Next year marks the 20th anniversary of the passage of the (HIPAA). HIPAA's purpose is to protect the privacy and security of protected health information or PHI.
PHI is individually identifiable information in any form relating to an individual's healthcare, payment for healthcare, or physical or mental health condition. HIPAA serves as as the protector of PHI, limiting disclosures without patient authorization, and generally ensuring that people's private medical conditions are not broadcast in public. But HIPAA is often misunderstood and misapplied in practice. Incorrectly applied invocations of HIPAA can sometimes limit access to vital information and harm patients. A detailed cases where important clinical information did not reach providers, all in the name of HIPAA.
When it comes to emergency medical care, complete information is vital to making the best clinical decision. Timely access to existing records often affects clinical actions, such as decisions to admit, orders for expensive imaging tests, or the use of narcotic pain relievers. For example, incorrectly using HIPAA as the reason for not sharing important information -- such as old EKGs or stress tests results for patients with chest pain, or prior imaging results in patients with abdominal pain -- can cause providers to overuse inpatient and radiology resources. Unfortunately, pertinent information is often absent or kept protected during the emergency department (ED) visit, limiting easy access by providers.
When providers don't understand how HIPAA applies to a particular situation, the knee-jerk response is often to err on the side of caution. Certainly you've heard a colleague say, "That's a HIPAA violation!" but have not been so sure yourself. Yet for providers, there is a real reason to be careful: HIPAA violations can carry significant penalties for individual and institutional providers (referred to under HIPAA as "covered entities") and their "business associates" (individuals and organizations doing work on their behalf, e.g., claims processor or business manager).
When it comes to gray-area situations, it is important to recognize that HIPAA is not intended to interfere with a patient's medical care. In many cases, HIPAA permits disclosure of PHI without patient authorization (See figure 1 below). Providers may avail themselves of any applicable permissive disclosure exceptions at their discretion, but must comply with relevant requirements. For example, the "minimum necessary" rule requires that the PHI disclosed for nontreatment related purposes must be limited to the minimum amount necessary to accomplish the intended purpose of the disclosure. In other words, only relevant information may be disclosed.
Below are 10 clinical situations in the ED where HIPAA is commonly invoked and how HIPAA actually applies to those situations. Keep in mind, however, that every investigation of an alleged HIPAA violation is very fact-specific.
Situation #1: A family member calls to ask about the status of their relative in the ED
What HIPAA says: Providers may disclose "directory information" (i.e., patient's location and general health status) if the caller identifies the patient by name. This exception permits callers to locate friends or family who may have been involved in an accident. Providers must first provide patients the opportunity to agree or object to the disclosure of "directory information." If the patient is incapacitated, the provider must inform the patient that such disclosures were made and give the patient the opportunity to object to further disclosures as soon as practicable. This requirement protects, for example, victims of domestic abuse who may not want their whereabouts divulged to their abuser. This opportunity to object may be offered verbally or in writing, such as through the notice of privacy practices that is given to patients upon arrival in the ED.
Situation #2: A person identifying herself as a patient's physician calls the ED provider to ask about their patient's status
What HIPAA says: Disclosures of PHI from one provider to another provider for treatment purposes are permissible without the patient's authorization. The disclosing provider must use professional judgment to determine whether the requested PHI relates to the patient's treatment by the requesting physician.
Situation #3: A member of the press calls to ask about the status of a patient in the ED
What HIPAA says: Location and general health status (i.e., directory information) can be disclosed if the requester identifies the patient by name unless the patient has objected to such disclosures. This rule prevents inappropriate disclosures when, for example, a caller inquires about the status of "the gunshot victim." A provider may disclose PHI to the media where necessary to identify, locate, or notify individuals responsible for the patient's care, but media-initiated inquiries about a specific patient do not fall within this exception.
Situation #4: A patient is in a hallway bed and another patient overhears their medical history
What HIPAA says: Disclosures made "incident to" an otherwise permitted disclosure of PHI (such as disclosures for treatment purposes) are permissible. While HIPAA does not define exactly what "incident to" means, it requires that providers "reasonably protect" PHI with appropriate safeguards to limit incidental disclosures. This may include speaking quietly when discussing PHI or moving patients to private areas. For example, physicians discussing a specific patient's case on a crowded elevator could be a HIPAA violation. In this situation, a reasonable safeguard -- such as not disclosing PHI in a crowded, public setting -- would be expected when the case could easily be discussed in a more private setting.
Situation #5: A provider calls another hospital to obtain a patient's records; the hospital requires that the provider send a signed form from the patient authorizing the disclosure
What HIPAA says: Most of HIPAA's disclosure exceptions are permissive; meaning that the provider may use professional judgment when deciding whether or not to disclose the information. If the records request is for treatment purposes, HIPAA permits disclosure to another provider without patient authorization, i.e., without an authorization document that meets certain requirements. It is important to note that HIPAA does not require that the PHI be disclosed to the requesting provider in this example. In fact, HIPAA only requires disclosures in two circumstances: to the patient and to the U.S. Department of Health and Human Services (HHS) for compliance purposes.
Situation #6: A patient's family member asks the provider not to inform the patient of a serious diagnosis (i.e., brain tumor) made in the ED that was shared with the family for a patient who came in incapacitated (i.e. in status epilepticus) and is now awake and alert because the family doesn't think the patient cannot handle the information
What HIPAA says: HIPAA requires providers to give a patient access to his/her PHI when the patient specifically requests it, unless the PHI or patient is subject to special protections or another law authorizes the provider to withhold the information (e.g., a state law further restricting disclosure of mental health information). Absent such a request and assuming the patient has not objected to the provider's disclosure of PHI to family members, this situation raises ethical rather than HIPAA concerns. Providers should use their professional judgment and consider the best interests of the patient as well as any organizational policies and procedures for such situations.
Situation #7: ED staff call a patient to provide a test result that became available after the patient was discharged, but the patient is unavailable. The family member who answers the phone asks for the result stating that they will share it with the patient
What HIPAA says: Disclosures to family and friends involved with a patient's care are permissible under HIPAA. Patients must have an opportunity to agree or object to such disclosures while they are in the ED. However, providers may use their professional judgment to infer from the situation that a patient does or does not object. If, while in the ED, the patient agreed to disclosures to the family member and the provider determines that it is in the patient's best interest, disclosure of the test results may technically be permissible. However, verifying the family member's identity and determining whether the patient's prior permission extends to this situation may not be possible. In these situations, providers should use their professional judgment and consider the best interests of the patient as well as any organizational policies and procedures. For example, many facilities commonly ask the patient to call the hospital for the results.
Situation #8: The police bring a patient in to the trauma bay; after resuscitation, the police ask about the patient's status
What HIPAA says: PHI may be disclosed to law enforcement without patient authorization in limited situations. For example, if a law enforcement official requests PHI about a patient who is suspected to be a crime victim and the patient cannot agree to disclosure due to incapacity or other emergency circumstances, the provider may disclose the PHI if he determines that disclosure is in the patient's best interest and the law enforcement official represents that:
- The PHI is needed to determine whether another person violated the law
- The PHI is not intended to be used against the patient
- An immediate law enforcement activity depends on disclosure
- The activity would be materially and adversely affected by waiting until the patient is able to agree to the disclosure
Disclosures without authorization outside the specified law enforcement exceptions must be limited to directory information or for purposes of notifying the patient's family, unless the patient has objected to such disclosures.
Situation #9: A supervisor brings in an employee for a medical issue; after treatment, the supervisor requests an update on their employee's status
What HIPAA says: In general, providers must have the employee's authorization to disclose health-related information to an employer, unless the provider is treating the employee for a work-related illness or injury at the employer's request. In that case, the provider may disclose pertinent findings only if the employer needs such information for reporting requirements mandated by law. Providers must alert patients to these types of disclosures, which can be done in their Notice of Privacy Practices. Providers may also disclose PHI without patient authorization to the extent authorized by laws relating to worker's compensation programs providing benefits for work-related injury or illness.
Situation #10: The hospital CEO calls the ED to inquire for his personal concern about the status of a VIP patient
What HIPAA says: Directory information (e.g., location, general health status) may be disclosed if the patient has not objected to such disclosures. Additional information may be disclosed if it is to be used for a "healthcare operations" purpose, which includes six broad categories of activities such as quality improvement and customer service. If information beyond directory-level information is sought for personal interest, such disclosures are impermissible. Depending on the policies and procedures of a particular organization, looking up a patient's PHI without a permissible purpose may lead to disciplinary action in addition to any HIPAA related penalties.
Practical Considerations
HIPAA attempts to balance individuals' right to control access to their health information against providers' need to exchange information for treatment, payment, and healthcare operations. While the previous 10 situations may sound familiar, many other situations may cause confusion. Despite common misperceptions, the HIPAA Privacy Rule vests fairly broad discretion in healthcare providers to exchange prudent amounts of patient information related to treatment, payment, and operations without written patient authorization.
However, beyond these purposes, there are important exceptions, some of which require written patient authorization or an opportunity for the patient to object to the disclosure of information. To help, here are some practical considerations in determining how HIPAA applies to a particular ED situation. In addition, guidance on where to find additional information is in figure 2.
Patients' Best Interests: HIPAA's treatment, payment, and operations exceptions cover most routine healthcare activities. While providers may not be familiar with all the specifics of these exceptions, a basic guideline to help determine whether an exception applies is to consider whether the disclosure facilitates or improves patient care and is in the best interest of the patient. If failure to disclose would materially and adversely impact care, it is probable that the disclosure would be permissible under HIPAA.
Law versus Ethics: A provider may use his/her professional judgment as to whether to disclose when a permissive exception applies. However, there are several conceivable situations that HIPAA does not prohibit but which may raise ethical concerns. Examples include withholding PHI from the patient at a family member's request as described in Situation #6 above. Ultimately, disclosures must be in the patient's best interest. Providers should follow professional practice standards and their organization's policies and procedures when making, or choosing not to make, permissive disclosures.
Disclosures During versus After Treatment: When patients are treated in the ED, there may be a need to disclose PHI without authorization. As such, EDs must provide patients with a notice of privacy practices upon arrival describing permitted and required disclosures. After discharge, HIPAA still applies. However, applying disclosure exceptions outside the care delivery context may be complex and risky. Providers should be aware of how the specific care setting may change disclosure exceptions and should consider soliciting the patient's preferences during treatment on how and to whom they prefer to have certain PHI disclosed after discharge, such as test results.
Special Situations: HIPAA defers to state law with respect to minors' and other incompetents' PHI. Other federal laws (e.g., 42 CFR Part 2) contain more restrictive requirements applicable to PHI such as substance abuse information. State law may be more restrictive than HIPAA or protect certain types of PHI, such as HIV-related information. Providers should be familiar with all applicable laws and their organization's policies on disclosures and consider their application to the specific type of PHI being disclosed.
Don't Be Vague: HIPAA does not specify processes relevant to permissive disclosures. For example, there is no specified method to verify the identity of a requesting provider or an exhaustive list of activities that qualify as treatment, payment, or operations. Providers should consult their organization's policies on protocols relevant to these situations and utilize their best professional judgment in carrying out disclosures.
Jesse Pines, MD, is a practicing emergency physician and a professor of emergency medicine and health policy at George Washington University in Washington.
Elizabeth Gray, JD, MHA, is a senior research associate at the Milken Institute School of Public Health at George Washington University.
Jane Hyatt Thorpe, JD, is an associate professor at the Milken Institute School of Public Health and director of the Healthcare Corporate Compliance Program at George Washington University.
A version of this article originally appeared at .
Primary Source
Health Insurance Portability and Accountability Act of 1996
HIPAA, Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 18, 26, 29, and 42 U.S.C.); for purposes of this article, references to "HIPAA" are to the HIPAA Privacy Rule, 45 C.F.R. 164.500 et seq.
Secondary Source
New York Times
Source Reference: Span P "HIPAA's Use as Code of Silence Often Misinterprets the Law" New York Times, July 17, 2015.