Your browser does not support modern web standards implemented on our site
Therefore the page you accessed might not appear as it should.
See www.webstandards.org/upgrade for more information.

Whatcom Watch Bird Logo


Past Issues


Whatcom Watch Online
HIPAA: The High Cost of Privacy


December 2014

Whatcom: Chronic & Acute

HIPAA: The High Cost of Privacy

by Robert A. Duke

Robert A. Duke is author of “Waking Up Dying: Caregiving When There Is No Tomorrow,” he lives in Bellingham. His email: boshduke@gmail.com

What do moths and health information privacy have in common? Metamorphosis.

The larval stage of health information privacy was the 1996 Healthcare Insurance Portability and Accountability Act (HIPAA). Today, HIPAA has morphed into a destructive pest that terrifies healthcare providers and impedes care and treatment of patients.

Signing a HIPAA release authorizes the release of health information, not prevents it from being released. The notion that HIPAA protects your health information privacy is a misrepresentation.

The act no longer fulfills the privacy purpose for which it was created. It was enacted to prevent insurers from using your health information to deny coverage for pre-existing medical conditions. Now, the only people guaranteed access to your private health information are the insurers themselves.

When I recently asked my Whatcom healthcare provider for copies of all of my healthcare forms, it failed to deliver my HIPAA release form because it wasn’t in my health records. It resided, I was told, in the practice’s billing file. I guess it was not the health privacy form I was led to believe it was.

For one thing there is no law that entitles you to privacy, health or otherwise. “Here in the (United States), the right to privacy is a subject for scholarly debate,” says forbes.com, “established not within the law itself but the murky zone of its penumbra.”

For another thing, if an individual chooses to decline privacy what authority should force it upon him?

Vanishing Privacy

Back in olden days, in the 1996 “Internet and Information Technology Stone Age,” some form of privacy might have been possible:

• Google didn’t exist.

• There were only 100,000 websites, compared to 672,985,183 in 2013.

• Netscape Navigator was the web browser of choice followed by Microsoft Internet Explorer, a distant second.

• Most people used dial-up Internet connections.

Today, privacy is no longer what it was. Just ask the National Security Agency (NSA) cyber spies, Edward Snowden’s boss, or anyone with a Facebook account. Recently, Bloomberg West television estimated that 210 million Americans have been hacked.

Facebook, Amazon, Target and Visa already collect so much information about you and your buying habits, that they can direct ads to you about your every condition -- including your health. They know before your friends and family that you are pregnant, have cancer or need a catheter.

Outside of hospitals and medical practices, where the archaic HIPAA concept of privacy still flourishes, few other healthcare providers meet HIPAA standards. Your dentist and pharmacy may have much of your health care history, but both tend to view protecting healthcare information as an auditing and lawsuit risk rather than a patient privacy issue. Just ask them — I did.

Others with access to information about your health include home care aides, chiropractors, physical therapists, community services organizations, senior centers, and patient and caregiver support groups. And consider what’s coming:

“Face Book is planning to experiment with healthcare systems and apps to create support communities for people with similar illnesses or conditions with preventative care platforms and apps to help people live healthier lives. Apple and Google each have their own healthcare monitoring platforms,” reported Valentina Palladino on tomsguide.com on Oct. 3, 2014.

So even if that’s all true, what’s the problem with filling out a one-page form? Consider:

• Patients impaired by aphasia or dementia may not be able to speak coherently, read, write or understand spoken instructions;

• Many patients and caregivers are elderly, infirm, dying, sick, depressed, confused and hopeless and unable to fill out forms;

• A caregiver’s role in patient treatment is compromised when information is withheld;

• Appointments are disrupted and delayed until the release is resolved.

• Provider assurances of trust in treatment are eroded.

Seeds of doubt are sown about the quality of medical records.

Put bluntly, the healthcare system often treats the form before the patient. It takes precedent over care and treatment, and a disproportionate amount of time, attention and resources are devoted to it that could be better spent.

In 2009, for example, a HIPAA release typically expired in 30 to 90 days. Even if the patient were terminally ill, the patient’s HIPAA release could not be valid for her lifetime. New forms with new expirations were always demanded as a condition of care. After lifetime expirations were finally accepted the form was again revised to delete the expiration date. But a release was still necessary and an individual release was required for each person to whom the patient’s health information could be released — or so some providers insisted. If the paper or electronic form couldn’t be found, a new form was demanded before treatment could proceed.

I was caregiver for my wife, who was terminally with brain cancer, for 531 days. She had to sign a HIPAA release for me to receive any of her health information even from providers we saw frequently.

Why is this 18-year old mandatory release still impeding caregiving? I am not the first person to want to repeal the form. Except for a handful of administrators and bureaucrats, I have never met anyone who wants it or will defend it. It is uniformly hated and reviled.

Of the dozens of HIPAA release forms I have collected and seen, no two are identical. The forms can say practically anything. But if we can’t abolish it, I propose that we each create our own form.

HIPAA Release Forms

My sister-in-law’s HIPAA release, rather than authorizing a named person to receive her health information, authorizes persons designated her agents on her Power of Attorney for Health Care or similar documents to receive it. There is no expiration date and it forces the HIPAA release to be treated the same as her other healthcare documents and not be sloughed off to billing.

Mt. Baker Imaging’s release form never mentions HIPAA and devotes only about 50 words authorizing release of health information. The 2010 version of the form expires 12 months after the date it is signed. Interestingly, half of the one-page form, with twice as many words, is devoted to payment responsibility. So this release is probably in the billing file, too.

A local acupuncturist’s HIPAA release consists of two single- spaced pages of 10 point type, but requires no signature and is not dated.

Whatcom’s Family Care Network’s (FCN) 2013 release is titled “Perpetual Authorization to Disclose Health Care Information.” The term HIPAA is omitted. It allows you to name three persons to release information to and authorize leaving phone messages. It offers three options for ending authorization: on a specific date, when the following event occurs (I entered “My Death”) and, in 90 days from the date signed – if disclosure is to a financial institution or an employer of the patient for purposes other than payment.

Washington’s PeaceHealth’s 2005 form signed by me in February 2013 and still in file as my current release is an entire densely printed page that does not include the term HIPAA. In bold print under “Dates” the form says: Unless revoked, this authorization is valid for 90 days from the signature date below, or for the following time period. In the space labeled “Ending date,” I wrote “Lifetime”. However in parentheses beneath the dates’ space is the following statement: “In Washington state, expiration date can be no later than 90 days after this authorization is signed if disclosure is to employer or financial institution.” (Emphasis added).

Because insurance companies are financial institutions and the main purpose of the HIPAA form is to authorize release of health information to insurers and others, I suppose all HIPAA forms expire 90 days after the authorization if insurance is involved. So insurance –- read “financial institution” – interests trump all others.

What Form For You?

Since it appears that a HIPAA release can be anything anyone wants it to be I recommend you find a form you like, fill it out as you please, and produce it when a release is demanded. Have it copied and returned to you.

Even if healthcare providers don’t like your form, you can refuse to sign their form. They cannot refuse care for you and are trained to make only a “good faith effort” to get you to sign their form. My personal FCN release says: “I understand I do not have to sign this authorization in order to get health care benefits.”

My sister-in-law’s attorney-drawn HIPAA release is the nearest thing to a HIPAA waiver I have found, so maybe my ultimate proposal is still possible.

The illustrated HIPAA release form is the simplest one I could find online and has all the features a caregiver or patient desires (in my opinion). Print it or cut it out, fill in the blanks and put it in your wallet or purse.

Alternatively, if you can tolerate dirty looks, or being shunned or designated “uncooperative,” refuse the next HIPAA form you confront.

News of Fire Victims Barred by Lack of HIPAA Release

After Whatcom Watch’s deadline for this article I received a startling news release from the Health Care Journalist Association, which demonstrates the bizarre impact HIPAA is having on our lives outside of healthcare:

HIPAA was invoked in Los Angeles recently to prevent the fire department from releasing the names and conditions of fire victims because the fire department didn’t have signed HIPAA releases from the patients and victims. Under order of the Los Angeles city attorney the fire department refused the information to the Los Angles Times. A Los Angeles Times attorney had to get involved to obtain the info in order for the paper to report the news.

Go to the following link to view the full video of this development:

http://www.nbclosangeles.com/news/local/LA-Fire-Department-Lifts-News-Blackout-235778571.html.)

HIPAA was never intended for this. It has mutated into a monster.


Back to Top of Story