Health care leaders are working hard to improve transitional care for patients who are moving from the hospital to home or a rehab program. Most efforts to improve discharge processes focus on identifying patients at high risk of preventable readmissions, providing better patient education and following up with phone calls or coaching after discharge. Rarely, if ever, is the Health Insurance Portability and Accountability Act identified as a possible barrier to smooth transitions. Yet in my experience working with health care providers and family caregivers, misunderstandings about HIPAA sometimes cut off essential lines of communication.

HIPAA is, of course, high on health care executives' worry lists. Data thefts, data losses and unauthorized disclosures of patients' personal medical information, resulting in fines and embarrassing publicity, have revealed gaps in security. Health & Human Services is conducting audits of health plans and employers to measure compliance. Almost 10 years after its official launch, HIPAA seems to be a source of unending concerns. Yet these concerns almost exclusively focus on what information cannot be shared, rather than what can and should be.

HIPAA was intended to protect the privacy of patients' medical information from employers, marketers, media, nosy neighbors who happen to work at the hospital — anyone who does not have a legitimate need to know. In a classic example of the law of unintended consequences, however, HIPAA has been used to keep information from people who do have a need to know.

The prime example is family caregivers who, after a patient's discharge, are thrust into the role of health care providers and expected to perform all kinds of medical and nursing tasks as well as manage the day-to-day activities of chronically ill or disabled individuals. Family caregivers are often the main source of continuity in a transition, especially when, as is often the case, the patient is too sick or otherwise unable to understand or follow complex directions. Such continuity is essential to the success of a transition.

Misreading the Law

The law is clear: HIPAA does not prevent disclosure of relevant information to family members, friends or other individuals the patient may identify, as long as they are involved with his or her health care or responsible for health care bills. In a May 2004 letter to providers, the HHS Office of Civil Rights states, "HIPAA does not cut off all communication between providers and the families and friends of patients." Furthermore, it states, "Doctors and other providers covered by HIPAA can share needed information with family, friends — or even with anyone a patient identifies as involved in his or her care — as long as the patient does not object … . Even if the patient is incapacitated, a provider can share appropriate information … if he believes it is in the best interests of the patient."

Why, then, the disconnect between law and practice? HIPAA was introduced with a frenzy of legalistic training and warnings. The rules have been seen largely as a series of "do nots." Hospital and other staff heard a clear message: Don't talk to anyone or you might lose your job, get fined or go to jail. "I can't tell you because of HIPAA" became a facile response to questions. And family members, lacking any information to the contrary, believed it. They still do.

Caregiver Confusion

Another contributing factor is less well-understood. Transition protocols focus on the patient. If the caregiver is included, it is as the add-on in "patient/caregiver." This label presumes that the provider knows who the caregiver is. Yet, that is rarely the case.

In the United Hospital Fund's Transitions in Care–Quality Improvement Collaborative, or TC-QuIC, multidisciplinary team members from 37 hospitals, nursing home rehab programs, home care agencies and hospices reviewed patient charts and mapped discharge processes. None had a systematic process for identifying the person or persons responsible for managing the patient's care at home or after discharge. Even if a person was identified, there was no place in the patient's chart for that information. The sometimes noted "emergency contact" or "next of kin" — and even the person at the bedside at a particular moment — may not be the right person to learn about medication management, for example.

Hospitals must change their policies and practices. Someone has to ask the patient, "Who helps you most at home? Who helps you manage your medications?" If the patient cannot answer, someone has to do a little digging to find out who does those important tasks. This inquiry is not lost staff time, but an investment in preventing an avoidable readmission.


Patients' Interests in Protecting Privacy

Health care providers, schooled not only in HIPAA warnings, but also in patient autonomy, sometimes assume that patients don't want anyone to know about their medical care. In fact, most patients want — and need — the support and understanding of the key people in their lives. Almost four in five respondents in a recent study of more than 18,000 veterans were willing to share access to their electronic health records with family members and other nonprofessionals. (See "Patient interest in sharing personal health record information," Annals of Internal Medicine 155:805-810, Dec. 2011.)

But what if the patient objects? Here our experience in TC-QuIC may be helpful. Team members occasionally report, for example, that the patient "doesn't want us to talk to his wife." Further probing usually reveals that the patient is not concerned about his privacy, but about burdening his wife with responsibilities, even though the wife is going to need information to provide care at home. Sometimes an older person is afraid to acknowledge dependency, fearful of being placed in a nursing home, and says, "I can manage my pills by myself!"

Some patients have real privacy concerns that should be respected, but it is important to find out whether these are really at the heart of patient objections. Once patients understand that sharing information may help keep them from coming back to the hospital, the objection usually fades.

Of course, not everyone who claims to have an interest in the patient's medical information should obtain it. If family caregivers are correctly identified and HIPAA rules are explained to them, they can be asked to communicate with other family members as appropriate. For example, when people call the patient information number wanting to know why their uncle is in the hospital and what is being done for him, the answer can be a referral to the appropriate family caregiver.

Removing Barriers

Here are some suggestions for improving transitional care and complying with HIPAA:

  • Review existing training about HIPAA. Make sure that in addition to covering all the unauthorized disclosures, the training includes permissible disclosures.
  • Review existing policies about HIPAA. If the organization has a policy requiring written consent to talk to a family member, is it really necessary? HIPAA does not require written consent in these situations. If this policy is maintained, at least staff should not say, "HIPAA requires it."
  • Review ongoing transitional care protocols. Is there a systematic process for identifying family members who will be responsible for managing care post-discharge? Are they involved in medication reconciliation and developing the care plan?

Improving transitional care is a major challenge. Misunderstandings about HIPAA should not be one of the barriers.

Carol Levine is the director of the United Hospital Fund's Families and Health Care Project, which created Next Step in Care (, a website that offers free guides for family caregivers and health care providers working together to improve patient transitions. She is also a co-chair of the United Hospital Fund's Transitions in Care–Quality Improvement Collaborative.