Shooting from the HIPAA: Confessions of a Provider Trying to Provide

widex moment app
Holly Hosford-Dunn
February 23, 2016

Oh what a tangled web we weave when first we practice to achieve. (With apologies to Sir Walter Scott)

Speaking as a dispensing audiologist (“provider”) who writes on economic issues related to hearing care (“blogger”), let the record show that the confusing landscape of rules and regulations (R&Rs) these days has brought on writer’s block and a fear of failure to practice and provide.  Every thought for a post conjures myriad questions but elusive answers.   Every patient encounter mirrors those questions and begs for answers. It’s circular. It’s personal.

Today’s post is an attempt to break out of the writer’s block by admitting that — in the role of dispensing audiologist — I no longer feel confident in my professional ability to understand and respect the R&Rs.  The confession is made in hopes that readers will set me straight by sending in clarifications.  Or– if the confusion is justified– perhaps they’ll send in suggestions for regulatory changes.

There’s no good place to start, so I’ll begin with HIPAA, otherwise known as the Health Insurance Portability and Accountability Act of 1996, and the PCAST report.    As part of the ensuing discussion, please note that the act’s title refers to Insuring, not Ensuring.


Q:  What Part of Portability Don’t I Understand?


Two of the four recommendations in the PCAST report call for the FCC to free up customer data by:

  • requir[ing] audiologists and hearing-aid dispensers … to provide the customer with a copy of their audiogram and the programmable audio profile for a hearing aid at no additional cost and in a form that can be used by other dispensers and by hearing-aid vendors.
  • and “defin[ing] a process by which patients may authorize hearing aid vendors (in-state or out-of-state) to obtain a copy of their hearing test results and programmable audio profile from any audiologist or hearing-aid dispenser who performs such a test, and it should require that the testers furnish such results at no additional cost.

Sounds OK to me.  For healthcare providers that fall under HIPAA regs, such items are part of the patients’ personal health information (PHI) records.  PHIs must be kept under lock and key but must also be made available to patients upon their request. That is, the data is portable by the patient.

It’s doubtful that the PCAST recommendations would have made it into the final report if data access and portability weren’t a problem, at least to some and at least in some locales.  Recent comments at HHTM support that assumption. What audiologists and dispensers are blocking portability?  And why?

Hearing healthcare providers are not alone in denying PHI portability to their patients.  The Office for Civil Rights lists problems accessing medical records as one of the top five issues it investigates.  A former Department of Health and Human Services (HHS) official suggests the problem may be less about misunderstanding than willful misinterpretation of the regs to gain an edge over the competition:

“many health care providers still don’t understand that patients have a right to get their medical records… It may be contrary to the financial interests of health care providers to give patients broad access to their medical records. …Once patients have that information, they can share it with competing health care providers.” (Joy L. Pritts, former Dept of health and Human Services (HHS) official. Quoted in NYTimes, Jan 16 2016)

“When [covered entities] … talk about Hipaa or charge for releasing records what they’re really saying is, ‘I don’t want to do this and I have to find an excuse … Hipaa is used in all sorts of distorted ways, because ‘protecting privacy’ sounds good.”(Dr. David Blumenthal, former national health information technology coordinator. Quoted in NYTimes, Sept 11 2014). 

Motive aside, HIPAA published new guidelines last month to explain the old guidelines.  To wit, HIPAA types (aka “covered entities“) cannot:

  • require patients to state a reason for requesting their records,
  • deny access out of a general concern that patients might be upset by the information.
  • require patients to pick up their records in person if they ask that the records be sent by mail or email.
  • deny a request for access to health information because a patient has failed to pay [their] bills.
  •  charge for the cost of searching for data and retrieving it.

And with that flourish, HIPAA seems to answer my question by ensuring Portability to all and satisfying PCAST except for the business of copying costs.  Is that all there is? Half the PCAST recommendations can’t boil down to a 15¢/page copying fee and “clarification” of existing regs.  Really?

What Part of “Covered” Don’t  I Understand?


Perhaps the portability deniers are not Covered Entities and therefore not subject to HIPAA regulations? If so, the argument turns on economics: Uncovered Entities could simply claim a proprietary right to data created in the process of fitting hearing aids.

Simplification efforts by HIPAA (Fig 1) support the vision of HIPAA-free providers to include those who bill manually or not at all for Covered Transactions.  As expected,  Covered Transactions are defined in exquisite detail by a set of regs, which the American Association of Physicians and Surgeons summarizes but fails to simply:

 A transaction is a covered transaction if it meets the regulatory definition for the type of transaction.

Figure 1. Simple means of figuring out whether you are a Covered Entity under HIPAA.

The preceding logic suggests that providers who do not or cannot bill health plans for services and product are not Covered Entities and therefore not subject to HIPAA.  This seems to answer my question.

Likely candidates for Uncovered status include most hearing aid dispensers, Internet providers, and a handful of audiologists who still use HCFA 1500s.  Can this be right?


What Part of Personal Health Information Don’t  I Understand?


If Uncovered Entities actually exist in hearing healthcare, what do we make of the test data, entries, and hearing aid adjustments they compile for individual fittings?  Do those data comprise PHI records protected by the HIPAA Privacy Rule and accessible by the individuals? HSS own verbiage points to “no” for the same reason the providers are not covered by HIPAA (ital added for emphasis):

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. 

That seems to answer my question.  Uncovered Entities own their data and can chose to share (or not) with their clients.  Can this be right?

Probably Not


Just because I read it at HSS does not make it so, no matter the degree of Simplification; no matter whether transactions are covered, billed electronically, given away free, or bartered; no matter the licensure of the provider.   Those with better vision and understanding  in our field provide a very different, and more confident, view of the regs, as evidenced by Mike Metz’ recent “Locked in” post and these responses from a knowledgeable source:
  • Anything that happens within the office, falls under HIPAA as part of the medical record.  Insurance coverage, or lack of, doesn’t impact HIPAA compliance.
  • To my knowledge, any PHI, falls under HIPAA.  An aid in a nursing home, for example, has to be compliant/HIPAA trained.  A dispenser can’t share protected healthcare information.
  • Where it is purchased shouldn’t matter.  There is a national obligation to protect healthcare information.


The Circularity


This post is back where it started, completely lost in the regs versus realities, as is the system itself.  Why else must HSS issue guidelines to explain the guidelines and complicated charts for simplification?  I have questions but I don’t have answers nor do most of the colleagues I query.  As one put it, it’s above our pay grade.  Can that be right?

Meanwhile, and seemingly parallel to old regs: standards, policies and technology march on in form of HIEs (Health Information Exchanges).  Those include Consumer-Mediated Exchange, which provide “ability for patients to aggregate and control the use of their health information among providers” and promises  the patient-centered care that many of us aspire to.  Sadly, but not surprisingly, the way audiologists and hearing aid dispensers fit into new world of HIE regs is not immediately obvious, at least to me as a (covered?) provider.

Next post in this series will continue the circular route, with stops scheduled at the FDA, FCC, and state licensure regs.


feature image courtesy of


  1. Hello,
    Your articles on HHTM are extremely informative, but the collection is rather hard to browse or search. Some are linked in chains by convenient arrow links, others such as this one are free standing. Is there a easier way to access them?

    1. Holly Hosford-Dunn Author

      The search function will bring up all posts according to category (e.g., HIPAA). You’re right that posts in a series are often linked below for convenience. Since this post is the first in the “Confusion” series, it is stand alone at present. When I get unconfused enough to write another in the series, it will be linked. FYI, I have the same problem finding things, largely because there is so much on the site written by so many people. But, sometimes I have trouble finding my own stuff in the pile! Used judiciously, the search function helps a lot. Also, each of our writers is encouraged to link to url’s of others posts and they work hard to do so. Nevertheless, I’m with you on wishing there were a perfect search method; it’s something we keep trying to perfect.
      Meanwhile, thank you for your nice comment on the informative value of these posts. That is much appreciated.

Leave a Reply