When it comes to HIPAA, is it always better to be safe than sorry? Security experts say there is such a thing as being too cautious.
Many providers believe HIPAA should be treated like well-regarded advice from your mom: It's better to be safe than sorry.
But that mentality is not always the right one. Sometimes practices can be too cautious with HIPAA. There is a difference between ensuring protected health information (PHI) doesn't fall into the wrong hands and preventing patients from rightfully accessing their own PHI. While a practice's staff is the biggest weakness in defending PHI and complying with HIPAA, staff can also go too far in the other direction, experts say.
"People just say, 'Oh, it's a HIPAA violation.' You can actually get into trouble when it's not a HIPAA violation and people have a right to their information, or need access to reconcile an issue," says Rachel V. Rose, a Houston-based attorney who focuses on healthcare regulatory compliance issues.
HIPAA's Privacy Rule includes an individual right of access, described in HHS guidance titled "Individuals' Right under HIPAA to Access their Health Information." Under it, HIPAA covered entities, such as providers and payers, must give individuals access to their PHI upon request. In other words, staff who refuse such a request in the name of enforcing HIPAA can actually be breaking the law. Rose says this comes down to a lack of training, and she has experienced it firsthand.
"I had a billing issue with a hospital. I went into the finance department and I said, 'I have this diagnostic procedure, can we pull this up and work through this?' [Their finance person responded to me], 'Oh I can't pull up your records, it's a HIPAA violation,'" recalls Rose.
As Rose says, that claim was false. HIPAA defines PHI broadly as identifiable information about a patient's past, present, or future health condition, treatment, or payment for care, so the billing records themselves are PHI that the billing department already handles. "How can someone in billing who gets the code from the medical records they are reviewing say they don't have access to the medical records?" she says. The situation was resolved only after Rose got on the phone with the hospital's general counsel, who explained the rule to the billing staff.
It's not just providers being too cautious with patients; it's providers being overly careful with fellow providers too, says Kyle Haubrich, counsel with St. Louis-based Sandberg Phoenix & von Gontard P.C., a healthcare law firm. To transfer a patient record between offices, Haubrich says he has seen specialty practices require primary-care practices to sign a business associate agreement (BAA) and also ask the patient to sign another HIPAA release form.
"Under the law, doctor to doctor can have anything they want in order to treat the patient... you don't need a BAA between the [specialty] and [primary-care] physicians. You don't need the patient to fill out another release form. The information flow under HIPAA from doctor to doctor is endless. They can literally have whatever they want, to treat the patient," Haubrich says.
Haubrich says that practices that have been breached, or that know someone who has been breached, often respond by going "way overboard." Those practices have to be reined back in, he says.