HIPAA Insanity

Thanks to a recent article in the New York Times on the HIPAA Privacy Rule, I have a new favorite definition of insanity. My old favorite definition is repeating the same behavior and expecting a different outcome. It is a timeless and classic definition but lacks the medical relevance and topical urgency of my new favorite definition of insanity in the electronic age. It is brought to us by an article in the New York Times on August 9, 2014, entitled “Baby Pictures at the Doctor’s? Cute, Sure, but Illegal.” Insanity can now be defined as applying a well-intentioned and ethically grounded federal regulation in a way that leaves well-intentioned clinicians unable to experience an essential joy of their profession. What is “insane” about this article is its complete and utter mangling of both the intent and the actual language of the rules regarding medical record privacy that we all have come to know as HIPAA. The fatal flaw in the argument put forward by the author and the “authorities” that she cites is the notion that any information whatsoever given to a doctor by someone who is or has been a patient is covered under the rules that we call HIPAA.

The practice of parents sending in pictures of their children for posting on the walls of their obstetrician’s or pediatrician’s offices is a proud and joyous one, which was neither intended to be infringed upon, nor actually, legally, infringed upon by the adoption of the HIPAA privacy regulations. The reason for this legal conclusion is threefold. First, a photograph taken by a parent outside the context of medical treatment is by definition not health information. It is both axiomatic and obvious that anything which is not health information cannot be protected health information. Second, even if a photograph of an individual who was formerly, or is currently, a patient of a clinician is posted, if the photograph is not identifiable as that of a particular patient, typically the case with baby pictures, it is not individually identifiable. The HIPAA regulations contain extensive descriptions of what is or is not a de-identified piece of protected health information, but those regulations are clear that the information, in this case a photograph, has to be protected health information in the first place in order to necessitate de-identification in conformity with the HIPAA regulations. The third, and most important, reason that a baby picture posted in a doctor’s office ought not be, and is not, prohibited by the HIPAA regulations is that, whether or not that photograph might be health information in a different context, when it is supplied by a patient or the patient’s surrogate, their parent, for a purpose that has no relation to or bearing upon medical treatment, it is certainly not the health information of that clinician. Patients have an unrestricted right to do whatever they want with their health information, including posting it to the internet, or even on a highway billboard, if they want.

It is true that in certain situations information supplied by a patient, when it is received by a clinician for clinical purposes and incorporated into the patient’s medical record, can become protected health information. But it is equally true that this is not the case for all information supplied by a patient to a doctor; it is only true when that information is supplied for the purpose of, and used for the purpose of, diagnosing, treating or preventing illness in the individual concerning whom the doctor has received the information. In the case of the baby wall photographs, if the picture was supplied by a parent but maintained by the doctor for the purpose of monitoring the progression of a skin disease, for example, that would certainly constitute conversion of a document supplied by a patient to a doctor into protected health information. But if a patient, perhaps one with a longstanding relationship with his or her doctor, were to supply a recommendation for an Italian restaurant, that information would not and could never become protected health information, simply because it is not health information. The same can be said of baby pictures offered for public posting by glowing new parents.

There are some notable exceptions to the general rule about what information can be considered protected health information. An important example, one which directly relates to the initial hysteria over posting patients’ names outside their doors, is the situation involved in identifying a particular patient as being under the treatment of physicians whose medical specialty necessarily reveals the patient’s diagnosis. So, for example, if a patient is admitted to the hospital on a general medical-surgical floor, it is common and good practice for that patient’s name to be posted on the door, in order to enable clinicians to properly identify which patient is intended to receive which treatment. That is not a HIPAA violation, but if that patient were to be admitted to a med-surg floor that is specifically designated for treatment of patients with HIV, then posting that patient’s name would of necessity disclose the fact of the patient’s HIV diagnosis. While it is not specifically addressed in the HIPAA privacy regulations, posting the name of an individual, particularly an individual who has a distinctive name, or posting the name of a patient in a small town with a very limited choice of health care institutions, might constitute a HIPAA violation. It is therefore a legitimate and appropriate exercise of medical judgment on the part of the clinicians treating HIV patients not to post their names in a publicly visible location on a hall specifically designated for treatment of individuals with that diagnosis.

The concern that drove Congress to first propose the adoption of a medical record privacy rule has been characterized, accurately or not, as being defined by a conversation between a doctor and his friend, a medical device supply company CEO, on the proverbial golf course, on an otherwise innocent golfing excursion. As the story goes, the medical device company owner said to his physician friend, “Boy do I waste money on all the advertising I do for my business. I would really like to be able to get my hands on a list of patients who have diabetes so I don’t have to advertise in the newspaper to thousands of people who will never be customers for my diabetic testing supply business because they don’t have diabetes. But where could I find such a list?” As the fable goes, or maybe it’s true, the physician responded, “Oh, I have lists of patients of mine who are diabetic and I can’t see any reason in the world why I shouldn’t be able to give them to you.”

The obvious sequela of such a golf course compact is the creation of a booming market for such lists. In fact the practice of sharing patient information for commercial marketing purposes is well established and for a time was considered an entirely legitimate and beneficial form of medical commerce.  With the adoption of the HIPAA privacy regulations those practices became unlawful and doctors became well informed of their obligation to maintain the privacy of patient medical information, referred to under the HIPAA regulations as Protected Health Information (PHI), absent the explicit written consent and authorization of the patient to the release of that PHI for specific, and appropriate purposes.  The insanity that is the purported or alleged prohibition on posting photographs of babies born to particular obstetrical practices arises from the same lack of common sense and regulatory insight that produced the early restriction, or at least presumed restriction, on putting the name of a patient on the door to his or her hospital room. 

An interesting case that falls along the middle of the spectrum of permissible and impermissible identification of patients and their conditions arises when patients are admitted for treatment at hospitals that specialize in the treatment of one broad category of disease. The paradigm example of this phenomenon is of course the prevalence of hospitals that are dedicated solely to the treatment of cancer. It is worth noting that at most, if not all, specialized cancer treatment hospitals, patients’ names are posted on the door to enable clinicians to identify the appropriate individual to receive a particular treatment. The distinction between the appropriateness of name posting for cancer patients and the appropriateness of name posting for HIV patients obviously derives from the social stigma attached to one diagnosis versus the other. The point that this distinction illustrates is that HIPAA and its privacy regulations, as specific and detailed as they are, cannot provide clear guidance as to how they should be implemented in each and every clinical situation. However, it is abundantly clear that HIPAA is only intended to provide protection of patients, and is only intended to provide protection for patients’ privacy with regard to protected health information, which must always, first, be actual health information. Baby pictures are fine.