HIPAA Privacy Rule


A Not-So-Far-Fetched Seinfeld Episode

In a Seinfeld episode called “The Package” from 1996, airing just months after HIPAA was passed, Elaine goes to see a doctor for a rash.

She discovers that her medical record says “difficult,” so she complains to her doctor.

The doctor says that he’ll erase it, and he starts to erase. But Elaine notices that the notation is written in pen and accuses the doctor of lying about erasing the notation.

The doctor then starts scribbling notes in Elaine’s file. Elaine asks: “What are you writing?” The doctor walks out.

Elaine goes to a new doctor, who seems quite cheerful and friendly at first. Then a nurse hands him Elaine’s chart. “Oh, where did you get my chart?” Elaine asks.

“From your last doctor,” the doctor replies. “Standard procedure.”

Elaine exclaims: “Oh, I can tell you my whole history, let’s just . . .”

The doctor looks up from the chart with a grimace.  He glances at Elaine’s arms quickly, says that the rash doesn’t look serious, and dashes out the door.

Although fictional, this scenario isn’t so far from reality.

But there’s HIPAA, right? Doesn’t HIPAA provide patients with a lot of control over their medical records?

The answer: Not really.

HIPAA provides a right to access one’s medical record. HIPAA gives people the right to consent to disclosure of their protected health information (PHI) for certain purposes (such as marketing). But HIPAA doesn’t provide patients with consent over the disclosure of their PHI when their own treatment is involved.

HIPAA Fails to Provide Enough Control Over Medical Records

HIPAA doesn’t actually allow people to correct their medical records – instead, it provides people with a right to “amend” the record by adding in additional information.  But if a person wants to remove erroneous information, that person is generally out of luck. Additionally, if a person wants to share selective information with a doctor, that person cannot readily do so.

HIPAA also fails to provide patients with the right to restrict disclosure of PHI for treatment purposes. Patients may not want every doctor to have their medical records because they might want the doctors to look at their case with fresh eyes – especially when seeking a second opinion.

But can’t people just hide the fact that they saw other doctors from a new doctor? These days, it’s not easy. For example, it won’t work for medical records in hospital chains or university hospitals, where every doctor in the system has access to the records. Increasingly, independent physician practices and hospitals are being bought up by large chains and systems.

Why Does Patient Control Matter?

One might wonder why all this matters. Records can be amended to add corrective information. And why would a patient not want medical information shared with other doctors for treatment purposes?

Here are a few hypotheticals that illustrate concretely why patients need more control:

1. The Rare Disease Ordeal

Harry has a rare, difficult-to-diagnose disease affecting multiple organ systems. He is initially given a diagnosis, but he has doubts. As he researches more online, his doubts grow. He sees another doctor for a second opinion. That doctor reviews his medical file and agrees with the first doctor.

But Harry is concerned that the second doctor is not approaching the case with an open mind. The doctor dismisses Harry’s online research and says a few times how respected and esteemed the first doctor is. Harry sees a number of other doctors – specialists in a variety of fields — but with each one, the record becomes more unanimous.

Harry is frustrated because he just wants a doctor to look at his condition with an open mind, and that is becoming harder to do because it is harder for doctors to depart from the opinions of so many others.

Many rare diseases can take years to diagnose, and many wrong diagnoses are collected during the process of finding the correct one.  These wrong diagnoses can impede the patient’s ability to progress because they stick around and never go away. A person’s journey to find a diagnosis for a rare condition will wreak havoc on his or her medical record as bad information starts accumulating like barnacles.

A cognitive bias known as “anchoring” can lead doctors to accept initial diagnoses without sufficient skepticism. For example, according to an article by a physician, anchoring “explains [many doctors’] willingness to accept a patient’s initial diagnosis made in the emergency room without further thought.” As another physician-authored article notes, anchoring “is often considered the Achilles’ heel of diagnostic reasoning. . . . Once a patient is ‘billed’ as a heart attack, or gastroenteritis, or anxiety, we view every data point through that particular lens.” The article goes on to note that sometimes an initial diagnosis can be like a “label” attached to people that “takes on a life of its own.”

To help counteract the cognitive biases, Harry would like to withhold information about his prior diagnoses from new doctors who evaluate him. But he will have a very difficult time doing so.

2. Mental Illness Discrimination

Sandra has been diagnosed with bipolar disorder. This diagnosis is correct. She begins to experience a number of new physical symptoms such as fatigue and memory loss. But when she goes to doctors to get a diagnosis, the doctors quickly ascribe her symptoms to her mental illness or dismiss her complaints because they doubt the accuracy of her description. Sandra is concerned that her mental illness diagnosis is biasing doctors, and she wants to exclude it from her records when she sees doctors to explore her new symptoms.

As a New York Times article notes, numerous studies show that people with mental illness receive worse medical care than those without mental illness.  The article discusses how studies demonstrate that people with mental illness diagnoses experience great trouble when treated for other conditions. They “end up with wrong diagnoses and are under-treated.”

People with mental illness — even those with common mental illnesses such as depression and anxiety — are frequently not taken seriously by doctors. These patients are often not trusted when providing accounts of their health conditions — even when unrelated to the mental illness.

Sandra thus has sensible reasons not to want all her doctors to know about her mental illness, as it might impair her ability to get the best treatment. Moreover, she doesn’t feel comfortable with every doctor knowing about her mental illness. She doesn’t want to discuss it with every doctor. When she sees a doctor for her injured knee, she doesn’t believe that her mental illness is relevant and doesn’t want to talk about it.

A common myth about HIPAA is that it provides special protection for records involving mental illness. It doesn’t. HIPAA’s special protections are only for psychotherapy notes, not for all PHI related to mental health.

3. Insinuation of Hypochondria

Mark had a terrible experience with a doctor, who insinuated in his report that Mark was a hypochondriac. The doctor didn’t directly accuse Mark of faking illness, but the doctor’s notes are highly suggestive of this. Mark now is concerned that when doctors look at his file, they might be biased by this one doctor’s report.  He views himself as marked with a kind of scarlet letter that will make all future doctors skeptical of his veracity.

4. The Error-Riddled Record

Amber visited a doctor who issued a report that was riddled with errors. The report made dozens of mistakes in her medical history. Amber has amended her record to add in correct information, but she is concerned that the presence of all the errors will not be fully cured by adding in the correct information. Doctors who read both the report and Amber’s amendment might forget which one is accurate, as there are a lot of details and it is a challenge to keep straight what is correct and what is wrong.

What Rights of Control Should HIPAA Provide?

In all of the cases above, patients lack much recourse under HIPAA. This is a serious shortcoming of HIPAA.

Of course, there are some valid reasons why patients cannot just delete any information they want from their medical record. Information, even if in error, is important to preserve in the event of a lawsuit.

However, patients should have a right to control the protected health information (PHI) that doctors provide to other doctors for treatment purposes. HIPAA should not allow doctors to share patient PHI when patients have indicated they don’t want it to be shared. Patients should be able to limit the sharing of their PHI by being allowed to withhold some or all of their PHI unless there is a compelling need to override patient wishes.

Doctors are human, and they are subject to bias just like any other person. Patients should be able to exercise better control over the PHI about them that doctors are exposed to. Some doctors might object, arguing that patients might withhold useful information or try to hide or distort things. Although some patients might do these things, ultimately, this is a small price to pay, as many patients have legitimate reasons for restricting doctor access to their records.

One of the core tenets of the medical profession is that effective treatment depends upon patients developing a relationship of trust with their doctors. Doctors rely on patients to tell them many things, and the patient is in control. So it is not asking too much for patients to have more control over the records that doctors can see.

HIPAA should foster patient self-determination. Healthcare is for patients, and patients must be at the center of their own treatment. How one’s PHI is shared with other doctors can be a significant aspect of a patient’s treatment. Patients should have more control over the information they want their doctors to see about them. On this issue, HIPAA falls short.

* * * *

This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. This post was originally posted on his blog at LinkedIn, where Solove is a “LinkedIn Influencer.” His blog has more than 1 million followers.

Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 24-26, 2016 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.
