Mar
10 Questions With Amy Fehn
DJ Smith / Mar 27th / Comments
This week our 10 Questions With… series interviews healthcare attorney Amy Fehn. Amy has been counseling healthcare providers and other covered entities on the HIPAA Privacy and Security Regulations since their inception. Prior to graduating from law school, Ms. Fehn was a Registered Nurse at Summa Health System in Akron, Ohio, and later worked as a clinical systems analyst for the hospital’s clinical information system.
Ms. Fehn has authored and co-authored numerous articles on healthcare issues and has spoken on HIPAA to various local and national organizations. She is the co-author of workbooks on HIPAA Privacy for the Michigan Osteopathic Association (MOA), the Federated Ambulatory Surgery Association (FASA) and United Communications Group and is the co-author of a workbook on HIPAA Security, published by United Communications Group. She was also a member of the State Bar of Michigan’s HIPAA Task Force.
DJ: Why are so many healthcare organizations fearful of HIPAA?
Amy: I think they are afraid, and rightfully so, of complaints to the Office of Civil Rights and also negative public perception if patients perceive that they are violating HIPAA, even if they technically aren’t. The problem with HIPAA is that many areas aren’t black and white but instead allow some discretion or judgment calls on behalf of healthcare organizations. Organizations don’t want to take chances by authorizing too many people to make judgment calls, so they implement policies and procedures that might be stricter than they would technically need to be.
DJ: Many healthcare professionals feel that HIPAA blocks effective communication and education. Is that a fair assessment?
Amy: HIPAA should never block communication that is related to patient care, because any uses or disclosures for “treatment” can be made without an authorization or any “permission” on the part of the patient. It also shouldn’t be a barrier to most education because training programs are considered “healthcare operations,” for which uses and disclosures of protected health information can also be made without patient authorization.
DJ: Do you think there is enough emphasis placed on educating healthcare professionals and consumers on HIPAA?
Amy: I think that larger entities definitely get the fact that they need to educate employees and have processes set up to handle it. I usually find that smaller entities do a good job with initial training but aren’t as likely to have processes set up for training updates and reminders.
DJ: Henry Ford Hospital recently used Twitter to “tweet” a surgery as it occurred. Many people thought that such communication was a HIPAA violation. Did a violation actually occur?
Amy: I don’t know that I have all of the facts; but, to my knowledge, they did not post any identifiable information about the patient. If information is adequately de-identified then it is no longer considered “protected health information” and is no longer subject to HIPAA protection. I recently wrote a post on my blog about the identifiers that need to be removed for information to be considered “de-identified.” They also stated that the patient consented to have the surgery posted on Twitter, so they may have had a HIPAA authorization signed as well.
DJ: Can a healthcare organization or professional effectively use social networking tools, such as Twitter, without fear of violating HIPAA?
Amy: There are ways to use Twitter that would not violate HIPAA, as long as the healthcare organization is not posting protected health information about patients. If the patients choose to post their own health information or identify themselves as a patient, that is their prerogative. My only concern would be to make sure that patients understand that it is a public forum and to not in any way solicit or encourage the posting of personal health information in a public forum, unless the patient signed a valid HIPAA authorization specifically for that purpose.
DJ: Regarding HIPAA, what should a healthcare organization be aware of when marketing themselves?
Amy: Again, they can’t do anything that would include the disclosure of protected health information (otherwise known as individually identifiable health information) unless they have an authorization signed by the patient for that specific purpose. Healthcare organizations are also limited on the types of mailings or e-mail campaigns they can send to lists they derived from their patient admissions. For example, a healthcare organization would be able to send a notice about other services offered by their organization, but they couldn’t use their list to market another entity’s products (although there are exceptions for certain care management communications tailored toward a specific patient).
DJ: You wrote a great blog post titled “Analysis of Changes to HIPAA in Stimulus Bill.” What do you see is the most significant change to HIPAA that the stimulus bill makes?
Amy: I think that the biggest change is that healthcare organizations can expect greater enforcement because the new revisions empower state attorney generals to bring lawsuits for HIPAA breaches. Also, the new law states that future regulations will allow patients to share in a portion of penalties which will incentivize patients to voice complaints.
DJ: If a patient signs a HIPAA authorization form and decides to share their personal health information, is the healthcare provider still at risk?
Amy: The patient can share their own information even without signing an authorization form. It’s their information and if they want to post a copy of their information on the internet, that is up to them. As far as authorizations, once the information has been released pursuant to an authorization, it is no longer protected by HIPAA and there should be a line on every HIPAA authorization that reminds patients of that fact. So, for example, if I authorize a hospital to disclose my information to a disability insurance company and the disability insurance company wrongfully discloses it to someone else, it would not be a HIPAA violation on the part of the hospital so long as the hospital had a valid HIPAA authorization.
DJ: Has HIPAA gotten away from its original intent or has the lack of understanding caused it to become something larger than life?
Amy: It definitely depends on who you talk to, although nobody seems to be happy with HIPAA. Most providers see it as adding administrative burdens that don’t really change the protections they were already providing for patient information (health care providers already had a duty of confidentiality before HIPAA was enacted). Privacy advocates are critical of the law because they don’t think that it goes far enough and they also don’t think that it is properly enforced.
DJ: What impact does the recent CVS Pharmacy settlement with HIPAA have on healthcare as a whole?
Amy: I think it raises awareness and sets an example. It should cause all covered entities to take a good look at their disposal policies, especially with regard to items that can’t go through a paper shredder, such as empty pill vials or empty IV bags with patient names on them.
Bonus Question:
DJ: If you could change one thing about healthcare what would it be?
Amy: If I could change anything, it would definitely be access to quality healthcare for everyone.
I’d like to say thank you to Amy for taking the time to answer 10 questions with me. It was a pleasure interviewing her. If you would like to expand the discussion about HIPAA with Amy she can be contacted through her website at www.healthlawoffices.com. You can follow her blog as well as her postings on Twitter.
If you or someone you know would like to be interviewed for 10 Questions With…please drop me a line at dj@talstone.com. Thanks for reading.
