Accessibility links

Family Members of Patients Say U.S. Medical Privacy Rules Go Too Far - 2003-07-07

About two months ago, I received a phone call most of us dread. My mother had been rushed into emergency surgery. Her appendix had ruptured, massive infection had set in and her kidneys had failed.

During the next week, as my brother and I stood watch at the hospital, the five doctors and dozens of nurses who helped save my mother’s life increasingly told us less and less about her condition. Ultimately, the staff at St. Joseph Health Center in St. Charles, Missouri -- about 30 kilometers west of St. Louis -- wouldn’t speak with us about her care.

We had little choice but to hire a lawyer to serve papers on the hospital, demanding that we be apprised of our mother’s condition. Our attorney was Charles Niedner.

“Your mother was telling them right in front of you and the hospital personnel to go ahead and inform you as to what was going on and what the test results were,” he says. “They just wouldn’t do it. There’s really no excuse for ignoring her directions to keep you informed. That’s incomprehensible to me. But things as far as getting medical information have tightened quite a bit lately because of the new federal HIPAA law.”

HIPAA -- the Health Insurance Portability and Accountability Act -- was originally passed by Congress in 1996. In the wake of failed health care reform during the Clinton administration, there was political pressure to address many of the concerns of middle class voters. Chief among them was insurance portability, the ability for people to change jobs and still be covered by their health care plans, and to have already existing medical conditions covered under new policies.

But the HIPAA legislation also provided for “other purposes.” And in April of this year, new regulations were enacted to safeguard the privacy rights of patients like my mother.

Debby Vosenkemper, Administrative Director of Quality at S.S.M. St. Joseph Health Center, says privacy right laws are supposed to be flexible. “The HIPAA regulations are not black and white,” she says. “There is some level of interpretation with that. Staff often probably take it upon themselves to make them black and white. And I think that’s where you got caught.”

The new HIPAA regulations require patients to be given what’s called a Notice of Privacy Practices that details their rights. The notice varies widely among health care providers. But it’s often long and complicated. And most patients find it confusing or they’re too ill to understand it.

When a person checks into a hospital, he or she can choose to be included in the hospital’s public directory so loved ones can find out whether they’ve been admitted. But even if a patient is listed on the directory, most hospitals will give you only a one-word description about their condition -- “critical,” “serious” or “stable,” for example, and only if you ask about the person by name -- even if you’re the next of kin.

Melinda Hatton is chief Washington counsel for the American Hospital Association, which represents nearly 5,000 hospitals across the country. “If you’re following this, you can tell this is where it’s getting a little complicated,” she says. “If a person is a family member who is responsible for care or who is involved in the patient’s care, then you as a hospital or care provider are allowed under the regulations to tell that friend or relative or whomever anything they need to know that is directly relevant to the care that is being provided to their loved one.”

But it’s entirely subjective. The hospital or doctor decides what a particular person “needs to know.” These new regulations emerged from a fear that medical information is too readily accessible. Insurance companies, for example, might deny individuals coverage based on what they find in a person’s health records. Or a person’s medical information might be used to sell products to them or solicit charitable donations.

But Joy Pritz, a Research Professor at Georgetown University’s Health Policy Institute here in Washington, says these powerful interests still want a person’s medical information. “Everybody says that they’re for protecting the privacy of health information,” she says. “Yet when it comes to actually writing the rules as to how it’s going to be protected, you will find almost every sector also saying, ‘Yes, it’s really important to protect that information, but I need it for my purposes.’ And the health care consumer [i.e., patient] kind of stands on the sidelines and says, ‘But it’s my information. I should have some say here.’ And they really don’t have a whole lot of say as to how it’s shared.”

That worries Tom Miller, Director of Health Policy Studies at the Cato Institute here in Washington. He says that while a spouse or child may have trouble finding out about a loved one’s medical condition, the federal government has virtually unlimited access to a person’s medical records.

“The government gave itself an exemption,” he says, “a speed pass through all of these privacy safeguards. So while we’re worried about the private sector finding out all of this information and perhaps selling you another product, the government can collect all of this information about all of your health care because they just want to make sure no one else is abusing it. And that’s where the real worry is, and nothing has been done to actually police that.”

Other aspects of HIPAA, which go into effect during the next few months, involve the secure electronic storage and transfer of medical files. New computer technologies could ultimately help lower the cost of health care in America by reducing paper work and facilitating the sharing of information among health care providers. But most analysts estimate that in the short run, the new HIPAA rules will cost tens-of-billions of dollars.

And most experts agree that the cost of upgrading medical information systems will be passed on to patients.

Erik von Kiel is a physician in rural Pennsylvania, about 100 kilometers west of Philadelphia. Because he’s the only doctor in his practice, Dr. von Kiel is exempt from many of HIPAA’s privacy rules. But he fears that could change.

“If I were in a larger office,” he says, “and wasn’t covered by the ‘Country Doctor’ exclusion right now, I would have to have a person hired virtually full-time just for chart privacy -- to go through all of the regulations and make sure that it’s all being done. If and when it gets to the point when the ‘Country Doctor’ exclusion is no longer an exclusion, I expect that I would retire from practice.”

With little more than a set of regulations mandated by Washington, states, cities, hospitals and doctors across the country are struggling to make sense of the new HIPAA rules. And most analysts agree with Georgetown University’s Joy Pritz who says that problems associated with the new regulations may take years to resolve.

“The rules are very detailed because the health care system is very complicated,” she says. “And people are struggling with trying to find the right balance between abiding by the rules and just using common sense. There are many parts of the rules that say a health care provider can use professional judgment, which basically is the legal term for ‘use your common sense, your professional common sense in how you interpret this.’ But that part of the regulation seems to have gone out the window for a lot of people.”

“The lesson to be learned here is not to bite off more than you can chew,” says Melinda Hatton of the American Hospital Association. “You need to take slow and thoughtful steps to make sure that patient care is your primary concern and that that isn’t compromised at all by what you’re trying to achieve in terms of privacy protections for patients.”

As for my mother . . . she recently was re-admitted to the hospital for complications related to her surgery. This time, it took only about an hour to convince the nurses to tell me about her condition.