Carol Levine: Testimony on HIPAA before U.S. House of Representatives, April 26, 2013
Subcommittee on Oversight and Investigations, Committee on Energy & Commerce
Carol Levine, director of the Families and Health Care Project at United Hospital Fund, presented the following testimony on HIPAA before the U.S. House of Representatives' Subcommittee on Oversight and Investigations, Committee on Energy & Commerce, on April 26, 2013.
Chairman Murphy, Ranking Member DeGette, and Subcommittee members, I am honored to be with you today to talk about the experiences of family caregivers with HIPAA, the federal privacy law.
My approach to this subject starts with a few basic assumptions.
- First, good clinical care depends on good communication.
- Second, HIPAA was not intended to override good clinical care.
- Third, the interests of the patient, not health care professionals or organizations, should be uppermost in considerations about privacy.
- Fourth, most patients, particularly those with chronic or serious illnesses, are not isolated individuals living in a world of abstract principles or hypothetical situations. They, like all of us, exist in a network of relationships that give meaning to their lives and support them through their illnesses. Family – defined broadly to include people the patient identifies and trusts whether they are related by blood or marriage – are at the center of this network.
- Fifth, the health care and long-term care systems in the community could not exist without the unpaid contributions of family members.
Although it was not the intent of the law, HIPAA has been interpreted and misapplied as a barrier to communication with the very people who have a deep and often lifelong relationship with the patient and who will be responsible for managing or providing care in the community. When a family member asks almost any question relating to a family member’s care and treatment, this is what they too often are likely to hear: “I can’t tell you because of HIPAA.” End of conversation.
This is a misinterpretation of HIPAA. Here is what the Health and Human Services’ Office of Civil Rights, responsible for monitoring HIPAA, says: “The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care.” The only exception is if the patient objects. I will say more about that later.
Family Caregivers and Why They Need Patient Information
Before I suggest some reasons why this discrepancy between the law and its implementation exists, let me say a few words about family caregivers. There are an estimated 40-50 million family caregivers in the U.S. The unpaid labor of these relatives, partners, and friends is estimated to be worth $475 billion a year.1 They provide 80–90 percent of the long-term care in the community for an aging population with multiple chronic conditions, including Alzheimer’s disease and other dementias. Without this essential family support, these individuals would require nursing home care, which is not what they or their families want, and certainly would add enormous cost to an already strained system.
Health care currently focuses on encouraging patients and families to become more “engaged,” “activated,” and “self-reliant” in care. These efforts, as well as HIPAA itself, assume a competent adult patient, able to absorb complicated information and act on it. But many of the patients most at risk for poor outcomes and hospital readmissions—older adults with multiple chronic conditions, including cognitive deficits—are not able to become actively engaged. Several studies have demonstrated that hospital patients do not remember or do not understand the medications they are supposed to take at home. In one study patients younger than 65 were unable to name 60% of their medications, and people over 65 could not remember 88% of these medications.2 Recently discharged patients rely on a family member or friend to help them at home and to manage or provide follow-up care.
Recently doctors have described a “post-hospital syndrome,” 3 a condition family caregivers know well. Even in ordinarily healthy and competent people, the experience of hospitalization itself, particularly a stay in an ICU, can create temporary lapses in cognitive function and independence. For elderly people who are already frail or confused, the problem is even worse. Dr. Peter Pronovost of Johns Hopkins University says, “Patients in this state of mind are in no condition to understand discharge instructions such as how to keep wounds clean or when to take medications. It’s easy to see how the patient can quickly decline.” 4 Yet hospital staff continue to say to a family caregiver, “I explained everything to your mother. Just ask her what to do.”
For 17 years I was one of this army of invisible family caregivers. I took care of my late husband, who had a traumatic brain injury and was quadriplegic, at home. And for the past 15 years I have directed the Families and Health Care Project at the United Hospital Fund, a nonprofit health services research and philanthropic organization. We work to raise awareness among policymakers, health care professionals, and regulators about the importance of training and supporting family caregivers who take on this daunting challenge. To help family caregivers and health care providers work more closely in partnerships, we created a website—www.nextstepincare.org. The website is home to 25 guides for family caregivers in English, Spanish, Chinese, and Russian, and a robust complement of guides for providers. The guides to HIPAA were among the first on the website and in recent months they have become the most frequently downloaded.5 I think that says something about the level of confusion that exists in the public and among health care providers as well.
In 2012 the United Hospital Fund and the AARP Public Policy Institute collaborated on a national survey of family caregivers to determine the extent of the medical/nursing tasks they perform, how they learn to do these tasks, and who helps them.6 We found that nearly half (46 percent) of family caregivers were doing one or more medical/nursing tasks (defined as medication management of various kinds, wound care, monitoring medical equipment, or similarly demanding tasks), in addition to the personal care and household chores more usually associated with family caregiving. When asked who taught them, these caregivers typically responded, “I learned on my own.” Yet their family members, most of whom had multiple chronic conditions, had been to hospital ERs or had been admitted to the hospital, sometimes more than once, in the previous year. And when we asked who else helped at home, the answer again typically was, “No one.” Family caregivers arrange doctor appointments, transportation, supplies, and other necessities. In effect, they are care managers without portfolio. You can see why we titled the survey report, “Home Alone: Family Caregivers Providing Complex Care.”
We did not specifically ask about HIPAA in this survey. But in my work I hear regularly from family caregivers all over the country who tell me their stories about being shut out of important discussions about their ill family member and about feeling helpless and terrified when they get home and realize that they don’t know what to do to take care of their relative. When I talk to groups of caregivers and professionals, I often ask if anyone has had an experience with HIPAA. Invariably many hands are raised, and heads nod in agreement. I particularly remember one family caregiver, a big, burly detective who takes care of his father. He said, “It’s my job to get information from people who don’t want to talk to me. But when I come to the hospital and ask about my dad, I can’t get anyone to tell me what’s going on.” If he couldn’t jump over the HIPAA barrier, what chance do the rest of us, lacking his confidence and skills of persuasion, have?
My HIPAA Experience
In my previous professional experience, I worked at The Hastings Center, a bioethics institute, and was active in advocating for strict confidentiality protections for people with HIV/AIDS, who often suffered loss of housing, employment, and benefits because of unauthorized disclosures of their diagnosis. So it was with some chagrin that I recently found myself on the wrong side of the privacy law. My sister, who was in severe abdominal pain, asked me to accompany her to the emergency room of a major New York City medical center. We waited and waited and finally a triage nurse told my sister to follow her into a room. I got up to join her, but the nurse stood in my way, saying, “You can’t come with her. It’s a HIPAA rule.” My sister said, “But I want her with me.” No way. I should have insisted, but I had learned from my long experience with my late husband that a family member who raises questions or challenges a nurse quickly gets labeled as a pest or an even nastier epithet, and I did not want to jeopardize my sister’s care. (She recovered and is fine, despite two very unpleasant days on a gurney in the ER corridor.)
Why Did We Need HIPAA in the First Place?
Before HIPAA, confidentiality of medical information was covered by a patchwork of state laws and regulations that sometimes conflicted and certainly confused practitioners as well as patients. HIPAA was primarily intended to give workers and their families the right to transfer their health care insurance from one job to another without penalties and to simplify administrative processes in transmitting information, especially electronically. The privacy provision was included as the final section of the law, although it has come to be its most familiar segment.
The Privacy Rule, finalized in 2003 and revised several times since then, was intended to sort out these problems and give providers clear direction. In 2009, as part of the American Recovery and Reinvestment Act (ARRA), the expansion of health information technology was included as the Health Information Technology for Economic and Clinical Health (HITECH) Act. This act significantly increased the enforcement provisions of HIPAA, especially around security and transfer of electronic personal health information.
The “HIPAA Scare” and Enforcement
In many institutions, however, HIPAA was introduced by lawyers and risk managers who stressed the legal and financial consequences of failing to comply with regulations. Regardless of the trainers’ intent, staff members who attended these sessions clearly heard the message, “If you want to be safe, don’t tell anyone anything.” One professional in the United Hospital Fund’s Transitions in Care–Quality Improvement Collaborative remarked that in her organization, even asking a patient if a family member helps him at home is considered a HIPAA violation.
This training was not so much about protecting patients as protecting oneself and the institution. The result was what has been called the “HIPAA scare,” a situation in which even patients were not given information about their condition because of fears that the nurse or doctor would get into trouble. (Patients’ inability to access their own information is the third most common problem reported to the United States Department of Health and Human Services’ Office of Civil Rights.) That fear has been passed on to new employees, who may trust what they learn through informal communication more than what they are told in formal trainings.
At the same time, fears have been reinforced by reports that institutions have been fined and employees censured or fired because of HIPAA violations. The most publicized violations have been failures to protect large amounts of data, not unwarranted disclosures of an individual patient’s information. After a year-long examination of cybersecurity and vulnerability to hackers, the Washington Post concluded that health care is among the most vulnerable industries in the country, in part because of aging technology and failures to fix known software flaws.
Fears that an individual doctor or nurse can be sued for disclosing information are common but exaggerated. An individual who believes that protected health information has been inappropriately disclosed has no legal recourse under HIPAA other than a complaint to the Office of Civil Rights. Although HIPAA creates a right to privacy, there is no right to sue a doctor, nurse, or hospital. The individual can file a lawsuit under state law alleging violation of privacy, and would bear the burden of proving harm, but HIPAA would not be a factor. State investigations can, however, result in fines. Some of the HIPAA violations that have resulted in staff being fired relate to theft of social security numbers or credit card numbers, which were crimes before HIPAA. Other violations have involved staff checking out their neighbors’ or ex-spouses’ information, or a celebrity’s data. These are bad enough, but they should not be confused with a daughter’s justifiable desire to know what kind of follow-up care her mother will need, especially if she is going to be the one expected to provide it. With increasing attention under HITECH to breaches of confidentiality and increased penalties, it is possible that a new “HITECH scare” may emerge. While there is ample reason for concern about lax security, it would be unfortunate if this new wave of compliance anxiety overshadowed basic principles of communication and good clinical care.
HIPAA’s Chilling Effect on Communication
While fears of being sued or fined are certainly prevalent, in my opinion the overriding reason HIPAA is used to cut off communication is that it serves as a convenient excuse not to talk to families or listen to what they know about the patient. If families are kept at arm’s length, it is easier to avoid difficult conversations about prognosis or treatment options. With some exceptions, health care professionals are not well trained in or skilled at communicating with laypeople—patients first of all, but even more so their families. Families are welcomed in marketing material, not so much in hospital rooms.
Part of the reason HIPAA has been so misunderstood and misused is that it fits neatly into an already well-established pattern of keeping family caregivers at arm’s length. Families ask questions. They want answers. If they are doing their job, they are good advocates for their family members. A law that limits sharing information offers a convenient but misguided rationale for withholding information.
Health care providers, schooled not only in HIPAA law but also in patient autonomy, sometimes make assumptions about patients’ concerns over privacy. In fact, most patients want—and need—the support and understanding of the key people in their lives. Almost four in five respondents in a recent study of over 18,000 veterans were willing to share access to their electronic health records with family members and other nonprofessionals.7 Social support is clearly an important element in managing chronic illnesses, and it is difficult for family and friends intimately involved with the patient’s care to provide that support without relevant information.
As I noted, there are certainly cases in which a patient adamantly refuses to have information shared with some or all family members. The reasons may be varied. For example, a relative long out of the family picture shows up unexpectedly and demands information about the patient’s condition. Or the patient has had a long history of conflict with a particular family member and does not want to share any information. In our experience working with over 40 health care organizations in New York City, however, we find that the most common reason is not related to privacy at all but to a desire not to burden a family member with responsibilities.
“I don’t want my daughter to worry about me. I will be fine on my own.” Understandable but unrealistic and ultimately self-defeating. These cases require negotiation, especially if the family member is going to be responsible for follow-up care. At the same time, health care providers should not agree to withhold vital information from the patient at the family’s request unless the patient has asked not to be informed. Establishing rules for communication is important and is best accomplished at the outset of care.
- OCR should reinforce to health care providers the provision in HIPAA that permits disclosure of relevant protected patient information to family caregivers or others who are going to be responsible for providing, managing, or paying for a patient’s care.
- As part of its Conditions of Participation, the Centers for Medicare and Medicaid Services (CMS) should encourage hospitals and other covered entities to convene a group of senior leaders and staff to review relevant elements of the organization’s privacy policies and practices. This should include general information about HIPAA compliance but also any specific practices that deviate from the general rules (requiring written consent, for example, for disclosures to family members). It should also include information about the protections in place to protect the security of data collected and stored in an electronic health record.
- Staff should be trained (or retrained) on HIPAA and HITECH so that all understand the same principles and rules. As a practical matter, it helps to have one or two family members be designated to receive updates and to avoid giving information over the telephone to unfamiliar people.
- CMS should encourage health care organizations to create a simple statement of the organization’s policy and practices that patients and family can understand. Patients are required to sign a legal disclaimer that they have been informed about the organization’s policies, but these are usually written in language that only health care lawyers can understand. Instead of giving patients confidence that their information will be protected from theft and misuse, these statements usually describe the many ways in which the organization can use the patient’s information.
Thank you for your attention and I will be glad to answer any questions.
1 Feinberg, L., Reinhard, S.C., Houser, A., and Choula, R. Valuing the Invaluable: 2011 Update. The Growing Contributions and Costs of Family Caregiving. Washington: AARP Public Policy Institute, available at http://assets.aarp.org/rgcenter/ppi/ltc/i51-caregiving.pdf
2 Science Daily, December 10, 2012. http://www.sciencedaily.com/releases/2009/12/091210000845.htm
3 Krumholz, H.M. Post-hospital syndrome—an acquired transient condition of generalized risk. New England Journal of Medicine Jan 10 2013; 368(2): 100-102.
4 Quoted in http://www.usatoday.com/story/news/nation/2013/01/22/patients-post-hospital-syndrome/1853813/
6 Reinhard, S.C., Levine, C., and Samis, S. Home Alone: Family Caregivers Providing Complex Care. Washington and New York: AARP Public Policy Institute and United Hospital Fund, 2012. Available at: http://www.uhfnyc.org/publications/880853
7 Zulman, D.M., Nazi, K.M., Turvey, C.L., et al. 2011. Patient interest in sharing personal health record information. Annals of Internal Medicine 155:805-810.