The situations when a medical professional can release information vary depending on who is releasing the information, what information is being released, when it is being released, and where it is being released.
It is fair to say there is a fair amount of misunderstanding both within and outside the healthcare industry about which situations allow a medical professional to release information. To find evidence supporting this statement, you only have to look at stories covered by mainstream news channels in which patients and their families have been denied their HIPAA rights by medical professionals, or in which politicians have failed to grasp the basics of health information privacy.
To find further evidence supporting this statement, you need only visit the Enforcement Highlights page on the Department of Health and Human Services (HHS) website. The page reveals that, since 2003, the agency has received more than 300,000 complaints alleging violations of HIPAA. Of those 300,000 complaints, more than 200,000 have been rejected because “the complaint did not present an eligible case for enforcement”. The most common reasons for complaints being rejected were:
- The alleged privacy violation was by an entity not covered by HIPAA.
- The complaint was withdrawn, or submitted after the 180-day limit.
- The activity described was not a health information privacy violation.
So, which situations allow a medical professional to release information? We look at the who, what, when, and where of health information privacy to not only establish which situations allow a medical professional to release information but also the situations where medical professionals are not allowed to release information. To do this, it is necessary to answer the questions who is releasing the information, what information is being released, when is information being released, and where?
Who is Releasing the Information?
In the context of which situations allow a medical professional to release information, there are three types of medical professionals to consider:
- A solo practitioner that qualifies as a Covered Entity under HIPAA.
- A solo practitioner that does not qualify as a HIPAA Covered Entity.
- A medical professional that is employed by a Covered Entity.
The difference between the three is that a solo practitioner that qualifies as a Covered Entity is required to comply with the HIPAA Privacy, Security, and Breach Notification Rules and any state laws that preempt the HIPAA Rules because they provide more protection to individually identifiable health information or allow greater rights to patients.
A solo practitioner does not qualify as a HIPAA Covered Entity if they do not conduct electronic transactions for which HHS has published standards in 45 CFR Part 162. However, although they do not have to comply with the HIPAA Privacy, Security, and Breach Notification Rules, they do have to comply with state privacy and breach notification legislation.
A medical professional that is employed by a Covered Entity is required to comply with their employer’s employment policies. Therefore, although some releases of information may be permitted by HIPAA, the medical professional’s employer may have decided that the release of certain information cannot be adequately monitored and has prohibited its release.
The difference between the three types of medical professionals is not absolute. If a Covered Entity refers a patient to a solo practitioner who does not qualify as a HIPAA Covered Entity, the solo practitioner becomes a Business Associate of the Covered Entity and is required to comply with the HIPAA Rules. Therefore, a solo practitioner may be operating under one set of health information privacy regulations in the morning, and a different set of regulations in the afternoon.
What Information is Being Released?
The nature of information being released can also determine which situations allow a medical professional to release information. Generally, Covered Entities and employees of Covered Entities are permitted to release certain types of health information in the circumstances described below when the information being released is Protected Health Information or is individually identifiable (non-health) information maintained in the same record set as Protected Health Information.
The protection of non-health information maintained in the same record set as Protected Health Information is one of the primary reasons why misunderstandings exist about which situations allow a medical professional to release information. This is because information such as a patient’s name, address, and phone number are protected by the Privacy Rule all the time they are maintained in a record set with the patient’s health information, but not when they are maintained in a separate database for operational purposes (although state privacy regulations may apply).
It is also the case that any information can be released by a medical professional with the written authorization of the subject of the information (or their personal representative). Conditions apply to authorizations inasmuch as the subject of the information must be informed what information is being released, what it is being released for, who it is being released to, and for how long it is being released. Therefore, in terms of the nature of information being released, it could be:
- Individually identifiable health information protected by the HIPAA Privacy Rule.
- Individually identifiable non-health information maintained in the same record set.
- Individually identifiable non-health information maintained in a separate database.
- Any information – the release of which has been authorized by the subject.
The same distinctions in the nature of information can also apply to solo practitioners that do not qualify as a HIPAA Covered Entity depending on the content of state legislation. There are currently forty-four states with medical privacy statutes on their books (the remaining states include medical privacy in digital privacy legislation), and some states have multiple medical privacy statutes dealing with separate medical disciplines. Dissecting them all is beyond the scope of this article.
When is Information being Released?
The HIPAA Privacy Rule protects the privacy of individually identifiable health information by stipulating the permissible uses of Protected Health Information, disclosures of Protected Health Information that require authorization from the subject of the information, and disclosures for which the individual should be given the opportunity to agree or object if possible. These situations when information can be released by medical professionals include (but are not limited to):
- To individuals exercising their rights to request copies of Protected Health Information.
- To the HHS’ Office for Civil Rights in response to a patient complaint or compliance audit.
- Internally or to other Covered Entities for treatment, payment, or healthcare operations.
- To Business Associates for the purposes stipulated in a Business Associate Agreement.
- To personal representatives of adult patients and unemancipated minor patients.
- To authorized public health authorities to prevent or control disease, injury, or disability.
- To the Federal Drug Administration to report adverse events and track FDA-regulated products.
- To employers when the release of information is required to fulfill OSHA or state reporting requirements.
There is also a long list of scenarios when authorization or an opportunity to agree or object is not required (45 CFR §164.512). In these scenarios, it is often the case that the information that can be released is limited in content rather than limited to the minimum necessary amount to achieve the purpose of the use or disclosure. These too can create misunderstandings about which situations allow a medical professional to release information and what information can be released.
The misunderstandings can be amplified by state laws that preempt the HIPAA Rules because they provide more protection for individually identifiable health information. As demonstrated in the next section, state laws can limit what information is being released and when it is being released by both Covered Entities and solo practitioners that do not qualify as HIPAA Covered Entities. As mentioned previously, employees of Covered Entities may also be limited on what information can be released – and when – by their employer’s HIPAA policies.
Where is Information being Released?
To demonstrate the challenges of determining which situations allow a medical professional to release information, we have provided two examples that show why it matters who is releasing information (and who the information is being released to), what information is being released, and where the information is being released. Scenarios similar to these could apply anywhere in the country, regardless of whether a medical professional is a Covered Entity, does not qualify as a Covered Entity, or is an employee or a Business Associate of a Covered Entity.
Scenario A – Releasing Information to a Support Group
Patient A and Patient B have been receiving mental health treatment – Patient A from a hospital that qualifies as a Covered Entity and Patient B from a private counselor that does not qualify as a HIPAA Covered Entity. Both the hospital and the counselor are located in California.
The hospital and the private counselor agree it would benefit their respective patients if they were to join the same support group. There is no treatment relationship between either of the medical professionals and the support group. The support group is a voluntary organization that neither qualifies as a Covered Entity nor is part of an Organized Health Care Arrangement.
The hospital cannot disclose any information about Patient A to the support group without the patient´s authorization because there is no treatment relationship. If authorization is provided, the hospital can only provide the minimum necessary information about why the patient is joining the support group.
The private counselor is not subject to the same restrictions as the hospital but is subject to California’s Confidentiality of Medical Information Act (CMIA). Under §56.10 of the Act, the private counselor is allowed to release as much information as they feel is appropriate to benefit the patient without authorization.
Analysis of Scenario A
Although the private counselor has the option to provide more information about Patient B without the patient’s authorization, there is no accountability with regard to Patient B’s health information privacy. Patient B has not been advised there may be no control over what happens to the health information once it has been released to the support group and the private counselor could be held liable (under CMIA) if it is further disclosed.
Because of the requirements of the HIPAA Privacy Rule, only the minimum necessary health information about Patient A can be released by the hospital to the support group (with Patient A’s authorization). This not only limits how much health information is released but, because Patient A has been advised there is no control over what happens to the health information, the hospital is not liable if it is further disclosed.
Scenario B – Reporting Domestic Abuse to Authorities
One of the most complex situations in which medical professionals may – or may not – be permitted to release information relates to reporting domestic abuse and intimate partner violence (IPV). HIPAA permits medical professionals to release information about an individual to agencies authorized by law to receive reports of abuse, neglect, or domestic violence, provided the information released is limited to the minimum necessary amount.
Whether or not a medical professional is allowed to report domestic violence to authorities – either with or without the patient’s authorization – is more often controlled by state regulations; and in some cases, these can be very different.
For example, in Georgia, medical professionals are required by OCGA §31-7-9 to report any non-accidental patient injuries. The state requires “all physicians, nurses, and other medical personnel [to] be supported and encouraged to assess, intervene, and refer in cases of alleged or suspected IPV” and provides immunity from any civil liability to “any person or persons participating in the making of a report or causing a report to be made to the appropriate police authority.”
In neighboring Florida, the situation is practically reversed. Medical professionals are only permitted to report domestic violence to authorities if the injuries suffered by the victim are life-threatening (Fla. Stat. §790.24) or consist of second- or third-degree burns (Fla. Stat. §877.155). Any other report of domestic violence without a patient’s authorization is a violation of the Florida Information Protection Act, which – because it has more stringent privacy protections in this scenario – preempts HIPAA.
Analysis of Scenario B
In this scenario, a medical professional working on one side of the border between Florida and Georgia will be in violation of state laws if they report domestic abuse that does not involve a life-threatening injury; while a medical professional working on the other side of the border will be in violation of state laws if they fail to report the same domestic abuse. In theory, the Floridian medical professional could be charged with a misdemeanor for something that is a legal requirement in the next town.
While this may be an extreme example of how difficult it can be to determine which situations allow a medical professional to release information, the preemption of HIPAA in this scenario is significant. Throughout the country, there will be laws such as the Florida Information Protection Act that apply in just one or two scenarios to Covered Entities and Business Associates, and it is important to know when these laws – or clauses within laws – apply to prevent unintentional health information privacy violations.
Conclusion
As can be seen from the above examples and the discussions that preceded them, there are no absolute rules about which situations allow a medical professional to release information. Medical professionals of all HIPAA statuses should identify which health information privacy regulations govern the release of information in their locations, what information can be released, and when.
While it is important to comply with state and federal health information privacy regulations, the risk exists that securing health information too rigidly can obstruct the flow of information required for operational efficiency. Additionally, securing health information too rigidly can delay responses to patient access requests – which can result in more stories being published by mainstream news channels. Therefore, if you are a medical professional or an employee of a Covered Entity with responsibility for compliance with health information privacy regulations, and you have any doubts about which situations allow a medical professional to release information in your location, you should seek professional compliance advice.
Steve Alder, Editor-in-Chief, The HIPAA Journal
The post Which Situations Allow a Medical Professional to Release Information? appeared first on HIPAA Journal.