Skip to site content

HIPAA Protects Privacy and Fosters Frustration

Mention the acronym “HIPAA” to a roomful of clergy and the immediate response is frustration.

Six months after full implementation, it appears that the HIPAA Privacy Rule is not well understood by some hospital personnel and religious leaders. As a result, confusion is rampant as to what the imposed regulations actually state and require. Care providers are increasingly irritated, and some hospitalized congregants are wondering aloud why their clergy are not coming around as much anymore.<?xml:namespace prefix = o ns = “urn:schemas-microsoft-com:office:office” />
 
“HIPAA” stands for the 1996 federal legislation titled Health Insurance Portability and Accountability Act. The intent of Congress was manifestly noble. Rationale included such goals as improving the “portability” and continuity of healthcare insurance so that switching carriers would not necessarily mean loss of benefits. It was hoped that new legislation would improve access to long-term care and promote use of medical savings accounts. HIPAA drafters intended also to combat waste, fraud and abuse, while simplifying administration of healthcare insurance. Of particular concern to HHS and the Office of Civil Rights was the increasing use of electronically stored and transmitted patient data, and the notoriously easy access gained to such private information by literally thousands of healthcare personnel.
 
In order to emphasize and maximize confidentiality of patients’ records, HHS supplemented the 1996 legislation with its own “Standards for Privacy of Individually Identifiable Health Information”–or the “HIPAA Privacy Rule.” Effective <?xml:namespace prefix = st1 ns = “urn:schemas-microsoft-com:office:smarttags” />April 14, 2001, full compliance with the new privacy regulations was required by April 14, 2003, for entities covered under HIPAA.
 
I first encountered the privacy regulations while completing a unit of Clinical Pastoral Education during academic sabbatical early in 2003. An online HIPAA tutorial was required of all hospital employees, including CPE chaplains. As I recall, there was no mention of how to deal with clergy inquiries for patient information. The clear institutional mandate issued–under threat of dismissal or even criminal prosecution (perhaps particular to my Veterans hospital context)–was that of protecting patient information from all but those with a demonstrable “need to know.”
 
In recent months, I have attempted to grasp the basic tenets of HIPAA as it applies not only to hospital personnel but also to community clergy and congregations. In doing so, the primary source of confused interpretation and application has become apparent. It comes down to an unfortunate communication mix-up over what was initially proposed in the Privacy Rule and what was ultimately adopted and written as mandate in “the final Rule.”
 
The initial draft of the Rule, section 164.510(a), included an “opt-in” provision for patients upon admission to the hospital. It would have required hospitals to ask permission before publishing patient information in a directory that could be made available to clergy visitors. Patients desiring such release of information had to opt in to this provision via expressed consent. HHS floated this proposal during the time allotted for public comments. Predictably, many commenters protested that “opt-in” measures would have the effect of keeping out clergy and other legitimate hospital visitors.
 
So HHS changed “the final Rule” to accommodate the public outcry. A press release explains, “The final Rule promotes access to care by removing mandatory consent requirements that would inhibit patient access to health care,” or to pastoral care.
 
In other words, “opt-in” became “opt-out.”
 
HHS states: “In the final Rule, we change the … opt-in authorization requirement to an opt-out approach for inclusion of patient information in a health care facility’s directory.”
 
Except in emergency situations, hospitals must provide patients privacy information upon admission, including that of their right to opt out of any patient directory made available to visiting clergy. If patients do not choose to opt out–or if admitted emergently–their information may be included and made available to clergy requesters without the patient’s expressed consent.
 
What sorts of information are hospitals allowed to provide to clergy who ask to see the facility directory or who otherwise ask for a patient by name? Four types of patient data may be disclosed: name, location in the facility, general health condition (fair, stable, serious, critical, etc.) and religious affiliation
 
Only clergy may be given access to the directory and to information specifying religious affiliation. Lay visitors and others (family members, friends, reporters, etc.) who ask for a patient by name may be given the patient’s room number and condition if, in the judgment of hospital personnel, this will not endanger the patient.
 
Hospitals need to decide how they will ascertain who is clergy and who is not; but if HIPAA privacy regulations are interpreted and applied as stated in the final Rule, no great hindrance to patient access should be encountered by legitimate clergy visitors.
 
However, information disseminated by some entities still carries the “opt-in” version, with its more restrictive consequences for those who would visit patients. Herein lies the confusion.
 
For example, a Web site of the Missouri Hospital Association claims that clergy may be given access to a patient directory to check on a hospitalized congregant only “if a patient has given permission.” This, of course, reflects the “opt-in” proposal that was never adopted.
 
Likewise, the HIPAA notice to area clergy by the Methodist Hospital in Houston claims that “limited health information is disclosed to clergy only by permission from the patient.” Wrong, according to “the final Rule.”
 
A Web site maintained by an entity of the Evangelical Lutheran Church in America provides accurate “opt-out” information to their clergy at one point and inaccurate “opt-in” information as one scrolls down a bit further! No wonder clergy are confused–and are increasingly frustrated in their ongoing efforts to provide pastoral care to hospitalized congregants.
 
Fortunately, most hospitals I deal with are beginning to interpret and apply HIPAA privacy regulations as the final Rule intends. Unfortunately, due to confusing misinformation, too many frustrated clergy colleagues do not yet understand that access to patients for pastoral care, under HIPAA, should remain mostly unfettered.
           
Tarris Rosell is associate professor of pastoral care and practice of ministry at Central Baptist Theological Seminary.