Hospitals overly cautious with HIPAA when authorities request patient info

Double check legality of patient info requests, consider compliance

Even though hospitals may want to cooperate with authorities, legal experts warn that "official-looking" requests for access to patient information may violate HIPAA (Health Insurance Portability and Accountability Act) and advise providers to think twice, American Medical News reported.

"Because it looks very official and it's on pleading paper and is legally formatted, there's a presumption that the [request] is valid," Catherine J. Flynn, chair of the Health Law Group at Weber Gallagher Simpson Stapleton Fires & Newby in New Jersey, told amednews. "In many cases, the subpoena is not valid."

The recent hepatitis C outbreak at Exeter (N.H.) Hospital illustrated the conflict between HIPAA and public health interests. When the state Health & Human Services Department requested "ridiculously broad" patient information, according to the hospital's attorney, Exeter worried that turning over such information would violate the federal patient privacy regulation.

However, a Superior Court judge this month ruled that the state had demonstrated a valid need for the records, thus offering the hospital guidance.

HIPAA does not require patient consent for medical records obtained for public health purposes, Patricia A. Markus, a health law attorney and chair of the Health Information and Technology Practice Group for the American Health Lawyers Association, told amednews.

"It's important to have a policy to determine under which circumstances you have to release information and when you can't," she said.

Overly cautious hospitals, however, tend to have far more restrictive policies that go beyond what HIPAA requires, according to Abner Weintraub, president of consulting firm HIPAA Group.

When a patient allegedly assaulted a staff member last month at Pittsburgh's UPMC McKeesport, the hospital refused to give information about the patient, including his name, to police, because of HIPAA, the Pittsburgh Post-Gazette reported.

The hospital employee, nevertheless, divulged his name and police were able to identify him, using the state's criminal justice database.

Weintraub said the hospital was misapplying HIPAA in this case. Healthcare organizations are allowed to disclose certain information when police are looking for a criminal, according to Weintraub.

"Based on my experience, the majority [of hospitals] have policies that do go beyond what the law requires," he said. "They do err on the side of restrictiveness, of not disclosing, because the perception is that it's simpler just to keep the information close to the vest ... rather than opening up the potential for a lawsuit of wrongful disclosure."

For more information:
- see the amednews article
- read the Pittsburgh Post-Gazette article
