Confusion over HIPAA Causes Grief in Orlando


After the horrific shootings in the gay dance nightclub that killed 49 individuals, 53 survivors were rushed to surrounding hospitals.  In the hours that followed family members anxiously sought updates about their loved ones.  Yet, confusion over the privacy rules that govern health information prevented them from getting immediate access to what they surely needed to know. Confusion was not restricted to hospital staff.  Reporters and political officials alike were confused about what the law permitted.

This is not the first time that HIPAA-related confusion affected a gay patient: in 2010 President Obama took steps to address anti-gay discrimination when Janice Langbehn was denied visitation and updates about her partner’s condition in a Florida hospital.

Rules under the Health Insurance Portability and Accountability Act (HIPAA) generally prohibit release of a patient’s information without the patient’s explicit consent.  The CEO of the Orlando Regional Medical Center reportedly asked Orlando Mayor Buddy Dyer for a HIPAA “waiver” so that the victims’ loved ones could be informed of their condition.  The Mayor sought such a waiver from the White House.

Numerous news outlets reported that the mayor had received his waiver.  One outlet called this waiver “unique.”   By declaring a “national emergency,” it explained, “President Barack Obama and Secretary of Health and Human Services Sylvia Mathews Burwell made it easier for family and friends to gain quicker access to information—the right move in such a circumstance.”

Very little of this is correct.  As officials later noted, there was no waiver at all.  Rather, HIPAA allows the common sense release of information to relatives of patients that are incapacitated.  When CEOs of major hospital systems and healthcare reporters get essential aspects of HIPAA wrong, it is important to know why.

HIPAA permits release of information without patient consent in two different scenarios.  First, in some cases, a health care provider may release information as long as the patient has been given a reasonable opportunity to object to the release.    This category includes releasing information to update family members and close friends in certain circumstances. 

Next, there is a limited set of situations where no authorization is needed.  This includes cases where the patient may pose a threat to public health, or for law enforcement needs, such as reporting child abuse.

This category also includes situations where the President declares a national emergency and the Secretary of HHS declares a public health emergency.  Most news outlets appeared to believe that this was what had happened here—except that the HHS Secretary appears not to have issued any such declaration. Nor did she need to: the release of information to family members would not have helped avert any emergency.  The crime had already been committed.  The release here was more about notifying loved ones.  The privacy issue in this vile mass murder is no different than keeping loved ones informed during any other kind of medical incident. 

HIPAA allows release of information to “a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death.”   If the patient is in a condition to object to the disclosure, the provider must give the patient an opportunity to object.  Otherwise, if the patient cannot object—because, for example, he is incapacitated—then the provider can “in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual”.  If she believes the disclosure is in the best interest, she can release information that is relevant at the time. That means, for example, a doctor or hospital cannot generally just release the entire medical record to a family member, but can notify the family member how the patient is faring after the particular incident.

HIPAA permits doctors to update family members of any shooting victims. Clarity over HIPAA rules is necessary to address both mass shootings and cases where family members simply seek to learn about their loved ones after far more routine injuries and accidents.

–Arthur Caplan is Director, Division of Medical Ethics at NYU Langone Medical Center. Craig Konnoth is a Sharswood Fellow & Lecturer at Penn Law School and Rudin Fellow in Bioethics at NYU Langone Medical Center.


8 replies »

  1. To be sure, per this excellent and timely post and the comments, this is a HIPAA “teaching moment” that should not go unused by the feds, hospitals and both lay and trade news outlets.

  2. Indeed. And the problem is, you can get fined heavily for infractions that no one completely understands.

  3. 1996: Let’s write and pass a law titled Health Insurance Portability and Accountability Act. Oh, and let’s throw in some stuff about information and privacy in there, but make it as unreadable as everything else we push out of our legislative sausage factory. What could go wrong?

    Every.Single.Year.Since.: You need information on your loved one, or even YOURSELF, from the medical-industrial complex? We can’t. Because HIPAA.

    No one understands HIPAA. Not even HHS/ONC. Any surprise, then, that providers have no earthly clue what HIPAA does, and does not, allow re information disclosure? I have to battle like a dragon to get my OWN information. So that whole “common sense disclosure” thing is a canard.

  4. So you’re saying HIPAA allows the use of common sense, rather than requiring a declaration of national emergency from Washington? How un-dramatic. No wonder everyone got it wrong.

  5. There is so much confusion and disinformation on this policy it has affected many avenues of patient care and information dissemination, most of it adversely.

  6. It’s not only old, in addition only 13 of the 167 pages address privacy. Privacy was an afterthought added in at the 11th hour in some legislative horsetrading, according to JD Kleinke.

  7. Right on, Leo.

    This is a good example of the need for most policy to come from the bottom up…by incremental evolution. Before HIPAA really works it is going to have to go through many exigencies and trials in the trenches…like forging iron into steel. Policy makers don’t have the imagination to guess reality’s impact on policy.

    Today, Russian hackers got into opposition research at the Democratic National Committee. I think the EHR is hanging on by a frazzled thread in the public’s mind after each of these IT disasters.

  8. This is not new legislation. How was it so misunderstood? Too complicated? Too much fear mongering behind any possible infraction? Policy that intelligent people cannot understand or interpret is bad policy.