Tuesday, February 2, 2010

HIPAA's Gaping Loophole: A Privacy Myth

[Fiction based on fact.]

Late on a Friday afternoon a couple months ago when I heard a noise in the waiting room, I went to the reception window to see whether a patient I expected might have arrived early. A middle-aged man standing there, leaning on papers on the counter, asked if one of the psychotherapists who shares the office was there. When I responded that she was with a client, he asked me whether I would be willing to sign for a subpoena. I told him I would not and returned to my office. I called my patients to warn them with whom they might unexpectedly find themselves sharing the waiting room. They rescheduled rather than take the risk that this individual might recognize them.

HIPAA and related state statutes and case law provide penalties for unauthorized release of identifiable patient information, even, I believe, addressing the sign-in sheets some physicians used to keep at the reception window. But I know of no law or rule to prevent someone else in a waiting room from recognizing a patient.

Here's a (probably incomplete) list of people who might recognize you as you sit in my waiting room.

People who have business there:
Letter carriers, delivery people, attorneys, court reporters, people from neighboring offices, other patients, and the kids, partners, parents, friends, and other people those patients care for.

People who need not have business there, at least during office hours:
Cleaning and maintenance people, walk-ins, solicitors (despite the signs that tell them to stay away), the landlord.

People who need not have business there:
Process servers, federal agents.

I have visited at least one office where the exit from the solo physician's office bypassed the waiting room. But even with this arrangement, patients arriving early or on the wrong day, and many of the others listed above, might see you waiting or entering. And the cost of building such an arrangement could be prohibitive.

Going back many years (pre-HIPAA) an agent from some federal agency or other appeared in my waiting room, showed his badge, and told me I should hand over records of a patient who apparently had applied for a job with the agency. He informed me, wrongly, that I did not need to obtain the patient's authorization to release the records. I have heard similar stories from at least two other psychiatrists, both of which took place since HIPAA took effect. In all these cases the agencies could have requested records by mail rather than sending an agent.

We will likely never enjoy complete health privacy. Telemedicine promises a reduction in waiting room appearances but opens the possibility of electronic hacking or eavesdropping. But government agencies should respect privacy concerns and alter policy and procedures accordingly. We can try to schedule patients we have reason to believe might know each other so that they will not present at the same time. We can try to schedule non-patients when patients will not be present. But realistically we cannot assure privacy in waiting rooms.

On the evening described above I glanced into the waiting room as I was preparing to leave. Even though my office mate had signed for the subpoena, the process server still sat reading. When my office mate asked him whether he had any further business there, he replied that he wanted to finish an article he had started to read. I thought briefly about demanding that he leave, but I was on my way out, no one else was waiting, and I figured no one really needed my intervention.

Wednesday, August 26, 2009

It’s Nice to be N.a.C.E (Not a Covered Entity)

From soon after HIPAA and its subsequent Privacy Rule took effect, I tried hard to comply in my psychiatric practice, handing out notices of my "privacy policy" to patients (who rarely, if ever, read them) and informing forensic clients and examinees of what I could only guess my duties, and their rights, might be. Who would have thought a complaint by a disgruntled forensic examinee to the Office of Civil Rights (OCR) would free me, at least for now, from the mysterious Privacy Rule?

I also understood from the beginning that the Privacy Rule might only apply to those meeting the criteria to be considered a “covered entity”. At the beginning it seemed less than clear how these criteria might be applied. Indeed it seemed at first glance that I might not meet these criteria, but my risk management advisors, arguing that the Privacy Rule would become a national standard regardless, and apparently thinking they were playing it safe, always encouraged me to assume that I was a covered entity and comply with the rule as well as I might.

Denial of Access

It seemed at first that forensic evaluations would be exempt from some of the many requirements of the Privacy Rule, one of which addresses limitation of the right of access to the medical record. Indeed, according to 45 CFR Subtitle A, Subchapter C, § 164.524 (a) (1) (ii):

“Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: …

“(ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding;... ”

It seemed to me that "civil" and "criminal" probably referred to lawsuits and trials, and that “administrative action or proceeding” might include termination of employment, disability determination, and the like. If this was true, I reasoned that the Privacy Rule might not entitle examinees to a copy of records of forensic examination.

But then a case summary or “guidance” published at the OCR Web site described a case in which the covered entity had denied access in what sounded to me like a case of “administrative action.” OCR draws attention to the “payment source” (presumably the insurance company rather than the examinee) as a critical factor. (I find no reference to payment source in the regulation):

“Private Practice Revises Process to Provide Access to Records
Covered Entity: Private Practices
Issue: Access

“At the direction of an insurance company that had requested an independent medical exam of an individual, a private medical practice denied the individual a copy of the medical records. OCR determined that the private practice denied the individual access to records to which she was entitled by the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, OCR required that the private practice revise its policies and procedures regarding access requests to reflect the individual's right of access regardless of payment source.”

(http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/allcases.html#case10)

Because of this interpretation of the regulation, and in spite of the fact that medical records law in my state seems to specifically exclude right of access to such records, I dutifully began to inform examinees of this apparent right to a copy of my report. I also began to inform my forensic clients that I might have to allow access even against the client’s wishes.

I even cancelled two scheduled forensic examinations when the client, an insurance company, refused to withdraw their requirement that I deny the examinee access to my report. The letter requesting the examinations included a statement I had not seen before:

“By accepting this engagement, you agree that information provided by us and your report shall not become part of or constitute a ‘designated record set’ as that term is defined in the HIPAA Privacy Rule. In addition, this information and your report shall not be subject to an individual’s rights of access or amendment under the Privacy Rule.”

Again, my risk management consultants, taking what they probably thought was the safest path, and having failed to inform me that I was N.a.C.E, advised me not to agree to that condition because it might set me up for a violation of the Privacy Rule. I cancelled the evaluations.

The Complaint

In 2008 I examined a worker at the request of the employer. The examinee requested a copy of my report at the time of the examination. I probably would have complied with this request, but my client, the examinee’s employer, asked me not to. I was caught in the middle. After the examinee threatened to file a complaint with OCR, I convinced the employer to release a copy of my report to the treating psychotherapist. That did not satisfy the examinee. Ultimately I convinced the client to release a copy of my report directly to the examinee. That did not satisfy the examinee.

I expected a visit from an FBI agent, or at least a certified letter, but instead someone identified as a representative of OCR left a message on my voice mail that a complaint had been filed. My professional liability carrier assigned (and paid for) an attorney to represent me.

My attorney, after contacting the attorney from OCR, asked me, “Do you bill electronically?” I asked her what that meant. She said she did not know. But she said that if I could answer that I do not bill electronically, OCR might not investigate further. She also confirmed my suspicions about the source of the complaint, but she said OCR had not described the allegations.

For someone who thrives on conflict, that disappointed me. I had envisioned a real investigation. I would have an opportunity to tell of my valiant efforts to do the right thing. I would show OCR the examinee's written acknowledgement of receipt of my report. (I assumed there would be an allegation that I had refused to provide it. Which was true. The employer, not I, provided it to the examinee, but only after I exerted pressure.) I would learn something about how OCR interprets and enforces the Privacy Rule. Maybe the case would even help establish legal precedent which might clarify the regulation for other forensic examiners. After all, what’s so bad about a $100 fine or a couple years in Club Fed (where I would be entitled to free medical care). Best of all: I could write about the experience.

My attorney did not agree with this approach.

My attorney asked again, “Do you bill electronically?” I said, “Tell them I don’t know, and we will see what they do.” I started a list of questions for OCR.

My attorney advised against it. “Let sleeping dogs lie,” she might have said. I might have said, “Make sleeping dogs tell the truth.”

In the end I relented: I print bills and claim forms with a computer and mail them. Apparently OCR does not consider that electronic. I fax prescriptions for controlled substances directly from my computer. I order prescriptions for non-controlled-substance drugs using a Web-based service. I keep patient records on three computers. I keep my office schedule on the computers and my smart phone. I take notes during patient visits and forensic evaluations on a tablet PC and dictate progress notes with voice recognition software. I dictate evaluations (free of identifying information) using audio recording software, encrypt them, and ftp (upload) them to New Delhi for transcription. Sometimes I feel like my whole professional life is electronic. However, I do not communicate with my patients via email, and I do not, and perhaps never have, submit(ted) bills via the Internet. I described all this to my attorney.

My attorney wrote the attorney at OCR describing how I bill. OCR wrote back promptly. OCR did not question the veracity of my statement, did not require me to prove that I do not bill electronically, did not ask me whether I had ever billed electronically, and did not ask whether I might start billing electronically tomorrow. The letter to me and the complainant was unequivocal: [the doctor] “… does not meet the definition of a covered entity as he does not bill electronically for his services. Therefore, the requirements of the Privacy Rule do not apply to him.”

It’s official. I am Not a Covered Entity.

“N.a.C.E”

Nice!

What does this get me? In theory at least:

  • I do not have to pass out the never-to-be-read and comprehensively hedged Notice of Privacy Policies.

  • I do not have to provide forensic examinees a copy of my report.

  • I do not have to try to get “business associates” who might see protected health information to sign a “business associates” agreement.

  • I do not have to worry about what “minimum necessary” might mean.

  • I do not have to tell anyone how to file a complaint with OCR.

I am not a covered entity. I can just try to practice ethically and comply with state medical records law, and Tarasoff, and specific authorization for sexually transmitted diseases and substance abuse records. (Did I miss any?)

Nice!

How can you be N.a.C.E? (Consult an attorney and…) Do not bill electronically, and if you were thinking about starting, put those thought-stopping techniques to work right now.

The attorney who handled the complaint at my local OCR answered most of my questions, apparently to the best of her ability. She explained that my status as a covered entity could change. If I start to bill electronically, I become a covered entity, and, if the examinee alluded to previously finds out that I am not N.a.C.E. and again demands access to my report, I will be obligated to provide it subject to the Privacy Rule. If I stop billing electronically, I will once more be N.a.C.E.

If you were the examinee in a forensic evaluation and you believe you were mistreated, do not lose heart. Even if the examiner is N.a.C.E. you can still retaliate by filing a complaint. Who knows? With the vicissitudes of federal bureaucracy all of this could change at a moment’s notice – or more likely without any notice – and you will have a chance to really annoy the examiner and give those OCR workers some added job security. But be warned: you risk doing the examiner the same favor my examinee did me: providing the examiner with written proof that they are N.a.C.E.

You might wonder what could ever induce me to give up my N.a.C.E status. I have no desire to start billing for my services electronically. The Electronic Medical Record? My last flirtation with EMR resulted in an enormous waste of time and money. Opt back in with Medicare? No way. Contract with health plans? Not if I can help it. But as this case was unfolding, and as dealing with pharmacies has reached the point of pain, a company that sets up physicians to dispense medications from their offices approached me, and the attorney at OCR advised me that use of the electronic pharmacy benefit billing system that goes along with it would render me no longer N.a.C.E.

But that’s another story.

Enforcement of the Privacy Rule represents yet another nail in the coffin of the private practice of medicine, including forensic medicine, and it acts as an unwanted and unnecessary disincentive to the movement of health care into the digital age. With the escalating cost of health care, none of us can afford to waste resources in a futile attempt to understand how to comply with an ill-defined regulation. Enforcement of this regulation appears to contradict the exclusion in paragraph ii. Regardless of whether you believe an examinee should be denied access to the record of a forensic examination, enforcement should parallel to some degree the wording of the regulation. I recently interviewed two OCR representatives in the hope of finding a clearer interpretation of what "civil," "criminal," and "administrative" might mean to OCR. Neither could provide a clear or credible explanation. When the very agency charged with enforcement is incapable of clearly stating where the regulation applies and where it does not, our government has failed us. With respect to this particular regulation at least, enforcement appears to be arbitrary, and OCR has failed miserably to clearly and adequately inform "covered entities," or anyone else for that matter, of what is required of them to comply with the regulation. OCR should immediately take steps to clarify paragraph ii. Furthermore, for such a law to hinge on whether a provider "bills electronically" seems to fly in the face of the equal protection clause of the Fourteenth Amendment. This regulation should apply to everyone or no one.