HIPAA Compliance Strategies

Ethical Issues Can Stump Privacy Officers and Pose Unique HIPAA Challenges

Reprinted from the October 2006 issue of REPORT ON PATIENT PRIVACY, the industry's most practical source of news on HIPAA patient privacy provisions.

The physician came to the privacy officer with a dilemma. A patient he used to see was now in the care of another physician and pregnant — even though she had been warned that infertility treatments could kill her.

He learned about the pregnancy from the patient's sister, who said the woman admitted withholding this information about her illness from her new physician. While the situation was complicated, at its core the question was simple: Is it ever permissible to violate a patient's privacy intentionally?

In this case, the hospital compliance officer, who did not wish to be identified, recommended that the physician contact the patient to share his concerns, and then suggested he alert the second physician if the patient didn't comply.

But among others who weighed in on the issue, there was no consensus of opinion as to whether this was the correct route to take, which experts say points to a bigger issue. Sticky situations occur every day in medicine, but may infrequently come to the privacy official's attention.

Most privacy officers are competent to interpret HIPAA and state laws on routine matters, yet few officials have training in how to handle ethical issues like this one, and little, if any, formal guidance ever comes from the Office for Civil Rights (OCR), which enforces the privacy rule. Privacy officials may not be aware of the other resources that are available to help with situations like this.

No Easy Answers for Ethical Issues

While state regulations include requirements for reporting suspected victims of domestic violence or child abuse, other instances arise in which the legal thing to do might conflict with the "right" course of action, or that which might lead to a greater good. These issues can pose particular challenges in medicine, where paternalistic beliefs of some providers can run headlong into a patient's right to autonomy, confidentiality and self-determination.

That was the mix of factors facing the physician and the privacy officer in this case. The physician recalled that he was actually duped by this patient years earlier. When she first came to him, she said nothing of her condition, and he learned of it only because his transcriptionist coincidentally had transcribed her record when she was in the care of the physician who made the original diagnosis.

So, here was a patient with a history of dissembling. She seemed to be putting her life on the line, and the life of her fetus. This physician firmly believed the woman would not survive the pregnancy, but he presumably already met his obligation to warn her of the dangers. Yet, did he have an obligation to alert the other physician, and if so, would he be violating the patient's privacy?

And, perhaps as important to the hospital, would not warning the physician lead to liability?

"If I were the privacy officer in this case, I would probably have suggested to the physician...that he contact the patient directly, and it would have ended there," says Joseph Verheijde, a physical therapist and bioethicist at Mayo Clinic and a certified compliance professional, a designation offered through the Council of Ethical Organizations.

Verheijde says he does not believe the communication between the physician and the patient would violate the privacy rule, because they had a prior treatment relationship. But he would not go beyond that action.

"I would stand on patient autonomy," adds Verheijde, who is also co-chairman of Mayo's ethics committee and a member of its institutional review board. "You have to have very good reasons to out maneuver that. I would champion that notion unless there is severe risk of damage to the patient or society as a whole or a group within society."

Understanding the difference between privacy and confidentiality is key to the decision about how to proceed in this and similar situations, he says.

"The initial diagnosis given to the patient is and should be protected by confidentiality and privacy rules. Confidentiality means the right of the individual to prevent disclosure of information originally disclosed in the confines of a confidential relationship. Privacy is defined in terms of the maintenance of the public and private divide. It means the limited access to a person, the right to be left alone, and the right to keep certain information from disclosure to other individuals," Verheijde explains.

"The general principle of English law is that patients are the best judges of what is good for them, and is firmly set against paternalistic interference. In other words," he adds, "people have a recognized entitlement to be selfish in their choices."

Mark Pastin, president and founder of the Council of Ethical Organizations, says he would err on the side of protecting the woman — and the second physician. "I value my privacy more than anyone else [does] but my privacy isn't worth much if I'm dead," he says in explaining why the second physician should be informed.

"My first concern is for the woman, and for my colleague," says Pastin "I don't want him to kill someone based on a lie. I think I can find an ethical way to prompt the other doctor to ask me questions" which would ultimately reveal his concern without violating the patient's privacy.

He adds that "if the first doctor was a conscientious person, he would find a way to talk to the second doctor. Can you ask the doctor to take their lumps for a patient who isn't acting responsibly?"

Pastin is sensitive to the special issues infertility patients face. "What you see in infertility is a lot of people who've tried for years. Almost everybody is disappointed," he says. "Patients with complex problems will go to so many doctors that they learn the code words to use — and what not to say."

Where to Get Help on Tough Privacy Questions

Pastin's nuanced knowledge of privacy may be rare in the field. Among privacy compliance folks, "the absence of substance [in knowledge or training] comes through as soon as you deal with these difficult, hard-to-determine gray issues," Verheijde says.

There are resources to help privacy officials deal with similar situations — and consulting attorneys may not be the best way, Pastin says.

Compliance officers "could go to a legal expert, [but] because the law is so new and difficult they could spend a large budget trying to get [opinion] letters for lawyers," Pastin says. "Or they could kick it up to in-house counsel."

Another, perhaps more effective option that Pastin recommends is to assemble a "working group" or small committee that can act as a kind of quick response team. Perhaps just three members are sufficient. Each should represent a different perspective — the interests of the hospital, of the patient (perhaps the head of nursing) — and someone should also have expertise in privacy issues.

Or you could try running the issue up the flag pole with your hospital ethics committee, which most medical centers have in place. Take a hard look at yours before you decide to take this route.

Some ethics committees "are in disarray," and "wouldn't deal with this," says Pastin. Verheijde agrees, saying ethics committees are often wrestling with "very big issues," such as allocation of scarce resources and end-of-life decisions. Members may not be well versed in privacy laws.

Don't forget to contact OCR. Start at the regional level. You may also want to get confirmation from the D.C. office. A couple of list servs might also be helpful. You could try http://www.hipaadvisory.com/live/, which operates a lively group, as well as http://www.corporateethics.com/tac.html, a list serv moderated by Pastin's organization.

HIPAA Compliance Is Evolving Issue

One bright spot in this example is that the physician even came to the privacy officer for advice. That he did so could be viewed as a testament to the officer's reputation and openness. Experts say it is hard to get a read on how often this happens, or whether decisions — perhaps wrong ones — are being made without consultation with an institution's privacy experts.

Those who function as "police agents who make sure that we follow the rules" are less likely to be approached for help with thorny issues, Verheijde says.

"The privacy officers tend to be very conservative. [Tough issues] tend to get kicked up levels," Pastin adds. Typically the answer will be to do nothing if the issue is too complicated to figure out.

But, he adds, sometimes "they will say `I think it is a violation but I don't think it will come back at you.'"

Say a health care worker learns through her job that her co-worker is dating someone who is HIV positive, and she knows the coworker doesn't know. If she told her friend, she would be violating the man's privacy.

But, says Pastin, "every time I ask a good litigator if she spilled the beans, what would happen, they say no jury will convict on this."

"Compliance is an ever-expanding enterprise," Verheijde agrees. "What I am against is compliance for the sake of compliance."

Advertise With AIS

Privacy

Site Map