Kelly Petryszyn of The Morning Journal newspaper serving Northern Ohio reported on October 26, 2011, that New Life Hospice Center of St. Joseph at Mercy Regional Medical Center in Lorain, Ohio, refused to permit family members of Vernon Kapucinski, 60, to be at his bedside as he expired because they didn’t know the HIPAA password. His brother, Jim, and his long-time nursing aide arrived well before his death but were turned away because they didn’t provide the password. After Jim returned home, a nurse called, all apologetic, and asked him to come to his brother’s bed side because his condition had worsened. But he got there too late to comfort his brother before his death.
Neither Jim nor the nursing aide had ever had to provide the code previously, and Jim had actually asked whether he needed a code to come back when he left the day before his abortive attempt to be with his brother and was told that he did not.
In an email, Mercy Marketing Director Kasha Frese said that, to protect patient safety and privacy, Mercy requires that “persons visiting patients when the building is secured must have the patient’s code to gain entry.” She added that Mercy issues a private code to each patient and the patient’s primary contact person during the admitting process. The patient and the primary contact person can give this code to friends and family members as desired.
Of course, nothing in HIPAA requires such a code. Some covered entities use such a code as part of the communications with family members and others who are involved in the patient’s care unless the patient objects or unless another law affording more privacy protection requires a patient consent or authorization (such as 42 C.F.R. Part II would for substance abuse treatment information) on the theory that the patient must not have objected to the disclosure to a person in possession of the code. Of course, absent such a code requirement, the covered entity can talk to any family member involved in the care unless the patient has actually objected to that family member receiving such communications. The two individuals denied being there for the patient’s death had clearly been involved in the care. In fact, one could view the nursing aide as a provider that did not require consent, authorization, or opportunity to object for access if she would have been providing care or comfort to the patient.
This action by the hospice is just plain stupid. Giving the two individuals access to the dying patient would not have been a HIPAA violation. Even if it had been, what would the harm have been? A complaint to DHHS would not have resulted in any significant sanctions. And I don’t know whether Ohio recognizes the tort of negligent infliction of emotional distress, but if I were a member of the family, I might find out whether such a lawsuit or a related one would be viable.
For the entire article from The Morning Journal, including a video, click here.
