Shortly after the recent massacre at an Orlando nightclub, the city’s mayor declared that the White House had agreed to waive federal privacy rules to allow doctors to update victims’ families. News of the waiver was widely reported, but as the Obama administration later clarified, both the mayor and the media were “simply mistaken.” No waiver was granted because none was needed. The confusion amid the tragedy in Orlando underscores widespread misconceptions about the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Here we shed light on a handful of myths that bedevil doctors and patients alike.
HIPAA sets national standards to safeguard the privacy of individuals’ health information. As in Orlando, it is often perceived as a barrier to effective communication between doctors and patients’ loved ones. Virginia state Sen. Creigh Deeds — whose mentally ill son attacked him before committing suicide in 2013 — recently testified before Congress that “HIPAA prevented me from accessing the information I needed to keep him safe and help him towards recovery.”
Such stories are heart-wrenching but misattributed to HIPAA. In most cases, the privacy regulation permits doctors and nurses to communicate with a patient’s family, friends or caretakers. The rules were crafted to account for the realities of health care, including the integral role often played by those closest to the patient.
As the former head of HIPAA enforcement told Congress, “HIPAA is meant to be a valve, not a blockage.” When the patient is present and clearheaded, the law allows hospitals to share relevant information with loved ones so long as the patient does not protest. This can be accomplished through the patient’s agreement or acquiescence, or based on a doctor’s professional judgment that the patient does not object. If a person accompanies the patient to an appointment, for example, doctors can reasonably infer that discussing the patient’s treatment in front of that individual is appropriate.
When the patient is unavailable or incapacitated, doctors can also exercise professional judgment to determine whether disclosure is in the patient’s best interests. A clear example is when the patient is unconscious, but this provision can also apply if the patient is suffering from temporary psychosis and lacks the ability to make health-care decisions.
Still, studies have shown that confusion and fear over privacy laws often lead hospitals to unnecessarily withhold information and reflexively cite HIPAA as justification — an approach that can make families feel locked out of care.
But overall, HIPAA affords doctors significant flexibility to communicate with patients’ loved ones, whether about routine or time-sensitive matters. The only time the law truly forecloses the sharing of such information is when the patient is present, lucid and tells doctors not to — and even then, patients’ wishes can be overridden in the event that they pose a serious and imminent threat to health or safety.
Before the rumors of a HIPAA waiver in Orlando were quelled, various news outlets reported that it marked a “victory for gay rights.” Waiving medical privacy laws was portrayed as a prerequisite for sharing information with same-sex partners.
In reality, HIPAA enables discussions with relatives, friends or anyone else identified by the patient, meaning that the impact of the Supreme Court’s marriage-equality rulings on permissible communication was marginal at best. HIPAA does not require doctors to obtain proof of identity when inquirers say they are a patient’s friends or relatives. Providing information to family and friends under HIPAA is linked to their involvement in the patient’s medical affairs, not the legal status of their relationship. Patients’ sexual preferences were irrelevant long before same-sex marriage became the law of the land.
Early in his administration, President Obama emphasized the importance of hospital visitation rights for same-sex partners and sought to enforce this policy through Medicare rules. However, spouses — unlike parents vis-a-vis their minor children — are not automatically presumed to have access to patient records. It is up to the patient to designate them or doctors to involve them as clinically appropriate.
Rep. Tim Murphy, also a psychologist from Pennsylvania, believes that amending HIPAA is crucial to mental health reform. Rep. Eddie Bernice Johnson, a registered nurse from Texas, says that “individuals with mental illness and substance use disorders often face obstacles to treatment because of the Privacy Rule within HIPAA.” New York’s chief psychiatrist has described HIPAA as “the tragedy of mental health law.”
Yet HIPAA does not distinguish between physical and mental health information, nor does it provide extra protections for the latter. Indeed, HIPAA is generally agnostic as to the type of health information being protected. The drafters of the privacy regulation acknowledged that many states had laws specifically guarding records related to mental illness and “other stigmatized conditions” but declined to follow their lead. While the HIPAA rules in no way erode these additional state protections, they do not confer any special status on mental health information.
The rare instance in which HIPAA affords greater protection to sensitive information involves “psychotherapy notes.” However, this exception is much narrower than is commonly understood. Psychotherapy notes are therapists’ private, desk-drawer notes reflecting on conversations during counseling sessions. They exist for therapists’ personal use as memory joggers and must be kept separate and apart from patient charts in order to retain their designation. Any information of wider utility — such as treatment or diagnosis — is excluded from the definition and associated protections. In fact, a main reason psychotherapy notes are shielded from disclosure is because they would have so little relevance or use to anyone other than the doctor who created them.
Mass shootings involving mentally ill suspects often prompt discussion about what warning signs doctors should have reported. These questions persist even in cases when doctors had alerted authorities, as happened before the 2012 movie theater tragedy in Aurora, Colo.
After the Sandy Hook Elementary School shooting, one of Obama’s 23 executive actions was to clarify that “no federal law” prohibits health-care professionals from reporting threats of violence to the police. This mandate was accomplished via an open letter to the health-care community explaining that HIPAA allows doctors to issue appropriate warnings when they believe that patients present a serious and imminent threat to themselves or someone else. In such cases, doctors can disclose necessary information to law enforcement, school officials, family members, the target of a credible threat or anyone else in a position to avert the danger. Under the HIPAA rules, doctors who take these steps are generally presumed to have acted in good faith.
When patients make threats or pose a high suicide risk, doctors often have a “duty to warn” emanating from state laws, court decisions or professional ethics rules. HIPAA does not in itself impose such a duty, but it explicitly permits health-care professionals to take action “consistent with” these standards.
HIPAA is often singled out as the basis of patient confidentiality. Yet privacy was a core value in health care long before the HIPAA rules were promulgated in the early 2000s. The Hippocratic Oath admonishes doctors to keep secret what they “see or hear” from patients. The American Medical Association’s first code of ethics, adopted in 1847, emphasized the “obligation of secrecy” at the heart of the doctor-patient relationship.
In practice, HIPAA provides a federal floor of privacy protections, not a ceiling. It defers to state laws that are “more stringent” or protective of patient rights. State laws that create additional safeguards for conditions deemed especially sensitive — whether HIV/AIDS, communicable diseases, cancer or mental illness — remain in full force. Neither does HIPAA override other federal laws. Thus, for example, substance-abuse programs subject to 1970s-era federal confidentiality requirements continue to follow those stricter standards in the vast majority of cases.
Even where HIPAA allows health information to be shared, it almost never requires it. Doctors and hospitals must still be cognizant of other applicable laws or professional ethics guidelines that impose stricter limitations. HIPAA is designed to align with these obligations as often as possible, but those instances where gaps arise tend to be the most complex and emotionally fraught.
HIPAA established a procedural framework for doctors, hospitals and other health-care players to exchange information without compromising patient privacy. Even if the law disappeared tomorrow, the legal precepts and ethical norms that long preceded it would remain in place — as would many of the frustrations cited by HIPAA’s most ardent detractors. This month, the House of Representatives proclaimed that “there exists confusion in the health care community around what is currently permissible under HIPAA rules.” Alas, that just may be the most accurate statement about HIPAA ever uttered.