A practice is discovering that the universal truth around HIPAA compliance is that there is no universal truth. Every scenario is different.
The minimum penalty for violating HIPAA is $50,000 and up to one year in jail. And just like my annual mandatory HIPAA training does, let me repeat that: The minimum penalty for violating HIPAA is $50,000 and up to one year in jail.
This fact was running through my mind last month when my receptionist informed me that transferred medical records that we had mailed via USPS certified mail to another physician's office never reached their intended address. But, I argued, I have a signed, certified mail return card. My receptionist nodded and quietly said, "The other doctor's office has never heard of the man who signed the certified mail card." Panic set in.
Thinking back now, I tell myself that my panic was silly. But was it? What if the patient's parents were going through a nasty divorce and a HIPAA complaint to one parent's choice of pediatrician's office was just the fodder the other parent needed to inflict legal pain? After a decade in practice, I'm convinced that my practice's biggest legal and financial threat isn't profit-seeking insurance companies and their meaningless quality metrics or poorly-funded Medicaid primary-care programs; the biggest threat is, in fact, the hell that is two adults who use their children and our office to settle their marital arguments.
We sent the records, per the parent's written consent, to another HIPAA covered-entity, a physician's office no less. We took on the extra burden and cost of sending said records, as we always do, via certified mail return receipt. We've mailed records certified for more than 10 years not just because of my fear of HIPAA, but because of my distrust of other physicians' office staff. There is nothing like the feeling of schadenfreude when another office calls to say they never received the records we mailed, and I can gleefully tell them exactly who in their office signed for them.
It took half a day, but eventually, with the help of my receptionists and nurse, we tracked down the post office that handled the mail piece and even spoke with the mail carrier who made the error. She couldn't have been nicer or more apologetic. The mail carrier tracked down the records, delivered them to the correct address, and the receiving doctor's office confirmed they hadn't been opened. In addition, we did the right thing by both recording the incident in our HIPAA log and informing the patient. I enjoyed a very dry martini that night.
Every week it seems I am being asked to make calculated risks in releasing medical records. There are the parents who call and claim their child is going to be kicked out of daycare, which means the parent will lose their job, if our office doesn't get vaccine records over to the daycare that very hour. There are the domestic abuse victims on phoneline 1 who request that we not let their abusive ex know when their mutual child's next appointment is while the lawyer of the other parent is on phoneline 2 tersely explaining that his client has a right to know the date of the child's next appointment. And don't even get me started on parents in a panic because little Johnny is going to lose a perfect attendance award unless we write a compelling note excusing his two weeks off from school.
Clouding my judgement as I act on all these little, mostly low-risk, and yet not HIPAA-compliant requests to share or withhold medical records, are media stories. Anti-HIPAA arguments are made clear when tragedies like the attack on the Pulse nightclub in Orlando happen. Nurses and administrators, wanting to do the right thing, fail to release comforting information to friends and family in a timely manner. Equally persuasive are stories like that of Henrietta Lacks and her descendants whose privacy and consent rights were trampled on by doctors who sought both cures and profits. I have no doubt the HBO movie about Ms. Lacks and the famous HeLa cells premiering on April 22 will make a solid, if not complex, pro-HIPAA argument.
HIPAA law is, I think, like a lot of laws: complicated and contradictory. In my own work experience, I can spend the morning lecturing a medical records person at a hospital about why he doesn't need written consent to release records to us, the patient's primary-care practice, and then hear myself explain to a parent that very afternoon that I can't give the step-parent, who by all evidence is a primary parent in the child's life, a copy of the vaccine record for fear of his ex-wife's legal vengeance.
The legal, ethical and financial risk of releasing or withholding medical records is a tremendous burden for any professional working in healthcare today. For now, I will continue to take my annual training seriously, pay the cost to mail medical records certified return receipt, and pray I never have to make the compassionate choice to violate HIPAA in the wake of a tragedy.
What do you think? Do you always follow the exact letter of the law or do you sometimes fudge when you release or withhold protected health information?