When HIPAA and public access laws conflict

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1966. Subsequently, the U.S. Department of Health and Human Services developed a rule governing individually identifiable health information, known as the Privacy Rule, and published it in 2002.

The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) establishes, for the first time, a set of national standards for the protection of certain individual information. The Department of Health and Human Services (HHS) issued the Privacy Rule to implement HIPAA’s requirement.

The Privacy Rule standards address the disclosure of individuals’ health information by those organizations subject to the Privacy Rule, as well as individuals’ rights to understand and control how their health information is used. HHS’s Office for Civil Rights (OCR) has responsibility for enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.

HIPAA placed such emphasis on privacy, in fact, that it was determined that nursing home residents’ names and pictures could be displayed outside their doors only if the facility obtained authorization from them. In the case of residents who were not capable of authorizing the display of their name and picture, the facility would need to seek authorization from a family member or other personal representative.

Does that mean that as a resident of a skilled nursing facility your entire experience will be kept private?  Well, yes.  And no.

Skilled Nursing Facilities found themselves having to walk a fine line under the new law, as HIPAA also provided a mandate for nursing facilities to post survey results, and to provide the public with a means of access to those results. Many turned to HHS for clarification.

HHS determined that the HIPAA Privacy rule “has not changed the statutory requirement for nursing homes to post survey results in a place readily accessible to residents, family members and legal representatives.”  It also noted that “the HIPAA Privacy Rule has not altered the state or Secretary’s obligation to provide the general public with a means to access these survey results as well.”

“(T)he HIPAA Privacy Rule has not altered the state or Secretary’s obligation to provide the general public with a means to access these survey results as well,” wrote Thomas E. Hamilton of HHS’s Center for Medicaid and State Operations/Survey and Certification Group. The regulations that clarify the department’s HIPAA requirements, he said, provide that “protected health information (survey results) may be used and disclosed without the authorization of the subject of that information (nursing homes) to the extent a law mandates such use or disclosure.”

Hamilton noted that the nursing facility survey process was designed with three interests in mind:

  • to provide information to assess nursing facilities’ compliance with federal standards,

  • to inform the surveyed facility and the general public about any deficiencies determined and the bases for those deficiencies,  and

  • to protect the confidentiality of personal and clinical records of nursing facility residents.

In furthering these goals, he noted, “every effort is made during the survey process to minimize the use and disclosure of nursing facility residents’ health information during the survey process.”  However, Hamilton noted that “deficiency statements … need to provide sufficient evidence to support any deficient practice findings, as these citations serve as the ultimate basis for the non-compliance finding.”  And, he added, “While the residents selected as part of the survey sample are referred to by code rather than by name, social security number, or some other easily identified identifier, it may be possible in rare circumstances to determine the identity of a resident through the documentation of a deficient practice.”

“(HHS shares) concerns about the privacy of nursing facility residents’ medical records,” Hamilton concluded, “but we must balance that concern with our statutory duties to regulate the nursing facility industry through the use of surveys and public access to the results of those surveys.

“We regret that in rare circumstances the statements of deficiencies may inadvertently release information that can be traced to a particular resident of a surveyed facility. While we regret such inadvertent releases, however, we firmly believe that they do not constitute violations of the HIPAA Privacy Rule’s spirit or provisions.”

So that’s what we mean by walking a fine line: under the Privacy Rule, the skilled nursing facility must assure that individuals’ health information is properly protected, yet must provide the information needed to provide high quality health care and to protect the public's health and well-being.  


Centers for Medicare and Medicaid

HC Pro