ProPublica has been running a series of lengthy articles about HHS Office for Civil Rights (OCR) enforcement that are worth reading.
A Sustained and Vigorous Critique of OCR HIPAA Enforcement
A ProPublica article from early in 2015 noted that HIPAA fines were quite rare. The article noted that from 2009 through 2014, more than 1,140 large data breaches were reported to OCR, affecting 41 million people. Another 120,000 HIPAA violations were reported affecting fewer than 500 people. “Yet, over that time span,” the article notes, “the Office for Civil Rights has fined health care organizations just 22 times. . . . By comparison, the California Department of Public Health . . . imposed 22 penalties last year alone.”
Whenever I go to a doctor and am asked what I do for a living, I say that I focus on information privacy law.
“HIPAA?” the doctors will ask.
“Yes, HIPAA,” I confess.
And then the doctor’s face turns grim. At first, it looks like the face of a doctor about to tell you that you’ve got a fatal disease. Then, the doctor’s face crinkles up slightly with disgust. This face is so distinctive and so common that I think it should be called “HIPAA face.” It’s about as bad as “stink eye.”
HIPAA doesn’t handle patient access to medical records very well. There are many misunderstandings about patient access under HIPAA that make it quite difficult for patients to obtain their medical information quickly and conveniently.
Getting records is currently like a scavenger hunt. Patients have to call and call again, wait seemingly forever to get records, and receive them via ancient means like mail and fax. I often scratch my head at why fax is still used today — it’s one step more advanced than carrier pigeon.
Suppose your elderly mother is being treated at the hospital for a heart condition. Your mother tells her doctor that you can have access to her health information. The doctor, however, doesn’t disclose the information to you.
The doctor thinks that you can only have the information with a signed written authorization. Is this correct?
No. HIPAA doesn’t require a signed or even a written authorization. If a patient tells a doctor that protected health information (PHI) can be shared with family or friends, then that’s all that is needed. The doctor can disclose it to you.
So has the doctor violated HIPAA by refusing to disclose the PHI?