that they were taking appropriate steps to protect the security of that patient’s personal information.

CL: What can OCR do to encourage the appropriate interpretation and application of HIPAA?

LR: We’re being as nimble as we can, providing both consumer and provider education in a varied and accessible way. We recently prepared a video in which I provided instruction on privacy issues, along with a practicing physician who talked about the issues exactly as they arise. We do a variety of activities, some with live instruction; we put guides on our website; we send letters to providers.

What I would say to the people providing risk-focused seminars and instructions to providers is: “Please scare people, but scare them about the right things.” I do want institutions to be very worried about the security of their data and protecting health information. I want them to have policies and procedures that protect against flagrantly inappropriate disclosure of health information. But I don’t want them to make doctors afraid of their shadows and lead them to withhold vital information from patients and their families. 

Carol Levine directs the Families and Health Care Project at the United Hospital Fund in New York City.

Editor’s Note: This article appears in the September/October 2013 issue of Aging Today, ASA’s bi-monthly newspaper covering issues in aging research, practice and policy. ASA members receive Aging Today as a member benefit; non-members may purchase subscriptions at our online store.