Breaches of Protected Health Information


Breach Notification Rule

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.

Definition of Breach

A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  An impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the PHI involved, including the types of identifiers and the likelihood of identification.
  2. The unauthorized person to whom the disclosure was made.
  3. Whether the PHI was actually acquired or viewed.
  4. The extent to which the risk to the patient was mitigated.

Breaches Are A Serious Matter

Breaches of Protected Health Information are a serious matter.  A breach is an impermissible use or disclosure of protected health information, or PHI, that compromises the privacy or security of that PHI.  Such a use or disclosure is presumed to be a breach unless certain criteria are met: the covered entity or business associate must demonstrate, based on a risk assessment, that there is a low probability that the PHI has been compromised.

Paper Breaches

Breaches of Protected Health Information take many forms.  Examples of breaches of paper PHI are loss of paper files, insecure disposal, and paperwork given to the wrong person.  All entities that handle paper PHI must therefore understand how important it is to take care when sharing or disposing of this information.  It is not uncommon for patients to receive the discharge summary of other patients, or to see old medical records simply thrown away in the trash.

Electronic Breaches

Examples of electronic PHI breaches include the loss of an unencrypted mobile device or laptop computer and the sharing of PHI on an unsecured document-sharing internet site.  Most importantly, every organization must create a process by which electronic PHI stored in the cloud is protected so that only authorized persons have access.

All of these scenarios have been the subject of Office for Civil Rights penalties.

Verbal Breaches

Verbal breaches of PHI occur when PHI is disclosed to the wrong individual or is overheard because safeguards were not used.  This is common in waiting rooms, hospital hallways, clinics and pharmacies.  Every organization must make an effort to consider how verbal PHI can be protected.

It is important for all covered entities and business associates to review their policies.  As a result they will be better able to protect PHI, whether it is paper, electronic or spoken.

Covered entities and business associates, in some situations, have permission to provide the required breach notifications following an impermissible use or disclosure without performing a risk assessment to determine the probability that the protected health information has been compromised.

Three exceptions to the definition of breach

  • The first exception “applies to the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.”
  • The second exception “applies to the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.” In both of these situations, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  • The third exception “applies if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.”

Unsecured Protected Health Information

Covered entities and business associates must provide the required notifications only if the breach involved unsecured protected health information. If the information was secured using available technology, it may not be necessary to report it.  Unsecured protected health information is protected health information that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in guidance.

It is of great importance that all protected health information be protected by appropriate technological tools such as encryption, or by complete destruction of the PHI such that it cannot be used by unauthorized individuals. These technologies and methodologies render PHI unusable, unreadable, or indecipherable to unauthorized individuals.  An organization is free to choose the technology that works best for its needs.

Encryption of PHI

Electronic PHI is considered encrypted when it is protected by “the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key” (the definition of encryption at 45 CFR 164.304) and the confidential process or key that would enable decryption has not itself been breached.  To avoid a breach of the confidential process or key, decryption keys and tools should be stored on a device or at a location separate from the data they are used to encrypt or decrypt.
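The key-separation point above, as an added example that is not part of the original page: a record is sealed with AES-256-GCM, the ciphertext goes into a data store, and the key lives only in a separate key store (standing in for an HSM, KMS or separate host). Someone who obtains the data store alone, or who tries to relabel a ciphertext under another patient's record id, recovers nothing; the record id and plaintext are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// DataStore holds only ciphertext: this is what is exposed when a disk, backup
// or storage bucket is lost. Each value is nonce || ciphertext || GCM tag.
type DataStore struct {
	Records map[string][]byte
}

// KeyStore is deliberately a separate object: the 32-byte AES-256 key is never
// written next to the data it protects (an HSM or KMS in a real deployment).
type KeyStore struct {
	key []byte
}

// NewKeyStore generates a fresh random AES-256 key.
func NewKeyStore() (*KeyStore, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KeyStore{key: k}, nil
}

func (ks *KeyStore) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(ks.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one PHI record and writes only the ciphertext to the data store.
// The record id is bound as additional authenticated data, so a ciphertext
// copied into another patient's slot will not decrypt.
func Seal(ks *KeyStore, ds *DataStore, id string, plaintext []byte) error {
	g, err := ks.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize()) // 96-bit nonce, unique per record
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := g.Seal(nil, nonce, plaintext, []byte(id))
	ds.Records[id] = append(nonce, ct...)
	return nil
}

// Open decrypts a record; it returns an error when the key is wrong or the
// stored bytes were altered or relabelled, so no unreadable data leaks out.
func Open(ks *KeyStore, ds *DataStore, id string) ([]byte, error) {
	g, err := ks.aead()
	if err != nil {
		return nil, err
	}
	blob, ok := ds.Records[id]
	if !ok {
		return nil, errors.New("no such record")
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("malformed record")
	}
	nonce, ct := blob[:g.NonceSize()], blob[g.NonceSize():]
	return g.Open(nil, nonce, ct, []byte(id))
}

func main() {
	ks, _ := NewKeyStore()
	ds := &DataStore{Records: map[string][]byte{}}
	// constructed sample record, not real PHI
	_ = Seal(ks, ds, "mrn-000123", []byte("Jane Doe, DOB 1980-01-01, dx: constructed"))
	pt, err := Open(ks, ds, "mrn-000123")
	fmt.Printf("authorized open: %q err=%v\n", pt, err)
	stolen, _ := NewKeyStore() // attacker with the data store but not the key
	_, err = Open(stolen, ds, "mrn-000123")
	fmt.Println("open without the real key fails:", err != nil)
}
```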

Destruction of PHI

The media on which the PHI is stored or recorded may be destroyed in one of the following ways:

  • Paper, film, or other hard copy media may be shredded or destroyed in such a way that the PHI cannot be read or otherwise reconstructed. Redaction is specifically excluded as a means of data destruction because the process can be reversed.
  • Electronic media may be cleared, purged, or destroyed consistent with NIST Special Publication 800-88 such that the PHI cannot be retrieved.  This ensures complete obliteration of the data.

Breach Notification Requirements

In the case of a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.  The notification process is important for staying in compliance with the HIPAA Privacy Rule.  There are several key requirements to remember, depending on the number of records involved in the breach.

Notification of Individuals

Covered entities must notify all affected individuals as soon as a breach of unsecured protected health information is discovered or recognized. Covered entities must provide individuals notice in written form by first-class mail or by e-mail if the affected individual has agreed to receive such notices in a prior interaction. 

Public Notice

If the covered entity is unable to reach 10 or more individuals because of insufficient or out-of-date contact information, it must provide substitute individual notice either by posting the notice on the home page of its web site for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside. The covered entity must include a toll-free phone number, active for at least 90 days, where individuals can learn whether their information was involved in the breach.

If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, it may provide substitute notice by an alternative form of written notice, by telephone, or by other means.

Notification Process

These individual notifications must be provided as soon as feasible and no later than 60 days following the disclosure of a breach.  The notification must include a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity (or business associate, as applicable).

In the case of a breach involving a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate.  Covered entities and business associates should consider which entity is in the best position to provide notice to the individual.  This may depend on various circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual.  

Media Notice

Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.  Covered entities will likely provide this notification in the form of a press release to appropriate media outlets serving the affected area.  Like individual notice, this media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include the same information required for the individual notice.

Notice to the Secretary

In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of breaches of unsecured protected health information. Covered entities will notify the Secretary by visiting the HHS web site and filling out and electronically submitting a breach report form.

500 or more individuals

If a breach affects 500 or more individuals, covered entities must notify the Secretary as soon as possible and in no case later than 60 days following a breach.

Fewer than 500 individuals

If a breach affects fewer than 500 individuals, the covered entity may notify the Secretary of such breaches on an annual basis.

Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches are discovered.

Please contact us for more information about breaches or about HIPAA.

Notification by a Business Associate

If a breach of unsecured protected health information occurs due to a business associate, the business associate must notify the covered entity following the discovery of the breach.  A business associate must provide notice to the covered entity without delay and no later than 60 days from the discovery of the breach. 

As completely as possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any other available information required to be provided by the covered entity in its notification to affected individuals. 

Administrative Requirements and Burden of Proof

Covered entities and business associates must be able to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. In the case of an impermissible use or disclosure, a covered entity (or business associate) should maintain documentation that all required notifications were made.   

Where notification was not required, the entity must document the basis for that conclusion, which is either: (1) its risk assessment demonstrating a low probability that the protected health information was compromised by the impermissible use or disclosure; or (2) the application of one of the other exceptions to the definition of “breach.”

Covered entities are also required to comply with certain administrative requirements with respect to breach notification.  For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.


Direction from HHS on Penalties

New HIPAA penalty limits were announced by the Department of Health and Human Services in a notice published on April 30th.  HHS is exercising its discretion in how it applies its regulations on the assessment of Civil Monetary Penalties (CMPs) under HIPAA. Until now, HHS applied the same cumulative annual limit to all four categories of violations.

Pending further rulemaking, HHS will now apply different cumulative annual CMP limits in place of the maximum of $1.5 million for each level of violation. This is a reduction in the maximum limit, scaled down according to the level of culpability. HHS will use the new penalty structure until further notice.  It is important to understand the new HIPAA penalties from HHS.

The Four Categories

HHS has provided covered entities and business associates with a new penalty structure based on four categories of culpability.  In most cases the amount of the penalty will be significantly less than what we have experienced in the past.

  • No knowledge: the minimum penalty is now $100 and the annual limit is $25,000, down from $1.5 million.
  • Reasonable cause: the minimum is $1,000 and the annual limit is $100,000, down from $1.5 million.
  • Willful neglect, corrected: the minimum is $10,000 and the annual limit is $250,000.
  • Willful neglect, not corrected (the highest category): the minimum is $50,000 and the annual limit is $1,500,000.

This new guidance changes significantly the penalty structure for HIPAA violations and must be considered and understood by covered entities and business associates who deal with protected health information.

Social Media & PHI

Social media offers many benefits for health care organizations because it allows interaction with patients and others, and it supports education and services.  As a result it is an essential communication and marketing tool and part of strategic marketing plans, and organizations also turn to social media to communicate with their employees. Unfortunately, HIPAA and social media can be problematic.

Authorization to use PHI

It is possible to violate the HIPAA Rules and patient privacy while using social media if it is not managed correctly.  For this reason health care organizations must disclose protected health information carefully.   An organization may do so only with patient authorization for interviews, photographs and marketing communications.

Media Posts May Risk Privacy

Employee posts that contain PHI violate the HIPAA Rules and result in a reportable breach of PHI. Social media posts are not a permissible use or disclosure of PHI.  The ability to post simultaneously on several platforms increases the risk for an organization. Remember that to de-identify PHI, all 18 identifiers must be removed, and there must also be a low risk that the remaining information could be used to identify the patient. Facial images and other identifying features such as tattoos must also be removed.

Preventing HIPAA Privacy Risk

Employees should be trained on the dangers of using social media inappropriately from the very onset of their employment.  Many organizations deal with the issue by developing a social media use policy and by monitoring social media activity.  If not addressed, HIPAA and social media can be problematic.

Permitted Uses and Disclosures of PHI


Sharing Protected Health Information

The Privacy, Security and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 were intended to allow information sharing while ensuring that sensitive health data is maintained securely and shared only for appropriate purposes or with the authorization of the individual.


  1. Permitted Uses and Disclosures
  2. Authorizations
  3. Psychotherapy Uses and Disclosures
  4. Opportunities to Agree or Object
  5. Public Interest and Benefit Activities

1. Permitted Uses and Disclosures

There are permitted uses and disclosures of PHI for different purposes within the healthcare sector.  All employees of an organization that acts as a covered entity or business associate must be aware of these guidelines.  It is always permitted to use and disclose PHI for treatment, payment and health care operations.  If the reason for disclosing the PHI is not one of these purposes, an authorization must be obtained. By following these guidelines an organization can stay in compliance with HIPAA’s rules while still sharing protected health information.

“Disclosure” refers to the transfer, release, provision of access to, or divulging in any other manner of information outside the entity holding the information.  These definitions apply to the sharing of electronic, paper or oral communications.  Disclosure does not include providing PHI to the individual himself or herself.

“Use” is the sharing, employment, application, utilization, examination or analysis of identifiable health information within the entity that maintains such information.

The major difference between “disclosure” and “use” is that use of PHI is internal to the covered entity, while disclosure concerns external communication of PHI.

Sharing with Health Care Providers

Keep in mind that HIPAA was written not only to protect PHI but also to assist treatment providers in caring for the patient without requiring patient authorization to share their PHI.  For example, it is permissible to share protected health information with health care providers who will treat the patient in their office or after hospital discharge. The sharing may be electronic, and it must be done in a manner that complies with the Security Rule.


Sharing for Care Coordination

We now see the need to share data with other health care providers for purposes of care coordination.  This has expanded the “permitted uses and disclosures of PHI.”  This activity did not exist when HIPAA was written; it is now required by CMS and is part of a treatment plan.  A health care provider may disclose PHI to another provider for these treatment purposes without patient authorization.  This information must be shared with all employees of the organization.

Sharing PHI for Treatment

Keep in mind that the purpose of HIPAA is to protect PHI while also assisting treatment providers in caring for the patient without requiring patient authorization to share their PHI.  For example, it is permissible to share PHI with health care providers who will treat the patient in their office or after hospital discharge. PHI can therefore be shared electronically for treatment, in a manner that complies with the Security Rule.  PHI may also be disclosed for payment purposes, as with a billing company, and for health care operations activities. One must also understand that these rules may vary from state to state, as in the State of Ohio.

2. Authorizations

Health care providers, health care clearinghouses and health plans are obligated to obtain authorizations prior to using or disclosing PHI for purposes other than treatment, payment or health care operations.  Psychotherapy notes cannot be disclosed to any other entity, for any purpose, without specific authorization according to the Privacy Rule.

Disclosure to an attorney’s office, and to a life or disability insurance company is an example of when an authorization is needed.

An authorization must be obtained to disclose medical records in certain circumstances, but not in others.  First, one is not required when a patient consents to participate in a research project. Second, it is not required when the patient requests a transfer of medical records to another medical provider’s office.

A covered entity can use one authorization form for all purposes.  Of course, if the authorization is for multiple purposes, it must give a description of each purpose of the use or disclosure.

The authorization must be for a limited period of time.  The documentation must be retained for six years from the date of its creation or the date it was last in effect.

Writing Authorizations

Authorizations must be written simply, using plain language, and must focus on the needs of the reader.  Each must contain the following items:

  • A description of the information to be used or disclosed.
  • The name of the person who will be authorized to make the requested use or disclosure.
  • The person to whom the covered entity may make the requested use or disclosure.
  • An expiration date that relates to the individual or to the purpose of the use or disclosure.
  • A description of each purpose of the use or disclosure.
  • The signature of the individual and the date.

In addition to the above elements, the authorization must also contain the following statements:

  • The individual has the right to revoke the authorization in writing and the exceptions to the right to revoke.  There may also be a description of how the individual may revoke the authorization.
  • A statement that treatment, payment, enrollment or eligibility for benefits is not affected by the refusal to sign the authorization.
  • The potential for the information to be redisclosed by the recipient.
  • If the authorization is signed by the personal representative of the individual, a description of such representative’s authority to act for the individual. 

Combined Authorizations

Authorizations for the use or disclosure of PHI created for any research project that includes treatment may be combined only with a notice of privacy practices.

Permissions authorizing the use or disclosure of psychotherapy notes may be combined only with other authorizations for such use or disclosure.

Authorizations may not be combined if treatment, payment, enrollment in a health plan or eligibility for benefits is conditioned upon a patient’s grant of one of the authorizations.

Revoking Authorization

An authorization may be revoked at any time, upon written notice, except to the extent that the authorization already has been relied upon. If an authorization is used to participate in a health plan it may not be revoked if other state or federal law provides the health plan with the right to contest a claim under the policy.

Authorization Created for Research with Treatment

Authorization is required to use or disclose PHI created, in whole or in part, as part of any research that includes treatment.  These research authorizations must also contain the following:

  • A description of the extent to which the PHI created will be used to carry out treatment, payment and health care operations.
  • A description of the PHI that will not be used for those purposes in situations where individuals are required to have an opportunity to agree or object to the use of their PHI.
  • A description of the PHI that will not be used in situations where neither authorization nor an opportunity to agree or object to the use of PHI is required by the privacy standard.

State Law Requirements

A HIPAA compliant authorization permitting use of protected health information must contain certain elements, but do not forget to look at state law requirements as well.  Many states have laws that are more protective of PHI than the federal HIPAA Rules, and organizations in those states will need to add the required elements to the authorization.  The covered entity and/or business associate must determine which requirement is the most restrictive.

Deficient Authorizations

An authorization is not valid if it has one of the following defects:

  • The expiration date has passed.
  • The authorization does not contain all required elements.
  • The authorization is attached to or combined with other documents in a manner that is not valid under the privacy standard.
  • The authorization contains false information.

3. Psychotherapy Uses and Disclosures

“Psychotherapy notes” are described by the rule as notes recorded, in any medium, by a mental health professional who is documenting or analyzing the conversation during a counseling session.  Psychotherapy notes generally do not include medication prescriptions and monitoring; the form and frequency of treatment; clinical test results; or summaries of diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date.

Psychotherapy Notes

The disclosure of psychotherapy notes by a covered entity requires patient authorization, including when using or disclosing for another covered entity’s treatment, payment or health care operation purposes.  The entity may use and disclose psychotherapy notes without an authorization to carry out its own treatment, payment and health care operation purposes as long as the originator of the notes uses it for treatment, the entity is using or disclosing the notes for its own training purposes for its mental health professionals, students and trainees or the entity is using or disclosing the notes to defend itself in a legal action or other proceeding brought by the individual.

If the notes are used as PHI for research that includes treatment of individuals, the entity must obtain an authorization for the use or disclosure of that information.

There are situations in which limited uses or disclosures of these notes are allowed without authorization.  These are the following:

  • If required by DHHS to enforce regulations
  • If certain uses or disclosures are required by law
  • For oversight of the health care provider who created the note
  • For coroners or medical examiners to conduct their duties
  • To avert a serious and imminent threat to health or safety

An individual does not have a right to access psychotherapy notes as part of their PHI.  DHHS does encourage providers to allow patients to access these notes when appropriate.

Sharing Mental Health Information

In certain circumstances HIPAA allows mental health providers to share mental health information based on professional judgment.   This can be when it is in the best interests of the patient, or to prevent or lessen a risk of harm.

There are several ways the provider may address the situation. If the patient lacks ability to make decisions or is unconscious, the provider can share information with the patient’s personal representative (if applicable).  

They can also share with family or friends involved in the patient’s care if it is determined to be in the patient’s best interest.

A provider may contact anyone reasonably able to lessen the risk of harm.   This is important when they believe that a patient presents a serious and imminent threat to the health or safety to themselves or another person.

If there is a risk of harm to themselves or others, or if exhibiting behavior that may threaten their health or safety, providers need to be able to use professional judgment.   As a result, they can identify the potential or likely risk and determine who can help lessen it.

The Office for Civil Rights (OCR) states that it will not second guess a mental health provider’s judgment when a patient is a threat to himself or others. HIPAA allows mental health providers to share information in the appropriate circumstances.

For more detail see the OCR guidance on this vital topic.  Remember to check state law for any restrictions on sharing.  It is the responsibility of all providers of mental health treatment to know the rules before managing this information.

By following these simple guidelines organizations will be able to stay in compliance with HIPAA as they manage their PHI.  One must also realize that there are other ways that one may safely share PHI without having to obtain permission.  An example would be if there is an order from a court or for law enforcement purposes.

4. Disclosures Requiring Opportunity to Agree or Object

HIPAA allows the use and disclosure of PHI when an individual receives oral or written advance notice of the use and disclosure and is given the opportunity to object orally or agree.  (In other words they are given an opt-out opportunity.)

The Privacy Rule realizes there are times an individual and covered entity make informal, oral agreements to disclose PHI.  This can happen at a hospital when a relative calls a hospital to check on a patient’s health status.  The hospital may disclose some information regarding the presence of the patient if there are no prior agreements preventing this.  The provider must always give the patient the opportunity to opt out of such disclosures.

In most situations a covered entity may use the patient’s name, location in the facility, general condition and religious affiliation in order to maintain a directory for its facility.

A covered entity may disclose to a relative, close friend or any other person identified by the individual any PHI that is directly related to that person’s involvement with the patient’s care or with payment for that care.  These disclosures do not include detailed information about the patient’s health history.

If a patient is present or available when PHI is to be disclosed to a relative, friend or other third party, the covered entity must give the patient the opportunity to refuse the disclosure.  If the individual is not present, or cannot object or agree because of the circumstances, the covered entity may use professional judgment and infer that the patient does not object.  An entity may also allow a third party to act on the patient’s behalf, for example by picking up prescriptions or other forms of PHI.

A covered entity is not required to verify the identity of relatives or other third parties involved in the individual’s treatment.  If the individual has not objected to the involvement of third parties the covered entity can infer the individual would not object to the involvement of a third party and further verification is not necessary.  All permissions must be evaluated on a case by case basis.

All disclosures must be related to the patient’s current condition and must not include specifics of the medical history.  Disclosures should be narrowed to the closest relationships of the patient and to only the information relevant to the condition.

HIPAA and Same-sex Marriage


The HIPAA Privacy Rule recognizes the important role that family members, such as spouses, often play in a patient’s health care.  How HIPAA applies to same-sex marriage has therefore become an important topic to understand.  The Rule requires covered entities to treat an individual’s personal representative, who may be a spouse, as the individual responsible under the Privacy Rule, including the right to access the individual’s health information.  In addition, the Privacy Rule provides protections against the use of genetic information about an individual, which also includes certain information about family members of the individual, for underwriting purposes.

A Major Court Decision

On June 26, 2013, the Supreme Court held section 3 of the Defense of Marriage Act (DOMA) to be unconstitutional in United States v. Windsor.  Section 3 of DOMA had provided that federal law would recognize only opposite-sex marriages.  As a result of this decision, the federal government recognizes the rights of individuals in same-sex marriages.  The decision did not resolve the status of such rights under state law.  Two years later, on June 26, 2015, in Obergefell v. Hodges, the Court held that the Fourteenth Amendment requires a state to license a marriage between two people of the same sex and to recognize same-sex marriages lawfully performed in other States.

Effects of the Decisions

In light of the Windsor and Obergefell decisions, this guidance makes clear that the terms marriage, spouse, and family member include, respectively, all lawful marriages, lawfully married spouses, and both the lawful spouses and the dependents of all lawful marriages, and clarifies certain rights of individuals under the Privacy Rule. This guidance also updates and expands on related guidance issued in September 2014.

Marriage, Spouse & Family Member

The definition of family member in the Privacy Rule at 45 CFR 160.103 includes the terms spouse and marriage.  The term marriage includes all lawful marriages. A lawful marriage is any marriage sanctioned by a state, territory, or a foreign jurisdiction if a U.S. jurisdiction would also recognize the marriage performed in the foreign jurisdiction. The term spouse includes all individuals who are in lawful marriages without regard to the sex of the individuals. The term family member includes lawful spouses and dependents of all lawful marriages.  In addition, the terms marriage, spouse, and family member apply to all individuals who are legally married, regardless of where they live or receive health care services.

The term family member is relevant to the application of §164.510(b) regarding permitted uses and disclosures of PHI related to another person’s involvement in an individual’s care, and for making notifications about the individual’s location, general condition, or death.  In addition, under certain circumstances, HIPAA permits covered entities to share an individual’s protected health information with a family member of the individual.  Legally married spouses are family members for the purposes of applying this provision.

Disaster Relief

Covered entities may use or disclose PHI to disaster relief agencies to notify family members or other caregivers of the patient’s condition or location.

Providers and business associates may provide PHI during an emergency to another party so the second party may manage health information and share it to provide health care to people affected by emergency disasters.

The Privacy Rule allows covered entities to disclose necessary PHI without the individual’s authorization to a public health authority for the purpose of preventing or controlling disease, injury or disability.

The OCR has previously stated it will not seek penalties for violations of business associate provisions under emergency situations.

The Office for Civil Rights (OCR) issued a bulletin on November 10, 2014 on “HIPAA Privacy in Emergency Situations.”  The purpose of the bulletin was to ensure that covered entities and their business associates know how protected health information may be shared during an emergency, and that the privacy protections continue to apply during emergencies.  The OCR issued the bulletin in part due to the Ebola outbreak at the time.  Read the OCR bulletin here.

The outbreak led many healthcare organizations to voice their concern regarding how best to keep their staff members safe.  In addition, there was much discussion about how to remain HIPAA compliant and not inappropriately disclose patients’ protected health information (PHI).  Since then, other public catastrophes such as hurricanes and extensive flooding have also created significant concern.  Organizations want to know how to serve their communities’ healthcare needs and stay in compliance with the HIPAA rule.

The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has previously outlined how healthcare organizations can still follow HIPAA.  OCR gave guidelines on treating patients in the midst of a public crisis while ensuring that appropriate uses and disclosures of health information are made.  This allows organizations to treat patients, protect the nation’s public health and perform other critical functions.

The OCR stated, “The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission.”


5. Public Interest and Benefit Activities

The Privacy Rule allows the use and disclosure of PHI without authorization, and without providing an opportunity to agree or object, for 12 national priority purposes.  Because of the important uses made of health information in these cases, these disclosures are permitted, though not required, by the Rule.

Required by Law

Covered entities may use and disclose protected health information without individual authorization as required by law (this includes statute, regulation or court orders).

Public Health Activities

There are several circumstances requiring release of PHI without the need of authorization or opt-out opportunities.

  • Public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability and to public health or other government authorities authorized to receive reports of child abuse and neglect; 
  • Entities subject to FDA regulation regarding FDA regulated products or activities for purposes such as adverse event reporting, tracking of products, product recalls, and post-marketing surveillance;
  • Individuals who may have contracted or been exposed to a communicable disease when notification is authorized by law; and 
  • Employers, regarding employees, when requested by employers, for information concerning a work-related illness or injury or workplace related medical surveillance, because such information is needed by the employer to comply with the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or similar state law.

Abuse, Neglect or Domestic Violence

PHI concerning victims of abuse, neglect or domestic violence may be disclosed to a government authority, including social service or protective service agencies authorized to receive such reports.  In these cases the disclosure must be required by law and limited to what the law allows.

OCR allows disclosure of information if there is imminent danger to the patient.  In addition, information may be shared if doing so will lessen a serious or imminent threat to the health and safety of the patient.

The covered entity does not have to inform the personal representative of the disclosure where that representative is the person responsible for the abuse, neglect or injury.

Health Oversight Activities

Covered entities may disclose PHI to a health oversight agency for such activities as audits; civil, administrative or criminal investigations or proceedings; inspections; licensure or disciplinary actions; or other activities necessary to the oversight of the following:

  • Audits
  • Investigations necessary for oversight of the health care system
  • Government benefit programs

Judicial and Administrative Proceedings

According to the HIPAA regulations, covered entities may disclose PHI in the course of certain judicial or administrative proceedings such as a response to a court or administrative tribunal order provided the covered entity discloses only the PHI authorized by the order.

PHI can be disclosed in response to a subpoena, discovery or other lawful process that is not accompanied by a court order if the party seeking the PHI has made reasonable efforts to notify the individual of the request, if the time for the individual to object has elapsed and if reasonable efforts have been made to secure a protective order.


Law Enforcement

The Privacy Rule allows a covered entity to disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances, subject to specified conditions:

  • As required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests;
  • To identify or locate a suspect, fugitive, material witness, or missing person; 
  • To alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; 
  • When a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and 
  • By a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.

A covered entity may disclose PHI in response to a law enforcement official’s request to identify or locate a fugitive, material witness, suspect or missing person.

This must be limited to the following information:

  • Name and address
  • Date and place of birth
  • Social security number
  • Type of injury
  • ABO blood type and Rh factor
  • Date and time of treatment
  • Description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color

Disclosures to Law Enforcement

Sometimes it is hard to determine under what circumstances PHI disclosure to law enforcement is permissible.  HIPAA permits disclosures to law enforcement only in certain situations.  It is reasonable to disclose if a signed authorization from the patient or their legal representative exists.


When to Respond

PHI may be disclosed as required by law, including laws that require the reporting of certain types of wounds or other physical injuries, except for laws that require special reporting to special agencies.

Disclosure may also be necessary to respond to subpoenas, court orders, court-ordered warrants, summonses issued by a judicial officer, grand jury subpoenas or administrative requests, provided that the information sought is relevant and material, the request is reasonably specific and limited in scope, and de-identified information could not reasonably be used.

In addition, disclosure may be necessary to investigate a crime, to locate a missing person and to prevent serious threats to public health and safety.  State law requires the reporting of child and adult abuse and neglect, and of certain injuries and diseases.

State Law

Besides considering the federal HIPAA law, review state law because it may be more protective than HIPAA. If that is the case the entity must follow state law. It is important for your organization to know what the permissible disclosures to law enforcement are.

Decedents

Covered entities may disclose protected health information to funeral directors as needed, and to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other functions authorized by law.

Cadaveric Organ, Eye, or Tissue Donation

Covered entities may use or disclose protected health information to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue.

Research

The Privacy Rule permits a covered entity to use and disclose protected health information for research purposes, without an individual’s authorization, provided the covered entity obtains either: 

  • Documentation that an alteration or waiver of individuals’ authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board; 
  • Representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research; or 
  • Representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is sought.

Serious Threat to Health or Safety

Covered entities may disclose protected health information that they believe is necessary to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat). Covered entities may also disclose to law enforcement if the information is needed to identify or apprehend an escapee or violent criminal.

In any emergency covered entities must continue to use reasonable safeguards to protect PHI against intentional or unintentional impermissible uses and disclosures. In summary it is important for any covered entity to review and follow HIPAA Privacy in emergency situations.  This will allow them to continue to protect PHI even in a catastrophic situation.

Essential Government Functions

An authorization is not required to use or disclose protected health information for certain essential government functions. Such functions include: assuring proper execution of a military mission, conducting intelligence and national security activities that are authorized by law, providing protective services to the President, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional institution, and determining eligibility for or conducting enrollment in certain government benefit programs.

Workers’ Compensation

Covered entities may disclose protected health information as authorized by, and to comply with, workers’ compensation laws and other similar programs providing benefits for work-related injuries or illnesses.

HIPAA Associates – Ready to Help

We can help you get a clear picture of the HIPAA requirements. Call us to get started.


PHI Can Be Disclosed For Treatment


PHI can be disclosed for treatment.  A covered entity may use and disclose PHI for a number of different purposes and stay in compliance with HIPAA permitted uses and disclosures.  For instance, covered entities are permitted to use and disclose PHI for treatment, payment and health care operations.

Sharing PHI for Treatment

Keep in mind that the purpose of HIPAA is to protect PHI.  At the same time, it assists treatment providers in caring for the patient without requiring patient authorization to share their PHI.  For example, it is permissible to share PHI with health care providers who will treat the patient in their office or after hospital discharge.  PHI may be shared for treatment electronically, but this must be done in a manner that is compliant with the Security Rule.  The disclosure of PHI may also be made for payment purposes, as with a billing company.  Finally, PHI may be shared for health care operations activities.  One must also understand that these rules may vary from state to state, as in the State of Ohio.

New Disclosures of PHI

We now see the need to share data with health care providers for purposes of care coordination.  When HIPAA was first written this activity didn’t exist.  Today, however, CMS requires this disclosure as part of a treatment plan.  As a result, a health care provider may disclose PHI to another provider for this treatment purpose without patient authorization.

HIPAA has been around for some time but continues to change.  It is important for providers to continuously monitor the HIPAA rule and offer HIPAA training to their organizations.

Contact us for more information on this important topic.
