John Shufeldt, MD, JD, MBA, FACEP
You are working in an urgent care center when a mother shows up with her 18-year-old daughter, who is “mildly developmentally delayed,” per her mom. The daughter turned 18 yesterday and the mother is concerned that she may have gotten a little “too wild” while celebrating her birthday at a friend’s house and she would like her tested for drugs and STDs. The daughter appears to understand what is necessary to comply with her mother’s demands and reluctantly agrees. Your tech obtains the urine and runs a pregnancy test and rapid drug screen. After her exam, the patient tells you not to disclose the results to her mother under any circumstances. Her mother is adamant that you tell her the results of the testing. Now what?
I don’t have very many “pet peeves.” The only ones I can think of are hate rhetoric, flag burning, animal cruelty, broccoli in Chinese food, and when someone says “It’s against HIPAA.”
I have heard “It’s against HIPAA” so many times and for such patently random things that I feel compelled to spend some time writing about it.
Candidly, what pushed me over the edge was when someone remarked that, “It was against HIPAA to tell the family members of a demented Alzheimer’s patient the result of the CT of the brain.” Really?
First, a bit of background. The Health Insurance Portability and Accountability Act of 1996 was enacted by Congress in response to the rising cost of administrative expenses due largely to complex coding taxonomy and lack of communication among providers about diagnostic and billing information (i.e., the morass that is modern medicine). Enter the government trying to save us all!
Generally speaking, HIPAA attempts to: (1) make it easier for people to keep their health insurance; (2) protect the confidentiality and security of health care information while balancing the need to protect the public’s interest; and (3) help control administrative costs.
The “portability” requirement in the Act helps avoid “job lock.” That is, it eliminated insurance companies’ ability to deny coverage to people with pre-existing conditions, which impeded people in moving to new jobs because they could not get health insurance coverage.
In many ways, HIPAA does not change the way we practice, inasmuch as privacy and confidentiality have always been a priority. It does, however, provide legal recourse when dealing with breaches. Under the Act, patients’ control of health information includes the ability to review their own medical records, request corrections to those records, and determine who is looking at them and why. It sets limits without deterring research or undermining care. And it strikes a balance between privacy and public responsibility by accounting for public uses related to public health concerns (e.g., communicable diseases), health oversight (e.g., provider compliance audits), research, law enforcement (offender identification), and investigations of abuse, neglect, and violence. Remedies for violations of the privacy rule include both civil and criminal penalties while acknowledging, however, that the right to privacy is not absolute (see appropriate public uses exceptions above).
HIPAA helps control administrative costs in two ways. It simplifies coding and defines standards under which health care providers can share information. That helps ensure coordination of care, eliminates repeat testing and procedures, and fosters quality of care. The Act also reduces fraud, waste, and abuse by eliminating unnecessary repeat services and tests for which providers would bill but a patient would get no benefit.
HIPAA does not cover everyone or every entity, but health care providers are among those who must comply with it. The Privacy Rule and what is considered protected health information (PHI) are what we as providers are most likely to have to address. PHI includes:
- Information your doctors, nurses, and other health care providers put in a patient’s medical record
- Conversations that a doctor has with nurses and others about a patient’s treatment
- Information about a patient in a health insurer’s computer system
- Billing information about a patient
- Past, present or future physical or mental health or conditions
- Services provided for health care to an individual
- Past, present, or future payment for the provision of health care
- Any other information that identifies an individual or for which there is a reasonable basis to believe it could be used to identify an individual, including name, address, birth date, and Social Security Number.
The list above raises the question: If everything is PHI, then should an urgent care provider never share anything about a patient with anyone? The answer is no! If, in your judgment, it is in the patient’s best interest, it is completely appropriate to share information. You can release PHI when the patient consents/gives authorization or one of the various exceptions applies. Consent simply means agreeing to the use of PHI for treatment, payment, or for the smooth operation of the health care system.
Providers obtain patient consent before using or disclosing information for the purpose of providing treatment, related to payment for treatment, and for health care operations. The consent form must:
- Contain clear language that an average patient can easily understand
- Refer to the privacy notice and the right to change notice
- Advise a patient of his/her right to request restrictions on use/disclosure of PHI and a provider’s right to deny that request
- Advise of a patient’s right to revoke consent in writing
- Be signed by a patient.
The exceptions regarding the need for consent are when care is provided to an incarcerated inmate or when a reasonable attempt was made to obtain written consent after emergency treatment. By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of PHI not otherwise allowed by the Rule (i.e., for uses other than treatment, payment, and health care operations, such as marketing).
Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit use or disclosure of PHI unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use PHI for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose PHI to a third party specified by the individual.
An authorization must specify a number of elements, including a description of the PHI and the person authorized to use or disclose it, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the PHI may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.
An authorization form is not required for:
- Disclosures required by law
- Victims of abuse, neglect, or domestic violence
- Warrants or court orders
- Coroners, medical examiners, or funeral directors
- Organ, eye, or tissue donations
- Workers’ Compensation compliance
- Law enforcement to avert a serious threat to health or safety
- Public health purposes and health oversight activities.
The Privacy Rule gives patients the right (except with psychotherapy notes) to:
- Inspect medical information
- Make copies of medical information
- Request corrections to medical information
- Request a release of information or request restrictions on release.
There are exceptions to when you can disclose PHI:
- De-identified information – There are no restrictions on the use or disclosure of de-identified health information. Thus, removal of specified identifiers of an individual and of his/her relatives, household members, and employers is required and is adequate only if the covered entity has no actual knowledge that the remaining information could identify the individual.
- Informal permission – Informal permission may be obtained by asking the individual outright, or in circumstances that clearly give the individual the opportunity to agree, acquiesce, or object (e.g., when family or others are present and a patient asks that they stay during medical conversation).
- Emergency situations – When an individual is incapacitated, in an emergency situation, or not available, covered entities generally may make such uses and disclosures if, in the exercise of their professional judgment, the use or disclosure is determined to be in the best interests of the individual.
Covered entities and providers generally may make use of and disclose PHI if, in the exercise of their professional judgment, the use or disclosure is determined to be in the best interests of the individual. Generally, professional judgment comes into play as an exception during emergency situations, but it is also exercised in situations in which an individual is determined to be incapacitated due to a physical or psychological condition at a time when treatment is needed. Upon restoration of capacity, a patient’s privacy must again be honored unless disclosure is authorized by that patient.
The verification requirements of this paragraph are met if the covered entity relies on the exercise of professional judgment in use or disclosure in accordance with §164.510 (opportunity for individual to agree or object) or acts on a good faith belief in making a disclosure in accordance with §164.512(j) (opportunity for individual to agree or object not required).
The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient in the patient’s care or in payment for health care.
If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object.
The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object. For example:
- A doctor may give information about a patient’s mobility limitations to a friend driving the patient home from the hospital.
- A hospital may discuss a patient’s payment options with her adult daughter.
- A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
- A physician may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.
Even when the patient is not present or it is impractical because of emergency circumstances or the patient’s incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person, a covered entity may share this information with the person when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. [See 45 CFR 164.510(b)].
Thus, for example, a physician may, if consistent with such professional judgment, inform a patient’s spouse, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient’s progress and prognosis. Also, a provider may, if consistent with such professional judgment, discuss an incapacitated patient’s condition with a family member over the phone.
In addition, the Privacy Rule expressly permits a covered entity to use professional judgment and experience with common practice to make reasonable inferences about a patient’s best interests in allowing another person to act on behalf of the patient to pick up a filled prescription, medical supplies, x-rays, or other similar forms of PHI. For example, when a person comes to a pharmacy asking to pick up a prescription on behalf of an individual he/she identifies by name, a pharmacist, based on professional judgment and experience with common practice, may allow the person to do so.
So, if we have always been careful to not share PHI, what’s all the hubbub? As I mentioned, HIPAA added some legal teeth to the practice of confidentiality. Fines for violating the Statute range from $100 to $50,000 per offense and up to $1.5 million for identical violations occurring within a calendar year. The statute of limitations for HIPAA-related infractions is 6 years.
Returning to the scenario with the mildly developmentally delayed party girl, how should you proceed, given the HIPAA regulations? Although under HIPAA you could share information with her mother, it is clear to you that the patient does, in fact, have the capacity to object to sharing her PHI. Therefore, you should very tactfully tell the mother that unless her daughter consents or unless she has guardianship, you cannot share her daughter’s results with her.
Next month, I plan to explore weird variations of HIPAA or HIPAA-like scenarios that I have experienced or can envision an urgent care provider facing.