WUOMFM

HIPAA and you: erring on the side of caution

Aug 11, 2015

The Health Insurance Portability and Accountability Act, better known as HIPAA, is a federal law passed in 1996 that includes a privacy section establishing national standards for patient confidentiality.

But Michigan has its own laws on the books regarding a patient’s right to privacy.

How do our state laws interact with federal legislation? Is one set of rules more stringent than the other?

According to Elizabeth Callahan-Morris, an attorney whose work involves HIPAA, that decision comes down to whichever set of rules better protects the patient’s information.

“When Michigan law is more protective, Michigan law will control. When HIPAA is more protective, HIPAA will control,” she says.

The system is designed this way to play to the advantage of the patient by providing them the best protection, but Callahan-Morris says it's complicated.

“On the good side, it’s flexible. But the downside is it doesn’t give a lot of clear-cut, black and white rules,” she says.

Callahan-Morris says the undefined boundary between these sets of rules causes a lot of misunderstanding of the laws.

She says health care professionals are put in a difficult position because they want to protect their patients’ information in accordance with the law, but they also want to have a good line of communication with patients’ friends and family.

According to Callahan-Morris, a patient’s best course of action to mitigate any confusion is to know who they want to have access to their medical information and to make those wishes known to their health care professionals.

If the patient is unconscious or otherwise unable to communicate, she says the burden is on the health care professional to decide what information to share with whom.

“They have to make the decision on the spot,” she says. “Sometimes they get it right, sometimes they get it wrong.”

Withholding information is perfectly within their rights, Callahan-Morris tells us, and again the decision to do so is generally made when the provider is unsure whether disclosing information will break any rules.

“The rule allows providers to disclose information to involved family members, like the parent of an adult child who’s in the hospital,” she says. “So they’re allowed to. They’re not required to.”

It’s often unclear on which side to err.

Generally, she says if a child is unable to specify their preference, information that pertains to that specific medical visit will be shared with the parent.

Callahan-Morris recommends three resources for those looking to learn more about HIPAA as well as their rights and responsibilities:

First, the Office for Civil Rights has produced pieces of guidance for both the public and the provider that talk about HIPAA and communication with friends and family.

She recommends that people review the document and keep a copy.

Next, she advises that individuals declare their trusted persons in writing.

“It doesn’t have to be a full-blown HIPAA Authorization, which is rather formal,” she says. Rather, she recommends simply designating at least one or two people on paper whom you would trust with your information.

Last, Callahan-Morris says it’s a good idea to plan for complete incapacitation.

“Designate a patient advocate and put it in writing,” she says. “The State of Michigan does have forms online that can be completed that are extremely helpful.”

In a similar vein, she recommends looking into filling out Durable Power of Attorney forms.

-Ryan Grimes, Stateside