Without evidence of benefit, an intervention should not be presumed to be beneficial or safe.

- Rogue Medic

Hospital Cries ‘HIPAA’ in Investigation of Hepatitis C Outbreak

Standard of care and HIPAA (Health Insurance Portability and Accountability Act of 1996) are probably the most misunderstood misused terms in medicine.

Standard of care does not mean that all the cool kids are doing it, so if I don’t do it I will be sued, but that is essentially the way it is treated by many people. This is superstition, not medicine.

We must immobilize him because he might have been exposed to a mechanism of injury that might result in a spinal injury that might not be made much worse by immobilization and we might be sued.

HIPAA does not mean that the hospital, or EMS, cannot give out confidential information. HIPAA is about how access to that information is controlled.
 

The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.[1]

 

Is it acceptable to release information for billing, but not to investigate, and attempt to control, an infectious disease outbreak. At least 60 people appear to be infected with hepatitis C. Since hepatitis C is often asymptomatic, less access to medical information will mean less knowledge of who is infected and who may be continuing to infect others.

Is the hospital protecting patients, protecting itself, doing something else, or just getting bad legal advice?

The hospital hired someone who apparently abused drugs and contaminated equipment that should have been sterile, which led to the infection of at least 60 patients.
 

Herrick argued that Exeter Hospital won’t even give the state the names and contact information for employees that investigators want to see for follow-up interviews.

“Exeter Hospital is a business and there are good business reasons for them not to want any new patients (infected) or further investigation into this matter,” she said.[2]

 

Should any organization be trusted to investigate itself, or to limit its investigation by others?

Should we trust any organization that claim that it is too good to be investigated by others?
 

Exeter Hospital told Seacoast Online that there was no information available prior to Kwiatkowski’s hiring that would have provided the hospital with a reason to not employ him. “His criminal background checks were clear, he had no restrictions placed on his professional licensure/certification, he was not included on the Health & Human Services Office of Inspector General’s list of sanctioned healthcare workers, he passed a drug test, and he had very strong references from his previous employers.”[3]

 

That is a different problem, but it has a similar origin – lawyers telling hospitals to hide information about problems with employees, because of a greater interest in protecting itself from liability, than in protecting patients from harm.

Why should we trust the hospital to provide all relevant information?

Why should we expect the hospital to recognize what is relevant?

We can expect the lawyers to represent their client (the hospital, not the patients), since the lawyers legal obligation is to the hospital, not to the patients.

Maybe you do not believe this. Maybe you think that the hospital’s lawyers will be objective in any malpractice cases brought against the hospital. Maybe the lawyer will help the patient to find stronger evidence against the hospital.

Do we believe the hospital’s lawyers would do that?

Then why should we believe that the hospital’s lawyers are acting in the interest of the patients, where that might be a conflict with the interests of the hospital?

Footnotes:

[1] Summary of the HIPAA Privacy Rule
US Department of Health and Human Services
OCR Home
Health Information Privacy
Understanding HIPAA Privacy
Web page

[2] State, hospital spar over access to patient data – Judge mulls records request
By Aaron Sanborn asanborn@seacoastonline.com
October 19, 2012 2:00 AM
Seacoastonline
Article

[3] Could a national registry save hospitals from hiring problem workers?
Fierce Healthcare
August 6, 2012
By Karen Cheung-Larivee
Article

.

Comments

  1. While the hospital does have a (moral) obligation to its patients, the state is overreaching in this case.

    First, the accusation that the state doesn’t trust the hospital is uncalled for.

    When McNamara asked why the state couldn’t provide the hospital the names of the patient records they wanted to review, Herrick said the state doesn’t trust the hospital.

    If they think the hospital broke the law (i.e. tampering with records), then they need to prove it just like any other criminal investigation.

    Second, why does the state need access to ALL the medical records? The state is asking for unfettered access to the medical records system, not just the records of people in parts of the hospital that the infected worker went. Why does the state need to know the medical history of someone who was in Med-Surg, or at the outpatient laboratory; something that would be available to the state under their request.

    Yes, the hospital is acting despicably in limiting information on potentially exposed patients; but the state asking to go on “fishing expeditions” in the entire database doesn’t help, it shows why hospitals are so cautious (and callous) in giving out information.

    • mpatk,

      McNamara (the judge hearing the case) compared the case to the use of wiretapping, where authorities are asked to use their professional discretion in listening for incriminating comments and ignoring a conversation that has no relation to an investigation. He said health officials would have to use professional discretion to locate the medical information needed for their investigation.

      Would you limit investigation of a disease that is often asymptomatic to only those known to be infected?

      Would you require the state to divine the names of infected patients?

      Why should the state limit itself to those patients the hospital already admits are infected?

      .

      • Rogue,

        I never said limit the investigation to those patients that the hospital said were infected. What I did say was limit it to the patients that were in departments where the infected employee was working or interacted with.

        The investigators don’t need to divine the name of infected patients. The state needs to get a census of those affected departments (surgery, ICU, cath lab) over the time period in question; and then get those records AFTER determining if the patients are/were infected (the state can do their own testing). The reason the state wants access to the system is because they don’t trust the hospital to give an accurate list, and/or to tamper with the records.

        If a government agency is going to accuse someone of a crime (falsifying records), they need some sort of evidence on which to base their accusations; particularly if they’re demanding abnormal access to PHI as a result of those accusations. To use the wiretapping analogy, the state is asking to wiretap an entire apartment complex to monitor two or three apartments.

        • mpatk,

          I never said limit the investigation to those patients that the hospital said were infected. What I did say was limit it to the patients that were in departments where the infected employee was working or interacted with.

          That is assuming that he followed the rules about where he is supposed to be, and what he has access to, although he was breaking all of the other rules.

          The reason the state wants access to the system is because they don’t trust the hospital to give an accurate list, and/or to tamper with the records.

          If a government agency is going to accuse someone of a crime (falsifying records), they need some sort of evidence on which to base their accusations; particularly if they’re demanding abnormal access to PHI as a result of those accusations.

          If they trust everyone, then nobody will ever be investigated for anything.

          If a spouse is murdered, one of the first things the police will do is question the surviving spouse about where they were.

          That is not an accusation and does not require any evidence. That is just prudent investigation. If the surviving spouse is offended, that does not mean that the questions are inappropriate.

          Is there good reason that Mr. Kwiatkowski did not use contacts in other departments to gain access to opioids?

          Is there good reason to believe that everyone in other departments would come forward with information about how they violated hospital policy and were fooled by Mr. Kwiatkowski?

          Is there good reason to believe that everyone in other departments would come forward with information about how they may not have been aware of the actions of Mr. Kwiatkowski in their department – especially if they were unaware of it?

          .

        • Problem is, the employee would have been able to go any where in the facility he wanted. It’s already been established that one of the victims was treated in the cath lab where Mr. Kwiatkowski worked before Kwiatkowski was employeed. This particular patient was later admitted to another area of the hospital. An area where Kwiatkowski should not have been but obviously he was. I can see how he accessed medication that was prepped in advance for use in a Cath proceedure but how was he able to obtain medication on a hospital floor where medication should only be accessed and used immediately, not prepared and left laying around for someone to lift/divert. Obviously he not only was accessing areas he didnt belong but was also either able to access the pixis machine or medication was being mishandled on the floor and not secured……..or since mr kwiatkowski claims to simply be a victim himself there is always the far chance that there is a secondary person……….perhaps someone who shared drugs and access with mr kwiatkowski………..point is we don’t know and without unfettered access the state would have to guess at what the heck was going on.

  2. My personal experiences of dealing with hospitals and HIPAA is that it is simply a stall tactic. The hospital legal departments all know the ins and outs of HIPAA, but the rest of the general public does not. Hospitals throw out the HIPAA excuse; people balk and get flustered; and the hospital has given themselves a couple of weeks to outline their response, and also to let the news cycle pass by, thus letting any potential bad press die down and be almost forgotten about.

Speak Your Mind