Securing patients’ protection and the privacy of their health data is an imperative moral and legal prerequisite for players and practitioners in the healthcare industry. Various legal provisions protect individual privacy and offer guidelines to hospitals and other involved organizations. The Health Insurance Portability and Accountability Act of 1996 (English & Lewis, 2016) is a creation of the US Congress embedded in the constitution that provides a legal framework for safeguarding the medical information of patients and Americans in general. Other than confidentiality and privacy, HIPAA also seeks to minimize healthcare-related fraud and abuse, set standards for healthcare information on electronic billing and enable the transfer and continuation of health insurance coverage for patients. It has contributed to improved healthcare outcomes countrywide as well as reducing costs and fraud and protecting patient privacy and confidentiality. Notwithstanding such success, the rules are ambiguous and contradictory in some areas, such as dealing with minors, and have been accused of undermining health care outcomes. These contradictions may exist within or between HIPAA policies or the state laws on healthcare privacy and confidentiality. In the face of such issues, communication on HIPAA presents severe challenges to players and stakeholders in the healthcare industry that need to be examined more closely and solutions developed. This paper examines current problems facing attempts to communicate to stakeholders about HIPAA rules and their proposed solutions.
Challenges Facing HIPAA Rules
The Department of Health and Human Services (HHS), which is tasked with enforcing the law at the federal level, faces critical challenges in implementing the act where minors are involved. Healthcare practitioners, insurance companies, and hospitals have on various platforms expressed frustrations with some aspects of HIPAA. Where children are involved, the most significant concern has had to do with how much control parents and guardians as legal representatives have over minors’ privacy claims (Gray, 2017). HIPAA recognizes minors as persons who have not yet attained the legal age of 18 years. As such, the act assumes that minors are dependent on parental support and control, making parental consent necessary in administering any healthcare services. On the same issue, HIPAA asserts that parents do not have unrestricted access to private health information (PHI) of minors. The rule is based on the Family Educational Rights and Privacy Act (FERPA), first enacted in 1974 and amended in 1994 to become Improving America’s School Act (IASA). FERPA recognizes that parents and guardians have some degree of control over the disclosure of some confidential information. Thus, the HIPAA rules are ambiguous on how the rights of a legal representative can shift.
The inconsistencies may apply differently in various medical scenarios with various implications. One of the most challenging ones relates to the use of drugs (Majeed, 2017), contraceptives, and disclosure of sex-related information of minors to parents and guardians (English & Lewis, 2016). Meeting the HIPAA law for minors seeking contraceptive services has been a contentious issue for many decades. The rules seem to disregard the need and role of parental guidance in the upbringing of children and guiding their sexual activities by calling for the privacy of minors. This problem predates the HIPAA rule given a 1942 Supreme Court ruling that recognized individual rights of sexuality. In the Skinner v. Oklahoma case, the court recognized procreation as a fundamental right (Fradella & Summer, 2016). Subsequent court cases would extend this liberty and in the process deny parents control over the sexual choices of minors and children. Thus, communicating about such cases may be problematic to stakeholders. In fact, HIPAA allows such information to be shared with parents only if the minor consents to it or practitioners view it as necessary.
Closely related to the above is compliance with state laws versus HIPAA. The Department of Health and Human Services (HHS) envisioned potential discrepancies and misunderstanding on state law versus HIPAA. The guiding tenet holds that where the two laws contradict, HIPAA takes over. However, where the state law is “more stringent” than HIPAA, it should be applied. The phrase “more stringent” is ambiguous for application by practitioners and players in the field. In fact, several states have advanced laws that sometimes undermine the goals of privacy. Span (2015) indicates that practitioners use the HIPAA laws to enforce a code of silence about sharing vital information with parents of minors and other healthcare service providers. In the end, patients lose, as essential information needed to enhance quality of care is not utilized.
Another critical issue is the enforcement of HIPAA rules in the face of public safety concerns or emergencies. In some cases, the health information of minors may impact their health or that of family members, friends and even colleagues in school. In the case of terminal conditions, colleagues and adults handling children may be provided with private information about patients to respond immediately when the need arises. In other instances, sharing such confidential information may necessitate precautionary safety measures to be put in place (Span, 2015). For example, healthcare professionals have cited cases of mental illnesses involving minors that may predispose parents and family members to injury and other risks. In such cases, the HIPAA rules maintain that such information cannot be shared without the approval of patients or parents. Elizabeth Gray, a public policy expert at The George Washington University, indicated in an interview that the HIPAA law is enforced to enhance patients’ privacy, but poor understanding and implementation undermine the very goals it pursues by not sharing vital information beyond the ‘legal representatives.’
In the modern age of mobile technology, smartphones play a huge role in the dissemination of information, including on matters to do with health. As it is, HIPAA does not regulate the use of healthcare-related mobile applications. With a growing number of minors using smartphones, it is vital for the law to harmonize current HIPAA laws with policies on technology. A study by Blenner, Kollmer, and Rouse (2016) that sampled 75 diabetes applications on the Android platform revealed that 86.2% of them transmitted confidential information to third parties without consent. Again, a majority of these apps did not have comprehensive privacy policies to guide users. Therefore, as minors continuously use such technology unsupervised and with minimal privacy control, it becomes harder to convince stakeholders about the efficacy of HIPAA and its role in preserving patient privacy and confidentiality.
Regarding the application of HIPAA in the face of state law, a probable solution is the provision of more precise guidelines. According to English and Lewis (2016), ‘further guidance’ on some issues as spelled out in the act should be explicitly stated. Again, the ambiguity in harmonizing state and HIPAA laws should be addressed. The concept of “more stringent” cannot be validated by practitioners and players in the field and is open to interpretation by lawmakers. Such a scenario exposes hospitals, medical practitioners, insurance companies, and other players to additional legal risk. Thus, it is recommended that the HHS’s enforcement of HIPAA be only left to state laws. The federal government should only guide the state governments in creating privacy and confidentiality laws instead of subjecting practitioners and stakeholders to a set of two laws (English & Lewis, 2016). Thus, communication about privacy and confidentiality of patients to practitioners and stakeholders becomes explicit.
On the question of sharing information for public safety purposes, Gray (2017) opined that HIPAA allows sharing of information but only restricts the conditions under which such information is shared. She indicates that overzealous practitioners and stakeholders keen to evade legal liability are undermining HIPAA. She calls for providing more information to stakeholders and empowerment to embolden their decision making on sharing information where necessary.
HIPAA needs to address the use of applications on various mobile phone platforms such as Android and iOS. This suggestion comes hot on the heels of debates on setting age limits for minors’ ownership of smartphones. With minors’ private and confidential health information fed into mobile applications capable of being accessed by third parties, it becomes a question of whom minors can entrust with private information: technology or parents, for example (Blenner, Kollmer, & Rouse, 2016). The best way forward would be to restrict the use of some of these apps by minors as well as guide developers on methods of enhancing privacy and confidentiality of users.
All in all, it is evident that HIPAA is well-intended, but the applications, communication, and the enforcement of the law have been problematic. Sensitizing stakeholders on the legislation and even interpreting it as it applies to minors and stakeholders on many different levels is a tricky process characterized by significant pitfalls as addressed above. To enable the act to accomplish its intended goals and even protect individuals’ confidentiality and privacy better in the face of rapidly changing technology, there is a need to harmonize HIPAA with laws on technology and others that touch on relevant areas such as education. This approach will allow heightened understanding and communication of the same to stakeholders.