
Does HIPAA guarantee access? – Ep 397 

March 10, 2023

By Donna Grindle

Let’s face it, family dynamics can be complicated and not everyone gets along. HIPAA is designed to ensure that everyone’s health information is kept confidential and that only the appropriate individuals are given access. Believe it or not, HIPAA does not guarantee all relatives access to another relative’s protected health information.

Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity.

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!


Hot off the presses!

[01:49] Feds promise to trim backlog of health care investigations

The office will reorganize in an effort to more quickly investigate such complaints, the agency said Monday.

The office will keep a dedicated division to investigate HIPAA complaints, with a focus on the growing segment of cybersecurity breaches. It will also have three new different divisions with staff that focus on each of the following: policy, strategic planning, and enforcement.

“This structure will enable OCR staff to leverage its deep expertise and skills to ensure that we are protecting individuals under the range of federal laws that we are tasked with enforcing,” HHS Office of Civil Rights Director Melanie Fontes Rainer said in a statement.

[10:03] CISA Leader Tells MSPs Cyber Insurance Market ‘Fueled Rise In Ransomware’

In another kind of discussion, CISA’s Executive Director, Brandon Wales, spoke at Right of Boom, a security-focused IT conference. The article written by O’Ryan Johnson pointed out a few juicy comments in his discussion. Specifically, as the headline states, this one:

“Insurance companies didn’t price the market correctly and they suffered for it with the rise of ransomware. I would argue the insurance market fueled that same rise in ransomware because they made payment of ransoms far easier to happen. And they put a lot of companies under retainer to negotiate with criminal organizations,” says Brandon Wales, executive director of the U.S. Cybersecurity and Infrastructure Security Agency.

HIPAA Say What!?!

[17:46] An article was passed along to me that covered a situation someone experienced. In it, the author insisted that HIPAA “guarantees” all family members with a “blood” relationship access to the patient and their information. The question was, is it true? Does HIPAA “guarantee” access to family members?

Normally, I would share the link to the article but the author is not the one who sent it to me and it included very personal information. I don’t feel it is right to include it. But, here is the gist of the story.

Mom has been ill for years. The two siblings do not get along, and the author even said they hadn’t seen their sister in 20 years. Not a good footing, but we know it happens. Mom has a relationship with both children. The sister is the one who lives near Mom and takes her to her healthcare appointments. However, the author insists that neither of them has a power of attorney over Mom’s affairs.

The sister blocks the author’s access to Mom whenever she is hospitalized, which has happened a couple of times over the last year. Supposedly, the hospital requires people to have a “security code” to learn information about the patient and what room they are in. Without that code, you can’t get information, not even what room number the patient is assigned. The story goes on with all kinds of trauma and bitterness that you would expect. Now, it is important to note that we only have one side of the story, but let’s assume the details are all true.

To answer the question, HIPAA does not guarantee all blood relatives will have access to patients and their information. Period. HIPAA guarantees the patient’s right to privacy and access to their own records. No one is taking a DNA test to get access to information.

The most important part from a HIPAA perspective is the lack of legal documentation. If there truly is no POA, the hospital can only follow its internal policies. The author should address that problem one way or another: get a POA in place or a court order that allows them access to Mom and her information. Your family issues are not the hospital’s responsibility to resolve.

It is really sad how many families are fractured and that these situations occur. On one hand the hospital, and other care providers, should not be the ones forced to handle these family issues. The patient should be the focus of their efforts, not some battle between all of their family members. Especially these days, there is simply not enough bandwidth for most providers to handle the load they already have just to do their jobs.

The flip side of that point is that part of caring for the patient is to make sure they have the support and care they need from those who love and care for them. Access to patient status and even their room to visit them comforts the patient and their loved ones.

Unfortunately, this situation is a frequent issue that gets dumped in the laps of many healthcare providers. Without any official legal documents or court orders, providers must rely on their internal policies and procedures as well as their own professional judgment as to what is best for the patient.

I hate to hear anyone use HIPAA as an excuse for things. We have discussed that many times. However, the author’s complaint that the hospital policy is the problem and their “legal” opinion are both misplaced. The problem is your family issues and your own lack of legal standing. The policies being followed, as described in the article, sound solid. The sister is admittedly the primary caretaker and therefore Mom’s personal representative. That is who the hospital must listen to and deal with, unless you can provide legal standing otherwise. If I were advising the providers, it sounds like they are doing exactly what they should be doing.

If I were advising the author, I would suggest the only way they can get the same access as their sister is to get a court order or some official legal documentation added to Mom’s records, or a directive directly from Mom. And also, don’t advise anyone that HIPAA guarantees access to patient information for anyone other than the patient and their personal representative. It is just not true. If the “blood relative thing” were really a thing, we would have a whole new set of problems.

From personal experience, I encourage everyone to make it clear to their providers, with proper documentation, who their personal representatives are. If this crap was happening when I was unable to speak for myself, they better hope I never recover. I would be on the warpath for sure the minute I learned about it.

OCR published a handy guide to share with anyone concerning sharing your information with family members and friends: Sharing Health Information with Family Members and Friends

What does HIPAA cover?

[32:03] First, you have to make sure you understand whether the situation is even covered under HIPAA in the first place. We have addressed that many times, especially over the last few years. Not all providers of care are covered under HIPAA. Also, any entity that is covered under HIPAA could have business partners with access to your PHI, and those partners may or may not be covered under HIPAA themselves; more of them are than are not. It is another fact-specific determination. For this discussion, we will assume the answer is yes.

That brings us to the next question. What information in our enterprise are we obligated to protect under HIPAA rules? Again, we have discussed several times that protected health information is covered under HIPAA, but not all health information is protected health information (PHI). There is also a term in HIPAA called the “designated record set.” Not all information about a patient is necessarily included in the designated record set.

I answered a question for a blogger recently who was asking about Google Analytics being outside the recent web tracking guidelines. He wanted to know if this would make Google Analytics with personally identifiable information (PII) a problem for HIPAA entities without a BAA in place. (Google’s BAA does not include their analytics tools.) My response was twofold: first, you must determine if the data included in the analytics is actually PHI. Then determine if you need a BAA or need to make a change.

In theory, the URL visited combined with the IP address could together constitute PHI. So, as another response pointed out, the devil is in the details. For every case, someone needs to determine if the information is PHI, which is basically what the guidance says we should do. If you have PHI, then you need to figure out the rest. Otherwise, HIPAA doesn’t apply.

So, we get through the evaluation and determine we have PHI in a designated record set held by a CE or a BA. Now, and only at this point, am I responsible for the Confidentiality, Integrity, and Availability of that PHI.

[35:47] Patient rights under HIPAA:

  • To view or make a copy of the information in their designated record set. It is the only required disclosure under HIPAA (except when HHS wants to confirm you are protecting the PHI and needs to see it). This is the right they have been enforcing like crazy.
  • Have corrections added to your PHI. Note: Even if the provider doesn’t agree with the amendments you requested you can ask for your request and those details to be included in your records. (Amendment Request)
  • Get information about how your information is used and disclosed (Notice of Privacy Practices)
  • Decide if you want to allow your information to be used or disclosed for the entity’s fundraising or marketing communications.
  • Request restrictions to who can use or disclose your information.
  • Get a report on why your information was shared for certain purposes. (Accounting of disclosures)

Here is the important part:

Your health information cannot be used or shared without your written permission unless this law [HIPAA] allows it.

Patients have the right to control who has access to their medical information. If you haven’t done so, read a Notice of Privacy Practices (NPP) from your healthcare provider. It will explain a patient’s rights under HIPAA.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
