The Patient Privacy Trap

A patient arrives in the emergency department and is taken to the resuscitation bay. He is pale, clammy, and very confused. Paramedics say his heart is in an abnormal rhythm. They tried electrically shocking him but it did not help. 

The patient was at a store and does not have any medical information with him. He cannot provide his medical history due to his condition and his family is unreachable. Once registered, the physician realizes that the patient has never been to her hospital so there are no previous records. He has an ID card in his wallet from a hospital across town. 

The physician contacts the hospital to get records but they require a permission form to be faxed before they will provide information. She reiterates the urgency of the situation, but the hospital says they must follow policy, and so the physician is left with limited information to treat a serious condition. She tries multiple treatments to no avail. Had she been able to obtain the patient records, they would have shown that the patient is on a medication that, in excess, can cause arrhythmia. Furthermore, there is an antidote.

How did we get here?

This needless delay in care occurred because of the misinterpretation of a rule known as HIPAA, the Health Insurance Portability and Accountability Act, created in 1996. The law was not originally written to protect patient privacy, though this was a small portion of the larger document. It was created to ensure patients would not have a lapse in insurance coverage when changing jobs, hence the portability part of the title. A patient’s bill of rights was debated at the time but never came to fruition, and thus the patient privacy part of HIPAA was left to interpretation, much of which has been taken to the extreme, leading to unnecessary duplicate testing and delayed diagnosis when time matters.

In a 2018 JAMA article, Dr. Donald Berwick, President Emeritus of the Institute for Healthcare Improvement (IHI), writes: 

“Every day, patients seeking second opinions or transferring to new clinicians experience treatment delays when wrongly conceived procedural hurdles prevent their physicians from talking to previous clinicians and obtaining timely access to test results and treatment histories. Family members seeking information about a loved one involved in a motor vehicle crash are wrongly told that HIPAA prevents even a confirmation of whether their family member is at that facility.”

There are a number of patient privacy myths that lead to administrative policies. Fear of legal or financial penalties further potentiates these misguided beliefs, creating restrictions on information exchange that can harm patients. Privacy is an important part of medical care, but only when it does not harm patients. Berwick notes that “absolute” patient privacy is not the intention of HIPAA nor is it required and that an interpretation of HIPAA that strikes a balance between improved health and privacy is more likely to be beneficial.

Some potential solutions.

There are a number of steps the country must take to protect privacy as well as ensure optimal patient care.

  1. With the advent of new technology, electronic health records (EHRs) and other forms of information exchange are ripe to improve the system. The lack of a universal health record throughout the country creates barriers, but new information exchange systems are starting to improve the ability to access health records between health systems within and even across state lines. EPIC, one of the largest electronic health record systems in the country, has a function known as Care Everywhere that allows clinicians to access patient information from other EPIC platforms anywhere in the world by simply requesting the information once the patient is registered. The state of Michigan developed MiHIN, a network that allows hospitals to share information about patients easily, without the hassle of permission forms. Other states are following suit. These technologies improve patient care, but as more information is stored in the cloud, they are also at risk for hacks that can swipe patient information if strict protections are not created. Nevertheless, if we capitalize on the benefits of EHRs, we can improve health while maintaining patient privacy.
  2. Standard guidelines should be created by Health and Human Services (HHS) that can be followed by clinicians and organizations alike. These guidelines should spell out misconceptions regarding patient privacy laws and easy ways to integrate standard processes at the local and state level. In an article by Dr. Jesse Pines, the Director of the Center for Healthcare Innovation and Policy Research at Georgetown University, 10 scenarios are presented regarding some of the misinterpretations of HIPAA. These include misunderstandings about the information that can be provided to family members, other treating clinicians, and even the media. By being transparent regarding what is and is not allowable, patients will benefit from efficient information exchange and enhanced care.
  3. Educating patients about potential barriers empowers them to advocate for themselves. If patients don’t know their rights, how are they supposed to prevent privacy misinterpretations from harming them? Specialty organizations and state health departments are in the best position to provide this information. While clinicians and healthcare systems should be well informed about HIPAA policy, patients can make an important mark on their health by participating in their own advocacy.
  4. Research regarding the consequences of misguided patient privacy policies should be a priority. Berwick emphasizes this in the JAMA article. We need more information regarding whether HIPAA fails to protect patients. If it is found to be a more frequent occurrence, then immediate steps would need to be taken to stop patient harm.

While most would regard patient privacy as well-intentioned and ethically responsible, the hidden consequences of a rule that offers a number of potential misinterpretations can also cause patient harm. We must be careful not to protect patient privacy too diligently when doing so may neglect good patient care.