The Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rule (1) is a complex regulation that was developed to address growing concerns about electronic access to and use of private health information. The final rule applies to "covered entities," including psychiatrists and other mental health providers who electronically transmit protected health information (2). The rule defines protected health information as individually identifiable health information transmitted or maintained in any form by a covered entity or its business associate. As such, it includes past, present, and future information related to health conditions, health care, and payment for health care.
The privacy rule also codifies acceptable uses and disclosures of protected health information. HIPAA provides for assessment of compliance through reviews (3) and establishes penalties for noncompliance (4). Up to this time, the clear focus of mental health professionals has been achieving HIPAA compliance (5,6,7). Less attention has been given to the impact that these compliance efforts may have had on patient care. We present three case vignettes that illustrate such an impact in a community-based mental health system. We then identify and discuss key issues and offer several recommendations for complying with HIPAA without sacrificing patient care.
A 36-year-old intoxicated woman with polysubstance dependence presented to a psychiatric crisis center after being turned away from a detoxification center at which she had initially been assured a bed. After obtaining the patient's state and federally required signature for release of information, the evaluating psychiatrist contacted the drug treatment center to inquire about a detoxification bed. Citing HIPAA restrictions, facility representatives refused to comment on bed availability for the patient.
A 43-year-old psychotic man was delivered to a psychiatric crisis center by police. Quite agitated, he was unable to consent to treatment or sign for the release of his protected health information. His threatening behavior was emergent and necessitated contacting his previous treatment facility, which was identified from a medication bottle, to acquire medical and allergy information. The facility refused to release information on the grounds that doing so would violate HIPAA.
An emergency department requested the transfer of a 40-year-old homeless man with a history of schizophrenia and polysubstance dependence to a local psychiatric hospital for treatment of psychosis. The man had initially been found unconscious. In his psychotic state, he was unable to sign for the release of his records and was judged unable to prevent harm to himself without inpatient treatment.
Laboratory tests were positive for tricyclics. The psychiatrist on call requested that the test results and relevant records be faxed for review before a decision could be made about transfer. The emergency department nurse refused to fax the records, stating that doing so would violate HIPAA. Furthermore, the nurse reported that even signed consent to fax the records would not protect against a HIPAA violation. After the transfer was refused, the records were faxed with the patient's name blacked out.
Several important issues emerge from these cases. First, concerns about violating HIPAA are pervasive, likely fueled by expectations of severe financial penalties. In this environment, covered entities could understandably be less willing to disclose protected health information. However, the concern appears to be out of proportion to the actual risk of penalty. Except in cases of willful misconduct, federal commentary indicates that the approach to privacy violations will first be educative and remedial (8). In addition, civil monetary penalties may be waived in certain circumstances, such as when a violation is due to a reasonable cause and the covered entity has taken timely corrective action (9). Thus clinicians are not likely to face monetary penalties if they are making reasonable efforts in good faith to balance appropriate clinical care and patient privacy.
Second, the cases reveal the presence of misinformation about HIPAA, such as the erroneous beliefs that commenting on bed availability, disclosing protected health information for treatment without written consent during an emergency, and faxing protected health information necessarily constitute violations of HIPAA. In case 1, commenting on bed availability was not a privacy issue, because no individually identifiable health information was involved. In case 2, HIPAA did not require signed patient consent or authorization, because the request was for a treatment-related disclosure (10). In case 3, HIPAA did not forbid disclosure of protected health information through faxing, because the method of disclosure is not regulated. The key issue is the permissibility of the disclosure. In this case disclosure for treatment purposes was acceptable.
Clearly, clinicians must adequately understand the HIPAA regulations. However, they must also consider how HIPAA interacts with state privacy laws and federal substance abuse privacy regulations. It is important to realize that the intent of HIPAA is to provide a minimum privacy standard. Therefore, state laws and federal regulations that provide more stringent protections will take precedence. In the context of cases 2 and 3, state law and federal substance abuse regulations generally require signed consent for disclosure. However, exceptions are allowable to prevent imminent harm to patients. In case 1, these state and federal rules were not applicable, because commenting on bed availability does not require disclosure of protected health information.
The third and most important issue arising from these cases is the potential for ethical conflict and compromise. Ethical compromise may occur when ethics are subordinated to perceived legal pressures. In these cases, HIPAA was cited inappropriately to justify refusals of disclosure, which compromised the ethical duties of beneficence and nonmaleficence. The result is that patients were needlessly exposed to harm or were denied help. This kind of outcome need not happen, for two reasons. First, ethics and legalities most often work in harmony if properly understood. Indeed, an appropriate understanding and application of HIPAA would have supported ethical patient care in these cases. Second, if a conflict does exist between ethics and the law, psychiatrists and other mental health professionals would do well to remember that their primary duty is to ensure their patients' well-being.
Perhaps a more difficult issue is the conflict these cases reveal between patient autonomy, as embedded in the privacy regulations, and the duty to help—and not harm—the patient. Conflicts of this sort are serious matters worthy of careful consideration. As to privacy, it would be difficult to overstate its importance in the effective patient-treater relationship. Indeed, it is the very foundation of trust. Mental health professionals should acknowledge the profound importance of privacy. Nevertheless, they should realize that situations may arise in which privacy concerns are subordinate to other principles. The Tarasoff duty to warn is one example; clinical emergencies are another.
Psychiatrists can address misinformation and fear of HIPAA by ensuring that they properly understand and implement the privacy rule. When appropriate, they can educate other mental health providers about HIPAA, particularly in allaying unnecessary fears of penalties. Psychiatric societies can effectively advocate by forming work groups to address HIPAA's impact on patient care. When improperly thwarted in their requests for protected health information, psychiatrists should directly contact the relevant compliance officer. This process may resolve the issue and correct systemic problems that interfere with patient care. Finally, psychiatrists must be aware that efforts to comply with HIPAA, however well-intentioned, may challenge their professional ethics. Nevertheless, they must not allow effective and ethical care of patients to be compromised. Hiding behind HIPAA will ultimately fail patients and damage their trust in those who are most able to help them.
The authors are affiliated with the department of psychiatry at the University of Oklahoma College of Medicine-Tulsa, 4502 East 41st Street, Tulsa, Oklahoma 74135 (e-mail, firstname.lastname@example.org).