Overprotective HIPAA rules oftenf rustrate rather than help healthcare workers

Ask health professionals about the privacy protections of HIPAA—the Health Insurance Portability and Accountability Act—and they likely will say it has changed the way they work, and not necessarily for the better.

"It's meant to protect patient privacy but it goes beyond that," says Renee Setteducato, a nurse in the post-anesthesia unit at Lutheran Medical Center in Brooklyn, N.Y. "It hinders care. HIPAA is supposed to protect your privacy against outsiders but puts up obstacles for those on the inside."

Setteducato ran into a lot of obstacles while caring for her sick father. Although she and her mother were the sole caregivers for her father, doctors couldn't share information directly with Setteducato; they only communicated with her mother, who often had trouble understanding. As a result, information was not always passed along to Setteducato, on whom her parents were relying for guidance.

"It just became a circus," says Setteducato, who is a member of the Federation of Nurses/United Federation of Teachers. "Patients don't always understand what the doctors say, and if doctors want to confer with the patient's relatives, they can't do that unless there is consent. It delays care."

Even though healthcare facilities have been complying with the HIPAA privacy rules for five years now, there is still confusion regarding what the rules require, what is covered, and what can and cannot be shared. Advocates of HIPAA say that confusion is not because of the rules themselves, but because providers have chosen to take a more restrictive approach to following the rules than is required.

Nurses become the ‘bad guys'

"Unfortunately, nurses look like the bad guys sometimes because they can't release information without the patient's permission," says attorney Kathleen Gialanella. Based in Westfield, N.J., Gialanella trains health professionals to help them understand their obligations under HIPAA. She also has defended health professionals accused of violating the law.

Patients, family members and friends need to be educated on HIPAA, and that is part of the nurse's role as the front-line caregiver, says Gialanella. "Communication is key. Let the family know what information you are allowed to share."

Setteducato hears a lot of complaints about HIPAA from patients and colleagues alike. "We get yelled at by patients," she says. "But even more heart-wrenching is having to turn away family members or neighbors who have taken care of the patient and are not entitled [under HIPAA] to any information."

Multiple moments of chaos

There are times when it seems impossible to be 100 percent HIPAA compliant. In emergency situations, regulations often go by the wayside because your focus is on the patient, says Michelle Smith-Young, a nurse who works in the intensive care unit at Centerpoint Medical Center in Independence, Mo. She is also a member of Nurses United for Improved Patient Care. "If a patient isn't doing well or is crashing, you'll see all sorts of violations—open charts, paperwork or lab work laid out in the open," says Smith-Young. "The fact is that in many nursing units, there are multiple moments of total chaos. It is difficult to make sure all the i's are dotted and t's are crossed when it comes to protecting privacy. Things might be easier if there was proper staffing in the hospital. We probably could be more compliant."

Setteducato agrees that HIPAA is a big problem in emergency situations. "I have seen it work against the patient. Not all patients are well enough to give consent when it is needed. For example, if a patient is unconscious and has let it be known to family and friends that he never wants to be on a respirator, the patient's wishes may not be met."

'It's like stealing or sleeping on the job'

For Irene Emmer, HIPAA is an annoyance, but it also has made her job more difficult. "We've always looked out for our patients. It's always been a part of our integrity as healthcare workers. HIPAA doesn't change that," says Emmer, a medical technologist in the blood bank department of Dynacare Laboratory in Milwaukee. She points out that HIPAA requirments don't necessarily serve patients' best interests.

"Sometimes you need information in a hurry. You're waiting to care for your patients, trying to get a picture of what's happening with them, but that care can be delayed for hours" because of HIPAA, says Emmer, who is a member of the Wisconsin Federation of Nurses and Health Professionals. "The process used to be easy: You'd call the hospital, give the patient's name and birthday. But now you have to go through all the rigamarole of filling out paperwork. It's time-consuming."

HIPAA puts workers in a tough spot, warns Setteducato. "It puts you in a very bad situation. Some people bend the rules, but they are subjecting themselves to trouble. You can jeopardize your license, your livelihood."

Emmer agrees that workers are in a precarious position. "If someone believes you are not following HIPAA regulations, you can get fired. It's frustrating. We are all walking the line because we've seen people get fired for not following HIPAA. [Violating] HIPAA is so serious. It's like stealing or sleeping on the job. You ask yourself, ‘Am I supposed to give this information out?' It seems so natural to give out information, but you can't."

There are plenty of examples of HIPAA violations healthcare workers can study. Anyone who feels his or her rights have been violated in some way can lodge a formal complaint with the hospital or the federal Office for Civil Rights (OCR). In fact, there have been 36,374 HIPAA privacy complaints since healthcare facilities began complying with HIPAA in April 2003.

The most common complaints received by the OCR have involved wrongfully using or disclosing protected health information, failing to safeguard protected health information, failing to allow patients' access to their protected health information, and disclosing more than the minimum necessary protected health information.

If a healthcare worker is accused of violating HIPAA, the hospital will conduct an investigation and the worker may face disciplinary action. The penalties for HIPAA violations include remediation/training, progressive discipline, suspension and termination.

Attorney Gialanella says the rule of thumb is to share information on a need-to-know basis. To stay out of trouble, she advises, the best thing to do before you access a patient's information is ask yourself, "Do I need to know?" "Sometimes people are driven by curiosity and human nature gets the better of them. Whatever the explanation, accessing someone's information when you are not caring for that patient is clearly inappropriate."
Gialanella acknowledges the privacy rules have created some problems. But she believes if the problems are significant enough, they will be addressed through regulatory changes. "Most hospitals are doing it the right way," says Gialanella. "While enforcement may not be consistent, it will get better over time."

But Setteducato says that even after five years, things are the same. "There are still very strict policies in place. People are afraid to work within the realm of common sense. I know there must be boundaries, but you should be allowed a little flexibility. In the old days, things were much easier. Before HIPAA came along, if a patient asked us not to discuss a situation, we honored that request."