Healio
Healio
Issue: August 2009
ByAnne Tamar-Mattis, JD
August 01, 2009
4 min read
Save

HIPAA and caring for children with DSD

What HIPAA really says and what it doesn’t about situations that matter to children with DSD.

Issue: August 2009
ByAnne Tamar-Mattis, JD

I was at a medical conference last month and the subject of referring parents of children with differences of sex development to peer support groups came up. The speaker explained that this kind of support can be a lifeline to parents. One participant said, “I would like to refer parents to support groups, but I can’t because hospital administrators told me it would violate HIPAA.” The other attorney in the room and I shared a frustrated glance. We had heard stories like this before.

Since its passage in 1996, the Health Insurance Portability and Accountability Act (HIPAA), the main federal law protecting privacy of health information, has spawned a host of misconceptions. In addition, this may be heresy, but much of that is the fault of lawyers, some of whom have made careers out of scaring medical providers about HIPAA. In fact — here comes another heresy — the HIPAA privacy rules are pretty reasonable. Complying with them is not that difficult and there is nothing in them that should stand in the way of quality care. They do, however, require providers to pay attention to patient confidentiality.

Anne Tamar-Mattis, JD
Anne Tamar-Mattis

When HIPAA rears its ugly head

To be clear, there is nothing in HIPAA that prohibits referring patients to support groups. The privacy rules are about protecting patient information. If a provider gives information to a patient about a support group, the patient will decide whether to contact that group and what information to share. But how are providers supposed to make out of the swirl of myth and ominous warnings about HIPAA? To start with, do not believe everything you hear in the break room; if someone tells you that HIPAA rules out a practice that you know to be good health care, check with your liability carrier or your hospital’s compliance office.

What if these administrators are the ones issuing dire warnings? My suggestion to the aforementioned doctor was to go back and ask the hospital administrators to show him the passage in HIPAA that outlawed support group referrals. This may be enough to resolve his problem. In some cases, if an administrator’s interpretation of HIPAA interferes with good practice, it may help to explain the medical importance of the practice, to appeal to a higher authority or to organize with other providers to challenge the interpretation. Attorneys and bureaucrats prefer to err on the side of avoiding liability, so you may need to help them understand when their recommendations will lead to providing suboptimal care. Ultimately, while there are some firm rules in HIPAA, there is also quite a bit of room for exercise of sound medical judgment.

Of course, it is important to meet the standards of privacy protection that HIPAA really does mandate. In the course of my work, I have heard many stories about providers failing to implement some of the basic requirements of this law. Because privacy is so important to families of children with DSD, it is worth reviewing some of the protections most relevant to these patients.

Right to access, amend records

It is a familiar complaint among people with DSD that many have had extraordinary difficulty accessing their medical records. HIPAA makes clear that individuals (or parents of minors) have a right to their full medical records. This also means that adults with DSD have a right to access their childhood records.

I once spoke with a 17-year-old whose medical chart, on the first page, used the now-outdated term “female pseudohermaphrodite.” Insensitive reactions to this term from personnel who were unfamiliar with DSD had caused her embarrassment and annoyance on many occasions. She wanted to know if she could get her doctor to change her medical record to use modern, less stigmatizing terminology such as “androgen insensitivity syndrome” or “46, XY DSD.”

Fortunately, I told her, HIPAA gives patients and their representatives the right to request an amendment to the medical record. While the medical provider is not required to make the requested amendment, if they refuse they must issue a written explanation and allow the patient or representative to attach an explanation. Where stigmatizing language is entered in the record of a child with a DSD, medical providers can and should change the wording on request unless there is a good medical reason not to make the change.

The minimum necessary standard

When releasing protected health information for a legitimate purpose, such as for insurance reimbursement, providers are expected to take reasonable steps to limit disclosure to the minimum necessary needed to achieve the purpose. This rule does not apply to treatment-related disclosures made for treatment purposes, which means that providers may share a patient’s full record when seeking a consultation or when a patient has requested a second opinion.

However, I once heard from the parent of a high school student who needed a medical excuse for school because she had been scheduled for DSD-related surgery. The parent had specifically requested that the physician avoid disclosing the teen’s diagnosis to staff of her small-town high school (a request that, under HIPAA, should be respected). Unfortunately, the doctor’s office included the diagnosis and details of the surgery in the letter they faxed to the school. This is an example of going beyond the minimum necessary information. It would have been quite enough to write a letter on the doctor’s letterhead stating that the teen needed to be excused from school for medically necessary surgery.

Another all-too-common example of unnecessary release of information that can be harmful to children with DSD is hospital gossip. As noted above, HIPAA allows providers to exchange information necessary for treatment, education of residents or hospital operations. However, it is not necessary for every nurse, orderly or uninvolved physician on the ward to know there is a child in room 11 with an “interesting condition.” Needless gossip can constitute a HIPAA violation, as several doctors and nurses at the University of California-Los Angeles recently discovered when they let their curiosity get the better of them during Britney Spears’ hospitalization.

When providers are careful and thoughtful about their use of patient information, it shows respect for the dignity of the patient. Such respect is critical for children with DSD and their families. For them, HIPAA is not a burden — it is needed protection.

Anne Tamar-Mattis, JD, is an Executive Director of Advocates for Informed Choice, Cotati, Calif. She welcomes responses to this article at director@aiclegal.org.

For more information: