What Information Can Hospitals Give Over the Phone? – HIPAA Journal
What information hospitals can give over the phone depends on the purpose of the phone call, the recipient of the information, and any restrictions or authorizations in force at the time. The phone system being used can also impact what information hospitals can give over the phone.
The question is usually asked for one of three reasons:
- Healthcare providers want to make sure they comply with HIPAA,
- Patients want to know if their privacy rights have been violated, or
- Families want the maximum information possible about a loved one.
There is no single answer because patients have the right to object to being included in the facility directory, to request restrictions on how their PHI is disclosed, and to limit who it is shared with. Patients can also authorize disclosures that go beyond what the Privacy Rule permits, for example to a friend who calls to ask about their health.
Therefore, although §164.510(a) of the Privacy Rule permits hospitals to disclose directory information to people who ask for a patient by name, a request can be refused in many scenarios (for example where the patient has objected, or where a provider exercising professional judgment decides the disclosure is not in the patient’s best interest), and in others more than directory information can be disclosed.
What is Directory Information?
Directory information – in the context of what information hospitals can give over the phone – consists of the patient’s name, the patient’s location in the facility, the patient’s condition described in general terms that do not communicate specific medical information (for example “stable” or “critical”), and the patient’s religious affiliation. Religious affiliation may only be disclosed to members of the clergy; a member of the public who asks for the patient by name may be given the other three items. Patients must be told about the directory and given the opportunity to object before their information is included, except in an emergency or where the patient is incapacitated, when the provider may rely on professional judgment.
Disclosures to family members, friends, and other caregivers involved in the patient’s care (§164.510(b)) are a separate permission. A hospital may discuss with such a person the PHI directly relevant to their involvement in the patient’s care, such as the current treatment plan, medications, and therapies, but not past medical history that is unrelated to the current condition. HIPAA does not prescribe how a caller’s identity or relationship to the patient must be established: §164.514(h) exempts §164.510 disclosures from its verification requirement, so the provider may rely on professional judgment. Many hospitals nevertheless adopt an identity check for anyone enquiring about a patient (for example, a code word agreed with the patient on admission) as a matter of policy rather than because HIPAA requires it.
The Right to Restrict or Authorize Information
The right to limit what a hospital gives out over the phone does not rest on §164.510 alone. §164.522(a) gives patients the right to request restrictions on uses and disclosures of their PHI. A hospital is not obliged to agree to most such requests, but once it agrees it is bound by the restriction, and refusing a reasonable request could result in a complaint to HHS’ Office for Civil Rights.
With regard to authorizations (§164.508), in most cases they are initiated by a covered entity to facilitate a use or disclosure of PHI that the Privacy Rule does not otherwise permit. However, nothing in the Privacy Rule prevents a patient from authorizing the disclosure of PHI to friends or family members over the phone. Hospitals should bear in mind that a patient may revoke an authorization in writing at any time, so the authorization on file needs to be checked before each call rather than assumed to still stand.
What Information Can Hospitals Give Over the Phone for TPO Purposes?
Hospitals can disclose PHI over the phone for treatment, payment, and healthcare operations (TPO) without the patient’s authorization. How much PHI can be disclosed in a call depends on its purpose. The minimum necessary standard does not apply to disclosures to a healthcare provider for treatment (§164.502(b)(2)(i)), so a treating clinician can be told whatever is relevant to the patient’s care; but a call to a health plan to obtain prior authorization for treatment is a payment disclosure, and the minimum necessary standard applies.
Restrictions and authorizations can also apply to TPO disclosures over the phone. For example, a healthcare provider cannot refuse a request from a patient to restrict disclosures to a health plan if the disclosures relate to a healthcare service that the patient (or somebody on the patient’s behalf) has paid for in full out of pocket (§164.522(a)(1)(vi)), unless the disclosure is otherwise required by law.
Why the Phone System being Used Might also Matter
Hospital phone calls are carried either over the Public Switched Telephone Network (PSTN) or over a Voice over Internet Protocol (VoIP) system. A PSTN carrier that merely transmits a call is treated as a conduit, so no Business Associate Agreement (BAA) is needed. HHS’ conduit exception is narrow, however: it covers only services that transmit PHI and have no more than transient access to it. A VoIP or unified communications vendor that records calls, stores voicemail, produces transcripts, or otherwise retains PHI on the hospital’s behalf is a business associate, and a BAA must be in place with that vendor before PHI is disclosed through the service.
A vendor that only routes live calls may fall within the conduit exception, but a hospital should confirm how the service handles call data (recordings, voicemail, logs, and transcripts) before relying on that, and should not disclose PHI through a VoIP service that holds PHI until the BAA is signed. Note: the FCC’s 2015 TCPA Omnibus Declaratory Ruling and Order permits certain healthcare calls to patients without prior express consent, provided the patient has not revoked consent to be contacted by phone.
Conclusion: Why it is Important to Know What Information Hospitals Can Give over the Phone
The three reasons given above for asking the question are also the reasons it is important to know the answer: providers want to comply with HIPAA, patients want to know whether their privacy rights have been violated, and families want as much information as possible about a loved one.
A failure to comply with HIPAA, a violation of a patient’s privacy rights, or a refusal to give a family information that the patient has authorized can each result in a complaint to HHS’ Office for Civil Rights and a potential compliance investigation. To reduce that risk and the disruption an investigation causes, hospitals should have written policies and procedures for giving information over the phone that cover what may be disclosed to whom, how callers are identified, and how objections, restrictions, and authorizations are recorded and checked before a disclosure is made.
Lawsuit Alleges Unum Group at Fault for MOVEit Data Breach – HIPAA Journal
A Florida resident is taking legal action against the employee benefits provider Unum Group over its MOVEit Transfer data breach, alleging a failure to safeguard the personal information stored within its network. Unum Group was one of hundreds of organizations affected by the mass exploitation of a zero-day SQL injection vulnerability in MOVEit Transfer (CVE-2023-34362). Progress Software issued a security alert about the vulnerability on May 31, 2023, and released a patch the same day; however, the Clop group had already been exploiting the flaw for several days before the alert, resulting in the theft of sensitive data from many MOVEit Transfer customers.
Unum Group announced on August 3, 2023, that it had been affected and there had been unauthorized access to the protected health information of former and current customers of its subsidiary insurance companies, including names, birth dates, addresses, Social Security numbers, and health insurance claim information. The breach was reported to the HHS’ Office for Civil Rights as affecting 531,732 individuals.
The lawsuit argues that Unum Group had an obligation under the Federal Trade Commission Act and HIPAA to keep consumers’ data private and confidential, yet failed to do so. It is difficult to see how any company could reasonably be expected to prevent the exploitation of a vulnerability that was unknown at the time, when the software vendor had not yet confirmed it existed and had released neither a patch nor any mitigations.
The lawsuit – Williams v. Unum Group – alleges Unum was at fault for the data breach because it failed to properly encrypt data transmitted through the file transfer solution, did not redact consumers’ private information, and failed in its legal duty to audit, monitor and verify the security practices of its IT vendors. The lawsuit also takes issue with the time it took Unum Group to issue notifications – more than two months after the suspicious activity was detected – and for the lack of information in the notifications about the root cause of the breach. The lack of information made it difficult for victims of the breach to mitigate harm.
The lawsuit alleges the plaintiff and class members now face a present and continuing risk of identity theft and fraud and are required to pay out-of-pocket expenses to prevent, detect, and recover from the misuse of their information, which is now in the hands of criminals. The lawsuit seeks class action certification, a jury trial, an award of actual damages, compensatory damages, statutory damages, and nominal damages, an award of punitive damages, and attorneys’ fees.