HIPAA

Where can we find the risk assessment, so we can conduct an assessment for HIPAA compliance in organization?

To access our HIPAA section just login to HelpDeskSuites.com and then click LAUNCH>HelpDesk for Human Resources>HIPAA Compliance Help.

Under the various sections, you will find risk assessment guides and samples.

Please let me know if I can assist you in any way. We are here to HELP!

If a business drops below 50 FTEs, does it still have to provide healthcare coverage?

Probably. The IRS FAQs say:

Employers Subject to the Employer Shared Responsibility Provisions
I understand that the employer shared responsibility provisions apply only to employers that are ALEs, meaning that they employ at least a certain number of employees. How many employees must an employer have to be an ALE and, therefore, be subject to the employer shared responsibility provisions?

Whether an employer is an ALE in a particular calendar year generally depends on the size of the employer’s workforce in the preceding calendar year. For example, an employer will use information about the size of its workforce during 2016 to determine if it is an ALE for 2017.

To be an ALE for a calendar year, an employer must have employed an average of at least 50 full-time employees (including full-time equivalent employees) during the preceding calendar year. To determine its workforce size for a calendar year, an employer adds its total number of full-time employees for each month of the prior calendar year to the total number of full-time equivalent employees for each month of the prior calendar year and divides by 12.

In general, for this purpose, an employer determines its number of full-time employees for a month by counting individuals employed on average for at least 30 hours of service per week during the month or at least 130 hours of service during the month. An employer determines its number of full-time equivalent employees for a month by combining the number of hours of service of all non-full-time employees for the month (but not including more than 120 hours of service per employee), and dividing the total by 120. For example, an employer that employs 40 full-time employees and 20 employees each with 60 hours of service in a month has the equivalent of 50 full-time employees in the month (40 full-time employees plus 10 full-time equivalent employees (20 X 60 = 1200, and 1200/120 =10)).

For section 4980H purposes, the number of an employer’s full-time equivalent employees is relevant only to determine if the employer is an ALE; full-time equivalent employees are not taken into account in determining the amount of employer shared responsibility payment, if any, that an ALE may owe.

https://www.irs.gov/affordable-care-act/employers/questions-and-answers-on-employer-shared-responsibility-provisions-under-the-affordable-care-act

June 2018

What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?

Answer:

The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.

By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.

An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.

October 2018

When is an authorization required from the patient before a provider or health plan engages in marketing to that individual?

The HIPAA Privacy Rule expressly requires an authorization for uses or disclosures of protected health information for ALL marketing communications, except in two circumstances:

When the communication occurs in a face-to-face encounter between the covered entity and the individual; or
The communication involves a promotional gift of nominal value.

If the marketing communication involves direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is involved.

October 2018

Tags: HIPPA, Authorizations

Will the HIPAA Privacy Rule hinder medical research by making doctors and others less willing and/or able to share with researchers information about individual patients?

We do not believe that the Privacy Rule will hinder medical research. Indeed, patients and health plan members should be more willing to authorize disclosures of their information for research and to participate in research when they know their information is protected. For example, in genetic studies conducted at the National Institutes of Health, nearly 32 percent of eligible people offered a test for breast cancer risk declined to take it. The overwhelming majority of those who refuse cite concerns about health insurance discrimination and loss of privacy as the reason. The Privacy Rule both permits important research and, at the same time, encourages patients to participate in research by providing much needed assurances about the privacy of their health information.

The Privacy Rule will require some covered health care providers and health plans to change their current practices related to documenting research uses and disclosures. It is possible that some covered health care providers and health plans may conclude that the Rule’s requirements for research uses and disclosures are too burdensome and will choose to limit researchers’ access to protected health information. We believe few providers will take this route, however, because the Common Rule includes similar, and more rigorous requirements, that have not impaired the willingness of researchers to undertake Federally-funded research. For example, unlike the Privacy Rule, the Common Rule requires an Institutional Review Board (IRB) review for all research proposals under its purview, even if informed consent is to be sought. The Privacy Rule requires documentation of IRB or Privacy Board approval only if patient authorization for the use or disclosure of protected health information for research purposes is to be altered or waived.

See our research section and fact review our frequently asked questions for more information about the Common Rule and Institutional Review and Privacy Boards.

October 2018

Tags: HIPPA, Authorizations

Are some of the criteria so subjective that inconsistent determinations may be made by Institutional Review Boards (IRB) and Privacy Boards reviewing similar or identical research projects?

Under the HIPAA Privacy Rule, Institutional Review Boards (IRBs) and Privacy Boards need to use their judgment as to whether the waiver criteria have been satisfied. Several of the waiver criteria are closely modeled on the Common Rule’s criteria for the waiver of informed consent and for the approval of a research study. Thus, it is anticipated that IRBs already have experience in making the necessarily subjective assessments of risks.

While IRBs or Privacy Boards may reach different determinations, the assessment of the waiver criteria through this deliberative process is a crucial element in the current system of safeguarding research participants’ privacy. The entire system of local IRBs is, in fact, predicated on a deliberative process that permits local IRB autonomy. The Privacy Rule builds upon this principle; it does not change it. Nonetheless, the Department will consider issuing guidance as necessary and appropriate to address concerns that may arise during implementation of these provisions.

See our research section and fact review our frequently asked questions for more information about the Common Rule and Institutional Review and Privacy Boards.

October 2018

Tags: HIPPA, Authorizations

Does the HIPAA Privacy Rule prohibit researchers from conditioning participation in a clinical trial on an authorization to use/disclose existing protected health information?

No. The Privacy Rule does not address conditions for enrollment in a research study. Therefore, the Privacy Rule in no way prohibits researchers from conditioning enrollment in a research study on the execution of an authorization for the use of pre-existing health information.

October 2018

Tags: HIPPA, Authorizations

Does the HIPAA Privacy Rule permit the creation of a database for research purposes through an Institutional Review Board (IRB) or Privacy Board waiver of individual authorization?

Yes. A covered entity may use or disclose protected health information without individuals’ authorizations for the creation of a research database, provided the covered entity obtains documentation that an IRB or Privacy Board has determined that the specified waiver criteria were satisfied. Protected health information maintained by a covered entity in such a research database could be used or disclosed for future research studies as permitted by the Privacy Rule – that is, for future studies in which individual authorization has been obtained or where the Rule would permit research without an authorization, such as pursuant to an IRB or Privacy Board waiver.

October 2018

Tags: HIPPA, Authorizations

How does the Rule help Institutional Review Boards (IRB) handle the additional responsibilities imposed by the HIPAA Privacy Rule?

Recognizing that some institutions may not have Institutional Review Boards (IRBs), or that some IRBs may not have the expertise needed to review research that requires consideration of risks to privacy, the Privacy Rule permits the covered entity to accept documentation of waiver of authorization from an alternative body called a Privacy Board–which could have fewer members, and members with different expertise than IRBs. See the fact sheet and frequently asked questions about the research provisions on this web site for more information about Institutional Review and Privacy Boards.

In addition, the Rule allows an IRB to use expedited review procedures as permitted by the Common Rule to review and approve requests for waiver of authorizations. Similarly, the Rule permits Privacy Boards to use an expedited review process when the research involves no more than a minimal privacy risk to the individuals. An expedited review process permits covered entities to accept documentation of waiver of authorization when only one or more members of the IRB or Privacy Board have conducted the review.

October 2018

Tags: HIPPA, Authorizations

By establishing new waiver criteria and authorization requirements, hasn’t the HIPAA Privacy Rule, in effect, modified the Common Rule?

No. Where both the Privacy Rule and the Common Rule apply, both regulations must be followed. The Privacy Rule regulates only the content and conditions of the documentation that covered entities must obtain before using or disclosing protected health information for research purposes.

October 2018

Tags: HIPPA, Authorizations

Is documentation of Institutional Review Boards (IRB) and Privacy Board approval required by the HIPAA Privacy Rule before a covered entity would be permitted to disclose protected health information for research purposes without an individual’s authorization?

No. The HIPAA Privacy Rule requires documentation of waiver approval by either an IRB or a Privacy Board, not both.

October 2018

The preparatory research provision permits covered entities to use or disclose protected health information for purposes preparatory to research, such as to aid study recruitment. However, the provision at 45 CFR 164.512(i)(1)(ii) does not permit the researcher to remove protected health information from the covered entity’s site. As such, a researcher who is an employee or a member of the covered entity’s workforce could use protected health information to contact prospective research subjects.

The preparatory research provision would allow such a researcher to identify prospective research participants for purposes of seeking their authorization to use or disclose protected health information for a research study. In addition, the Rule permits a covered entity to disclose protected health information to the individual who is the subject of the information. See 45 CFR 164.502(a)(1)(i).

Therefore, covered health care providers and patients may continue to discuss the option of enrolling in a clinical trial without patient authorization, and without an Institutional Review Board (IRB) or Privacy Board waiver of the authorization. See our research section and frequently asked questions about the research provisions for more information about Institutional Review and Privacy Boards.

Yes. Under the Privacy Rule, a covered entity may use or disclose protected health information pursuant to a copy of a valid and signed Authorization, including a copy that is received by facsimile or electronically transmitted.

October 2018

Tags: HIPPA, Authorizations

Must an authorization include an expiration date?

The Privacy Rule requires that an Authorization contain either an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. For example, an Authorization may expire “one year from the date the Authorization is signed,” “upon the minor’s age of majority,” or “upon termination of enrollment in the health plan.”

An Authorization remains valid until its expiration date or event, unless effectively revoked in writing by the individual before that date or event. The fact that the expiration date on an Authorization may exceed a time period established by State law does not invalidate the Authorization under the Privacy Rule, but a more restrictive State law would control how long the Authorization is effective.

October 2018

Tags: HIPPA, Authorizations

May a covered entity disclose protected health information specified in an authorization, even if that information was created after the authorization was signed?

Yes, provided that the Authorization encompasses the category of information that was later created, and that the Authorization has not expired or been revoked by the individual. Unless otherwise expressly limited by the Authorization, a covered entity may use or disclose the protected health information identified on the Authorization regardless of when the information was created.

October 2018

Tags: HIPPA, Authorizations

Does the Privacy Rule require that an authorization be notarized or include a witness signature?

The Privacy Rule does not require that a document be notarized or witnessed.

Tags: HIPPA, Authorizations

Can an authorization be used together with other written instructions from the intended recipient of the information?

A transmittal or cover letter can be used to narrow or provide specifics about a request for protected health information as described in an Authorization, but it cannot expand the scope of the Authorization.

For example, if an individual has authorized the disclosure of “all medical records” to an insurance company, the insurance company could by cover letter narrow the request to the medical records for the last 12 months. The cover letter could also specify a particular employee or address for the “class of persons” designated in the Authorization to receive the information. By contrast, an insurance company could not by cover letter extend the expiration date of an Authorization, or expand the scope of information set forth in the Authorization.

October 2018

Tags: HIPPA, Authorization

Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization?

Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization. This includes sharing the information to consult with other providers, including providers who are not covered entities, to treat a different patient, or to refer the patient. See 45 CFR 164.506.

October 2018

Tags: HIPPA, Authorization

What were the major modifications to the HIPAA Privacy Rule that the Department of Health and Human Services (HHS) adopted in August 2002?

Based on the information received through public comments, testimony at public hearings, meetings at the request of industry and other stakeholders, as well as other communications, HHS identified a number of areas in which the Privacy Rule, as issued in December 2000, would have had potential unintended effects on health care quality or access. As a result, HHS proposed modifications that would maintain strong protections for the privacy of individually identifiable health information, address the unintended negative effects of the Privacy Rule on health care quality or access to health care, and relieve unintended administrative burdens created by the Privacy Rule.

Final modifications to the Rule were adopted on August 14, 2002. Among other things, the modifications addressed the following aspects of the Privacy Rule:

Uses and disclosures for treatment, payment and health care operations, including eliminating the requirement for the individual’s consent for these activities;
The notice of privacy practices that covered entities must provide to patients;
Uses and disclosures for marketing purposes;
Minimum necessary uses and disclosures;
Parents as the personal representatives of unemancipated minors;
Uses and disclosures for research purposes; and
Transition provisions, including business associate contracts.

In addition to these key areas, the modifications included changes to certain other provisions where necessary to clarify the Privacy Rule, and a list of technical corrections intended as editorial or typographical corrections to the Privacy Rule.

For more information about the final modifications to the Privacy Rule, see Modifications to the Standards for Privacy of Individually Identifiable Health Information – Final Rule.

October 2018

Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?

No. However, a covered entity must ensure through its contract with the business associate that the business associate’s uses and disclosures of protected health information and other actions are consistent with the covered entity’s privacy policies, as stated in covered entity’s notice. Also, a covered entity may use a business associate to distribute its notice to individuals.

October 2018

May a HIPAA covered entity or business associate use a cloud service to store or process ePHI?

Yes, provided the covered entity or business associate enters into a HIPAA-compliant business associate contract or agreement (BAA) with the CSP that will be creating, receiving, maintaining, or transmitting electronic protected health information (ePHI) on its behalf, and otherwise complies with the HIPAA Rules. Among other things, the BAA establishes the permitted and required uses and disclosures of ePHI by the business associate performing activities or services for the covered entity or business associate, based on the relationship between the parties and the activities or services being performed by the business associate. The BAA also contractually requires the business associate to appropriately safeguard the ePHI, including implementing the requirements of the Security Rule. OCR has created guidance on the elements of BAAs.^[i]

A covered entity (or business associate) that engages a CSP should understand the cloud computing environment or solution offered by a particular CSP so that the covered entity (or business associate) can appropriately conduct its own risk analysis and establish risk management policies, as well as enter into appropriate BAAs. See 45 CFR §§ 164.308(a)(1)(ii)(A); 164.308(a)(1)(ii)(B); and 164.502. Both covered entities and business associates must conduct risk analyses to identify and assess potential threats and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit. For example, while a covered entity or business associate may use cloud-based services of any configuration (public, hybrid, private, etc.),^[ii] provided it enters into a BAA with the CSP, the type of cloud configuration to be used may affect the risk analysis and risk management plans of all parties and the resultant provisions of the BAA.

In addition, a Service Level Agreement (SLA)^[iii] is commonly used to address more specific business expectations between the CSP and its customer, which also may be relevant to HIPAA compliance. For example, SLAs can include provisions that address such HIPAA concerns as:

System availability and reliability;
Back-up and data recovery (e.g., as necessary to be able to respond to a ransomware attack or other emergency situation);
Manner in which data will be returned to the customer after service use termination;
Security responsibility; and
Use, retention and disclosure limitations.^[iv]

If a covered entity or business associate enters into a SLA with a CSP, it should ensure that the terms of the SLA are consistent with the BAA and the HIPAA Rules. For example, the covered entity or business associate should ensure that the terms of the SLA and BAA with the CSP do not prevent the entity from accessing its ePHI in violation of 45 CFR §§ 164.308(b)(3), 164.502(e)(2), and 164.504(e)(1).^[v]

In addition to its contractual obligations, the CSP, as a business associate, has regulatory obligations and is directly liable under the HIPAA Rules if it makes uses and disclosures of PHI that are not authorized by its contract, required by law, or permitted by the Privacy Rule. A CSP, as a business associate, also is directly liable if it fails to safeguard ePHI in accordance with the Security Rule, or fails to notify the covered entity or business associate of the discovery of a breach of unsecured PHI in compliance with the Breach Notification Rule.

For more information about the Security Rule, see OCR and ONC tools for small entities ^[vi] and OCR guidance on SR compliance.^[vii]

[i] See http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.

[ii] As adapted from NIST Special Publication 800-144, vi:

A Public cloud is open for use by the general public and may be owned, managed, and operated by any organization. Examples are the message storage services offered by major email providers, photo-sharing sites, and certain EMR providers. Many large organizations use Private clouds that exclusively serve their business functions. A Community cloud serves exclusively a specific community of users from organizations that have shared concerns. A Hybrid cloud is a combination of any of the above, bound together by standardized or proprietary technology that enables data and application portability.

October 2018

If a CSP stores only encrypted ePHI and does not have a decryption key, is it a HIPAA business associate?

Yes, because the CSP receives and maintains (e.g., to process and/or store) electronic protected health information (ePHI) for a covered entity or another business associate. Lacking an encryption key for the encrypted data it receives and maintains does not exempt a CSP from business associate status and associated obligations under the HIPAA Rules. An entity that maintains ePHI on behalf of a covered entity (or another business associate) is a business associate, even if the entity cannot actually view the ePHI.^[1] Thus, a CSP that maintains encrypted ePHI on behalf a covered entity (or another business associate) is a business associate, even if it does not hold a decryption key^[i] and therefore cannot view the information. For convenience purposes this guidance uses the term no-viewservices to describe the situation in which the CSP maintains encrypted ePHI on behalf of a covered entity (or another business associate) without having access to the decryption key.

While encryption protects ePHI by significantly reducing the risk of the information being viewed by unauthorized persons, such protections alone cannot adequately safeguard the confidentiality, integrity, and availability of ePHI as required by the Security Rule. Encryption does not maintain the integrity and availability of the ePHI, such as ensuring that the information is not corrupted by malware, or ensuring through contingency planning that the data remains available to authorized persons even during emergency or disaster situations. Further, encryption does not address other safeguards that are also important to maintaining confidentiality, such as administrative safeguards to analyze risks to the ePHI or physical safeguards for systems and servers that may house the ePHI.

As a business associate, a CSP providing no-view services is not exempt from any otherwise applicable requirements of the HIPAA Rules. However, the requirements of the Rules are flexible and scalable to take into account the no-view nature of the services provided by the CSP.

Security Rule Considerations

All CSPs that are business associates must comply with the applicable standards and implementation specifications of the Security Rule with respect to ePHI. However, in cases where a CSP is providing only no-view services to a covered entity (or business associate) customer, certain Security Rule requirements that apply to the ePHI maintained by the CSP may be satisfied for both parties through the actions of one of the parties. In particular, where only the customer controls who is able to view the ePHI maintained by the CSP, certain access controls, such as authentication or unique user identification, may be the responsibility of the customer, while others, such as encryption, may be the responsibility of the CSP business associate. Which access controls are to be implemented by the customer and which are to be implemented by the CSP may depend on the respective security risk management plans of the parties as well as the terms of the BAA. For example, if a customer implements its own reasonable and appropriate user authentication controls and agrees that the CSP providing no-view services need not implement additional procedures to authenticate (verify the identity of) a person or entity seeking access to ePHI, these Security Rule access control responsibilities would be met for both parties by the action of the customer.

However, as a business associate, the CSP is still responsible under the Security Rule for implementing other reasonable and appropriate controls to limit access to information systems that maintain customer ePHI. For example, even when the parties have agreed that the customer is responsible for authenticating access to ePHI, the CSP may still be required to implement appropriate internal controls to assure only authorized access to the administrative tools that manage the resources (e.g., storage, memory, network interfaces, CPUs) critical to the operation of its information systems. For example, a CSP that is a business associate needs to consider and address, as part of its risk analysis and risk management process, the risks of a malicious actor having unauthorized access to its system’s administrative tools, which could impact system operations and impact the confidentiality, integrity and availability of the customer’s ePHI. CSPs should also consider the risks of using unpatched or obsolete administrative tools. The CSP and the customer should each confirm in writing, in either the BAA or other documents, how each party will address the Security Rule requirements.

Note that where the contractual agreements between a CSP and customer provide that the customer will control and implement certain security features of the cloud service consistent with the Security Rule, and the customer fails to do so, OCR will consider this factor as important and relevant during any investigation into compliance of either the customer or the CSP. A CSP is not responsible for the compliance failures that are attributable solely to the actions or inactions of the customer, as determined by the facts and circumstances of the particular case.

Privacy Rule Considerations

A business associate may only use and disclose PHI as permitted by its BAA and the Privacy Rule, or as otherwise required by law. While a CSP that provides only no-view services to a covered entity or business associate customer may not control who views the ePHI, the CSP still must ensure that it itself only uses and discloses the encrypted information as permitted by its BAA and the Privacy Rule, or as otherwise required by law. This includes, for example, ensuring the CSP does not impermissibly use the ePHI by blocking or terminating access by the customer to the ePHI.^[ii]

Further, a BAA must include provisions that require the business associate to, among other things, make available PHI as necessary for the covered entity to meet its obligations to provide individuals with their rights to access, amend, and receive an accounting of certain disclosures of PHI in compliance with 45 CFR § 164.504(e)(2)(ii)(E)-(G). The BAA between a no-view CSP and a covered entity or business associate customer should describe in what manner the no-view CSP will meet these obligations – for example, a CSP may agree in the BAA that it will make the ePHI available to the customer for the purpose of incorporating amendments to ePHI requested by the individual, but only the customer will make those amendments.

Breach Notification Rule Considerations

As a business associate, a CSP that offers only no-view services to a covered entity or business associate still must comply with the HIPAA breach notification requirements that apply to business associates. In particular, a business associate is responsible for notifying the covered entity (or the business associate with which it has contracted) of breaches of unsecured PHI. See 45 CFR § 164.410. Unsecured PHI is PHI that has not been destroyed or is not encrypted at the levels specified in HHS’ Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals.^[iii] If the ePHI that has been breached is encrypted consistent with the HIPAA standards set forth in 45 CFR § 164.402(2) and HHS’ Guidance,^[iv] the incident falls within the breach “safe harbor” and the CSP business associate is not required to report the incident to its customer. However, if the ePHI is encrypted, but not at a level that meets the HIPAA standards or the decryption key was also breached, then the incident must be reported to its customer as a breach, unless one of the exceptions to the definition of “breach” applies. See 45 CFR § 164.402. See also 45 CFR § 164.410 for more information about breach notification obligations for business associates.

October 2018

Can a CSP be considered to be a “conduit” like the postal service, and, therefore, not a business associate that must comply with the HIPAA Rules?

Generally, no. CSPs that provide cloud services to a covered entity or business associate that involve creating, receiving, or maintaining (e.g., to process and/or store) electronic protected health information (ePHI) meet the definition of a business associate, even if the CSP cannot view the ePHI because it is encrypted and the CSP does not have the decryption key.

As explained in previous guidance,^[i] the conduit exception is limited to transmission-only services for PHI (whether in electronic or paper form), including any temporary storage of PHI incident to such transmission. Any access to PHI by a conduit is only transient in nature. In contrast, a CSP that maintains ePHI for the purpose of storing it will qualify as a business associate, and not a conduit, even if the CSP does not actually view the information, because the entity has more persistent access to the ePHI.

Further, where a CSP provides transmission services for a covered entity or business associate customer, in addition to maintaining ePHI for purposes of processing and/or storing the information, the CSP is still a business associate with respect to such transmission of ePHI. The conduit exception applies where the only services provided to a covered entity or business associate customer are for transmission of ePHI that do not involve any storage of the information other than on a temporary basis incident to the transmission service.

October 2018

Which CSPs offer HIPAA-compliant cloud services?

OCR does not endorse, certify, or recommend specific technology or products.

October 2018

What if a HIPAA covered entity (or business associate) uses a CSP to maintain ePHI without first executing a business associate agreement with that CSP?

If a covered entity (or business associate) uses a CSP to maintain (e.g., to process or store) electronic protected health information (ePHI) without entering into a BAA with the CSP, the covered entity (or business associate) is in violation of the HIPAA Rules. 45 C.F.R §§164.308(b)(1) and §164.502(e). OCR has entered into a resolution agreement and corrective action plan with a covered entity that OCR determined stored ePHI of over 3,000 individuals on a cloud-based server without entering into a BAA with the CSP.[1]

Further, a CSP that meets the definition of a business associate – that is a CSP that creates, receives, maintains, or transmits PHI on behalf of a covered entity or another business associate – must comply with all applicable provisions of the HIPAA Rules, regardless of whether it has executed a BAA with the entity using its services. See 78 Fed. Reg. 5565, 5598 (January 25, 2013). OCR recognizes that there may, however, be circumstances where a CSP may not have actual or constructive knowledge that a covered entity or another business associate is using its services to create, receive, maintain, or transmit ePHI. The HIPAA Rules provide an affirmative defense in cases where a CSP takes action to correct any non-compliance within 30 days (or such additional period as OCR may determine appropriate based on the nature and extent of the non-compliance) of the time that it knew or should have known of the violation (e.g., at the point the CSP knows or should have known that a covered entity or business associate customer is maintaining ePHI in its cloud). 45 CFR 160.410. This affirmative defense does not, however, apply in cases where the CSP was not aware of the violation due to its own willful neglect.

If a CSP becomes aware that it is maintaining ePHI, it must come into compliance with the HIPAA Rules, or securely return the ePHI to the customer or, if agreed to by the customer, securely destroy the ePHI. Once the CSP securely returns or destroys the ePHI (subject to arrangement with the customer), it is no longer a business associate. We recommend CSPs document these actions.

While a CSP maintains ePHI, the HIPAA Rules prohibit the CSP from using or disclosing the data in a manner that is inconsistent with the Rules.

October 2018

If a CSP experiences a security incident involving a HIPAA covered entity’s or business associate’s ePHI, must it report the incident to the covered entity or business associate?

Yes. The Security Rule at 45 CFR § 164.308(a)(6)(ii) requires business associates to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the business associate; and document security incidents and their outcomes. In addition, the Security Rule at 45 CFR § 164.314(a)(2)(i)(C) provides that a business associate agreement must require the business associate to report, to the covered entity or business associate whose electronic protected health information (ePHI) it maintains, any security incidents of which it becomes aware. A security incident under 45 CFR § 164.304 means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Thus, a business associate CSP must implement policies and procedures to address and document security incidents, and must report security incidents to its covered entity or business associate customer.

The Security Rule, however, is flexible and does not prescribe the level of detail, frequency, or format of reports of security incidents, which may be worked out between the parties to the business associate agreement (BAA). For example, the BAA may prescribe differing levels of detail, frequency, and formatting of reports based on the nature of the security incidents – e.g., based on the level of threat or exploitation of vulnerabilities, and the risk to the ePHI they pose. The BAA could also specify appropriate responses to certain incidents and whether identifying patterns of attempted security incidents is reasonable and appropriate.

Note, though, that the Breach Notification Rule specifies the content, timing, and other requirements for a business associate to report incidents that rise to the level of a breach of unsecured PHI to the covered entity (or business associate) on whose behalf the business associate is maintaining the PHI. See 45 CFR § 164.410. The BAA may specify more stringent (e.g., more timely) requirements for reporting than those required by the Breach Notification Rule (so long as they still also meet the Rule’s requirements) but may not otherwise override the Rule’s requirements for notification of breaches of unsecured PHI.

October 2018

Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?

Yes. Health care providers, other covered entities, and business associates may use mobile devices to access electronic protected health information (ePHI) in a cloud as long as appropriate physical, administrative, and technical safeguards are in place to protect the confidentiality, integrity, and availability of the ePHI on the mobile device and in the cloud, and appropriate BAAs are in place with any third party service providers for the device and/or the cloud that will have access to the e-PHI. The HIPAA Rules do not endorse or require specific types of technology, but rather establish the standards for how covered entities and business associates may use or disclose ePHI through certain technology while protecting the security of the ePHI by requiring analysis of the risks to the ePHI posed by such technology and implementation of reasonable and appropriate administrative, technical, and physical safeguards to address such risks. OCR and ONC have issued guidance on the use of mobile devices and tips for securing ePHI on mobile devices.^[1]

October 2018

Do the HIPAA Rules allow health care providers to use mobile devices to access ePHI in a cloud?

October 2018

Tags: HIPPA, Business Associates

Do the HIPAA Rules require a CSP to maintain ePHI for some period of time beyond when it has finished providing services to a covered entity or business associate?

No, the HIPAA Rules generally do not require a business associate to maintain electronic protected health information (ePHI) beyond the time it provides services to a covered entity or business associate. The Privacy Rule provides that a business associate agreement (BAA) must require a business associate to return or destroy all PHI at the termination of the BAA where feasible. 45 CFR § 164.504(e)(2)(J).

If such return or destruction is not feasible, the BAA must extend the privacy and security protections of the BAA to the ePHI and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible. For example, return or destruction would be considered ‘‘infeasible’’ if other law requires the business associate CSP to retain ePHI for a period of time beyond the termination of the business associate contract.^[1]

October 2018

Tags: HIPPA, Business Associates

Do the HIPAA Rules allow a covered entity or business associate to use a CSP that stores ePHI on servers outside of the United States?

Yes, provided the covered entity (or business associate) enters into a business associate agreement (BAA) with the CSP and otherwise complies with the applicable requirements of the HIPAA Rules. However, while the HIPAA Rules do not include requirements specific to protection of electronic protected health information (ePHI) processed or stored by a CSP or any other business associate outside of the United States, OCR notes that the risks to such ePHI may vary greatly depending on its geographic location. In particular, outsourcing storage or other services for ePHI overseas may increase the risks and vulnerabilities to the information or present special considerations with respect to enforceability of privacy and security protections over the data. Covered entities (and business associates, including the CSP) should take these risks into account when conducting the risk analysis and risk management required by the Security Rule. See 45 CFR §§ 164.308(a)(1)(ii)(A) and (a)(1)(ii)(B). For example, if ePHI is maintained in a country where there are documented increased attempts at hacking or other malware attacks, such risks should be considered, and entities must implement reasonable and appropriate technical safeguards to address such threats.

October 2018

Tags: HIPPA,

If a CSP receives and maintains only information that has been de-identified in accordance with the HIPAA Privacy Rule, is it is a business associate?

When using interpreter services, a covered entity may use and disclose protected health information regarding an individual without an individual’s authorization as a health care operation, in accordance with the Privacy Rule, in the following ways:

When the interpreter is a member of the covered entity’s workforce (i.e., a bilingual employee, a contract interpreter on staff, or a volunteer) as defined at 45 CFR 160.103;
When a covered entity engages the services of a person or entity, who is not a workforce member, to perform interpreter services on its behalf, as a business associate, as defined at 45 CFR 160.103. A covered entity may disclose protected health information as necessary for the business associate to provide interpreter services on the covered entity’s behalf, subject to certain written satisfactory assurances set forth in 45 CFR 164.504(e). For instance, many providers including those that are recipients of federal financial assistance and are required under Title VI of the Civil Rights Act of 1964 to take reasonable steps to provide meaningful access to persons with limited English proficiency — will have contractual arrangements with private commercial companies, community-based organizations, or telephone interpreter service lines to provide such language services. If a covered entity has an ongoing contractual relationship with an interpreter service, that service arrangement should comply with the Privacy Rule business associate agreement requirements.

In addition, a covered health care provider may, without the individual’s authorization, use or disclose protected health information to the patient’s family member, close friend, or any other person identified by the individual as his or her interpreter for a particular healthcare encounter. In these situations, that interpreter is not a business associate of the health care provider. As with other disclosures to family members, friends or other persons identified by an individual as involved in his or her care, when the individual is present, the covered entity may obtain the individual’s agreement or reasonably infer, based on the exercise of professional judgment, that the individual does not object to the disclosure of protected health information to the interpreter. 45 CFR 164.510(b)(2).

For example, if a covered health care provider encounters a patient who speaks a language for which the provider has no employee, volunteer member of the workforce or contractor who can competently interpret, but then is able to identify a telephone interpreter service to communicate with the patient, the provider may contact the telephone interpreter service and identify the language used by the patient, so that the interpreter may explain to the patient that the interpreter is available to assist the patient in communicating with the provider. If the provider reasonably concludes that the patient has chosen to be assisted by the interpreter, and, by the patient’s willingness to continue the health care encounter using the interpreter, reasonably infers that the individual does not object to the disclosure, protected health information may be disclosed in accordance with 45 CFR 164.510(b) without a business associate contract.

Organizations that are subject to both HIPAA and Title VI must comply with the requirements of both laws, though not all HIPAA covered entities are recipients of federal financial assistance and thus, required to comply with Title VI; and not all recipients of federal financial assistance are also HIPAA covered entities, subject to the Privacy Rule. For information about the obligation of recipients of federal financial assistance to take reasonable steps to provide meaningful access to persons who are limited English proficient, see Guidance to Federal Financial Assistance Recipients Regarding Title VI Prohibition Against National Origin Discrimination Affecting Limited English Proficient Persons. This guidance includes information for recipients of federal financial assistance about important considerations for determining the competency of interpreters, such as their understanding of applicable confidentiality requirements, that should be taken into account when using interpreters arranged by the provider or when individuals elect to use friends, family or others as interpreters. HIPAA covered entities may also be required to comply with the Americans with Disabilities Act and/or Section 504 of the Rehabilitation Act of 1973, both of which have requirements for the provision of sign language and oral interpreters for people who are deaf or hard of hearing. See our frequently asked question on the use of communications assistants as part of a Telecommunications Relay Service (TRS).

October 2018

Instead of entering into a contract, can business associates self-certify or be certified by a third party as compliant with the HIPAA Privacy Rule?

No. A covered entity is required to enter into a contract or other written arrangement with a business associate that meets the requirements at 45 CFR 164.504(e).

October 2018

Is a business associate contract required for a covered entity to disclose protected health information to a researcher?

No. Disclosures from a covered entity to a researcher for research purposes do not require a business associate contract, even in those instances where the covered entity has hired the researcher to perform research on the covered entity’s own behalf. A business associate agreement is required only where a person or entity is conducting a function or activity regulated by the Administrative Simplification Rules on behalf of a covered entity, such as payment or health care operations, or providing one of the services listed in the definition of “business associate” at 45 CFR 160.103.

However, the HIPAA Privacy Rule does not prohibit a covered entity from entering into a business associate contract with a researcher if the covered entity wishes to do so. Notwithstanding the above, a covered entity is only permitted to disclose protected health information to a researcher as permitted by Rule, that is, with an individual’s authorization pursuant to 45 CFR 164.508, without an individual’s authorization as permitted by 45 CFR 164.512(i), or as a limited data set provided that a data use agreement is in place as permitted by 45 CFR 164.514(e).

October 2018

No. The hospital and such physicians participate in what the HIPAA Privacy Rule defines as an organized health care arrangement (OHCA). Thus, they may use and disclose protected health information for the joint health care activities of the OHCA without entering into a business associate agreement.

October 2018

Are accreditation organizations business associates of the covered entities they accredit?

Yes. The HIPAA Privacy Rule explicitly defines organizations that accredit covered entities as business associates. See the definition of “business associate” at 45 CFR 160.103.

Like other business associates, accreditation organizations provide a service to the covered entity which requires the sharing of protected health information. The business associate provisions may be satisfied by standard or model contract forms which could require little or no modification for each covered entity. As an alternative to the business associate contract, covered entities may disclose a limited data set of protected health information, not including direct identifiers, to an accreditation organization, subject to a data use agreement. See 45 CFR 164.514(e).

If only a limited data set of protected health information is disclosed, the satisfactory assurances required of the business associate are satisfied by the data use agreement.

October 2018

When is a health care provider a business associate of another health care provider?

The HIPAA Privacy Rule explicitly excludes from the business associate requirements disclosures by a covered entity to a health care provider for treatment purposes. See 45 CFR 164.502(e)(1).

Therefore, any covered health care provider (or other covered entity) may share protected health information with a health care provider for treatment purposes without a business associate contract. However, this exception does not preclude one health care provider from establishing a business associate relationship with another health care provider for some other purpose.
For example, a hospital may enlist the services of another health care provider to assist in the hospital’s training of medical students. In this case, a business associate contract would be required before the hospital could allow the health care provider access to patient health information.

October 2018

Are the following entities considered “business associates” under the HIPAA Privacy Rule: US Postal Service, United Parcel Service, delivery truck line employees and/or their management?

No, the Privacy Rule does not require a covered entity to enter into business associate contracts with organizations, such as the US Postal Service, certain private couriers and their electronic equivalents that act merely as conduits for protected health information. A conduit transports information but does not access it other than on a random or infrequent basis as necessary for the performance of the transportation service or as required by law. Since no disclosure is intended by the covered entity, and the probability of exposure of any particular protected health information to a conduit is very small, a conduit is not a business associate of the covered entity.

October 2018

If the only protected health information a business associate receives is a limited data set, does the HIPAA Privacy Rule require the covered entity to enter into both a business associate agreement and data use agreement with the business associate?

No. Where a covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function, the covered entity satisfies the Rule’s requirements that it obtain satisfactory assurances from its business associate with the data use agreement.

For example, where a State hospital association receives only limited data sets of protected health information from its member hospitals for the purposes of conducting and sharing comparative quality analyses with these hospitals, the member hospitals need only have data use agreements in place with the State hospital association.

October 2018

Are business associates required to restrict their uses and disclosures to the minimum necessary? May a covered entity reasonably rely on a request from a covered entity’s business associate as the minimum necessary?

A covered entity’s contract with a business associate may not authorize the business associate to use or further disclose the information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. See 45 CFR 164.504(e)(2)(i). Thus, a business associate contract must limit the business associate’s uses and disclosures of, as well as requests for, protected health information to be consistent with the covered entity’s minimum necessary policies and procedures. Given that a business associate contract must limit a business associate’s requests for protected health information on behalf of a covered entity to that which is reasonably necessary to accomplish the intended purpose, a covered entity is permitted to reasonably rely on such requests from a business associate of another covered entity as the minimum necessary.

October 2018

Is a physician or other provider considered to be a business associate of a health plan or other payer?

Generally, providers are not business associates of payers. For example, if a provider is a member of a health plan network and the only relationship between the health plan (payer) and the provider is one where the provider submits claims for payment to the plan, then the provider is not a business associate of the health plan. Each covered entity is acting on its own behalf when a provider submits a claim to a health plan, and when the health plan assesses and pays the claim. However, a business associate relationship could arise if the provider is performing another function on behalf of, or providing services to, the health plan (e.g., case management services) that meet the definition of “business associate” at 45 CFR 160.103.

October 2018

Under the Privacy Rule, a covered entity such as a doctor can contact a patient using a Telecommunications Relay Service (TRS), without the need for a business associate contract with the TRS. The sharing of protected health information between a covered health care provider and a patient through the TRS is permitted by the Privacy Rule under 45 C.F.R. 164.510(b), and a business associate contract is not required in these circumstances.

By way of background, the TRS enables telephone communication for people with hearing or speech impairments by using a communications assistant (CA) who transliterates conversations. The TRS CA relays information, which may include protected health information, between a text telephone (also known as “TTY”) user and another person communicating via voice. The CA must communicate what is said by the parties without alteration. The Federal Communications Commission (FCC), pursuant to the Americans with Disabilities Act (ADA), certifies all State TRS programs, which in turn contract with one or more TRS providers. All TRS providers must comply with standards for operators established by the FCC pursuant to Title IV of the ADA, including protecting the privacy of all relayed communications. The TRS is a public service that is available without cost to all persons and businesses, none of whom need to employ, contract with or otherwise establish business relationships with the TRS. Thus, when performing these services, the TRS is not acting for or on behalf of the covered entity and is not the covered entity’s business associate.

As permitted by 45 C.F.R. 164.510(b), protected health information can be shared during a telephone communication using the TRS because the individual will have an opportunity to agree or object to disclosures of protected health information to the CA. The following typical scenarios describe how this opportunity can be provided in the course of, or prior to, using the TRS:

Where the individual initiates the call through the TRS, it is reasonable for a covered health care provider to infer from these circumstances that the individual has identified the CA as involved in the individual’s care, and that the individual does not object to the disclosure. See 45 C.F.R. 164.510(b)(2)(iii).
Where the need for use of the TRS becomes apparent prior to a call being placed, such as when, during an office visit, the individual gives the health care provider his or her TTY number, the opportunity to agree or object to the TRS can be provided at that time. See 45 C.F.R. 164.510(b)(2).
Even where the covered health care provider initiates a call using the TRS without the individual’s prior agreement, the individual will have an opportunity to agree or object at the outset of the call. Typically, the CA will begin the call by identifying the service to the party called, and if that party is unfamiliar with the TRS, the CA will briefly explain how the service operates. This initial contact by the CA provides the individual with the opportunity to agree to the disclosure by proceeding with the call using the TRS, or to object by terminating the call. See 45 C.F.R. 164.510(b)(2)(i)-(ii).

October 2018

In providing legal services to a covered entity, must a lawyer who is a business associate require that those persons to whom it discloses protected health information agree to abide by the privacy restrictions and conditions that apply to the lawyer?

It depends on who the recipient is. The business associate agreement between the covered entity and the lawyer-business associate must provide that the lawyer will ensure that any agents, including subcontractors, to whom it provides protected health information agree to the same restrictions and conditions that apply to the business associate with respect to the information. See 45 CFR 164.504(e)(2)(ii)(D).

Thus, if a lawyer-business associate enlists the services of a person or entity in furtherance of the lawyer’s legal services to a covered entity, and the lawyer must provide protected health information to the person or entity for such purpose, the lawyer’s business associate contract with the covered entity requires that the lawyer ensure that these persons agree to the same restrictions and conditions with respect to the protected health information they receive that apply to the lawyer as a business associate.

For example, pursuant to its business associate contract, a lawyer must ensure that other legal counsel, jury experts, document or file managers, investigators, litigation support personnel, or others hired by the lawyer to assist the lawyer in providing legal services to the covered entity, will also safeguard the privacy of the protected health information the lawyer receives to perform its duties. Conversely, a lawyer-business associate need not ensure that opposing counsel, fact witnesses, or other persons who do not perform functions or services that assist the lawyer in performing its services to the client, agree to the business associate restrictions and conditions, even though the lawyer may have to disclose protected health information to these third parties.

October 2018

Does the HIPAA Privacy Rule require a business associate to provide individuals with access to their protected health information or an accounting of disclosures, or an opportunity to amend protected health information?

The Privacy Rule regulates covered entities, not business associates. The Rule requires covered entities to include specific provisions in agreements with business associates to safeguard protected health information, and addresses how covered entities may share this information with business associates. Covered entities are responsible for fulfilling Privacy Rule requirements with respect to individual rights, including the rights of access, amendment, and accounting, as provided for by 45 CFR 164.524, 164.526, and 164.528. With limited exceptions, a covered entity is required to provide an individual access to his or her protected health information in a designated record set. This includes information in a designated record set of a business associate, unless the information held by the business associate merely duplicates the information maintained by the covered entity. Therefore, the Rule requires covered entities to specify in the business associate contract that the business associate must make such protected health information available if and when needed by the covered entity to provide an individual with access to the information. However, the Privacy Rule does not prevent the parties from agreeing through the business associate contract that the business associate will provide access to individuals, as may be appropriate where the business associate is the only holder of the designated record set, or part thereof.

Under 45 CFR 164.526, a covered entity must amend protected health information about an individual in a designated record set, including any designated record sets (or copies thereof) held by a business associate. Therefore, the Rule requires covered entities to specify in the business associate contract that the business associate must amend protected health information in such records (or copies) when requested by the covered entity. The covered entity itself is responsible for addressing requests from individuals for amendment and coordinating such requests with its business associate. However, the Privacy Rule also does not prevent the parties from agreeing through the contract that the business associate will receive and address requests for amendment on behalf of the covered entity.

Under 45 CFR 164.528, the Privacy Rule requires a covered entity to provide an accounting of certain disclosures, including certain disclosures by its business associate, to the individual upon request. The business associate contract must provide that the business associate will make such information available to the covered entity in order for the covered entity to fulfill its obligation to the individual. As with access and amendment, the parties can agree through the business associate contract that the business associate will provide the accounting to individuals, as may be appropriate given the protected health information held by, and the functions of, the business associate.

October 2018

May a business associate of a HIPAA covered entity block or terminate access by the covered entity to the protected health information (PHI) maintained by the business associate for or on behalf of the covered entity?

No.

First, a business associate may not use PHI in a manner or to accomplish a purpose or result that would violate the HIPAA Privacy Rule. See 45 CFR § 164.502(a)(3). Generally, if a business associate blocks access to the PHI it maintains on behalf of a covered entity, including terminating access privileges of the covered entity, the business associate has engaged in an act that is an impermissible use under the Privacy Rule. For example, a business associate blocking access by a covered entity to PHI (such as where an Electronic Health Record (EHR) developer activates a “kill switch” embedded in its software that renders the data inaccessible to its provider client) to resolve a payment dispute with the covered entity is an impermissible use of PHI. Similarly, in the event of termination of the agreement by either party, a business associate must return PHI as provided for by the business associate agreement. If a business associate fails to do so, it has impermissibly used PHI.

Second, a business associate is required by the HIPAA Security Rule to ensure the confidentiality, integrity, and availability of all electronic PHI (ePHI) that it creates, receives, maintains, or transmits on behalf of a covered entity. See 45 CFR § 164.306(a)(1). Maintaining the availability of the ePHI means ensuring the PHI is accessible and usable upon demand by the covered entity, whether the PHI is maintained in an EHR, cloud, data backup system, database, or other system. 45 CFR § 164.304. This also includes, in cases where the business associate agreement specifies that PHI is to be returned at termination of the agreement, returning the PHI to the covered entity in a format that is reasonable in light of the agreement to preserve its accessibility and usability. A business associate that terminates access privileges of a covered entity, or otherwise denies a covered entity’s access to the ePHI it holds on behalf of the covered entity, is violating the Security Rule.

Third, a business associate is required by the HIPAA Privacy Rule and its business associate agreement to make PHI available to a covered entity as necessary to satisfy the covered entity’s obligations to provide access to individuals under 45 CFR § 164.524. See 45 CFR §§ 164.502(a)(4)(ii), 164.504(e)(2)(ii)(E). Therefore, a business associate may not deny a covered entity access to the PHI the business associate maintains on behalf of the covered entity if the covered entity needs the PHI to satisfy its obligations under 45 CFR § 164.524.

OCR recognizes, however, that there may be certain arrangements that authorize the business associate to destroy or dispose of PHI, or perform data aggregation or otherwise combine data from multiple sources, and where, because of the nature of the services to be performed by the business associate with the PHI as specified in the contractual arrangements between the parties, the covered entity and business associate agree that the business associate will not provide the covered entity access to the PHI. For example, a covered entity may engage a business associate to perform data aggregation of information from multiple sources that renders the disaggregated original source data unreturnable to the covered entity. OCR does not consider these contractual arrangements to constitute the types of impermissible data blocking or access termination described above.

Finally, OCR notes that a covered entity is responsible for ensuring the availability of its own PHI. To the extent that a covered entity has agreed to terms in a business associate agreement that prevent the covered entity from ensuring the availability of its own PHI, whether in paper or electronic form, the covered entity is not in compliance with 45 CFR §§ 164.308(b)(3), 164.502(e)(2), and 164.504(e)(1).

October 2018

The HIPAA Privacy Rule recognizes that a deceased individual’s protected health information may be relevant to a family member’s health care. The Rule provides two ways for a surviving family member to obtain the protected health information of a deceased relative.

First, disclosures of protected health information for treatment purposes—even the treatment of another individual—do not require an authorization; thus, a covered entity may disclose a decedent’s protected health information, without authorization, to the health care provider who is treating the surviving relative.

No. The Rule does not require a physician or any other covered entity to send medical information to the government for a government data base or similar operation. This Rule does not require or allow any new government access to medical information, with one exception: the Rule does give the Department of Health and Human Services Office for Civil Rights (OCR) the authority to investigate complaints that Privacy Rule protections or rights have been violated, and otherwise to ensure that covered entities comply with the Rule.

For enforcement purposes, OCR may need to look at how a covered entity handled medical records and other personal health information, as is typical in many enforcement settings. This investigative authority is needed so that the Rule can be enforced, and to ensure the independent review of consumers’ concerns over privacy violations.

Even so, the Privacy Rule limits disclosures to OCR to information that is “pertinent to ascertaining compliance.” OCR will maintain stringent controls to safeguard any individually identifiable health information that it receives. If covered entities could avoid or ignore enforcement requests, consumers would not have a way to ensure an independent review of their concerns about privacy violations under the Rule.

October 2018

Tags: HIPPA, Law Enforcement

Does the HIPAA Privacy Rule require my doctor to send my medical records to the government?

October 2018

Tags: HIPPA, Law Enforcement

Why would HIPAA Privacy Rule require covered entities to turn over anybody’s personal health information as part of a government enforcement process?

An important ingredient in ensuring compliance with the Privacy Rule is the Department of Health and Human Services’ (HHS) responsibility to investigate complaints that the Rule has been violated and to follow up on other information regarding noncompliance. At times, this responsibility entails seeing personal health information, such as when an individual indicates to the Department that they believe a covered entity has not properly handled their medical records.

What information would be needed depends on the circumstances and the alleged violations. The Privacy Rule limits HHS Office for Civil Rights’ (OCR) access to information that is “pertinent to ascertaining compliance.” In some cases, no personal health information may be needed. For instance, OCR would need to review only a business contract to determine whether a health plan included appropriate language to protect privacy when it hired an outside company to help process claims.

Examples of investigations that may require OCR to have access to protected health information include:

Allegations that a covered entity refused to note a request for correction in a patient’s medical record, or did not provide complete access to a patient’s medical records to that patient.
Allegations that a covered entity used health information for marketing purposes without first obtaining the individuals’ authorization when required by the Rule. OCR may need to review information in the marketing department that contains personal health information, to determine whether a violation has occurred.

October 2018

Tags: HIPPA, Law Enforcement

Will this HIPAA Privacy Rule make it easier for police and law enforcement agencies to get my medical information?

No. The Rule does not expand current law enforcement access to individually identifiable health information. In fact, it limits access to a greater degree than currently exists, since the Rule establishes new procedures and safeguards that restrict the circumstances under which a covered entity may give such information to law enforcement officers.

For example, the Rule limits the type of information that covered entities may disclose to law enforcement, absent a warrant or other prior process, when law enforcement is seeking to identify or locate a suspect. It specifically prohibits disclosure of DNA information for this purpose, absent some other legal requirements such as a warrant. Similarly, under most circumstances, the Privacy Rule requires covered entities to obtain permission from persons who have been the victim of domestic violence or abuse before disclosing information about them to law enforcement.

In most States, such permission is not required today. Where State law imposes additional restrictions on disclosure of health information to law enforcement, those State laws continue to apply. This Rule sets a national floor of legal protections; it is not a set of “best practices.” Even in those circumstances when disclosure to law enforcement is permitted by the Rule, the Privacy Rule does not require covered entities to disclose any information. Some other Federal or State law may require a disclosure, and the Privacy Rule does not interfere with the operation of these other laws. However, unless the disclosure is required by some other law, covered entities should use their professional judgment to decide whether to disclose information, reflecting their own policies and ethical principles. In other words, doctors, hospitals, and health plans could continue to follow their own policies to protect privacy in such instances.

October 2018

Tags: HIPPA, Law Enforcement

Does the HIPAA Privacy Rule permit covered entities to disclose protected health information, without individuals’ authorization, to public officials responding to a bioterrorism threat or other public health emergency?

Yes. The Rule recognizes that various agencies and public officials will need protected health information to deal effectively with a bioterrorism threat or emergency. To facilitate the communications that are essential to a quick and effective response to such events, the Privacy Rule permits covered entities to disclose needed information to public officials in a variety of ways.

Covered entities may disclose protected health information, without the individual’s authorization, to a public health authority acting as authorized by law in response to a bioterrorism threat or public health emergency (see 45 CFR 164.512(b)), public health activities). The Privacy Rule also permits a covered entity to disclose protected health information to public officials who are reasonably able to prevent or lessen a serious and imminent threat to public health or safety related to bioterrorism (see 45 CFR 164.512(j)), to avert a serious threat to health or safety). In addition, disclosure of protected health information, without the individual’s authorization, is permitted where the circumstances of the emergency implicates law enforcement activities (see 45 CFR 164.512(f)); national security and intelligence activities (see 45 CFR 164.512(k)(2)); or judicial and administrative proceedings (see 45 CFR 164.512(e)).

October 2018

Tags: HIPPA, Law Enforcement

When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?

The Privacy Rule is balanced to protect an individual’s privacy while allowing important law enforcement functions to continue. The Rule permits covered entities to disclose protected health information (PHI) to law enforcement officials, without the individual’s written authorization, under specific circumstances summarized below. For a complete understanding of the conditions and requirements for these disclosures, please review the exact regulatory text at the citations provided. Disclosures for law enforcement purposes are permitted as follows:

To comply with a court order or court-ordered warrant, a subpoena or summons issued by a judicial officer, or a grand jury subpoena. The Rule recognizes that the legal process in obtaining a court order and the secrecy of the grand jury process provides protections for the individual’s private information (45 CFR 164.512(f)(1)(ii)(A)-(B)).
To respond to an administrative request, such as an administrative subpoena or investigative demand or other written request from a law enforcement official. Because an administrative request may be made without judicial involvement, the Rule requires all administrative requests to include or be accompanied by a written statement that the information requested is relevant and material, specific and limited in scope, and de-identified information cannot be used (45 CFR 164.512(f)(1)(ii)(C)).
To respond to a request for PHI for purposes of identifying or locating a suspect, fugitive, material witness or missing person; but the covered entity must limit disclosures of PHI to name and address, date and place of birth, social security number, ABO blood type and rh factor, type of injury, date and time of treatment, date and time of death, and a description of distinguishing physical characteristics. Other information related to the individual’s DNA, dental records, body fluid or tissue typing, samples, or analysis cannot be disclosed under this provision, but may be disclosed in response to a court order, warrant, or written administrative request (45 CFR 164.512(f)(2)).
This same limited information may be reported to law enforcement:
- About a suspected perpetrator of a crime when the report is made by the victim who is a member of the covered entity’s workforce (45 CFR 164.502(j)(2));
- To identify or apprehend an individual who has admitted participation in a violent crimethat the covered entity reasonably believes may have caused serious physical harm to a victim, provided that the admission was not made in the course of or based on the individual’s request for therapy, counseling, or treatment related to the propensity to commit this type of violent act (45 CFR 164.512(j)(1)(ii)(A), (j)(2)-(3)).
To respond to a request for PHI about a victim of a crime, and the victim agrees. If, because of an emergency or the person’s incapacity, the individual cannot agree, the covered entity may disclose the PHI if law enforcement officials represent that the PHI is not intended to be used against the victim, is needed to determine whether another person broke the law, the investigation would be materially and adversely affected by waiting until the victim could agree, and the covered entity believes in its professional judgment that doing so is in the best interests of the individual whose information is requested (45 CFR 164.512(f)(3)).
Where child abuse victims or adult victims of abuse, neglect or domestic violence are concerned, other provisions of the Rule apply:
- Child abuse or neglect may be reported to any law enforcement official authorized by law to receive such reports and the agreement of the individual is not required (45 CFR 164.512(b)(1)(ii)).
- Adult abuse, neglect, or domestic violence may be reported to a law enforcement official authorized by law to receive such reports (45 CFR 164.512(c)):
  - If the individual agrees;
  - If the report is required by law; or
  - If expressly authorized by law, and based on the exercise of professional judgment, the report is necessary to prevent serious harm to the individual or others, or in certain other emergency situations (see 45 CFR 164.512(c)(1)(iii)(B)).
  - Notice to the individual of the report may be required (see 45 CFR 164.512(c)(2)).
To report PHI to law enforcement when required by law to do so (45 CFR 164.512(f)(1)(i)). For example, state laws commonly require health care providers to report incidents of gunshot or stab wounds, or other violent injuries; and the Rule permits disclosures of PHI as necessary to comply with these laws.
To alert law enforcement to the death of the individual, when there is a suspicion that death resulted from criminal conduct (45 CFR 164.512(f)(4)).
- Information about a decedent may also be shared with medical examiners or coroners to assist them in identifying the decedent, determining the cause of death, or to carry out their other authorized duties(45 CFR 164.512(g)(1)).
To report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the covered entity’s premises (45 CFR 164.512(f)(5)).
When responding to an off-site medical emergency, as necessary to alert law enforcement about criminal activity, specifically, the commission and nature of the crime, the location of the crime or any victims, and the identity, description, and location of the perpetrator of the crime (45 CFR 164.512(f)(6)). This provision does not apply if the covered health care provider believes that the individual in need of the emergency medical care is the victim of abuse, neglect or domestic violence; see above Adult abuse, neglect, or domestic violence for when reports to law enforcement are allowed under 45 CFR 164.512(c).
When consistent with applicable law and ethical standards:
- To a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public (45 CFR 164.512(j)(1)(i)); or
- To identify or apprehend an individual who appears to have escaped from lawful custody(45 CFR 164.512(j)(1)(ii)(B)).
For certain other specialized governmental law enforcement purposes, such as:
- To federal officials authorized to conduct intelligence, counter-intelligence, and other national security activities under the National Security Act (45 CFR 164.512(k)(2)) or to provide protective services to the President and others and conduct related investigations (45 CFR 164.512(k)(3));
- To respond to a request for PHI by a correctional institution or a law enforcement official having lawful custody of an inmate or others if they represent such PHI is needed to provide health care to the individual; for the health and safety of the individual, other inmates, officers or employees of or others at a correctional institution or responsible for the transporting or transferring inmates; or for the administration and maintenance of the safety, security, and good order of the correctional facility, including law enforcement on the premises of the facility (45 CFR 164.512(k)(5)).

Except when required by law, the disclosures to law enforcement summarized above are subject to a minimum necessary determination by the covered entity (45 CFR 164.502(b), 164.514(d)). When reasonable to do so, the covered entity may rely upon the representations of the law enforcement official (as a public officer) as to what information is the minimum necessary for their lawful purpose (45 CFR 164.514(d)(3)(iii)(A)). Moreover, if the law enforcement official making the request for information is not known to the covered entity, the covered entity must verify the identity and authority of such person prior to disclosing the information (45 CFR 164.514(h)).

October 2018

Tags: HIPPA, Law Enforcement

State public records laws, also known as open records or freedom of information laws, all provide for certain public access to government records. How does the HIPAA Privacy Rule relate to these state laws?

If a state agency is not a “covered entity”, as that term is defined at 45 CFR 160.103, it is not required to comply with the HIPAA Privacy Rule and, thus, any disclosure of information by the state agency pursuant to its state public records law would not be subject to the Privacy Rule.

If a state agency is a covered entity, however, the Privacy Rule applies to its disclosures of protected health information. The Privacy Rule permits a covered entity to use and disclose protected health information as required by other law, including state law. See 45 CFR 164.512(a). Thus, where a state public records law mandates that a covered entity disclose protected health information, the covered entity is permitted by the Privacy Rule to make the disclosure, provided the disclosure complies with and is limited to the relevant requirements of the public records law.

However, where a state public records law only permits, and does not mandate, the disclosure of protected health information, or where exceptions or other qualifications apply to exempt the protected health information from the state law’s disclosure requirement, such disclosures are not “required by law” and thus, would not fall within § 164.512(a) of the Privacy Rule. For example, if a state public records law includes an exemption that affords a state agency discretion not to disclose medical or other information where such disclosure would constitute a clearly unwarranted invasion of personal privacy, the disclosure of such records is not required by the public records law, and therefore is not permissible under § 164.512(a). In such cases, a covered entity only would be able to make the disclosure if permitted by another provision of the Privacy Rule.

As an example of how the Privacy Rule would apply in the case where an exemption exists in a freedom of information law, see the December 2000 Privacy Rule preamble discussion regarding the relationship of the Privacy Rule with the federal Freedom of Information Act (64 FR 82482).

October 2018

Tags: HIPPA, Law Enforcement

May a health plan disclose protected health information to a state child support enforcement (IV-D) agency in response to a National Medical Support Notice?

The Privacy Rule permits a health plan to respond to a request for information by a IV-D agency pursuant to a National Medical Support Notice (NMSN), as described below.

The Privacy Rule at 45 CFR 164.512(f) permits a covered entity to disclose protected health information to a “law enforcement official” for law enforcement purposes in compliance with court orders, grand jury subpoenas, or certain written administrative requests. 45 CFR 164.512(f)(1)(ii). As defined in 45 CFR 164.501, a “law enforcement official” means an officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to investigate or conduct an official inquiry into a potential violation of law or to prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law. An employee of a IV-D agency, including a contract employee, who is empowered by state or federal law to enforce a medical child support order, meets this definition of a law enforcement official.

The NMSN, a nationally uniform form which is sent by the IV-D agency to the employer and health plan for completion, constitutes a written administrative request by a law enforcement official. As such, the Privacy Rule allows a health plan to disclose protected health information in response to the NMSN, provided it includes or is accompanied by written assurances by the law enforcement official that (1) the information sought is material and relevant to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope; and (3) de-identified information cannot reasonably be used. 45 CFR 164.512(f)(1)(ii)(C).

The Privacy Rule requires the covered entity to verify that these three conditions are met, as well as the identity and authority of the public official making the request, unless already known to the covered entity. The covered entity must also limit the disclosures to the minimum necessary for the purpose. To meet these requirements, the covered entity may reasonably rely on the following:

the NMSN, or a separate written statement that, on its face, demonstrates that the three assurances required for these disclosures have been met. 45 CFR 164.514(h)(2)(i)(A).
the NMSN is sufficient to verify the identity and legal authority of the public official requesting the protected health information. 45 CFR 164.514(h)(2)(ii) and (iii).
the NMSN is sufficient as a request from a public official for the minimum information needed to meet the law enforcement purpose of the request. 45 CFR 164.514(d)(3)(iii)(A).

October 2018

Tags: HIPPA, Law Enforcement

Are location information services of collection agencies, which are required under the Fair Debt Collection Practices Act, permitted under the HIPAA Privacy Rule?

“Payment” is broadly defined as activities by health plans or health care providers to obtain premiums or obtain or provide reimbursements for the provision of health care. The activities specified are by way of example and are not intended to be an exclusive listing. Billing, claims management, collection activities and related data processing are expressly included in the definition of “payment.” See the definition of “payment” at 45 CFR 164.501.

Obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable, and, therefore, would constitute a payment activity. See 45 CFR 164.501. The covered entity and its business associate would also have to comply with any limitations placed on location information services by the Fair Debt Collection Practices Act (Federal Trade Commission).

October 2018

Tags: HIPPA, Disclosures

Won’t the HIPAA Privacy Rule’s minimum necessary standard impede the ability of workers’ compensation insurers, state administrative agencies, and employers to obtain the health information needed to pay injured or ill workers the benefits guaranteed them under State workers’ compensation system?

No. The Privacy Rule is not intended to impede the flow of health information to those who need it to process or adjudicate claims, or coordinate care, for injured or ill workers under workers’ compensation systems. The minimum necessary standard generally requires covered entities to make reasonable efforts to limit uses and disclosures of, as well as requests for, protected health information to the minimum necessary to accomplish the intended purpose. For disclosures of protected health information made for workers’ compensation purposes under 45 CFR 164.512(l), the minimum necessary standard permits covered entities to disclose information to the full extent authorized by State or other law. In addition, where protected health information is requested by a State workers’ compensation or other public official for such purposes, covered entities are permitted reasonably to rely on the official’s representations that the information requested is the minimum necessary for the intended purpose. See 45 CFR 164.514(d)(3)(iii)(A).

For disclosures of protected health information for payment purposes, covered entities may disclose the type and amount of information necessary to receive payment for any health care provided to an injured or ill worker.

The minimum necessary standard does not apply to disclosures that are required by State or other law or made pursuant to the individual’s authorization.

October 2018

Tags: HIPPA, Disclosures

I am a health care provider and my state law says I have to provide a workers’ compensation insurer, upon request, with an injured workers’ records that related to treatment or hospitalization for which compensation is being sought. Am I permitted to disclose the information required by my state law?

Yes. The HIPAA Privacy Rule permits a covered entity to disclose protected health information as necessary to comply with State law. No minimum necessary determination is required. See 45 CFR 164.512(a) and 164.502(b).

October 2018

Tags: HIPPA, Disclosures

Yes. The HIPAA Privacy Rule permits health care providers to communicate with patients regarding their health care. This includes communicating with patients at their homes, whether through the mail or by phone or in some other manner. In addition, the Rule does not prohibit covered entities from leaving messages for patients on their answering machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care to limit the amount of information disclosed on the answering machine. For example, a covered entity might want to consider leaving only its name and number and other information necessary to confirm an appointment, or ask the individual to call back.

A covered entity also may leave a message with a family member or other person who answers the phone when the patient is not home. The Privacy Rule permits covered entities to disclose limited information to family members, friends, or other persons regarding an individual’s care, even when the individual is not present. However, covered entities should use professional judgment to assure that such disclosures are in the best interest of the individual and limit the information disclosed. See 45 CFR 164.510(b)(3).

In situations where a patient has requested that the covered entity communicate with him in a confidential manner, such as by alternative means or at an alternative location, the covered entity must accommodate that request, if reasonable. For example, the Department considers a request to receive mailings from the covered entity in a closed envelope rather than by postcard to be a reasonable request that should be accommodated. Similarly, a request to receive mail from the covered entity at a post office box rather than at home, or to receive calls at the office rather than at home are also considered to be reasonable requests, absent extenuating circumstances. See 45 CFR 164.522(b).

October 2018

Tags: HIPPA, Disclosures

Can a patient have a friend or family member pick up a prescription for her?

Yes. A pharmacist may use professional judgment and experience with common practice to make reasonable inferences of the patient’s best interest in allowing a person, other that the patient, to pick up a prescription. See 45 CFR 164.510(b). For example, the fact that a relative or friend arrives at a pharmacy and asks to pick up a specific prescription for an individual effectively verifies that he or she is involved in the individual’s care, and the HIPAA Privacy Rule allows the pharmacist to give the filled prescription to the relative or friend. The individual does not need to provide the pharmacist with the names of such persons in advance.

October 2018

Tags: HIPPA, Disclosures

Does the HIPAA Privacy Rule permit hospitals and other health care facilities to inform visitors or callers about a patient’s location in the facility and general condition?

Yes. Covered hospitals and other covered health care providers can use a facility directory to inform visitors or callers about a patient’s location in the facility and general condition. The Privacy Rule permits a covered hospital or other covered health care provider to maintain in a directory certain information about patients – patient name, location in the facility, health condition expressed in general terms that does not communicate specific medical information about the individual, and religious affiliation. The patient must be informed about the information to be included in the directory, and to whom the information may be released, and must have the opportunity to restrict the information or to whom it is disclosed, or opt out of being included in the directory. The patient may be informed, and make his or her preferences known, orally or in writing. The facility may provide the appropriate directory information – except for religious affiliation – to anyone who asks for the patient by name. Religious affiliation may be disclosed to members of the clergy, who are given additional access to directory information under the Rule. (See other FAQs at this site by searching on the term “clergy”.)

Even when, due to emergency treatment circumstances or incapacity, the patient has not been provided an opportunity to express his or her preference about how, or if, the information may be disclosed, directory information about the patient may still be made available if doing so is in the individual’s best interest as determined in the professional judgment of the provider, and would not be inconsistent with any known preference previously expressed by the individual. In these cases, as soon as practicable, the covered health care provider must inform the patient about the directory and provide the patient an opportunity to express his or her preference about how, or if, the information may be disclosed. See 45 CFR 164.510(a).

October 2018

Tags: HIPPA, Disclosures

Does the HIPAA Privacy Rule permit a hospital to inform callers or visitors of a patient’s location and general condition in the emergency room, even if the patient’s information would not normally be included in the main hospital directory of admitted patients?

Yes. The Privacy Rule permits covered entities to maintain more than one type of patient directory, and to maintain multiple versions of them, provided that the other requirements at 45 CFR 164.510(a) – PDF also are followed. For instance, emergency rooms that maintain directory information, even though separate from, or in a form different than, the hospital directory of admitted patients, may still disclose the information consistent with the requirements of the Privacy Rule. For further information about how this section of the Rule applies, see our other FAQs on this topic by searching on the term “directory.”

October 2018

Tags: HIPPA, Disclosures

Can the fact that a patient has been “treated and released,” or that a patient has died, be released as part of the facility directory?

Yes. The fact that a patient has been “treated and released,” or that a patient has died, may be released as part of the directory information about the patient’s general condition and location in the facility, provided that the other requirements at 45 CFR 164.510(a) also are followed. For further information about how this section of the Rule applies, see our other FAQs on this topic by searching on the term “directory.”

October 2018

Tags: HIPPA, Disclosures

Can the phone number of a patient’s room be released as part of the facility directory?

Yes. The phone number of the patient’s room in the facility may be released as part of the directory information about the patient’s location in the facility, provided that the other requirements at 45 CFR 164.510(a) also are followed. For further information about how this section of the Rule applies, see our other FAQs on this topic by searching on the term “directory.”

October 2018

Tags: HIPPA, Disclosures

May a hospital or other covered entity notify a patient’s family member or other person that the patient is at their facility?

Yes. The HIPAA Privacy Rule, at 45 CFR 164.510(b), permits covered entities to notify, or assist in the notification of, family members, personal representatives, or other persons responsible for the care of the patient, of the patient’s location, general condition, or death. Where the patient is present, or is otherwise available prior to the disclosure, and has capacity to make health care decisions, the covered entity may notify family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also use or disclose this information to notify the family and these other persons if it can reasonably infer from the circumstances, based on professional judgment, that the patient does not object. Under these circumstances, for example:

A doctor may call a patient’s wife to tell her that her husband was in a car accident and is being treated in the emergency room for minor injuries.
A doctor may contact a pregnant patient’s husband to let him know that his wife arrived at the hospital in labor and is about to give birth.
A nurse may contact the patient’s friend to let him know that his roommate broke his leg falling down the stairs, has had surgery, and is in recovery.

Even when the patient is not present or it is impracticable because of emergency or incapacity to ask the patient about notifying someone, a covered entity can still notify family and these other persons when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR 164.510(b). For example, a doctor may, using such professional judgment, call the adult daughter of an incapacitated patient to inform her that her father suffered a stroke and is in the intensive care unit of a hospital.

October 2018

Tags: HIPPA, Disclosures

Under the HIPAA Privacy Rule, may a health care provider disclose protected health information about an individual to another provider, when such information is requested for the treatment of a family member of the individual?

Yes. The HIPAA Privacy Rule permits a covered health care provider to use or disclose protected health information for treatment purposes. While in most cases, the treatment will be provided to the individual, the HIPAA Privacy Rule does allow the information to be used or disclosed for the treatment of others. Thus, the Rule does permit a doctor to disclose protected health information about a patient to another health care provider for the purpose of treating another patient (e.g., to assist the other health care provider with treating a family member of the doctor’s patient). For example, an individual’s doctor can provide information to the doctor of the individual’s family member about the individual’s adverse reactions to anesthetics prior to the family member undergoing surgery. These uses and disclosures are permitted without the individual’s written authorization or other agreement with the exception of disclosures of psychotherapy notes, which requires the written authorization of the individual.

However, the HIPAA Privacy Rule permits but does not require a covered health care provider to disclose the requested protected health information. Thus, the doctor with the protected health information may decline to share the information even if the Rule would allow it. The HIPAA Privacy Rule may also impose other limitations on these disclosures. Under 45 CFR § 164.522, individuals have the right to request additional restrictions on the use or disclosure of protected health information for treatment, payment, or health care operations purposes. If the health care provider has agreed to the requested restriction, then the doctor is bound by that agreement and (except in emergency treatment situations) would not be permitted to share the information. However, the health care provider maintaining the records does not have to agree to the requested restriction. For example, an individual who has obtained a genetic test may request that the health care provider not use or disclose the test results. If the health care provider agrees to the restriction, the information could not be shared with providers treating other family members who are seeking to identify their own genetic health risks.

October 2018

Tags: HIPPA, Disclosures

Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with the patient’s family and friends?

Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care. If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object. The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object. Under these circumstances, for example:

A doctor may give information about a patient’s mobility limitations to a friend driving the patient home from the hospital.
A hospital may discuss a patient’s payment options with her adult daughter.
A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.
A physician may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.

Even when the patient is not present or it is impracticable because of emergency circumstances or the patient’s incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person, a covered entity may share this information with the person when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR 164.510(b). Thus, for example:

A surgeon may, if consistent with such professional judgment, inform a patient’s spouse, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient’s progress and prognosis.
A doctor may, if consistent with such professional judgment, discuss an incapacitated patient’s condition with a family member over the phone.

In addition, the Privacy Rule expressly permits a covered entity to use professional judgment and experience with common practice to make reasonable inferences about the patient’s best interests in allowing another person to act on behalf of the patient to pick up a filled prescription, medical supplies, X-rays, or other similar forms of protected health information. For example, when a person comes to a pharmacy requesting to pick up a prescription on behalf of an individual he identifies by name, a pharmacist, based on professional judgment and experience with common practice, may allow the person to do so.

October 2018

Tags: HIPPA, Disclosures

May a doctor or hospital disclose protected health information to a person or entity that can assist in notifying a patient’s family member of the patient’s location and health condition?

Yes. The HIPAA Privacy Rule permits a covered doctor or hospital to disclose protected health information to a person or entity that will assist in notifying a patient’s family member of the patient’s location, general condition, or death. See 45 CFR 164.510(b)(1)(ii). The patient’s written authorization is not required to make disclosures to notify, identify, or locate the patient’s family members, his or her personal representatives, or other persons responsible for the patient’s care. Rather, where the patient is present, or is otherwise available prior to the disclosure, and has capacity to make health care decisions, the covered entity may disclose protected health information for notification purposes if the patient agrees or, when given the opportunity, does not object. The covered entity may also make the disclosure if it can reasonably infer from the circumstances, based on professional judgment, that the patient does not object. See 45 CFR 164.510(b)(2).

Even when the patient is not present or it is impracticable because of emergency or incapacity to ask the patient about notifying someone, a covered entity can still disclose a patient’s location, general condition, or death for notification purposes when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR 164.510(b)(3).

Under these circumstances, for example:

A doctor may share information about a patient’s condition with the American Red Cross for the Red Cross to provide emergency communications services for members of the U.S. military, such as notifying service members of family illness or death, including verifying such illnesses for emergency leave requests.

A hospital may ask police to help locate and communicate with the family of an individual killed or injured in an accident.
A hospital may contact a patient’s employer for information to assist in locating the patient’s spouse so that he/she may be notified about the hospitalization of the patient.

October 2018

Tags: HIPPA, Disclosures

If I do not object, can my health care provider share or discuss my health information with my family, friends, or others involved in my care or payment for my care?

Yes. As long as you do not object, your health care provider is allowed to share or discuss your health information with your family, friends, or others involved in your care or payment for your care. Your provider may ask your permission, may tell you he or she plans to discuss the information and give you an opportunity to object, or may decide, using his or her professional judgment, that you do not object. In any of these cases, your health care provider may discuss only the information that the person involved needs to know about your care or payment for your care.

Here are some examples:

An emergency room doctor may discuss your treatment in front of your friend when you ask that your friend come into the treatment room.
Your hospital may discuss your bill with your daughter who is with you at the hospital and has questions about the charges.
Your doctor may talk to your sister who is driving you home from the hospital about your keeping your foot raised during the ride home.
Your doctor may discuss the drugs you need to take with your health aide who has come with you to your appointment.
Your nurse may tell you that he or she is going to tell your brother how you are doing, and then your nurse may discuss your health status with your brother if you did not say that he or she should not.

BUT:

Your nurse may not discuss your condition with your brother if you tell your nurse not to.

October 2018

Tags: HIPPA, Disclosures

If I am unconscious or not around, can my health care provider still share or discuss my health information with my family, friends, or others involved in my care or payment for my care?

Yes. If you are not around or cannot give permission, your health care provider may share or discuss your health information with family, friends, or others involved in your care or payment for your care if he or she believes, in his or her professional judgment, that it is in your best interest. When someone other than a friend or family member is asking about you, your health care provider must be reasonably sure that you asked the person to be involved in your care or payment for your care. Your health care provider may share your information face to face, over the phone, or in writing, but may only share the information that the family member, friend, or other person needs to know about your care or payment for your care.

Here are some examples:

A surgeon who did emergency surgery on you may tell your spouse about your condition, either in person or by phone, while you are unconscious.
A pharmacist may give your prescription to a friend you send to pick it up.
A doctor may discuss your drugs with your caregiver who calls your doctor with a question about the right dosage.

BUT:

A nurse may not tell your friend about a past medical problem that is unrelated to your current condition.

Here are some examples:

An emergency room doctor may discuss a patient’s treatment in front of the patient’s friend if the patient asks that her friend come into the treatment room.
A doctor’s office may discuss a patient’s bill with the patient’s adult daughter who is with the patient at the patient’s medical appointment and has questions about the charges.
A doctor may discuss the drugs a patient needs to take with the patient’s health aide who has accompanied the patient to a medical appointment.
A doctor may give information about a patient’s mobility limitations to the patient’s sister who is driving the patient home from the hospital.
A nurse may discuss a patient’s health status with the patient’s brother if she informs the patient she is going to do so and the patient does not object.

BUT:

A nurse may not discuss a patient’s condition with the patient’s brother after the patient has stated she does not want her family to know about her condition.

October 2018

Tags: HIPPA, Disclosures

If the patient is not present or is incapacitated, may a health care provider still share the patient’s health information with family, friends, or others involved in the patient’s care or payment for care?

Yes. If the patient is not present or is incapacitated, a health care provider may share the patient’s information with family, friends, or others as long as the health care provider determines, based on professional judgment, that it is in the best interest of the patient. When someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care. The health care provider may discuss only the information that the person involved needs to know about the patient’s care or payment.

Here are some examples:

A surgeon who did emergency surgery on a patient may tell the patient’s spouse about the patient’s condition while the patient is unconscious.
A pharmacist may give a prescription to a patient’s friend who the patient has sent to pick up the prescription.
A hospital may discuss a patient’s bill with her adult son who calls the hospital with questions about charges to his mother’s account.
A health care provider may give information regarding a patient’s drug dosage to the patient’s health aide who calls the provider with questions about the particular prescription.

BUT:

A nurse may not tell a patient’s friend about a past medical problem that is unrelated to the patient’s current condition.
A health care provider is not required by HIPAA to share a patient’s information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the disclosure.

October 2018

Tags: HIPPA, Disclosures

Does HIPAA require that a health care provider document a patient’s decision to allow the provider to share his or her health information with a family member, friend, or other person involved in the patient’s care or payment for care?

No. HIPAA does not require that a health care provider document the patient’s agreement or lack of objection. However, a health care provider is free to obtain or document the patient’s agreement, or lack of objection, in writing, if he or she prefers. For example, a provider may choose to document a patient’s agreement to share information with a family member with a note in the patient’s medical file.

October 2018

Tags: HIPPA, Disclosures

May a health care provider discuss a patient’s health information over the phone with the patient’s family, friends, or others involved in the patient’s care or payment for care?

Yes. Where a health care provider is allowed to share a patient’s health information with a person, information may be shared face-to-face, over the phone, or in writing.

October 2018

Tags: HIPPA, Disclosures

If a patient’s family member, friend, or other person involved in the patient’s care or payment for care calls a health care provider to ask about the patient’s condition, does HIPAA require the health care provider to obtain proof of who the person is before speaking with them?

No. If the caller states that he or she is a family member or friend of the patient, or is involved in the patient’s care or payment for care, then HIPAA doesn’t require proof of identity in this case. However, a health care provider may establish his or her own rules for verifying who is on the phone. In addition, when someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care.

October 2018

Tags: HIPPA, Disclosures

Can a patient have a family member, friend, or other person pick up a filled prescription, medical supplies, x-rays, or other similar forms of patient information, for the patient?

Yes. HIPAA allows health care providers to use professional judgment and experience to decide if it is in the patient’s best interest to allow another person to pick up a prescription, medical supplies, X-rays, or other similar forms of information for the patient.

For example, the fact that a relative or friend arrives at a pharmacy and asks to pick up a specific prescription for a patient effectively verifies that he or she is involved in the patient’s care. HIPAA allows the pharmacist to give the filled prescription to the relative or friend. The patient does not need to provide the pharmacist with their names in advance.

October 2018

Tags: HIPPA, Disclosures

May a health care provider share a patient’s health information with an interpreter to communicate with the patient or with the patient’s family, friends, or others involved in the patient’s care or payment for care?

Yes. HIPAA allows covered health care providers to share a patient’s health information with an interpreter without the patient’s written authorization under the following circumstances:

A health care provider may share information with an interpreter who works for the provider (e.g., a bilingual employee, a contract interpreter on staff, or a volunteer).

For example, an emergency room doctor may share information about an incapacitated patient’s condition with an interpreter on staff who relays the information to the patient’s family.

A health care provider may share information with an interpreter who is acting on its behalf (but is not a member of the provider’s workforce) if the health care provider has a written contract or other agreement with the interpreter that meets HIPAA’s business associate contract requirements.

For example, many providers are required under Title VI of the Civil Rights Act of 1964 to take reasonable steps to provide meaningful access to persons with limited English proficiency. These providers often have contracts with private companies, community-based organizations, or telephone interpreter service lines to provide language interpreter services. These arrangements must comply with the HIPAA business associate agreement requirements at 45 C.F.R. 164.504(e).

A health care provider may share information with an interpreter who is the patient’s family member, friend, or other person identified by the patient as his or her interpreter, if the patient agrees, or does not object, or the health care provider determines, using his or her professional judgment, that the patient does not object.

For example, health care providers sometimes see patients who speak a certain language and the provider has no employee, volunteer, or contractor who can competently interpret that language. If the provider is aware of a telephone interpreter service that can help, the provider may have that interpreter tell the patient that the service is available. If the provider decides, based on professional judgment, that the patient has chosen to continue using the interpreter, the provider may talk to the patient using the interpreter.

October 2018

Tags: HIPPA, Disclosures

May a health plan disclose protected health information to a person who calls the plan on the beneficiary’s behalf?

Yes, subject to the conditions set forth in 45 CFR 164.510(b) of the HIPAA Privacy Rule. The Privacy Rule at 45 CFR 164.510(b) permits a health plan (or other covered entity) to disclose to a family member, relative, or close personal friend of the individual, the protected health information (PHI) directly relevant to that person’s involvement with the individual’s care or payment for care. A covered entity also may make these disclosures to persons who are not family members, relatives, or close personal friends of the individual, provided the covered entity has reasonable assurance that the person has been identified by the individual as being involved in his or her care or payment.

A covered entity only may disclose the relevant PHI to these persons if the individual does not object or the covered entity can reasonably infer from the circumstances that the individual does not object to the disclosure; however, when the individual is not present or is incapacitated, the covered entity can make the disclosure if, in the exercise of professional judgment, it believes the disclosure is in the best interests of the individual.

For example:

A health plan may disclose relevant PHI to a beneficiary’s daughter who has called to assist her hospitalized, elderly mother in resolving a claims or other payment issue.
A health plan may disclose relevant PHI to a human resources representative who has called the plan with the beneficiary also on the line, or who could turn the phone over to the beneficiary, who could then confirm for the plan that the representative calling is assisting the beneficiary.
A health plan may disclose relevant PHI to a Congressional office or staffer that has faxed to the plan a letter or e-mail it received from the beneficiary requesting intervention with respect to a health care claim, which assures the plan that the beneficiary has requested the Congressional office’s assistance.
A Medicare Part D plan may disclose relevant PHI to a staff person with the Centers for Medicare and Medicaid Services (CMS) who contacts the plan to assist an individual regarding the Part D benefit, if the information offered by the CMS staff person about the individual and the individual’s concerns is sufficient to reasonably satisfy the plan that the individual has requested the CMS staff person’s assistance.

October 2018

Tags: HIPPA, Disclosures

Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with a person who is not married to the patient or is otherwise not recognized as a relative of the patient under applicable law (e.g., state law)?

Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) permits covered entities to share with an individual’s family member, other relative, close personal friend, or any other person identified by the individual, the information directly relevant to the involvement of that person in the patient’s care or payment for health care. In addition, HIPAA allows a covered entity to disclose information about a patient as necessary to notify, or assist in the notification of (including by helping to identify or locate), such a person of the patient’s location, general condition, or death. In either circumstance, the person can be a patient’s family member, relative, guardian, caregiver, friend, spouse, or partner. The Privacy Rule defers to a covered entity’s professional judgment in these cases and does not require the entity to verify that a person is a family member, friend, or otherwise involved in the patient’s care or payment for care.

HIPAA permits a covered entity to share PHI with anyone from the list of potential recipients, subject to the conditions included at 45 CFR 164.510(b) and described below. Moreover, the list of potential recipients of PHI under 45 CFR 164.510(b) is in no way limited or impacted by the sex or gender identity of either the patient or the potential recipient.

When making disclosures to the persons listed under 45 CFR 164.510(b), a covered entity should get verbal permission from the patient when possible, or otherwise be able to reasonably infer that the patient does not object to the disclosure, before disclosing information to these persons. If the patient is incapacitated or not available, a covered entity may share information when, in its professional judgment, doing so is in the patient’s best interest. Finally, if the individual is deceased, a covered entity may share information with a person who was involved in the individual’s care or payment for care prior to the individual’s death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.

In contrast to the permitted disclosures described above, there are circumstances in which a covered entity is required to disclose information to a family member or other person involved in an individual’s care. Specifically, in some cases, a spouse, partner, or other person involved in a patient’s care will be the patient’s personal representative and thus generally have the authority to exercise the patient’s rights under the HIPAA Privacy Rule on the patient’s behalf, such as the right to access medical and other health records as provided at 45 CFR 164.524(a). A covered entity must treat all personal representatives as the individual for purposes of the Privacy Rule, in accordance with 45 CFR 164.502(g). This means a covered entity may not deny a personal representative, as defined in 45 CFR 164.502(g), the rights afforded to the personal representative under 45 CFR 164.502(g) of the Privacy Rule for any reason, including because of the sex or gender identity of the personal representative. For example, if a state grants legally married spouses health care decision making authority for each other, such that legally married spouses are personal representatives under 45 CFR 164.502(g), the legally married spouse is the patient’s personal representative and a covered entity must provide the spouse access to the patient’s records. In this example, a covered entity that does not provide a patient’s lawful spouse with access because of the sex of the spouses would be in violation of the Privacy Rule. Similarly, if a person has been granted a legal health care power of attorney for an individual that grants the person the authority to make health care decisions for the individual in a state, that person satisfies the definition of personal representative and a covered entity in that state that denies the person personal representative status because of the gender identity of the person would be in violation of the Privacy Rule.

For more information about HIPAA and Marriage, see http://www.hhs.gov/hipaa/for-professionals/special-topics/same-sex-marriage/index.html.” . More general information about when HIPAA permits disclosures to family members, friends, and others involved in a patient’s care or payment for care is available at http://www.hhs.gov/hipaa/for-individuals/family-members-friends/index.html (for individuals) and at http://www.hhs.gov/sites/default/files/provider_ffg.pdf – PDF

October 2018

Tags: HIPPA, Disclosures

What do the HIPAA Privacy and Security Rules require of covered entities when they dispose of protected health information?

The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. See 45 CFR 164.530(c). This means that covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI, including in connection with the disposal of such information. In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use. See 45 CFR 164.310(d)(2)(i) and (ii). Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.

Further, covered entities must ensure that their workforce members receive training on and follow the disposal policies and procedures of the covered entity, as necessary and appropriate for each workforce member. See 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i). Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers. See 45 CFR 160.103 (definition of “workforce”).

Thus, covered entities are not permitted to simply abandon PHI or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons. However, the Privacy and Security Rules do not require a particular disposal method. Covered entities must review their own circumstances to determine what steps are reasonable to safeguard PHI through disposal, and develop and implement policies and procedures to carry out those steps. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the form, type, and amount of PHI to be disposed. For instance, the disposal of certain types of PHI such as name, social security number, driver’s license number, debit or credit card number, diagnosis, treatment information, or other sensitive information may warrant more care due to the risk that inappropriate access to this information may result in identity theft, employment or other discrimination, or harm to an individual’s reputation.

In general, examples of proper disposal methods may include, but are not limited to:

For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).

For more information on proper disposal of electronic PHI, see the HHS HIPAA Security Series 3: Security Standards – Physical Safeguards – PDF. In addition, for practical information on how to handle sanitization of PHI throughout the information life cycle, readers may consult NIST SP 800-88, Guidelines for Media Sanitization. – PDF

Other methods of disposal also may be appropriate, depending on the circumstances. Covered entities are encouraged to consider the steps that other prudent health care and health information professionals are taking to protect patient privacy in connection with record disposal. In addition, if a covered entity is winding up a business, the covered entity may wish to consider giving patients the opportunity to pick up their records prior to any disposition by the covered entity (and note that many states may impose requirements on covered entities to retain and make available for a limited time, as appropriate, medical records after dissolution of a business).

October 2018

Tags: HIPPA, Disposal of Protected Health Information

May a covered entity dispose of protected health information in dumpsters accessible by the public?

No, unless the protected health information (PHI) has been rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster. In general, a covered entity may not dispose of PHI in paper records, labeled prescription bottles, hospital identification bracelets, PHI on electronic media, or other forms of PHI in dumpsters, recycling bins, garbage cans, or other trash receptacles generally accessible by the public or other unauthorized persons. The HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of PHI, in any form, including in connection with the disposal of such information. See 45 CFR 164.530(c). In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored. See 45 CFR 164.310(d)(2)(i). Depositing PHI in a trash receptacle generally accessible by the public or other unauthorized persons is not an appropriate privacy or security safeguard. Instead, covered entities must implement reasonable safeguards to limit incidental, and avoid prohibited, uses and disclosures of PHI. Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI.

For example, depending on the circumstances, proper disposal methods may include (but are not limited to):

Shredding or otherwise destroying PHI in paper records so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed prior to it being placed in a dumpster or other trash receptacle.
Maintaining PHI for disposal in a secure area and using a disposal vendor as a business associate to pick up and shred or otherwise destroy the PHI.
In justifiable cases, based on the size and the type of the covered entity, and the nature of the PHI, depositing PHI in locked dumpsters that are accessible only by authorized persons, such as appropriate refuse workers.
For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).

October 2018

Tags: HIPPA, Disposal of Protected Health Information

May a covered entity hire a business associate to dispose of protected health information?

Yes, a covered entity may, but is not required to, hire a business associate to appropriately dispose of protected health information (PHI) on its behalf. In doing so, the covered entity must enter into a contract or other agreement with the business associate that requires the business associate, among other things, to appropriately safeguard the PHI through disposal. See 45 CFR 164.308(b), 164.314(a), 164.502(e), and 164.504(e). Thus, for example, a covered entity may hire an outside vendor to pick up PHI in paper records or on electronic media from its premises, shred, burn, pulp, or pulverize the PHI, or purge or destroy the electronic media, and deposit the deconstructed material in a landfill or other appropriate area.

October 2018

Tags: HIPPA, Disposal of Protected Health Information

May a covered entity reuse or dispose of computers or other electronic media that store electronic protected health information?

Yes, but only if certain steps have been taken to remove the electronic protected health information (ePHI) stored on the computers or other media before its disposal or reuse, or if the media itself is destroyed before its disposal. The HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored, as well as to implement procedures for removal of ePHI from electronic media before the media are made available for reuse. See 45 CFR 164.310(d)(2)(i) and (ii). Depending on the circumstances, appropriate methods for removing ePHI from electronic media prior to reuse or disposal may be by clearing (using software or hardware products to overwrite media with non-sensitive data) or purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains) the information from the electronic media. If circumstances warrant the destruction of the electronic media prior to disposal, destruction methods may include disintegrating, pulverizing, melting, incinerating, or shredding the media. Covered entities may contract with business associates to perform these services for them.

October 2018

Tags: HIPPA, Disposal of Protected Health Information

How should home health workers or other workforce members of a covered entity dispose of protected health information that they use off of the covered entity’s premises?

The HIPAA Privacy Rule requires that covered entities develop and apply policies and procedures for appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), including through final disposition. See 45 CFR 164.530(c). In addition, the HIPAA Security Rule requires that covered entities implement policies and procedures to address the final disposition of electronic PHI and/or the hardware or electronic media on which it is stored. See 45 CFR 164.310(d)(2)(i). The Rules are flexible and thus, do not specify particular types of disposal methods; however, covered entities must ensure that the disposal method reasonably protects against impermissible uses and disclosures of PHI and protects against reasonably anticipated threats or hazards to the security of electronic PHI. See 45 CFR 164.530(c)(2) and 164.306(a). Whatever the disposal method, a covered entity must ensure that appropriate workforce members, either working on the premises or off-site, receive training on and follow the disposal policies and procedures of the covered entity. See 45 CFR 164.530(b) and (i), as well as 164.306(a)(4) and 164.308(a)(5) with regard to electronic PHI. These policies and procedures could require, for example, that employees or other workforce members who use PHI off-site, including electronic PHI, return all PHI to the covered entity for appropriate disposal. Or, for example, if appropriate under the circumstances, a covered entity could give off-site workforce members the option of either properly shredding PHI in paper records themselves or returning the PHI to the covered entity for disposal. In cases where workforce members fail to comply with the covered entity’s disposal policies and procedures, the covered entity must apply appropriate sanctions. See 45 CFR 164.530(e).

October 2018

Tags: HIPPA, Disposal of Protected Health Information

Does the HIPAA Privacy Rule require covered entities to keep patients’ medical records for any period of time?

No, the HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal. See 45 CFR 164.530(c).

October 2018

Tags: HIPPA, Disposal of Protected Health Information

Are hospitals able to inform the clergy about parishioners in the hospital?

Yes, the HIPAA Privacy Rule allows this communication to occur, as long as the patient has been informed of this use and disclosure, and does not object. The Privacy Rule provides that a hospital or other covered health care provider may maintain in a directory the following information about that individual: the individual’s name; location in the facility; health condition expressed in general terms; and religious affiliation.

The facility may disclose this directory information to members of the clergy. Thus, for example, a hospital may disclose the names of Methodist patients to a Methodist minister unless a patient has restricted such disclosure. Directory information, except for religious affiliation, may be disclosed only to other persons who ask for the individual by name. When, due to emergency circumstances or incapacity, the patient has not been provided an opportunity to agree or object to being included in the facility’s directory, these disclosures may still occur, if such disclosure is consistent with any known prior expressed preference of the individual and the disclosure is in the individual’s best interest as determined in the professional judgment of the provider. See 45 CFR 164.510(a).

October 2018

Tags: HIPPA

Does the HIPAA Privacy Rule limit an individual’s ability to gather and share family medical history information?

No. The HIPAA Privacy Rule may limit how a covered entity (for example, a health plan or most health care providers) uses or discloses individually identifiable health information, but does not prevent individuals, themselves, from gathering medical information about their family members or from deciding to share this information with family members or others, including their health care providers. Thus, individuals are free to provide their doctors with a complete family medical history or communicate with their doctors about conditions that run in the family.

October 2018

Tags: HIPPA, Medical History

Does the HIPAA Privacy Rule limit what a doctor can do with a family medical history?

Yes, if the doctor is a “covered entity” under the HIPAA Privacy Rule. A doctor, who conducts certain financial and administrative transactions electronically, such as electronically billing Medicare or other payers for health care services, is considered a covered health care provider. The HIPAA Privacy Rule limits how a covered health care provider may use or disclose protected health information. The HIPAA Privacy Rule allows a covered health care provider to use or disclose protected health information (other than psychotherapy notes), including family history information, for treatment, payment, and health care operation purposes without obtaining the individual’s written authorization or other agreement. The HIPAA Privacy Rule also generally allows covered entities to disclose protected health information without obtaining the individual’s written authorization or other agreement for certain purposes to benefit the public, for example, circumstances that involve public health research or health oversight activities.

When a covered health care provider, in the course of treating an individual, collects or otherwise obtains an individual’s family medical history, this information becomes part of the individual’s medical record and is treated as “protected health information” about the individual. Thus, the individual (and not the family members included in the medical history) may exercise the rights under the HIPAA Privacy Rule to this information in the same fashion as any other information in the medical record, including the right of access, amendment, and the ability to authorize disclosure to others.

October 2018

Tags: HIPPA, Medical History

Does the HIPAA Privacy Rule apply to an elementary or secondary school?

Generally, no. In most cases, the HIPAA Privacy Rule does not apply to an elementary or secondary school because the school either: (1) is not a HIPAA covered entity or (2) is a HIPAA covered entity but maintains health information only on students in records that are by definition “education records” under FERPA and, therefore, is not subject to the HIPAA Privacy Rule.

The school is not a HIPAA covered entity. The HIPAA Privacy Rule only applies to health plans, health care clearinghouses, and those health care providers that transmit health information electronically in connection with certain administrative and financial transactions (“covered transactions”). See 45 CFR § 160.102. Covered transactions are those for which the U.S. Department of Health and Human Services has adopted a standard, such as health care claims submitted to a health plan. See the definition of “transaction” at 45 CFR § 160.103 and 45 CFRPart 162, Subparts K–R. Thus, even though a school employs school nurses, physicians, psychologists, or other health care providers, the school is not generally a HIPAA covered entity because the providers do not engage in any of the covered transactions, such as billing a health plan electronically for their services. It is expected that most elementary and secondary schools fall into this category.
The school is a HIPAA covered entity but does not have “protected health information.” Where a school does employ a health care provider that conducts one or more covered transactions electronically, such as electronically transmitting health care claims to a health plan for payment, the school is a HIPAA covered entity and must comply with the HIPAA Transactions and Code Sets and Identifier Rules with respect to such transactions. However, even in this case, many schools would not be required to comply with the HIPAA Privacy Rule because the school maintains health information only in student health records that are “education records” under FERPA and, thus, not “protected health information” under HIPAA. Because student health information in education records is protected by FERPA, the HIPAA Privacy Rule excludes such information from its coverage. See the exception at paragraph (2)(i) to the definition of “protected health information” in the HIPAA Privacy Rule at 45 CFR § 160.103. For example, if a public high school employs a health care provider that bills Medicaid electronically for services provided to a student under the IDEA, the school is a HIPAA covered entity and would be subject to the HIPAA requirements concerning transactions. However, if the school’s provider maintains health information only in what are education records under FERPA, the school is not required to comply with the HIPAA Privacy Rule. Rather, the school would have to comply with FERPA’s privacy requirements with respect to its education records, including the requirement to obtain parental consent (34 CFR § 99.30) in order to disclose to Medicaid billing information about a service provided to a student.

October 2018

Tags: HIPPA, FERPA

Does FERPA or HIPAA apply to elementary or secondary school student health records maintained by a health care provider that is not employed by a school?

If a person or entity acting on behalf of a school subject to FERPA, such as a school nurse that provides services to students under contract with or otherwise under the direct control of the school, maintains student health records, these records are education records under FERPA, just as they would be if the school maintained the records directly. This is the case regardless of whether the health care is provided to students on school grounds or off-site. As education records, the information is protected under FERPA and not HIPAA.

Some outside parties provide services directly to students and are not employed by, under contract to, or otherwise acting on behalf of the school. In these circumstances, these records are not “education records” subject to FERPA, even if the services are provided on school grounds, because the party creating and maintaining the records is not acting on behalf of the school. For example, the records created by a public health nurse who provides immunization or other health services to students on school grounds or otherwise in connection with school activities but who is not acting on behalf of the school would not be “education records” under FERPA. In such situations, a school that wishes to disclose to this outside party health care provider any personally identifiable information from education records would have to comply with FERPA and obtain parental consent. See 34 CFR § 99.30.

With respect to HIPAA, even where student health records maintained by a health care provider are not education records protected by FERPA, the HIPAA Privacy Rule would apply to such records only if the provider conducts one or more of the HIPAA transactions electronically, e.g., billing a health plan electronically for his or her services, making the provider a HIPAA covered entity.

October 2018

Tags: HIPPA, FERPA

Are there circumstances in which the HIPAA Privacy Rule might apply to an elementary or secondary school?

There are some circumstances in which an elementary or secondary school would be subject to the HIPAA Privacy Rule, such as where the school is a HIPAA covered entity and is not subject to FERPA. As explained previously, most private schools at the elementary and secondary school levels typically do not receive funding from the U.S. Department of Education and, therefore, are not subject to FERPA.

A school that is not subject to FERPA and is a HIPAA covered entity must comply with the HIPAAPrivacy Rule with respect to any individually identifiable health information it has about students and others to whom it provides health care. For example, if a private elementary school that is not subject to FERPA employs a physician who bills a health plan electronically for the care provided to students (making the school a HIPAA covered entity), the school is required to comply with the HIPAA Privacy Rule with respect to the individually identifiable health information of its patients. The only exception would be where the school, despite not being subject to FERPA, has education records on one or more students to whom it provides services on behalf of a school or school district that is subject to FERPA. In this exceptional case, the education records of only those publicly-placed students held by the private school would be subject to FERPA, while the remaining student health records would be subject to the HIPAA Privacy Rule.

October 2018

Tags: HIPPA, FERPA

Where the HIPAA Privacy Rule applies, does it allow a health care provider to disclose protected health information (PHI) about a troubled teen to the parents of the teen?

In most cases, yes. If the teen is a minor, the HIPAA Privacy Rule generally allows a covered entity to disclose PHI about the child to the child’s parent, as the minor child’s personal representative, when the disclosure is not inconsistent with state or other law. For more detailed information, see 45 CFR § 164.502(g) and the personal representatives fact sheet. In some cases, such as when a minor may receive treatment without a parent’s consent under applicable law, the parents are not treated as the minor’s personal representative. See 45 CFR § 164.502(g)(3). In such cases where the parent is not the personal representative of the teen, other HIPAA Privacy Rule provisions may allow the disclosure of PHI about the teen to the parent. For example, if a provider believes the teen presents a serious danger to self or others, the HIPAA Privacy Rule permits a covered entity to disclose PHI to a parent or other person(s) if the covered entity has a good faith belief that: (1) the disclosure is necessary to prevent or lessen the threat and (2) the parent or other person(s) is reasonably able to prevent or lessen the threat. The disclosure also must be consistent with applicable law and standards of ethical conduct. See 45 CFR § 164.512(j)(1)(i).

In addition, the Privacy Rule permits covered entities to share information that is directly relevant to the involvement of a family member in the patient’s health care or payment for care if, when given the opportunity, the patient does not object to the disclosure. Even when the patient is not present or it is impracticable, because of emergency circumstances or the patient’s incapacity, for the covered entity to ask the patient about discussing his or her care or payment with a family member, a covered entity may share this information with the family member when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR § 164.510(b).

October 2018

Tags: HIPPA, FERPA

Does the HIPAA Privacy Rule allow a health care provider to disclose protected health information (PHI) about a student to a school nurse or physician?

Yes. The HIPAA Privacy Rule allows covered health care providers to disclose PHI about students to school nurses, physicians, or other health care providers for treatment purposes, without the authorization of the student or student’s parent. For example, a student’s primary care physician may discuss the student’s medication and other health care needs with a school nurse who will administer the student’s medication and provide care to the student while the student is at school. In addition, a covered health care provider may disclose proof of a student’s immunizations directly to a school nurse or other person designated by the school to receive immunization records if the school is required by State or other law to have such proof prior to admitting the student, and a parent, guardian, or other person acting in loco parentis has agreed to the disclosure. See 45 CFR 164.512(b)(1)(vi).

October 2018

Tags: HIPPA, FERPA

Does FERPA or HIPAA apply to records on students at health clinics run by postsecondary institutions?

FERPA applies to most public and private postsecondary institutions and, thus, to the records on students at the campus health clinics of such institutions. These records will be either education records or treatment records under FERPA, both of which are excluded from coverage under the HIPAA Privacy Rule, even if the school is a HIPAA covered entity. See the exceptions at paragraphs (2)(i) and (2)(ii) to the definition of “protected health information” at 45 CFR § 160.103.

The term “education records” is broadly defined under FERPA to mean those records that are: (1) directly related to a student and (2) maintained by an educational agency or institution or by a party acting for the agency or institution. See 34 CFR § 99.3, “Education records.”

“Treatment records” under FERPA, as they are commonly called, are: records on a student who is eighteen years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice.

See 20 U.S.C. § 1232g(a)(4)(B)(iv); 34 CFR § 99.3, “Education records.” For example, treatment records would include health or medical records that a university psychologist maintains only in connection with the provision of treatment to an eligible student, and health or medical records that the campus health center or clinic maintains only in connection with the provision of treatment to an eligible student. (Treatment records also would include health or medical records on an eligible student in high school if the records otherwise meet the above definition.)

Yes. The Privacy Rule requires a health plan to remind enrollees of the availability of its Notice of Privacy Practices, as well as how to obtain a copy, no less frequently than once every 3 years. See 45 CFR 164.520(c)(1)(ii).

Health plans may satisfy this requirement in a number of ways, including by:

Sending a copy of their Notice of Privacy Practices.
Mailing only a reminder concerning the availability of the Notice of Privacy Practices and information on how to obtain a copy.
Including in a plan-produced newsletter or other publication information about the availability of the Notice of Privacy Practices and how to obtain a copy.

Health plans already may have satisfied the reminder requirement in a number of ways. For instance, a health plan may have adopted the practice of sending its Notice of Privacy Practices to subscribers and enrollees annually. Or, a health plan may have substantially amended its Notice of Privacy Practices recently, and thus, sent the revised Notice to its subscribers and enrollees as required by the Privacy Rule. See 45 CFR 164.520(c)(1)(i)(C). Moreover, a plan may have included information regarding the availability of its Notice of Privacy Practices in annual communications sent to subscribers and enrollees of the plan.

A health plan can satisfy the requirement by providing the reminder notice to the named insured of a policy under which coverage is provided to that named insured and one or more dependents. See 45 CFR 164.520(c)(1)(iii). For instance, if an employee of a firm and her three dependents are covered under a single health plan policy, that health plan can satisfy the reminder requirement by sending information concerning the availability of the Notice of Privacy Practices to just the employee, rather than to the employee and each dependent.

This information is especially timely as the third anniversary of the compliance date of the HIPAA Privacy Rule nears. Health plans, other than small health plans, were first required to distribute their Notice of Privacy Practices to subscribers and enrollees by April 14, 2003. Thus, those health plans that have not already reminded subscribers and enrollees in some manner of the availability of their Notice of Privacy Practices and how they may obtain a copy, must do so no later than April 14, 2006. For small health plans, which had until April 14, 2004, to first distribute their Notices of Privacy Practices, the compliance date for the triennial reminder notice requirement is April 14, 2007. These plans can begin to prepare now to meet this requirement using the most efficient means, such as including the reminder notice of the availability of the Notice of Privacy Practices in open enrollment materials, a group health plan newsletter provided to all members, or similar all-member mailings.

October 2018

Tags: HIPPA, Group Health Plan

What is a covered entity’s liability under the HIPAA Privacy Rule for sharing data inappropriately to or through a health information organization (HIO) or other electronic health information exchange network?

A covered entity that exchanges protected health information (PHI) to or through a HIO or otherwise participates in electronic health information exchange is responsible for its own non-compliance with the Privacy Rule, and for violations by its workforce. A covered entity is not directly liable for a violation of the Privacy Rule by a HIO acting as its business associate, if an appropriate business associate agreement is in place. Nor can a HIO as a business associate be held liable for civil money penalties arising from violations of the Privacy Rule. Rather, where a business associate agreement exists between a covered entity and a HIO for the electronic exchange of PHI, the HIO will be contractually obligated to adequately safeguard the PHI and to report noncompliance with the agreement terms to the covered entity, and the covered entity will be held accountable for taking appropriate action to cure known noncompliance by the business associate, and if unable to do so, to terminate the business associate relationship. See 45 C.F.R. §§ 164.502(e), 164.504(e). Furthermore, a covered entity is not liable for a disclosure that is based on the non-compliance of another entity within the health information exchange, as long as the covered entity has complied with the Privacy Rule.

October 2018

Tags: HIPPA, Health Information Technology

Does the HIPAA Privacy Rule require a covered entity to “police” a health information organization (HIO), which functions as its business associate?

No. As with other business associates, the Privacy Rule would require that a covered entity enter into a relationship with a HIO in a way which anticipates and reasonably safeguards against the potential for inappropriate uses and disclosures, specifically through the use of a business associate agreement. The Privacy Rule also would require the covered entity to respond appropriately to complaints and evidence of violations, but it would not otherwise require the covered entity to actively monitor or oversee the extent to which a HIO, acting as its business associate, abides by the privacy provisions of the agreement, or the means by which the HIO carries out its privacy safeguard obligations. See 45 C.F.R. §§ 164.502(e), 164.504(e).

October 2018

Tags: HIPPA, Health Information Technology

How should a covered entity respond to any HIPAA Privacy Rule violation of a health information organization (HIO) acting as its business associate?

The Privacy Rule establishes a series of steps a covered entity should take in response to any complaints or other evidence it receives that a HIO has violated its business associate agreement, which include the following:

investigation of any complaint received, as well as of other information containing credible evidence of a violation;
reasonable steps to cure/end any material breaches or violations it becomes aware of;
termination of the agreement where attempts to cure a material breach are unsuccessful; and
in the event termination of the agreement is not feasible, the report of violation(s) to the Secretary of HHS, through OCR. See 45 C.F.R. § 164.504(e).

Depending on the type of request or disclosure, it may be that some or many of the requests or disclosures to or through the health information organization (HIO) by a covered entity may not be subject to the Privacy Rule’s minimum necessary standard. This would be true in the case of a HIO whose primary purpose is to exchange electronic PHI between and among several hospitals, doctors, pharmacies, and other health care providers for treatment. However, even though the Privacy Rule does not require that the minimum necessary standard be applied to electronic health information exchanges for treatment purposes, the covered entities participating in the electronic networked environment and the HIO are free to apply the concepts of the minimum necessary standard to develop policies that limit the information they include and exchange, even for treatment purposes. For electronic health information exchanges by a covered entity to and through a HIO that are subject to the minimum necessary standard, such as for a payment or health care operations purpose, the Privacy Rule would require that the minimum necessary standard be applied to that exchange and that the business associate agreement limit the HIO’s disclosures of, and requests for, PHI accordingly. However, as one covered entity may rely, if reasonable, on another covered entity’s request as being the minimum necessary amount of PHI, the HIO’s business associate agreement similarly can authorize and instruct the HIO to rely on the requests of covered entities as the minimum necessary, where appropriate, to help facilitate disclosures between covered entities.

The Privacy Rule’s verification standard requires that covered entities develop and implement reasonable policies and procedures to verify the identity and authority of such persons, if otherwise unknown to them, before granting them access to protected health information (PHI). See 45 C.F.R. § 164.514(h). Once verified, the personal representative can then be given the appropriate credentials for authentication and access through an electronic system. The Privacy Rule allows covered entities to rely on their professional judgment, as well as industry standards, in designing reasonable verification and authentication processes.

The Privacy Rule permits a covered entity to assign this function to a HIO, acting as its business associate, so long as the relevant standards are complied with. For example, a covered entity could use the HIO to assign the appropriate credentials and authenticate personal representatives, and any others, seeking access to PHI.

October 2018

Tags: HIPPA, Health Information Technology

How may judgments be made electronically about denial of access under the HIPAA Privacy Rule?

The Privacy Rule differentiates between two types of denial, reviewable and unreviewable. See 45 C.F.R. § 164.524(a)(2), (3). As to the unreviewable grounds for denial, there are essentially two decisions a covered entity will need to make with respect to electronic access: 1) whether it may deny access based on one or more of the grounds identified by the Privacy Rule; and 2) how to implement such decisions categorically in the electronic environment.

A covered entity may decide, for example, to categorically deny access to certain types of information to which no access right exists, such as psychotherapy notes. The Privacy Rule would permit denial without review, and a case-by-case judgment would not be necessary. Similarly, the covered entity may make such a system-wide decision with respect to other types of protected health information where the Privacy Rule permits an unreviewable denial of access.

In contrast, reviewable grounds for denial of access require decisions be made on a case-by-case basis through the professional judgment of licensed health care providers. Professional judgment also would be required if individuals exercise their right to appeal a denial of access made on reviewable grounds. As computer logic cannot be a substitute for professional judgment in these cases, these types of activities cannot be carried out categorically or in an automated way. Neither could these decisions be delegated to a health information organization (HIO), unless a licensed health care professional at the HIO were assigned the task of making the access determinations.

October 2018

Tags: HIPPA, Health Information Technology

Does the HIPAA Privacy Rule inhibit electronic health information exchange across different states or jurisdictions?

No. The Privacy Rule establishes a federal baseline of privacy protections and rights, which applies to covered entities consistently across state borders. The Privacy Rule, however, as required by HIPAA, does not preempt State laws that provide greater privacy protections and rights. Thus, as with covered entities that conduct business today on paper in a multi-jurisdictional environment, covered entities participating in electronic health information exchange need to be cognizant of States with more stringent privacy laws that will affect the exchange of electronic health information across State lines. In addition, other Federal laws also may apply more stringent or different requirements to such exchanges depending on the circumstances. Covered entities and health information organizations (acting as their business associates) which participate in multi-jurisdictional electronic health information exchange should establish privacy policies for the network that accommodate these variances.

October 2018

Tags: HIPPA, Health Information Technology

How do HIPAA authorizations apply to an electronic health information exchange environment?

The HIPAA Privacy Rule requires the individual’s written authorization for any use or disclosure of protected health information (PHI) not otherwise expressly permitted or required by the Privacy Rule. For example, authorizations are not generally required to disclose PHI for treatment, payment, or health care operations purposes because covered entities are permitted to use and disclose PHI for such purposes, with few exceptions. Thus, to the extent the primary purpose of any electronic health information exchange is to exchange clinical information among health care providers for treatment, HIPAA authorizations are unlikely to be a common method of effectuating individual choice for the exchange. However, if the purpose of a covered entity sharing PHI through a health information organization is for a purpose not otherwise permitted by the Privacy Rule, then a HIPAA authorization would be required. In such cases, the Privacy Rule would allow covered entities to disclose PHI pursuant to an electronic copy of a valid and signed authorization. Further, the Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals, provided any electronic signature is valid under applicable law.

October 2018

Tags: HIPPA, Health Information Technology

Can a covered entity use existing aspects of the HIPAA Privacy Rule to give individuals the right to Opt-In or Opt-Out of electronic health information exchange?

Yes. In particular, the Privacy Rule’s provisions for optional consent and the right to request restrictions can support and facilitate individual choice with respect to the electronic exchange of health information through a networked environment, depending on the purposes of the exchange. The Privacy Rule allows covered entities to obtain the individual’s consent in order to use or disclose protected health information (PHI) for treatment, payment, and health care operations purposes. If a covered entity chooses to obtain consent, the Privacy Rule provides the covered entity with complete flexibility as to the content and manner of obtaining the consent. 45 C.F.R. § 164.506(b). Similarly, the Privacy Rule also provides individuals with a right to request that a covered entity restrict uses or disclosures of PHI about the individual for treatment, payment, or health care operations purposes. See 45 C.F.R. § 164.522(a). While covered entities are not required to agree to an individual’s request for a restriction, they are required to have policies in place by which to accept or deny such requests. Thus, covered entities may use either the Privacy Rule’s provisions for consent or right to request restrictions to facilitate individual choice with respect to electronic health information exchange.

Further, given the Privacy Rule’s flexibility, covered entities could design processes that apply on a more global level (e.g., by requiring an individual’s consent prior to making any disclosure of PHI to or through a health information organization (HIO), or granting restrictions only in which none of the individual’s information is to be exchanged to or through the HIO) or at a more granular level (such as by type of information, potential recipients, or the purposes for which a disclosure may be made). Whatever the policy, such decisions may be implemented on an organization-wide level, or across a HIO’s health information exchange (such as based on the consensus of the health information exchange participants).

October 2018

Tags: HIPPA, Health Information Technology

Who has the right to consent or the right to request restrictions with respect to whether a covered entity may electronically exchange a minor’s protected health information to or through a health information organization (HIO)?

As with a minor’s paper medical record, generally a parent, guardian, or other person acting in loco parentis with legal authority to make health care decisions on behalf of the minor is the personal representative of the minor under the HIPAA Privacy Rule and, thus, is able to exercise all of the HIPAA rights with respect to the minor’s health information. Thus, a parent, guardian, or other person acting in loco parentis who is a personal representative would be able to consent to, if the covered entity has adopted a consent process under the Privacy Rule, or to request restrictions on, disclosures of the minor’s health information to or through a HIO for treatment or other certain purposes. However, there are a few exceptions when the parent, guardian, or other person acting in loco parentis is not the personal representative of the minor child, such as:

(1) when State or other law does not require the consent of a parent or other person before a minor can obtain a particular health care service, and the minor consents to the health care service;

(2) when a court determines or other law authorizes someone other than the parent, guardian, or person acting in loco parentis to make treatment decisions for a minor; and

Can a health information organization (HIO), as a business associate, exchange protected health information (PHI) with another HIO acting as a business associate?

Yes, so long as the disclosure of PHI is authorized by the HIO’s business associate agreement and the information exchange would be permitted by the HIPAA Privacy Rule. For example, a HIO may disclose, on behalf of a primary care physician, PHI about an individual for treatment purposes in response to a query from another HIO, acting on behalf of a hospital at which the individual is a patient, unless, for instance, the primary care physician has agreed to the patient’s request to restrict such disclosures. Similarly, a HIO that is a business associate of two different covered entities may share PHI it receives from one covered entity with the other covered entity as permitted by the Privacy Rule and its business associate agreement, for example, for treatment purposes, subject to any applicable restrictions.

October 2018

Tags: HIPPA, Health Information Technology

Can a health information organization (HIO) participate as part of an organized health care arrangement (OHCA)?

A HIO, by definition, cannot participate as part of an OHCA because the HIPAA Privacy Rule defines OHCA as an arrangement involving only health care providers or health plans, neither of which a HIO qualifies as. However, a HIO may be a business associate of an OHCA if the HIO performs functions or activities on behalf of the OHCA. See 45 C.F.R. § 160.103 (definitions of “organized health care arrangement” and “business associate”). For example, a hospital and the health care providers with staff privileges at the hospital are an OHCA for purposes of the Privacy Rule. To the extent such an arrangement uses a HIO for electronic health information exchange, the HIO would be a business associate of the OHCA.

October 2018

Tags: HIPPA, Health Information Technology

Can a health information organization (HIO) participate as part of an affiliated covered entity?

A HIO generally is not a HIPAA covered entity and the HIPAA Privacy Rule allows only certain legally separate covered entities to designate themselves as a single affiliated covered entity for purposes of complying with the Privacy Rule. Thus, a HIO generally may not participate as part of an affiliated covered entity. See 45 C.F.R. § 164.105(b) for the requirements and conditions regarding affiliated covered entities.

October 2018

Tags: HIPPA, Health Information Technology

May a HIPAA Notice of Privacy Practices (NPP) specifically mention that protected health information (PHI) will be disclosed to and through a health information organization (HIO)? May the NPP mention that the covered health care provider uses an electronic health record (EHR)?

Yes, covered entities are permitted to include such information in their NPPs. The HIPAA Privacy Rule requires that a covered entity’s NPP describe the types of uses and disclosures of PHI a covered entity is permitted to make. The Rule also requires that a covered entity’s NPP include at least one example of the uses and disclosures the covered entity is permitted to make for treatment, payment, and health care operations purposes. See 45 C.F.R. § 164.520(b). While the Privacy Rule does not require that these examples describe the covered entity’s disclosure of PHI to and through a HIO for treatment and other purposes, or that a covered health care provider uses an EHR, the Privacy Rule does not preclude a covered entity from including in its NPP additional information concerning the covered entity’s participation in these activities. Alternatively, a covered entity may wish to provide the individual with a separate notice of the disclosures that may be made to and through a HIO, and how the individual’s health information will be protected.

Such notice that mentions that PHI will be disclosed to and through a HIO or that the covered health care provider uses an EHR would help facilitate the openness and transparency in electronic health information exchange that is important for building trust and thus, is encouraged. Some individuals also may find the fact that a health care provider participates in electronic health information exchange, or that the provider uses an EHR, to be an important factor that could lead individuals to choose that provider over another. Also, to the extent the individual is provided with certain choices of how or if the individual’s information is to be exchanged through a HIO, notice of the disclosures a covered entity may make to and through a HIO, as well as how the individual’s information will be protected, would be an important element of informing such choices.

October 2018

Tags: HIPPA, Health Information Technology

Are health information organizations (HIOs) required to have a HIPAA Notice of Privacy Practices (NPP)?

Generally, no. The HIPAA Privacy Rule’s NPP obligations extend only to HIPAA covered entities and the functions a HIO generally performs do not make it a HIPAA covered entity (i.e., a health plan, health care clearinghouse, or covered health care provider). See 45 C.F.R. § 160.103 (definition of “covered entity”). However, while a HIO does not itself have a HIPAA obligation to provide a NPP to individuals, the Privacy Rule permits covered entities that participate in electronic health information exchange with the HIO to provide notice to individuals of the disclosures that will be made to and through the HIO and through the network, as well as how individuals’ health information will be protected by the HIO.

October 2018

Tags: HIPPA, Health Information Technology

May covered entities that operate in electronic environments provide individuals with their HIPAA Notice of Privacy Practices (NPP) electronically?

Yes, provided the individual agrees to receive the covered entity’s NPP electronically and such agreement has not been withdrawn (although the individual always retains the right to receive a paper copy of the NPP upon request). Further, where health care is delivered to an individual electronically, such as through e-mail, or over the Internet, the provider must send an electronic NPP automatically and contemporaneously in response to the individual’s request for service. Except in an emergency treatment situation, a covered entity that has a direct treatment relationship with an individual and who delivers an NPP electronically also must make a good faith effort to obtain a written acknowledgment of receipt, either electronically or through other means. In addition, the HIPAA Privacy Rule requires a covered entity that maintains a website providing information about the covered entity’s services or benefits to prominently post its NPP on its website. See 45 C.F.R. § 164.520(c).

October 2018

Tags: HIPPA, Health Information Technology

Does the HIPAA Privacy Rule permit a covered health care provider to e-mail or otherwise electronically exchange protected health information (PHI) with another provider for treatment purposes?

Yes. The Privacy Rule allows covered health care providers to share PHI electronically (or in any other form) for treatment purposes, as long as they apply reasonable safeguards when doing so. Thus, for example, a physician may consult with another physician by e-mail about a patient’s condition, or health care providers may electronically exchange PHI to and through a health information organization (HIO) for patient care.

October 2018

Tags: HIPPA, Health Information Technology

How may the HIPAA Privacy Rule’s requirements for verification of identity and authority be met in an electronic health information exchange environment?

The Privacy Rule requires covered entities to verify the identity and authority of a person requesting protected health information (PHI), if not known to the covered entity. See 45 C.F.R. § 164.514(h). The Privacy Rule allows for verification in most instances in either oral or written form, although verification does require written documentation when such documentation is a condition of the disclosure.
The Privacy Rule generally does not include specific or technical verification requirements and thus, can flexibly be applied to an electronic health information exchange environment in a manner that best supports the needs of the exchange participants and the health information organization (HIO). For example, in an electronic health information exchange environment:

Participants can agree by contract or otherwise to keep current and provide to the HIO a list of authorized persons so the HIO can appropriately authenticate each user of the network.
For persons claiming to be government officials, proof of government status may be provided by having a legitimate government e-mail extension (e.g., xxx.gov).
Documentation required for certain uses and disclosures may be provided in electronic form, such as scanned images or pdf files.
Documentation requiring signatures may be provided as a scanned image of the signed documentation or as an electronic document with an electronic signature, to the extent the electronic signature is valid under applicable law.

October 2018

Tags: HIPPA, Health Information Technology

Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?

Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail, or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.

October 2018

Tags: HIPPA, Health Information Technology

Does the HIPAA Privacy Rule allow covered entities participating in electronic health information exchange with a health information organization (HIO) to establish a common set of safeguards?

Yes. The Privacy Rule requires a covered entity to have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), including reasonable safeguards to protect against any intentional or unintentional use or disclosure in violation of the Privacy Rule. See 45 C.F.R. § 164.530(c). Each covered entity can evaluate its own business functions and needs, the types and amounts of PHI it collects, uses, and discloses, size, and business risks to determine adequate safeguards for its particular circumstances.

With respect to electronic health information exchange, the Privacy Rule would allow covered entities participating in an exchange with a HIO to agree on a common set of privacy safeguards that are appropriate to the risks associated with exchanging PHI to and through the HIO. In addition, as a requirement of participation in the electronic health information exchange with the HIO, these commonly agreed to safeguards also could be extended to other participants, even if they are not covered entities. A common or consistent set of standards applied to the HIO and its participants may help not only to facilitate the efficient exchange of information, but also to foster trust among both participants and individuals.

October 2018

Tags: HIPPA, Health Information Technology

Can health care providers engage in confidential conversations with other providers or with patients, even if there is a possibility that they could be overheard?

Yes. The HIPAA Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. Provisions of this Rule requiring covered entities to implement reasonable safeguards that reflect their particular circumstances and exempting treatment disclosures from certain requirements are intended to ensure that providers’ primary consideration is the appropriate treatment of their patients. The Privacy Rule recognizes that oral communications often must occur freely and quickly in treatment settings. Thus, covered entities are free to engage in communications as required for quick, effective, and high quality health care. The Privacy Rule also recognizes that overheard communications in these settings may be unavoidable and allows for these incidental disclosures.

For example, the following practices are permissible under the Privacy Rule, if reasonable precautions are taken to minimize the chance of incidental disclosures to others who may be nearby:

Health care staff may orally coordinate services at hospital nursing stations.
Nurses or other health care professionals may discuss a patient’s condition over the phone with the patient, a provider, or a family member.
A health care professional may discuss lab test results with a patient or other provider in a joint treatment area.
A physician may discuss a patients’ condition or treatment regimen in the patient’s semi-private room.
Health care professionals may discuss a patient’s condition during training rounds in an academic or training institution.
A pharmacist may discuss a prescription with a patient over the pharmacy counter, or with a physician or the patient over the phone.

In these circumstances, reasonable precautions could include using lowered voices or talking apart from others when sharing protected health information. However, in an emergency situation, in a loud emergency room, or where a patient is hearing impaired, such precautions may not be practicable. Covered entities are free to engage in communications as required for quick, effective, and high quality health care.

October 2018

Tags: HIPPA, Incidental Uses and Disclosures

May physician’s offices use patient sign-in sheets or call out the names of their patients in their waiting rooms?

Yes. Covered entities, such as physician’s offices, may use patient sign-in sheets or call out patient names in waiting rooms, so long as the information disclosed is appropriately limited. The HIPAA Privacy Rule explicitly permits the incidental disclosures that may result from this practice, for example, when other patients in a waiting room hear the identity of the person whose name is called, or see other patient names on a sign-in sheet. However, these incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards and the minimum necessary standard, where appropriate. For example, the sign-in sheet may not display medical information that is not necessary for the purpose of signing in (e.g., the medical problem for which the patient is seeing the physician). See 45 CFR 164.502(a)(1)(iii).

October 2018

Tags: HIPPA, Incidental Uses and Disclosures

Are physicians and doctor’s offices prohibited from maintaining patient medical charts at bedside or outside of exam rooms, or from engaging in other customary practices where the potential exists for patient information to be incidentally disclosed to others?

No. The HIPAA Privacy Rule does not prohibit covered entities from engaging in common and important health care practices; nor does it specify the specific measures that must be applied to protect an individual’s privacy while engaging in these practices. Covered entities must implement reasonable safeguards to protect an individual’s privacy. In addition, covered entities must reasonably restrict how much information is used and disclosed, where appropriate, as well as who within the entity has access to protected health information. Covered entities must evaluate what measures make sense in their environment and tailor their practices and safeguards to their particular circumstances.

For example, the Privacy Rule does not prohibit covered entities from engaging in the following practices, where reasonable precautions have been taken to protect an individual’s privacy:

Maintaining patient charts at bedside or outside of exam rooms, displaying patient names on the outside of patient charts, or displaying patient care signs (e.g., “high fall risk” or “diabetic diet”) at patient bedside or at the doors of hospital rooms.
Possible safeguards may include: reasonably limiting access to these areas, ensuring that the area is supervised, escorting non-employees in the area, or placing patient charts in their holders with identifying information facing the wall or otherwise covered, rather than having health information about the patient visible to anyone who walks by.
Announcing patient names and other information over a facility’s public announcement system.
Possible safeguards may include: limiting the information disclosed over the system, such as referring the patients to a reception desk where they can receive further instructions in a more confidential manner.
Use of X-ray lightboards or in-patient logs, such as whiteboards, at a nursing station.
Possible safeguards may include: if the X-ray lightboard is in an area generally not accessible by the public, or if the nursing station whiteboard is not readily visible to the public, or any other safeguard which reasonably limits incidental disclosures to the general public.

The above examples of possible safeguards are not intended to be exclusive. Covered entities may engage in any practice that reasonably safeguards protected health information to limit incidental uses and disclosures.

October 2018

Tags: HIPPA, Incidental Uses and Disclosures

A clinic customarily places patient charts in the plastic box outside an exam room. It does not want the record left unattended with the patient, and physicians want the record close by for fast review right before they walk into the exam room. Will the HIPAA Privacy Rule allow the clinic to continue this practice?

Yes, the Privacy Rule permits this practice as long as the clinic takes reasonable and appropriate measures to protect the patient’s privacy. The physician or other health care professionals use the patient charts for treatment purposes. Incidental disclosures to others that might occur as a result of the charts being left in the box are permitted, if the minimum necessary and reasonable safeguards requirements are met. See our section on Incidental Uses and Disclosures. As the purpose of leaving the chart in the box is to provide the physician with access to the medical information relevant to the examination, the minimum necessary requirement would be satisfied.

Examples of measures that could be reasonable and appropriate to safeguard the patient chart in such a situation would be limiting access to certain areas, ensuring that the area is supervised, escorting non-employees in the area, or placing the patient chart in the box with the front cover facing the wall rather than having protected health information about the patient visible to anyone who walks by. Each covered entity must evaluate what measures are reasonable and appropriate in its environment. Covered entities may tailor measures to their particular circumstances. See 45 CFR 164.530(c).

October 2018

Tags: HIPPA, Incidental Uses and Disclosures

A hospital customarily displays patients’ names next to the door of the hospital rooms that they occupy. Will the HIPAA Privacy Rule allow the hospital to continue this practice?

The Privacy Rule explicitly permits certain incidental disclosures that occur as a by-product of an otherwise permitted disclosure—for example, the disclosure to other patients in a waiting room of the identity of the person whose name is called. In this case, disclosure of patient names by posting on the wall is permitted by the Privacy Rule, if the use or disclosure is for treatment (for example, to ensure that patient care is provided to the correct individual) or health care operations purposes (for example, as a service for patients and their families). The disclosure of such information to other persons (such as other visitors) that will likely also occur due to the posting is an incidental disclosure.

Incidental disclosures are permitted only to the extent that the covered entity has applied reasonable and appropriate safeguards and implemented the minimum necessary standard, where appropriate. See our section on Incidental Uses and Disclosures. In this case, it would appear that the disclosure of names is the minimum necessary for the purposes of the permitted uses or disclosures described above, and there do not appear to be additional safeguards that would be reasonable to take in these circumstances. However, each covered entity must evaluate what measures are reasonable and appropriate in its environment. Covered entities may tailor measures to their particular circumstances.

October 2018

Tags: HIPPA, Incidental Uses and Disclosures

May mental health practitioners or other specialists provide therapy to patients in a group setting where other patients and family members are present?

Yes. Disclosures of protected health information in a group therapy setting are treatment disclosures and, thus, may be made without an individual’s authorization. Furthermore, the HIPAA Privacy Rule generally permits a covered entity to disclose protected health information to a family member or other person involved in the individual’s care. Where the individual is present during the disclosure, the covered entity may disclose protected health information if it is reasonable to infer from the circumstances that the individual does not object to the disclosure. Absent countervailing circumstances, the individual’s agreement to participate in group therapy or family discussions is a good basis for inferring the individual’s agreement.

October 2018

‘Tags: HIPPA, Incidental Uses and Disclosures

Are covered entities required to document incidental disclosures permitted by the HIPAA Privacy Rule, in an accounting of disclosures provided to an individual?

No. The Privacy Rule includes a specific exception from the accounting standard for incidental disclosures permitted by the Rule. See 45 CFR 164.528(a)(1).

October 2018

Tags: HIPPA, Incidental Uses and Disclosures

Do the HIPAA Privacy Rule’s provisions permitting certain incidental uses and disclosures apply only to treatment situations or discussions among health care providers?

No. The provisions apply universally to incidental uses and disclosures that result from any use or disclosure permitted under the Privacy Rule, and not just to incidental uses and disclosures resulting from treatment communications, or only to communications among health care providers or other medical staff. For example:

A provider may instruct an administrative staff member to bill a patient for a particular procedure, and may be overheard by one or more persons in the waiting room.
A health plan employee discussing a patient’s health care claim on the phone may be overheard by another employee who is not authorized to handle patient information.

If the provider and the health plan employee made reasonable efforts to avoid being overheard and reasonably limited the information shared, an incidental use or disclosure resulting from such conversations would be permissible under the Rule.

October 2018

Tags: HIPPA, Incidental Uses and Disclosures

Is a covered entity required to prevent any incidental use or disclosure of protected health information?

No. The HIPAA Privacy Rule does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Rule requires only that covered entities implement reasonable safeguards to limit incidental uses or disclosures. See 45 CFR 164.530(c)(2).

October 2018

Tags: HIPPA, Incidental Uses and Disclosures

May a covered entity disclose protected health information in response to a court order?

Yes. A covered entity may disclose protected health information to comply with a court order, including an order of an administrative tribunal. Such disclosures must be limited to the protected health information expressly authorized by the order. See 45 CFR 164.512(e)(1)(i).

October 2018

Tags: HIPPA, Judicial and Administrative Proceedings

May a covered entity disclose protected health information in response to a court order?

October 2018

Tags: HIPPA, Judicial and Administrative Proceedings

May a covered entity use or disclose protected health information for litigation?

A covered entity may use or disclose protected health information as permitted or required by the Privacy Rule, see 45 CFR 164.502(a) (PDF); and, subject to certain conditions the Rule typically permits uses and disclosures for litigation, whether for judicial or administrative proceedings, under particular provisions for judicial and administrative proceedings set forth at 45 CFR 164.512(e) (GPO), or as part of the covered entity’s health care operations, 45 CFR 164.506(a) (PDF). Depending on the context, a covered entity’s use or disclosure of protected health information in the course of litigation also may be permitted under a number of other provisions of the Rule, including uses or disclosures that are:

required by law (as when the court has ordered certain disclosures),
for a proceeding before a health oversight agency (as in a contested licensing revocation),
for payment purposes (as in a collection action on an unpaid claim), or
with the individual’s written authorization.

Where a covered entity is a party to a legal proceeding, such as a plaintiff or defendant, the covered entity may use or disclose protected health information for purposes of the litigation as part of its health care operations. The definition of “health care operations” at 45 CFR 164.501 (GPO) includes a covered entity’s activities of conducting or arranging for legal services to the extent such activities are related to the covered entity’s covered functions (i.e., those functions that make the entity a health plan, health care provider, or health care clearinghouse), including legal services related to an entity’s treatment or payment functions. Thus, for example, a covered entity that is a defendant in a malpractice action or a plaintiff in a suit to obtain payment may use or disclose protected health information for such litigation as part of its health care operations. The covered entity, however, must make reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose. See 45 CFR 164.502(b) , 164.514(d).

Where the covered entity is not a party to the proceeding, the covered entity may disclose protected health information for the litigation in response to a court order, subpoena, discovery request, or other lawful process, provided the applicable requirements of 45 CFR 164.512(e) (GPO) for disclosures for judicial and administrative proceedings are met.

October 2018

Tags: HIPPA, Judicial and Administrative Proceedings

May a covered entity that is a plaintiff or defendant in a legal proceeding use or disclose protected health information for the litigation?

Yes. Where a covered entity is a party to a legal proceeding, such as a plaintiff or defendant, the covered entity may use or disclose protected health information for purposes of the litigation as part of its health care operations. The definition of “health care operations” at 45 CFR 164.501 includes a covered entity’s activities of conducting or arranging for legal services to the extent such activities are related to the covered entity’s covered functions (i.e., those functions that make the entity a health plan, health care provider, or health care clearinghouse). Thus, for example, a covered entity that is a defendant in a malpractice action, or a plaintiff in a suit to obtain payment, may use or disclose protected health information for such litigation as part of its health care operations.

The covered entity, however, must make reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose. See 45 CFR 164.502(b), 164.514(d). In most cases, the covered entity will share protected health information for litigation purposes with its lawyer, who is either a workforce member or a business associate. In these cases, the Privacy Rule permits a covered entity to reasonably rely on the representations of a lawyer who is a business associate or workforce member that the information requested is the minimum necessary for the stated purpose. See 45 CFR 164.514(d)(3)(iii)(C). A covered entity’s minimum necessary policies and procedures may provide for such reasonable reliance on the lawyer’s requests for protected health information needed in the course of providing legal services to the covered entity.

In disclosing protected health information for litigation purposes, the lawyer who is a workforce member of the covered entity must make reasonable efforts to limit the protected health information disclosed to the minimum necessary for the purpose of the disclosure. Similarly, a lawyer who is a business associate must apply the minimum necessary standard to its disclosures, as the business associate contract may not authorize the business associate to further use or disclose protected health information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. Depending on the circumstances, this could involve de-identifying the information or stripping direct identifiers from the information to protect the privacy of individuals, and may in some cases limit disclosures more significantly than would be required to meet a “relevance” standard. Further, whether as workforce members or business associates, lawyers may consider availing themselves of the protections routinely afforded to similarly confidential information within the litigation forum, such as protective orders on the use of the information in public portions of the proceedings.

October 2018

Tags: HIPPA, Judicial and Administrative Proceedings

What “satisfactory assurances” must a covered entity that is not a party to the litigation receive before it may respond to a subpoena without a court order?

Under 45 CFR 164.512(e)(1)(ii) of the Privacy Rule, a covered entity that is not a party to the litigation may disclose protected health information in response to a subpoena, discovery request, or other lawful process if the covered entity receives certain satisfactory assurances from the party seeking the information. Specifically, the covered entity must receive a written statement and accompanying documentation that the requestor has made reasonable efforts either (1) to ensure that the individual(s) who are the subject of the information have been given sufficient notice of the request, or (2) to secure a qualified protective order. (Alternatively, the covered entity may make such disclosures if it itself makes reasonable efforts to notify the individual(s) or seek a qualified protective order.) If the conditions above have been met, a court order is not required to make the disclosure.

For notice to the individual(s), the written statement and accompanying documentation must demonstrate that the requestor has made a good faith attempt to provide written notice to the individual; and that the notice included sufficient information about the litigation to permit the individual to raise an objection with the court, the time for the individual to raise an objection has elapsed, and no objections were filed or all objections filed were resolved and the request is consistent with the resolution. Such statements and documentation may include, for example, a copy of the notice mailed to the individual that includes instructions for raising an objection with the court and the deadline for doing so, and a written statement or other documentation demonstrating that no objections were raised or all objections raised were resolved and the request is consistent with the resolution. To the extent that the subpoena or other request itself demonstrates the above elements, no additional documentation is required.

For a qualified protective order, the written statement and accompanying documentation must demonstrate that the parties to the dispute have agreed to a qualified protective order and have presented it to the court or administrative tribunal; or the party seeking the protected health information has requested a qualified protective order from the court or administrative tribunal. See the definition of “qualified protective order” at 45 CFR 164.512(e)(1)(v). Such statements and documentation may include, for example, a copy of the qualified protective order that the parties have agreed to and documentation or a statement that the order was presented to the court, or a copy of the motion to the court requesting a qualified protective order.

October 2018

Tags: HIPPA, Judicial and Administrative Proceedings

For disclosures for judicial and administrative proceedings, can notice be provided to the individual’s lawyer instead of the individual?

Yes. A covered entity that is not a party to litigation must obtain or receive the satisfactory assurances required by 45 CFR 164.512(e) before making a disclosure for a judicial or administrative proceeding. Where the satisfactory assurances are in the form of notice to the individual, a written statement and accompanying documentation of notice to the individual’s lawyer is considered to be notice to the individual and, thus, suffices, provided the documentation otherwise meets the requirements of 45 CFR 164.512(e)(1)(iii). Specifically, the written statement and accompanying documentation must demonstrate that the notice included sufficient information about the litigation to permit the individual to raise an objection to the court; and that the time for the individual to raise objections has elapsed, with no objections having been filed, or all filed objections having been resolved.

October 2018

Tags: HIPPA, Judicial and Administrative Proceedings

For disclosures for judicial and administrative proceedings, when is a copy of the subpoena itself sufficient satisfactory assurance of notice to the individual?

A copy of the subpoena (or other request pursuant to lawful process) is sufficient when, on its face, it meets the requirements of 45 CFR 164.512(e)(1)(iii), such as by demonstrating that the individual whose protected health information is requested is a party to the litigation, notice of the request has been provided to the individual or his or her attorney, and the time for the individual to raise objections has elapsed and no objections were filed or all objections filed have been resolved. When the above requirements are evident on the face of the subpoena (or other request), no additional documentation is required.

October 2018

Tags: HIPPA, Judicial and Administrative Proceedings

When must a covered entity account for disclosures of protected health information made during the course of litigation?

Individuals have a right to receive, upon request, an accounting of disclosures of protected health information made by a covered entity (or its business associate), with certain exceptions. These exceptions, or instances where a covered entity is not required to account for disclosures, include disclosures for treatment, payment, or health care operations and disclosures authorized by the individual. See 45 CFR 164.528 (GPO). Disclosures that are subject to the accounting for disclosures requirement include disclosures made by a covered entity that is not a party to the litigation or proceeding and that are made:

as required by law (under §§ 164.512(a) and (e)(1)(i));
for a proceeding before a health oversight agency (under § 164.512(d)); or
in response to a subpoena, discovery request, or other lawful process (under § 164.512(e)).

Conversely, covered entities need not account for disclosures of protected health information for litigation that are made with the individual’s authorization or, in cases where the covered entity is a party to the litigation, when such disclosures are part of the covered entity’s health care operations.

In many cases, covered entities share protected health information for litigation purposes with a lawyer who is a business associate of the covered entity. These disclosures by a covered entity to its lawyer-business associate are not themselves subject to the accounting. However, if (as described above) the lawyer makes disclosures that are subject to the accounting requirement, the business associate agreement required by the Privacy Rule must provide that the lawyer-business associate must make information about these disclosures available to the covered entity, so that the covered entity can fulfill its obligation to provide an accounting to the individual. Alternatively, the covered entity and the lawyer can agree through the business associate contract that the lawyer will provide the accounting to individuals who request one.

October 2018

Tags: HIPPA, Judicial and Administrative Proceedings

May a covered entity that is not a party to a legal proceeding disclose protected health information in response to a subpoena, discovery request, or other lawful process that is not accompanied by a court order?

Yes, if certain conditions are met. A covered entity that is not a party to litigation, such as where the covered entity is neither a plaintiff nor a defendant, may disclose protected health information in response to a subpoena, discovery request, or other lawful process, that is not accompanied by a court order, provided that the covered entity:

Receives a written statement and accompanying documentation from the party seeking the information that reasonable efforts have been made either (1) to ensure that the individual(s) who are the subject of the information have been notified of the request, or (2) to secure a qualified protective order for the information; or
Itself makes reasonable efforts either (1) to provide notice to the individual(s) that meets the same requirements as set forth below for sufficient notice by the party making the request, or (2) to seek a qualified protective order as defined below. See 45 CFR 164.512(e).

The covered entity must make reasonable efforts to limit the protected health information used or disclosed to the minimum necessary to respond to the request. See 45 CFR 164.502(b) and 164.514(d).

The requirement to provide sufficient notice to the individual(s) is met when a party provides a written statement and accompanying documentation that demonstrates:

A good faith attempt was made to notify the individual (or if the individual’s location is unknown, to mail a notice to the individual’s last known address);
The notice included sufficient detail to permit the individual to raise an objection with the court or administrative tribunal; and
The time for the individual to raise objections under the rules of the court or tribunal has lapsed and no objections were filed or all objections filed by the individual have been resolved by the court and the disclosures being sought are consistent with the resolution.

A qualified protective order is an order of a court or administrative tribunal or a stipulation by the parties that prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and requires the return to the covered entity or destruction of the protected health information (including any copies) at the end of the litigation or proceeding. The party requesting the information must provide a written statement and accompanying documentation that demonstrates:
The parties to the dispute have agreed to a qualified protective order and have presented it to the court or administrative tribunal; or

The party seeking the protected health information has requested a qualified protective order from the court or administrative tribunal.

October 2018

Tags: HIPPA, Judicial and Administrative Proceedings

Must a covered entity provide an accounting for disclosures if the only information disclosed to a public health authority is in the form of a limited data set?

No, a covered entity is not required to provide an accounting for a disclosure where the only information disclosed is in the form of a limited data set, and the covered entity has a data use agreement with the public health authority receiving the information. (See 45 CFR 164.514(e) for limited data set and data use agreement requirements.)

Moreover, a covered entity is not required to provide an accounting when it uses protected health information to create a limited data set. For example, when a covered entity’s workforce member – whether a paid employee or volunteer – reviews medical records to identify reportable cases and extracts facially unidentifiable information to be reported as part of a limited data set to the public health authority, the covered entity is using, rather than disclosing, protected health information. In that case, the covered entity does not have to provide an accounting for its uses of protected health information. Further, even though a disclosure occurs when the limited data set is received by the public health authority for its own public health purposes, the covered entity is not required to account for this disclosure. Limited data sets are excepted from the accounting requirement at 45 CFR 164.528(a)(1)(viii).

October 2018

Tags: HIPPA, Limited Data Set

Does the HIPAA Privacy Rule expand the ability of providers, plans, marketers and others to use my protected health information to market goods and services to me? Does the Privacy Rule make it easier for health care businesses to engage in door-to-door sales and marketing efforts?

No. The Privacy Rule’s limitations on the use or disclosure of protected health information for marketing purposes do not exist in most States today. For example, the Rule requires patients’ authorization for the following types of uses or disclosures of protected health information for marketing:

Selling protected health information to third parties for their use and re-use. Thus, under the Rule, a hospital or other provider may not sell names of pregnant women to baby formula manufacturers or magazines without an authorization.
Disclosing protected health information to outsiders for the outsiders’ independent marketing use. Under the Rule, doctors may not provide patient lists to pharmaceutical companies for those companies’ drug promotions without an authorization.

Without these Privacy Rule restrictions, these activities could occur with no authorization from the individual in most jurisdictions. In addition, if a State law provided additional limitations on disclosures of information for related activities, the Privacy Rule generally would not interfere with those laws.

Moreover, under the “business associate” provisions of the Privacy Rule, a covered entity may not give protected health information to a telemarketer, door-to-door salesperson, or other third party it has hired to make permitted communications (for example, about a covered entities’ own goods and services) unless that third party has agreed by contract to use the information only for communicating on behalf of the covered entity. Without the Privacy Rule, there may be no restrictions on how third parties re-use information they obtain from health plans and providers. See the fact sheet and frequently asked questions on this web site about the business associate standard for more information.

October 2018

Tags: HIPPA, Marketing

Can contractors (business associates) use protected health information for its own marketing purposes?

No. While covered entities may share protected health information with their contractors who meet the definition of “business associates” under the HIPAA Privacy Rule, that definition is limited to contractors that obtain protected health information to perform or assist in the performance of certain health care operations on behalf of covered entities. Thus, business associates, with limited exceptions, cannot use protected health information for their own purposes. Although, under the HIPAA statute, the Privacy Rule cannot govern contractors directly, the Rule does set clear parameters for how covered entities may contract with business associates. See 45 CFR 164.502(e) and 164.504(e), and the definition of “business associate” at 45 CFR 160.103.

Further, the Privacy Rule expressly prohibits health plans and covered health care providers from selling protected health information to third parties for the third party’s own marketing activities, without authorization. So, for example, a pharmacist cannot, without patient authorization, sell a list of patients to a pharmaceutical company, for the pharmaceutical company to market its own products to the individuals on the list.

October 2018

Tags: HIPPA, Marketing

Can telemarketers obtain my health information and use it to call me to sell good and services?

Under the HIPAA Privacy Rule, a covered entity can share protected health information with a telemarketer only if the covered entity has either obtained the individual’s prior written authorization to do so, or has entered into a business associate relationship with the telemarketer for the purpose of making a communication that is not marketing, such as to inform individuals about the covered entity’s own goods or services.

If the telemarketer is a business associate under the Privacy Rule, it must agree by contract to use the information only for communicating on behalf of the covered entity, and not to market its own goods or services (or those of another third party).

October 2018

Tags: HIPPA, Marketing

How can I distinguish between activities for treatment or health care operations versus marketing activities?

The overlap among common usages of the terms “treatment,” “healthcare operations,” and “marketing” is unavoidable. For instance, in recommending treatments, providers and health plans sometimes advise patients to purchase goods and services. Similarly, when a health plan explains to its members the benefits it provides, it too is encouraging the use or purchase of goods and services.

The HIPAA Privacy Rule defines these terms specifically, so they can be distinguished. For example, the Privacy Rule excludes treatment communications and certain health care operations activities from the definition of “marketing.” If a communication falls under one of the definition’s exceptions, the marketing rules do not apply. In these cases, covered entities may engage in the activity without first obtaining an authorization. See the fact sheet on this web site about marketing, as well as the definition of “marketing” at 45 CFR 164.501,for more information.

However, if a health care operation communication does not fall within one of these specific exceptions to the marketing definition, and the communication falls under the definition of “marketing,” the Privacy Rule’s provisions restricting the use or disclosure of protected health information for marketing purposes will apply. For these marketing communications, the individual’s authorization is required before a covered entity may use or disclose protected health information.

October 2018

Tags: HIPPA, Marketing

Do disease management, health promotion, preventive care, and wellness programs fall under the HIPAA Privacy Rule’s definition of “marketing”?

Generally, no. To the extent the disease management or wellness program is operated by the covered entity directly or by a business associate, communications about such programs are not marketing because they are about the covered entity’s own health-related services. So, for example, a hospital’s Wellness Department could start a weight-loss program and send a flyer to all patients seen in the hospital over the past year who meet the definition of obese, even if those individuals were not specifically seen for obesity when they were in the hospital.

Moreover, a communication that merely promotes health in a general manner and does not promote a specific product or service from a particular provider does not meet the definition of “marketing.” Such communications may include population-based activities in the areas of health education or disease prevention. Examples of general health promotional material include:

mailings reminding women to get an annual mammogram;
mailings providing information about how to lower cholesterol, new developments in health care (e.g., new diagnostic tools),
support groups,
organ donation,
cancer prevention, and
health fairs.

October 2018

Tags: HIPPA, Marketing

Is it marketing for a covered entity to describe products or services that are provided by the covered entity to its patients, or to describe products or services that are included in the health plan’s plan of benefits of the health plan?

No. The HIPAA Privacy Rule excludes from the definition of “marketing” communications made to describe a covered entity’s health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication.

Thus, it would not be marketing for a physician who has developed a new anti-snore device to send a flyer describing it to all of her patients (whether or not each patient has actually sought treatment for snoring). Nor would it be marketing for an ophthalmologist or health plan to send existing patients or members discounts for eye-exams or eye-glasses available only to the patients and members. Similarly, it would not be marketing for an insurance plan to send its members a description of covered benefits, payment schedules, and claims procedures.

October 2018

Tags: HIPPA, Marketing

No. In the specific case of face-to-face encounters, the HIPAA Privacy Rule allows health plans and their business associates to market both health and non-health insurance products to individuals.

October 2018

Tags: HIPPA, Marketing

What effect do the “marketing” provisions of the HIPAA Privacy Rule have on Federal or State fraud and abuse statutes?

The Privacy Rule makes it clear that nothing in the marketing provisions of the Privacy Rule are to be construed as amending, modifying, or changing any rule or requirement related to any other Federal or State statutes or regulations, including specifically anti-kickback, fraud and abuse, or self-referral statutes or regulations, or to authorize or permit any activity or transaction currently proscribed by such statutes and regulations. Examples of such laws include:

the anti-kickback statute (section 1128B(b) of the Social Security Act),
safe harbor regulations (42 CFR Parts 411 and 424), and
HIPAA statute on self-referral (section 1128C of the Social Security Act).

The definition of “marketing” is applicable solely to the Privacy Rule and the permissions granted by the Rule are only for a covered entity’s use or disclosure of protected health information. In particular, although the Privacy Rule defines the term “marketing” to exclude communications to an individual to recommend, purchase, or use a product or service as part of the treatment of the individual or for case management or care coordination of that individual, such communication by a health care professional may violate the anti-kickback statute.

No, only communications about drugs or biologics currently prescribed to the individual fall within the refill reminder exception at paragraph (2)(i) of the definition of “marketing” at 45 CFR 164.501. Making a communication to an individual encouraging the individual to switch from a prescribed medicine to an alternative therapy would only be appropriate where such communication falls within the treatment exception to marketing at paragraph (2)(ii)(A) of the definition and the covered entity does not receive financial remuneration in exchange for making the communication; where the communication is made in a face-to-face encounter with the individual; or where the individual has authorized the use or disclosure of her protected health information to make such communications.

October 2018

Tags: HIPPA, Marketing

What is permitted remuneration for purposes of the “refill reminder” exception to marketing?

The Privacy Rule excepts from the definition of “marketing” refill reminders and other communications about a drug or biologic that is currently being prescribed for the individual, provided that financial remuneration received by the covered entity in exchange for making the communication, if any, is reasonably related to the covered entity’s cost of making the communication. See paragraph (2)(i) of the definition of “marketing” at 45 CFR 164.501. Financial remuneration means payment to a covered entity (or business associate, if applicable) from or on behalf of a third party whose product or service is being described. Thus, for these purposes, permitted remuneration in exchange for making a “refill reminder” communication is:

Non-financial or in-kind remuneration, such as supplies, computers, or other materials.
Payment from a party other than the third party (or other than on behalf of the third party) whose product or service is being described in the communication, such as payment from a health plan.
Payments to a covered entity by a pharmaceutical manufacturer or other third party whose product is being described in the communication that cover only the reasonable direct and indirect costs related to the refill reminder or medication adherence program, or other excepted communications, including labor, materials, and supplies, as well as capital and overhead costs.

No. The Privacy Rule distinguishes between mental health information in a mental health professional’s private notes and that contained in the medical record. It does not provide a right of access to psychotherapy notes, which the Privacy Rule defines as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record. See 45 CFR 164.501. Psychotherapy notes are primarily for personal use by the treating professional and generally are not disclosed for other purposes. Thus, the Privacy Rule includes an exception to an individual’s (or personal representative’s) right of access for psychotherapy notes. See 45 CFR 164.524(a)(1)(i).

However, parents generally are the personal representatives of their minor child and, as such, are able to receive a copy of their child’s mental health information contained in the medical record, including information about diagnosis, symptoms, treatment plans, etc. Further, although the Privacy Rule does not provide a right for a patient or personal representative to access psychotherapy notes regarding the patient, HIPAA generally gives providers discretion to disclose the individual’s own protected health information (including psychotherapy notes) directly to the individual or the individual’s personal representative. As any such disclosure is purely permissive under the Privacy Rule, mental health providers should consult applicable State law for any prohibitions or conditions before making such disclosures.

October 2018

Tags: HIPPA, Mental Health

Does HIPAA allow a health care provider to communicate with a patient’s family, friends, or other persons who are involved in the patient’s care?

Yes. In recognition of the integral role that family and friends play in a patient’s health care, the HIPAA Privacy Rule allows these routine – and often critical – communications between health care providers and these persons. Where a patient is present and has the capacity to make health care decisions, health care providers may communicate with a patient’s family members, friends, or other persons the patient has involved in his or her health care or payment for care, so long as the patient does not object. See 45 CFR 164.510(b). The provider may ask the patient’s permission to share relevant information with family members or others, may tell the patient he or she plans to discuss the information and give them an opportunity to agree or object, or may infer from the circumstances, using professional judgment, that the patient does not object. A common example of the latter would be situations in which a family member or friend is invited by the patient and present in the treatment room with the patient and the provider when a disclosure is made.

Where a patient is not present or is incapacitated, a health care provider may share the patient’s information with family, friends, or others involved in the patient’s care or payment for care, as long as the health care provider determines, based on professional judgment, that doing so is in the best interests of the patient. Note that, when someone other than a friend or family member is involved, the health care provider must be reasonably sure that the patient asked the person to be involved in his or her care or payment for care.

In all cases, disclosures to family members, friends, or other persons involved in the patient’s care or payment for care are to be limited to only the protected health information directly relevant to the person’s involvement in the patient’s care or payment for care.

OCR’s website contains additional information about disclosures to family members and friends in fact sheets developed for consumers – PDF and providers – PDF.

October 2018

Tags: HIPPA, Mental Health

Is a health care provider permitted to discuss an adult patient’s mental health information with the patient’s parents or other family members?

In situations where the patient is given the opportunity and does not object, HIPAA allows the provider to share or discuss the patient’s mental health information with family members or other persons involved in the patient’s care or payment for care. For example, if the patient does not object:

A psychiatrist may discuss the drugs a patient needs to take with the patient’s sister who is present with the patient at a mental health care appointment.
A therapist may give information to a patient’s spouse about warning signs that may signal a developing emergency.

But:

A nurse may not discuss a patient’s mental health condition with the patient’s brother after the patient has stated she does not want her family to know about her condition.

In all cases, the health care provider may share or discuss only the information that the person involved needs to know about the patient’s care or payment for care. See 45 CFR 164.510(b). Finally, it is important to remember that other applicable law (e.g., State confidentiality statutes) or professional ethics may impose stricter limitations on sharing personal health information, particularly where the information relates to a patient’s mental health.

October 2018

Tags: HIPPA, Mental Health

When does mental illness or another mental condition constitute incapacity under the Privacy Rule? For example, what if a patient who is experiencing temporary psychosis or is intoxicated does not have the capacity to agree or object to a health care provider sharing information with a family member, but the provider believes the disclosure is in the patient’s best interests?

Section 164.510(b)(3) of the HIPAA Privacy Rule permits a health care provider, when a patient is not present or is unable to agree or object to a disclosure due to incapacity or emergency circumstances, to determine whether disclosing a patient’s information to the patient’s family, friends, or other persons involved in the patient’s care or payment for care, is in the best interests of the patient. Where a provider determines that such a disclosure is in the patient’s best interests, the provider would be permitted to disclose only the PHI that is directly relevant to the person’s involvement in the patient’s care or payment for care.

This permission clearly applies where a patient is unconscious. However, there may be additional situations in which a health care provider believes, based on professional judgment, that the patient does not have the capacity to agree or object to the sharing of personal health information at a particular time and that sharing the information is in the best interests of the patient at that time. These may include circumstances in which a patient is suffering from temporary psychosis or is under the influence of drugs or alcohol. If, for example, the provider believes the patient cannot meaningfully agree or object to the sharing of the patient’s information with family, friends, or other persons involved in their care due to her current mental state, the provider is allowed to discuss the patient’s condition or treatment with a family member, if the provider believes it would be in the patient’s best interests. In making this determination about the patient’s best interests, the provider should take into account the patient’s prior expressed preferences regarding disclosures of their information, if any, as well as the circumstances of the current situation. Once the patient regains the capacity to make these choices for herself, the provider should offer the patient the opportunity to agree or object to any future sharing of her information.

*Note: The Privacy Rule permits, but does not require, providers to disclose information in these situations. Providers who are subject to more stringent privacy standards under other laws, such as certain state confidentiality laws or 42 CFR Part 2, would need to consider whether there is a similar disclosure permission under those laws that would apply in the circumstances.

October 2018

Tags: HIPPA, Mental Health

If a health care provider knows that a patient with a serious mental illness has stopped taking a prescribed medication, can the provider tell the patient’s family members?

So long as the patient does not object, HIPAA allows the provider to share or discuss a patient’s mental health information with the patient’s family members. See 45 CFR 164.510(b). If the provider believes, based on professional judgment, that the patient does not have the capacity to agree or object to sharing the information at that time, and that sharing the information would be in the patient’s best interests, the provider may tell the patient’s family member. In either case, the health care provider may share or discuss only the information that the family member involved needs to know about the patient’s care or payment for care.

Otherwise, if the patient has capacity and objects to the provider sharing information with the patient’s family member, the provider may only share the information if doing so is consistent with applicable law and standards of ethical conduct, and the provider has a good faith belief that the patient poses a threat to the health or safety of the patient or others, and the family member is reasonably able to prevent or lessen that threat. See 45 CFR 164.512(j). For example, if a doctor knows from experience that, when a patient’s medication is not at a therapeutic level, the patient is at high risk of committing suicide, the doctor may believe in good faith that disclosure is necessary to prevent or lessen the threat of harm to the health or safety of the patient who has stopped taking the prescribed medication, and may share information with the patient’s family or other caregivers who can avert the threat. However, absent a good faith belief that the disclosure is necessary to prevent a serious and imminent threat to the health or safety of the patient or others, the doctor must respect the wishes of the patient with respect to the disclosure.

October 2018

Tags: HIPPA, Mental Health

When does HIPAA allow a doctor to notify an individual’s family, friends, or caregivers that a patient has overdosed?

As explained more thoroughly below, when a patient has overdosed, a health care professional, such as a doctor, generally may notify the patient’s family, friends, or caregivers involved in the patient’s health care or payment for care if:

(1) the patient has the capacity to make health care decisions at the time of the disclosure, is given the opportunity to object, and does not object;

(2) the family, friends, or caregivers have been involved in the patient’s health care or payment for care and there has been no objection from the patient;

(3) the patient had the capacity to make health care decisions at the time the information is shared and the doctor can reasonably infer, based on the exercise of professional judgment, that the patient would not object;

(4) the patient is incapacitated and the health care professional determines, based on the exercise of professional judgment, that notification and disclosure of PHI is in the patient’s best interests;

(5) the patient is unavailable due to some emergency and the health care professional determines, based on the exercise of professional judgment, that notification and disclosure of PHI is in the patient’s best interests; or

(6) the notification is necessary to prevent a serious and imminent threat to the health or safety of the patient or others.

If the patient who has overdosed is incapacitated and unable to agree or object, a doctor may notify a family member, personal representative, or another person responsible for the individual’s care of the patient’s location, general condition, or death. See 45 CFR 164.510(b)(1)(ii). Similarly, HIPAA allows a doctor to share additional information with a patient’s family member, friend, or caregiver as long as the information shared is directly related to the person’s involvement in the patient’s health care or payment for care. 45 CFR 164.510(b)(1)(i). Decision-making incapacity may be temporary or long-term. If a patient who has overdosed regains decision-making capacity, health providers must offer the patient the opportunity to agree or object to sharing their health information with involved family, friends, or caregivers before making any further disclosures. If a patient becomes unavailable due to some emergency, a health care professional may determine, based on the exercise of professional judgment, that notification and disclosure of PHI to someone previously involved in their care is in the patient’s best interests. For example, if a patient who is addicted to opioids misses important medical appointments without any explanation, a primary health care provider at a general practice may believe that there is an emergency related to the opioid addiction and under the circumstances, may use professional judgment to determine that it is in the patient’s best interests to reach out to emergency contacts, such as parents or family, and inform them of the situation. See 45 CFR 164.510(b)(3).

If the patient is deceased, a doctor may disclose information related to the family member’s, friend’s, or caregiver’s involvement with the patient’s care, unless doing so is inconsistent with any prior expressed preference of the patient that is known to the doctor. If the person who will receive notification is the patient’s personal representative, that person has a right to request and obtain any information about the patient that the patient could obtain, including a complete medical record, under the HIPAA right of access. See 45 CFR 164.524.

When a patient poses a serious and imminent threat to his own or someone else’s health or safety, HIPAA permits a health care professional to share the necessary information about the patient with anyone who is in a position to prevent or lessen the threatened harm–including family, friends, and caregivers–without the patient’s permission. See 45 CFR 164.512(j). HIPAA expressly defers to the professional judgment of health care professionals when they make determinations about the nature and severity of the threat to health or safety. See 45 CFR 164.512(j)(4). Specifically, HIPAA presumes the health care professional is acting in good faith in making this determination, if the professional relies on his or her actual knowledge or on credible information from another person who has knowledge or authority. For example, a doctor whose patient has overdosed on opioids is presumed to have complied with HIPAA if, based on talking with or observing the patient, the doctor determines that the patient poses a serious and imminent threat to his or her own health. Even when HIPAA permits this disclosure, however, the disclosure must be consistent with applicable state law and standards of ethical conduct. HIPAA does not preempt any state law or professional ethics standards that would prevent a health care professional from sharing protected health information in the circumstances described here. For example, the doctor in this situation still may be subject to a state law that prohibits sharing information related to mental health or a substance use disorder without the patient’s consent in all circumstances, even if HIPAA would permit the disclosure.

For more information see OCR’s guidance, How HIPAA Allows Doctors to Respond to the Opioid Crisis, https://www.hhs.gov/sites/default/files/hipaa-opioid-crisis.pdf – PDF

October 2018

Tags: HIPPA, Mental Health

If an adult patient who may pose a danger to self stops coming to psychotherapy sessions and does not respond to attempts to make contact, does HIPAA permit the therapist to contact a family member to check on the patient’s well-being even if the patient has told the therapist that they do not want information shared with that person?

Yes, under two possible circumstances:

Given that the patient is no longer present, if the therapist determines, based on professional judgment, that there may be an emergency situation and that contacting the family member of the absent patient is in the patient’s best interests; or
If the disclosure is needed to lessen a serious and imminent threat and the family member is in a position to avert or lessen the threat.

In making the determination about the patient’s best interests, the provider may take into account the patient’s prior expressed preferences regarding disclosures of their information, if any, as well as the circumstances of the current situation. In either case, the health care provider may share or discuss only the information that the family member involved needs to know about the patient’s care or payment for care or the minimum necessary for the purpose of preventing or lessening the threatened harm.

Additionally, if the family member is a personal representative of the patient, the therapist may contact that person. However, a provider may decide not to treat someone as a personal representative if the provider believes that the patient has been or may be subject to violence, abuse, or neglect by the personal representative, or the patient may be endangered by treating the person as the personal representative; and the provider determines, in the exercise of professional judgment, that it is not in the best interests of the patient to treat the person as the personal representative. See 45 CFR 164.502(g)(5).

See Guidance on Sharing Information Related to Mental Health, https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html

Guidance on Personal Representatives, https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/personal-representatives/index.html

October 2018

Tags: HIPPA, Mental Health

When does HIPAA allow a hospital to notify an individual’s family, friends, or caregivers that a patient who has been hospitalized for a psychiatric hold has been admitted or discharged?

Hospitals may notify family, friends, or caregivers of a patient in several circumstances:

When the patient has a personal representative
A hospital may notify a patient’s personal representative about their admission or discharge and share other PHI with the personal representative without limitation. However, a hospital is permitted to refuse to treat a person as a personal representative if there are safety concerns associated with providing the information to the person, or if a health care professional determines that disclosure is not in the patient’s best interest.
When the patient agrees or does not object to family involvement
A hospital may notify a patient’s family, friends, or caregivers if the patient agrees, or doesn’t object, or if a health care professional is able to infer from the surrounding circumstances, using professional judgment that the patient does not object. This includes when a patient’s family, friends, or caregivers have been involved in the patient’s health care in the past, and the individual did not object.
When the patient becomes unable to agree or object and there has already been family involvement
When a patient is not present or cannot agree or object because of some incapacity or emergency, a health care provider may share relevant information about the patient with family, friends, or others involved in the patient’s care or payment for care if the health care provider determines, based on professional judgment, that doing so is in the best interest of the patient.

For example, a psychiatric hospital may determine that it is in the best interests of an incapacitated patient to initially notify a member of their household, such as a parent, roommate, sibling, partner, or spouse, and inform them about the patient’s location and general condition. This may include, for example, notifying a patient’s spouse that the patient has been admitted to the hospital.

If the health care provider determines that it is in the patient’s interest, the provider may share additional information that is directly related to the family member’s or friend’s involvement with the patient’s care or payment for care, after they clarify the person’s level of involvement. For example, a nurse treating a patient may determine that it is in the patient’s best interest to discuss with the patient’s adult child, who is the patient’s primary caregiver, the medications found in a patient’s backpack and ask about any other medications the patient may have at home.

Decision-making incapacity may be temporary or long-term. Upon a patient’s regaining decision-making capacity, health providers should offer the patient the opportunity to agree or object to sharing their health information with involved family, friends, or caregivers.
When notification is needed to lessen a serious and imminent threat of harm to the health or safety of the patient or others
A hospital may disclose the necessary protected health information to anyone who is in a position to prevent or lessen the threatened harm, including family, friends, and caregivers, without a patient’s agreement. HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health or safety. For example, a health care provider may determine that a patient experiencing a mental health crisis has ingested an unidentified substance and that the provider needs to contact the patient’s roommate to help identify the substance and provide the proper treatment, or the patient may have made a credible threat to harm a family member, who needs to be notified so he or she can take steps to avoid harm. OCR would not second guess a health care professional’s judgment in determining that a patient presents a serious and imminent threat to their own, or others’, health or safety.

October 2018

Tags: HIPPA, Mental Health

May a covered entity collect, use, and disclose criminal justice data under HIPAA?

Does HIPAA permit health care providers who are HIPAA covered entities to collect criminal justice data, such as data on arrests, jail days, and utilization of 911 services, and link the criminal justice data to their health data, for purposes of improving treatment and care coordination?

HIPAA does not limit the types of data that providers may seek or obtain about individual patients for treatment purposes. Treatment includes “the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.” 45 CFR 164.501. Other standards, such as professional ethics rules or state law, may address the scope of health care providers’ independent investigations and data collection pertaining to patients. Once a HIPAA covered provider obtains criminal justice data about an individual for treatment purposes, or otherwise combines the data with its PHI, the data held by the HIPAA covered entity is considered protected health information (PHI) and the HIPAA Rules would apply to protect the data.

Is criminal justice data protected health information (PHI) under HIPAA?

In some circumstances, yes. To the extent that criminal justice data is maintained by a HIPAA covered entity or its business associate and relates to the past, present, or future physical or mental health or condition of an individual or the provision of or payment for health care to an individual, it is PHI. For example, when a covered health care provider receives criminal justice data, either directly from the individual or from another source, in order to help inform the treatment and services that the provider will provide to that individual, or otherwise links the criminal justice data with its patient information, it is PHI.

Does HIPAA permit health care providers to disclose PHI that includes criminal justice data on individuals to other treating providers without obtaining an authorization from the individuals?

Yes, HIPAA permits a covered health care provider to disclose PHI for treatment purposes to other providers without having to first obtain an authorization from the individuals. This may include the disclosure of PHI for purposes of coordinating an individual’s care with other treatment facilities or emergency medical technicians (EMTs).

Does HIPAA permit multiple health care providers who are seeking to collect individuals’ criminal justice data and link it to the individuals’ health data to engage the services of or work with a third-party to do this on their behalf?

Yes. Multiple covered health care providers can contract with a third party to perform data aggregation and linkage services on their behalf, as long as the providers enter into a HIPAA-compliant business associate agreement (BAA) with the third party, and so long as the aggregation is for purposes permitted under HIPAA. (Such third parties are considered to be “business associates” (BAs) under HIPAA and have direct compliance obligations with certain aspects of the HIPAA Rules.) In these cases, the participating providers may enter into one, common business associate agreement with the third party.

The BAA then governs the subsequent uses and disclosures that the BA may make with the data. For example, the BA may be authorized by its BAA to share the PHI on behalf of the participating providers with each other or other providers for treatment purposes, including care coordination, or, subject to certain conditions, for health care operations purposes. For more information on exchanging PHI for treatment or health care operations purposes, please see:

Permitted Uses and Disclosures: Exchange for Treatment

www.healthit.gov/sites/default/files/exchange_treatment.pdf – PDF

Permitted Uses and Disclosures: Exchange for Health Care Operations

https://www.healthit.gov/sites/default/files/exchange_health_care_ops.pdf – PDF

Does HIPAA permit a health care provider to share the PHI of an individual that may include criminal justice data with a law enforcement official who has the individual in custody and is looking to ensure the individual is seen by the proper treatment facility?

A covered entity is permitted to disclose PHI in response to a request by a law enforcement official having lawful custody of an individual if the official represents that such PHI is needed to provide health care to the individual or for the health and safety of the individual. For more information on permitted disclosures to law enforcement under HIPAA, see OCR’s guidance on sharing protected health information with law enforcement:

http://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html

http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/final_hipaa_guide_law_enforcement.pdf – PDF

While HIPAA permits the disclosure of protected health information to law enforcement in these defined circumstances, other Federal and State laws may impose greater restrictions on the release of certain information, such as substance use disorder information, to law enforcement.

Does HIPAA permit health care providers to disclose PHI that includes criminal justice data to other public or private-sector entities providing social services (such as housing, income support, job training)?

In specified circumstances, yes. For example:

A covered entity may disclose PHI for treatment of the individual without having to obtain the authorization of the individual. Treatment includes the coordination of health care or related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party. Thus, health care providers who believe that disclosures to certain social service entities are a necessary component of or may help further the individual’s health care may disclose the minimum necessary PHI to such entities for treatment purposes without the individual’s authorization. For example, a provider may disclose PHI about a patient needing health care supportive housing to a service agency that arranges such services for individuals.
A covered entity may also disclose PHI to such entities with an authorization signed by the individual. HIPAA permits authorizations that refer to a class of persons who may receive or use the PHI. Thus, providers could in one authorization identify a broad range of social services entities that may receive the PHI if the individual agrees. For example, an authorization could indicate that PHI will be disclosed to “social services providers” for purposes of “housing, public benefits, counseling, and job readiness.”

Does HIPAA restrict the ability of law enforcement officials to use or disclose data they maintain on health or mental health indicators to help inform incident response (g., to ensure officers are prepared to stabilize individuals and/or to support diversion)?

In general, no. Most state and local police or other law enforcement agencies are not covered by HIPAA and thus, are not subject to HIPAA’s use and disclosure rules. HIPAA, however, does apply to the disclosure of health information by most health providers to law enforcement. For more information, see OCR’s HIPAA Guide for Law Enforcement at:

http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/final_hipaa_guide_law_enforcement.pdf – PDF

While HIPAA does not generally apply to use or disclosure of the data by law enforcement officials, other Federal and State laws may apply.

In the context of pre-arrest diversion, when does HIPAA permit a health care provider to share PHI with a law enforcement official without an individual’s authorization?

Calls for service dealing with attempted suicide or a mental health complaint. Sometimes a family will call 911 for law enforcement response for a family member in a mental health crisis. Other times, a business owner or a bystander calls to report unusual behavior (which often is an individual in crisis) and responding officers would benefit from knowing if the individual has a mental health condition. This type of information may enable officers to employ crisis intervention and de-escalation techniques that could reduce the likelihood of injury to both officers and individuals in a mental health crisis.

HIPAA permits a health care provider to share PHI with law enforcement, in conformance with other applicable laws and ethics rules, in order to “prevent or lessen a serious and imminent threat to the health or safety of an individual or the public.” 45 CFR 164.512(j). For example, if an individual makes a credible threat to inflict serious and imminent bodily harm, such as threatening to commit suicide, a provider may share with law enforcement the information needed to intervene. The provider may rely on a credible representation from a person with apparent knowledge of the situation or authority, such as a law enforcement official, when determining that the disclosure permission applies. See: http://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html

Other general calls: An officer is trying to determine whether an individual has a mental illness, substance abuse problem, or both, and needs to gain information about his or her condition in order to decide whether jail, emergency room, or some other program is needed.

If the individual is in lawful custody, a health care provider may disclose PHI to law enforcement pursuant to 45 CFR 164.512(k)(5) if the official represents that the information is needed to provide health care to the individual or to provide for the individual’s health and safety or the health and safety of the officers.

If the individual is not in lawful custody (see 45 CFR 164.512 (k)(5)), nor is a threat to self or others (see 45 CFR 164.512(j)), these provisions would not apply and the provider would need to obtain an authorization from the individual before disclosing PHI to law enforcement, unless another HIPAA provision applies (e.g., escaped inmate, apprehension of an admitted perpetrator of violent crime, etc.). See http://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html for additional provisions that may apply depending on the particular situation.

We note that substance use disorder treatment information may be subject to additional protections under 42 CFR part 2.

When is an individual, other than an inmate, considered to be within the “lawful custody” of law enforcement for purposes of 45 CFR 164.512(k)(5) of the HIPAA Privacy Rule? Is “lawful custody” limited to arrest and imminent arrest or does it apply to situations where an individual may be under the care or control of an officer, but not under arrest?

For purposes of the scope of permitted disclosures of PHI to law enforcement in custodial situations under 45 CFR 164.512(k)(5), HIPAA does not define the precise boundaries of “other persons in lawful custody.” As defined in HIPAA at 45 CFR 164.501, the term includes, but is not limited to: juvenile offenders adjudicated delinquent, non-citizens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial. In addition to these defined situations, lawful custody also includes those situations where an individual is under the care or control of an officer. This includes instances where an individual has been arrested, as well as situations where the individual has been detained by law enforcement and is not free to go, but is not under formal arrest. For example, this would include situations when an officer has detained an individual and seeks to determine whether diversion is appropriate. Lawful custody does not encompass pretrial release, probation, or parole.

Does HIPAA restrict a covered entity’s disclosure of PHI for treatment purposes to only those health care providers that are themselves covered by HIPAA?

No. A covered entity is permitted to disclose PHI for treatment purposes to any health care provider, including those that are not covered by HIPAA. In addition, HIPAA permits a covered health care provider to disclose PHI for the treatment of an individual to a third party, such as a social service agency, that is involved in the coordination or management of health care of that individual.

October 2018

Tags: HIPPA, Mental Health

Does HIPAA permit a doctor to contact a patient’s family or law enforcement if the doctor believes that the patient might hurt herself or someone else?

Yes. The Privacy Rule permits a health care provider to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when the provider believes the patient presents a serious and imminent threat to self or others. The scope of this permission is described in a letter to the nation’s health care providers – PDF.

Specifically, when a health care provider believes in good faith that such a warning is necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others, the Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat. These provisions may be found in the Privacy Rule at 45 CFR § 164.512(j).

Under these provisions, a health care provider may disclose patient information, including information from mental health records, if necessary, to law enforcement, family members of the patient, or any other persons who may reasonably be able to prevent or lessen the risk of harm. For example, if a mental health professional has a patient who has made a credible threat to inflict serious and imminent bodily harm on one or more persons, HIPAA permits the mental health professional to alert the police, a parent or other family member, school administrators or campus police, and others who may be able to intervene to avert harm from the threat.

In addition to professional ethical standards, most States have laws and/or court decisions which address, and in many instances require, disclosure of patient information to prevent or lessen the risk of harm. Providers should consult the laws applicable to their profession in the States where they practice, as well as 42 USC 290dd-2 and 42 CFR Part 2 under Federal law (governing the disclosure of alcohol and drug abuse treatment records) to understand their duties and authority in situations where they have information indicating a threat to public safety. Note that, where a provider is not subject to such State laws or other ethical standards, the HIPAA permission still would allow disclosures for these purposes to the extent the other conditions of the permission are met.

October 2018

Tags: HIPPA, Mental Health

If a law enforcement officer brings a patient to a hospital or other mental health facility to be placed on a temporary psychiatric hold, and requests to be notified if or when the patient is released, can the facility make that notification?

The Privacy Rule permits a HIPAA covered entity, such as a hospital, to disclose certain protected health information, including the date and time of admission and discharge, in response to a law enforcement official’s request, for the purpose of locating or identifying a suspect, fugitive, material witness, or missing person. See 45 CFR § 164.512(f)(2). Under this provision, a covered entity may disclose the following information about an individual: name and address; date and place of birth; social security number; blood type and rh factor; type of injury; date and time of treatment (includes date and time of admission and discharge) or death; and a description of distinguishing physical characteristics (such as height and weight). However, a covered entity may not disclose any protected health information under this provision related to DNA or DNA analysis, dental records, or typing, samples, or analysis of body fluids or tissue. The law enforcement official’s request may be made orally or in writing.

Other Privacy Rule provisions also may be relevant depending on the circumstances, such as where a law enforcement official is seeking information about a person who may not raise to the level of a suspect, fugitive, material witness, or missing person, or needs protected health information not permitted under the above provision. For example, the Privacy Rule’s law enforcement provisions also permit a covered entity to respond to an administrative request from a law enforcement official, such as an investigative demand for a patient’s protected health information, provided the administrative request includes or is accompanied by a written statement specifying that the information requested is relevant, specific and limited in scope, and that de-identified information would not suffice in that situation. The Rule also permits covered entities to respond to court orders and court-ordered warrants, and subpoenas and summonses issued by judicial officers. See 45 CFR § 164.512(f)(1). Further, to the extent that State law may require providers to make certain disclosures, the Privacy Rule would permit such disclosures of protected health information as “required-by-law” disclosures. See 45 CFR § 164.512(a).

Finally, the Privacy Rule permits a covered health care provider, such as a hospital, to disclose a patient’s protected health information, consistent with applicable legal and ethical standards, to avert a serious and imminent threat to the health or safety of the patient or others. Such disclosures may be to law enforcement authorities or any other persons, such as family members, who are able to prevent or lessen the threat. See 45 CFR § 164.512(j).

October 2018

Tags: HIPPA, Mental Health

If a doctor believes that a patient might hurt himself or herself or someone else, is it the duty of the provider to notify the family or law enforcement authorities?

A health care provider’s “duty to warn” generally is derived from and defined by standards of ethical conduct and State laws and court decisions such as Tarasoff v. Regents of the University of California. HIPAA permits a covered health care provider to notify a patient’s family members of a serious and imminent threat to the health or safety of the patient or others if those family members are in a position to lessen or avert the threat. Thus, to the extent that a provider determines that there is a serious and imminent threat of a patient physically harming self or others, HIPAA would permit the provider to warn the appropriate person(s) of the threat, consistent with his or her professional ethical obligations and State law requirements. See 45 CFR 164.512(j). In addition, even where danger is not imminent, HIPAA permits a covered provider to communicate with a patient’s family members, or others involved in the patient’s care, to be on watch or ensure compliance with medication regimens, as long as the patient has been provided an opportunity to agree or object to the disclosure and no objection has been made. See 45 CFR 164.510(b)(2).

October 2018

Tags: HIPPA, Mental Health

What constitutes a “serious and imminent” threat that would permit a health care provider to disclose PHI to prevent harm to the patient, another person, or the public without the patient’s authorization or permission?

HIPAA expressly defers to the professional judgment of health professionals in making determinations about the nature and severity of the threat to health or safety posed by a patient. OCR would not second guess a health professional’s good faith belief that a patient poses a serious and imminent threat to the health or safety of the patient or others and that the situation requires the disclosure of patient information to prevent or lessen the threat. Health care providers may disclose the necessary protected health information to anyone who is in a position to prevent or lessen the threatened harm, including family, friends, caregivers, and law enforcement, without a patient’s permission.

October 2018

Tags: HIPPA, Mental Health

Does HIPAA require a mental health provider to let a patient know that the provider is going to share information with others before disclosing PHI to prevent or lessen a serious and imminent threat?

Not at the time of disclosure; however, the Notice of Privacy Practices should contain an example of this type of disclosure so patients are informed in advance of that possibility. See 45 CFR 164.520(b). In situations that also involve reports to the appropriate government authority that the patient may be an adult victim of abuse, neglect, or domestic violence, the mental health provider must promptly inform the patient that a report has been or will be made, unless:

informing the patient would create a danger to the patient; or
the provider would be informing a personal representative, and the provider reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the patient is determined by the provider, in the exercise of professional judgment. See 45 CFR 164.512(c).

Other standards, such as clinical protocols, ethics rules, or state laws, may also be applicable to patient notification about disclosures in situations involving threats of imminent harm.

October 2018

Tags: HIPPA, Mental Health

How does HIPAA interact with the federal confidentiality rules for substance use disorder treatment information in an emergency situation—which rules should be followed?

A health provider that provides treatment for substance use disorders, including opioid abuse, needs to determine whether it is subject to 42 CFR Part 2 (i.e., a “Part 2 program”) and whether it is a covered entity under HIPAA. Generally, the Part 2 rules provide more stringent privacy protections than HIPAA, including in emergency situations. If an entity is subject to both Part 2 and HIPAA, it is responsible for complying with the more protective Part 2 rules, as well as with HIPAA. HIPAA is intended to be a set of minimum federal privacy standards, so it generally is possible to comply with HIPAA and other laws, such as 42 CFR Part 2, that are more protective of individuals’ privacy.

For example, HIPAA permits disclosure of protected health information (PHI) for treatment purposes (including in emergencies) without patient authorization, and allows PHI to be used or disclosed to lessen a threat of serious and imminent harm to the health or safety of the patient or others (which may occur as part of a health emergency) without patient authorization or permission. Because HIPAA permits, but does not require, disclosures for treatment or to prevent harm, if Part 2 restricts certain disclosures during an emergency, an entity subject to both sets of requirements could comply with Part 2’s restrictions without violating HIPAA.

October 2018

Tags: HIPPA, Mental Health

Does HIPAA provide extra protections for mental health information compared with other health information?

Generally, the Privacy Rule applies uniformly to all protected health information, without regard to the type of information. One exception to this general rule is for psychotherapy notes, which receive special protections. The Privacy Rule defines psychotherapy notes as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient’s medical record. Psychotherapy notes do not include any information about medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, or results of clinical tests; nor do they include summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date. Psychotherapy notes also do not include any information that is maintained in a patient’s medical record. See 45 CFR 164.501.

Psychotherapy notes are treated differently from other mental health information both because they contain particularly sensitive information and because they are the personal notes of the therapist that typically are not required or useful for treatment, payment, or health care operations purposes, other than by the mental health professional who created the notes. Therefore, with few exceptions, the Privacy Rule requires a covered entity to obtain a patient’s authorization prior to a disclosure of psychotherapy notes for any reason, including a disclosure for treatment purposes to a health care provider other than the originator of the notes. See 45 CFR 164.508(a)(2). A notable exception exists for disclosures required by other law, such as for mandatory reporting of abuse, and mandatory “duty to warn” situations regarding threats of serious and imminent harm made by the patient (State laws vary as to whether such a warning is mandatory or permissible).

October 2018

Tags: HIPPA, Mental Health

What options do family members of an adult patient with mental illness have if they are concerned about the patient’s mental health and the patient refuses to agree to let a health care provider share information with the family?

The HIPAA Privacy Rule permits a health care provider to disclose information to the family members of an adult patient who has capacity and indicates that he or she does not want the disclosure made, only to the extent that the provider perceives a serious and imminent threat to the health or safety of the patient or others and the family members are in a position to lessen the threat. Otherwise, under HIPAA, the provider must respect the wishes of the adult patient who objects to the disclosure. However, HIPAA in no way prevents health care providers from listening to family members or other caregivers who may have concerns about the health and well-being of the patient, so the health care provider can factor that information into the patient’s care.

In the event that the patient later requests access to the health record, any information disclosed to the provider by another person who is not a health care provider that was given under a promise of confidentiality (such as that shared by a concerned family member), may be withheld from the patient if the disclosure would be reasonably likely to reveal the source of the information. 45 CFR 164.524(a)(2)(v). This exception to the patient’s right of access to protected health information gives family members the ability to disclose relevant safety information with health care providers without fear of disrupting the family’s relationship with the patient.

October 2018

Tags: HIPPA, Mental Health

Does HIPAA prevent a school administrator, or a school doctor or nurse, from sharing concerns about a student’s mental health with the student’s parents or law enforcement authorities?

Student health information held by a school generally is subject to the Family Educational Rights and Privacy Act (FERPA), not HIPAA. HHS and the Department of Education have developed guidance clarifying the application of HIPAA and FERPA – PDF.

In the limited circumstances where the HIPAA Privacy Rule, and not FERPA, may apply to health information in the school setting, the Rule allows disclosures to parents of a minor patient or to law enforcement in various situations. For example, parents generally are presumed to be the personal representatives of their unemancipated minor child for HIPAA privacy purposes, such that covered entities may disclose the minor’s protected health information to a parent. See 45 CFR § 164.502 (g)(3). In addition, disclosures to prevent or lessen serious and imminent threats to the health or safety of the patient or others are permitted for notification to those who are able to lessen the threat, including law enforcement, parents or others, as relevant. See 45 CFR § 164.512(j).

October 2018

Tags: HIPPA, Mental Health

Does HIPAA permit health care providers to share protected health information (PHI) about an individual who has mental illness with other health care providers who are treating the same individual for care coordination/continuity of care purposes?

HIPAA permits health care providers to disclose to other health providers any protected health information (PHI) contained in the medical record about an individual for treatment, case management, and coordination of care and, with few exceptions, treats mental health information the same as other health information. Some examples of the types of mental health information that may be found in the medical record and are subject to the same HIPAA standards as other protected health information include:

medication prescription and monitoring
counseling session start and stop times
the modalities and frequencies of treatment furnished
results of clinical tests
summaries of: diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date.

HIPAA generally does not limit disclosures of PHI between health care providers for treatment, case management, and care coordination, except that covered entities must obtain individuals’ authorization to disclose separately maintained psychotherapy session notes for such purposes. Covered entities should determine whether other rules, such as state law or professional practice standards place additional limitations on disclosures of PHI related to mental health.

For more information see:

Does HIPAA provide extra protections for mental health information compared with other health information?

October 2018

Tags: HIPPA, Mental Health

Does HIPAA permit health care providers to share protected health information (PHI) about an individual with mental illness with a third party that is not a health care provider for continuity of care purposes? For example, can a health care provider refer a homeless patient to a social services agency, such as a housing provider, when doing so may reveal that the basis for eligibility is related to mental health?

HIPAA, with few exceptions, treats all health information, including mental health information, the same. HIPAA allows health care providers to disclose protected health information (PHI), including mental health information, to other public or private-sector entities providing social services (such as housing, income support, job training) in specified circumstances. For example:

A health care provider may disclose a patient’s PHI for treatment purposes without having to obtain the authorization of the individual. Treatment includes the coordination or management of health care by a health care provider with a third party. Health care means care, services, or supplies related to the health of an individual. Thus, health care providers who believe that disclosures to certain social service entities are a necessary component of, or may help further, the individual’s health or mental health care may disclose the minimum necessary PHI to such entities without the individual’s authorization. For example, a provider may disclose PHI about a patient needing mental health care supportive housing to a service agency that arranges such services for individuals.
A covered entity may also disclose PHI to such entities pursuant to an authorization signed by the individual. HIPAA permits authorizations that refer to a class of persons who may receive or use the PHI. Thus, providers could in one authorization identify a broad range of social services entities that may receive the PHI if the individual agrees. For example, an authorization could indicate that PHI will be disclosed to “social services providers” for purposes of “supportive housing, public benefits, counseling, and job readiness.”

October 2018

Tags: HIPPA, Mental Health

How are covered entities expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?

The HIPAA Privacy Rule requires a covered entity to make reasonable efforts to limit use, disclosure of, and requests for protected health information to the minimum necessary to accomplish the intended purpose. To allow covered entities the flexibility to address their unique circumstances, the Rule requires covered entities to make their own assessment of what protected health information is reasonably necessary for a particular purpose, given the characteristics of their business and workforce, and to implement policies and procedures accordingly. This is not an absolute standard and covered entities need not limit information uses or disclosures to those that are absolutely needed to serve the purpose. Rather, this is a reasonableness standard that calls for an approach consistent with the best practices and guidelines already used by many providers and plans today to limit the unnecessary sharing of medical information.

The minimum necessary standard requires covered entities to evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to protected health information. It is intended to reflect and be consistent with, not override, professional judgment and standards. Therefore, it is expected that covered entities will utilize the input of prudent professionals involved in health care activities when developing policies and procedures that appropriately limit access to personal health information without sacrificing the quality of health care.

October 2018

Tags: HIPPA, Minimum Necessary

Won’t the HIPAA Privacy Rule’s minimum necessary restrictions impede the delivery of quality health care by preventing or hindering necessary exchanges of patient medical information among health care providers involved in treatment?

No. Disclosures for treatment purposes (including requests for disclosures) between health care providers are explicitly exempted from the minimum necessary requirements.

Uses of protected health information for treatment are not exempt from the minimum necessary standard. However, the Privacy Rule provides the covered entity with substantial discretion with respect to how it implements the minimum necessary standard, and appropriately and reasonably limits access to identifiable health information within the covered entity. The Rule recognizes that the covered entity is in the best position to know and determine who in its workforce needs access to personal health information to perform their jobs. Therefore, the covered entity may develop role-based access policies that allow its health care providers and other employees, as appropriate, access to patient information, including entire medical records, for treatment purposes.

October 2018

Tags: HIPPA, Minimum Necessary

Do the HIPAA Privacy Rule’s minimum necessary requirements prohibit medical residents, medical students, nursing students, and other medical trainees from accessing patient medical information in the course of their training?

No. The definition of “health care operations” in the Privacy Rule provides for “conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers.” Covered entities can shape their policies and procedures for minimum necessary uses and disclosures to permit medical trainees access to patients’ medical information, including entire medical records.

October 2018

Tags: HIPPA, Minimum Necessary

Must the HIPAA Privacy Rule’s minimum necessary standard to be applied to uses or disclosures that are authorized by an individual?

No. Uses and disclosures that are authorized by the individual are exempt from the minimum necessary requirements. For example, if a covered health care provider receives an individual’s authorization to disclose medical information to a life insurer for underwriting purposes, the provider is permitted to disclose the information requested on the authorization without making any minimum necessary determination. The authorization must meet the requirements of 45 CFR 164.508.

October 2018

Tags: HIPPA, Minimum Necessary

Are providers required to make a minimum necessary determination to disclose to Federal or state agencies, such as the Social Security Administration (SSA) or its affiliated agencies, for individuals’ applications for federal or state benefits?

No. These disclosures must be authorized by an individual and, therefore, are exempt from the HIPAA Privacy Rule’s minimum necessary requirements. Furthermore, use of the provider’s own authorization form is not required. Providers can accept an agency’s authorization form as long as it meets the requirements of 45 CFR 164.508 of the Privacy Rule.

October 2018

Tags: HIPPA, Minimum Necessary

Doesn’t the HIPAA Privacy Rule minimum necessary standard conflict with the HIPAA transaction standards?

No, because the Privacy Rule exempts from the minimum necessary standard any uses or disclosures that are required for compliance with the applicable requirements of the transactions standards, including disclosures of all data elements that are required or situationally required in those transactions. See 45 CFR 164.502(b)(2)(vi).

However, covered entities have significant discretion as to the information included in the transactions as optional data elements. Therefore, the minimum necessary standard does apply to the optional data elements. The transactions standard adopted for the outpatient pharmacy sector is an example of a standard that uses optional data elements. The health plan, or payer, currently specifies which of the optional data elements are needed for payment of its particular pharmacy claims. The health plan or its business associates must apply the minimum necessary standard when requesting this information. In this example, a pharmacist may reasonably rely on the health plan’s request for information as the minimum necessary for the intended disclosure. For example, as part of a routine protocol, the name of the individual may be requested by the payer as the minimum necessary to validate the identity of the claimant or for drug interaction or other patient safety reasons.

October 2018

Tags: HIPPA, Minimum Necessary

Does the HIPAA Privacy Rule strictly prohibit the use, disclosure, or request of an entire medical record? If not, are case-by-case justifications required each time the entire medical record is disclosed?

No. The Privacy Rule does not prohibit the use, disclosure, or request of an entire medical record; and a covered entity may use, disclose, or request an entire medical record without a case-by-case justification, if the covered entity has documented in its policies and procedures that the entire medical record is the amount reasonably necessary for certain identified purposes.

For uses, the policies and procedures would identify those persons or classes of person in the workforce that need to see the entire medical record and the conditions, if any, that are appropriate for such access. Policies and procedures for routine disclosures and requests and the criteria used for non-routine disclosures and requests would identify the circumstances under which disclosing or requesting the entire medical record is reasonably necessary for particular purposes.The Privacy Rule does not require that a justification be provided with respect to each distinct medical record.

Finally, no justification is needed in those instances where the minimum necessary standard does not apply, such as disclosures to or requests by a health care provider for treatment purposes or disclosures to the individual who is the subject of the protected health information.

October 2018

Tags: HIPPA, Minimum Necessary

A provider might have a patient’s medical record that contains older portions of a medical record that were created by another previous provider. Will the HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete medical record even though portions of the record were created by other providers?

Yes, the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.

October 2018

Tags: HIPPA, Minimum Necessary

In limiting access, are covered entities required to completely restructure existing workflow systems, including redesigning office space and upgrading computer systems, in order to comply with the HIPAA Privacy Rule’s minimum necessary requirements?

No. The basic standard for minimum necessary uses requires that covered entities make reasonable efforts to limit access to protected health information to those in the workforce that need access based on their roles in the covered entity.

The Department generally does not consider facility redesigns as necessary to meet the reasonableness standard for minimum necessary uses. However, covered entities may need to make certain adjustments to their facilities to minimize access, such as isolating and locking file cabinets or records rooms, or providing additional security, such as passwords, on computers maintaining personal information.

Covered entities should also take into account their ability to configure their record systems to allow access to only certain fields, and the practicality of organizing systems to allow this capacity. For example, it may not be reasonable for a small, solo practitioner who has largely a paper-based records system to limit access of employees with certain functions to only limited fields in a patient record, while other employees have access to the complete record. In this case, appropriate training of employees may be sufficient. Alternatively, a hospital with an electronic patient record system may reasonably implement such controls, and therefore, may choose to limit access in this manner to comply with the Privacy Rule.

October 0218

Tags: HIPPA, Minimum Necessary

Is a covered entity required to apply the HIPAA Privacy Rule’s minimum necessary standard to a disclosure of protected health information it makes to another covered entity?

Covered entities are required to apply the minimum necessary standard to their own requests for protected health information. One covered entity may reasonably rely on another covered entity’s request as the minimum necessary, and then does not need to engage in a separate minimum necessary determination. See 45 CFR 164.514(d)(3)(iii).

The HIPAA Privacy Rule is intended to be flexible enough to address the various types of relationships that covered health care providers may have with the individuals they treat, including those treatment situations that are not face-to-face. For example, a health care provider who first treats a patient over the phone satisfies the notice provision requirements of the Privacy Rule by mailing the notice to the individual the same day, if possible. To satisfy the requirement that the provider also make a good faith effort to obtain the individual’s acknowledgment of the notice, the provider may include a tear-off sheet or other document with the notice that requests that the acknowledgment be mailed back to the provider. The health care provider is not in violation of the Rule if the individual chooses not to mail back an acknowledgment; and a file copy of the form sent to the patient would be adequate documentation of the provider’s good faith effort to obtain the acknowledgment.

Where a health care provider’s initial contact with the patient is simply to schedule an appointment or a procedure, the notice provision and acknowledgment requirements may be satisfied at the time the individual arrives at the provider’s facility for his or her appointment.

For service provided electronically, the notice must be sent electronically automatically and contemporaneously in response to the individual’s first request for service. In this situation, an electronic return receipt or other return transmission from the individual is considered a valid written acknowledgment of the notice.

October 2018

Tags: Notice of Privacy, HIPPA

We participate in an organized health care arrangement (OHCA). How are we to comply with the HIPAA Privacy Rule’s requirements for providing notices and obtaining individuals’ acknowledgements of the notice?

Health care providers and other covered entities that participate in an organized health care arrangement (OHCA) may use a single, joint notice that covers all of the participating covered entities (provided that the conditions at 45 CFR 164.520(d) are met), or may each maintain separate notices. Where a joint notice is provided to an individual by any one of the covered entities to which the joint notice applies, the Privacy Rule’s requirements for providing the notice are satisfied for all others covered by the joint notice. If the joint notice is provided to an individual by a direct treatment provider participating in the OHCA, the provider must make a good faith effort to obtain the individual’s written acknowledgment of receipt of the joint notice. Where the joint notice is provided to the individual by a participating covered entity other than a direct treatment provider, no acknowledgment need be obtained.

However, where covered entities participating in an OHCA choose to maintain separate notices, each covered entity from which an individual obtains services must provide its notice to the individual in accordance with the applicable requirements of 45 CFR 164.520(c). In addition, each direct treatment provider within the OHCA must make a good faith effort to obtain the individual’s acknowledgment of the notice he or she provides.

October 2018

Tags: Notice of Privacy, HIPPA

Does a health plan have to provide a copy of its notice to each dependent receiving coverage under a policy?

No. A health plan satisfies the HIPAA Privacy Rule’s requirements for providing the notice by distributing its notice only to the named insured of a policy under which coverage is provided both to the named insured and his or her dependents. See 45 CFR 164.520(c)(1)(iii).

October 2018

Tags: Notice of Privacy, HIPPA

For group health plan products, can the health plan send its notice to the administrator of the group product or the plan sponsor for them to distribute to each employee enrolled in the plan?

The HIPAA Privacy Rule requires a health plan to distribute its notice to each individual covered by the plan. Health plans may arrange to have another person or entity, for example, a group administrator or a plan sponsor, distribute the notice on their behalf. However, if the other person or entity fails to distribute the notice to the plan’s enrollees, the health plan may be in violation of the Privacy Rule.

October 2018

Tags: Notice of Privacy, HIPPA

As a pediatrician, am I required to give my notice of privacy practices to the children I treat?

The HIPAA Privacy Rule requires a covered health care provider with a direct treatment relationship with the individual to provide the notice to the individual receiving treatment no later than the date of first service delivery. In cases where the individual has a personal representative, as is generally the case when a parent brings a child in for treatment, the provider satisfies the notice distribution requirements by providing the notice to the personal representative (e.g., the child’s parent), and making a good faith effort to obtain the personal representative’s acknowledgment of the notice.

October 2018

Tags: Notice of Privacy, HIPPA

Does the HIPAA Privacy Rule change the way in which a person can grant another person health care power of attorney?

No. Nothing in the Privacy Rule changes the way in which an individual grants another person power of attorney for health care decisions. State law (or other law) regarding health care powers of attorney continue to apply. The intent of the provisions regarding personal representatives was to complement, not interfere with or change, current practice regarding health care powers of attorney or the designation of other personal representatives. Such designations are formal, legal actions which give others the ability to exercise the rights of, or make treatment decisions related to, an individual. The Privacy Rule provisions regarding personal representatives generally grant persons, who have authority to make health care decisions for an individual under other law, the ability to exercise the rights of that individual with respect to health information.

October 2018

Tags: Personal Representatives, minor, HIPPA

If someone has a health care power of attorney for an individual, can they obtain access to that individual’s medical record?

Yes, an individual that has been given a health care power of attorney will have the right to access the medical records of the individual related to such representation to the extent permitted by the HIPAA Privacy Rule at 45 CFR 164.524.

However, when a physician or other covered entity reasonably believes that an individual, including an unemancipated minor, has been or may be subjected to domestic violence, abuse or neglect by the personal representative, or that treating a person as an individual’s personal representative could endanger the individual, the covered entity may choose not to treat that person as the individual’s personal representative, if in the exercise of professional judgment, doing so would not be in the best interests of the individual.

October 2018

Tags: Personal Representatives, minor, HIPPA

State or other law determines who is authorized to act on an individual’s behalf, thus the Privacy Rule does not address how personal representatives should be identified. Covered entities should continue to identify personal representatives the same way they have in the past. However, the HIPAA Privacy Rule does require covered entities to verify a personal representative’s authority in accordance with 45 CFR 164.514(h).

October 2018

Tags: Personal Representatives, minor, HIPPA

If a child receives emergency medical care without a parent’s consent, can the parent get all information about the child’s treatment and condition?

Generally, yes. Even though the parent did not consent to the treatment in this situation, the parent would be the child’s personal representative under the HIPAA Privacy Rule. This would not be so when the parent does not have authority to act for the child (e.g., parental rights have been terminated), when expressly prohibited by State or other applicable law, or when the covered entity, in the exercise of professional judgment, believes that providing such information would not be in the best interest of the individual because of a reasonable belief that the individual may be subject to abuse or neglect by the personal representative, or that doing so would otherwise endanger the individual.

October 2018

Tags: Personal Representatives, minor, HIPPA

Does the HIPAA Privacy Rule provide rights for children to be treated without parental consent?

No. The Privacy Rule does not address consent to treatment, nor does it preempt or change State or other laws that address consent to treatment. The Rule addresses access to, and disclosure of, health information, not the underlying treatment.

October 2018

Tags: Personal Representatives, minor, HIPPA

Does the HIPAA Privacy Rule preempt state laws?

The HIPAA Privacy Rule provides a Federal floor of privacy protections for individuals’ individually identifiable health information where that information is held by a covered entity or by a business associate of the covered entity. State laws that are contrary to the Privacy Rule are preempted by the Federal requirements, unless a specific exception applies. These exceptions include if the State law:

relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information,
provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention, or
requires certain health plan reporting, such as for management or financial audits. In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule.

In addition, the Department of Health and Human Services (HHS) may, upon specific request from a State or other entity or person, determine that a provision of State law which is “contrary” to the Federal requirements – as defined by the HIPAA Administrative Simplification Rules – and which meets certain additional criteria, will not be preempted by the Federal requirements. Thus, preemption of a contrary State law will not occur if the Secretary or designated HHS official determines, in response to a request, that one of the following criteria apply: the State law:

is necessary to prevent fraud and abuse related to the provision of or payment for health care,
is necessary to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation,
is necessary for State reporting on health care delivery or costs,
is necessary for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or
has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.

It is important to recognize that only State laws that are “contrary” to the Federal requirements are eligible for an exemption determination. As defined by the Administrative Simplification Rules, contrary means that it would be impossible for a covered entity to comply with both the State and Federal requirements, or that the provision of State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA.

See 45 C.F.R. Part 160, Subpart B, for specific requirements related to preemption of State law. View an unofficial version of the Privacy Rule and the preemption requirements. – PDF

October 2018

Tags: Preemption of State Law, minor, HIPPA

How does the HIPAA Privacy Rule reduce the potential for conflict with state laws?

The Privacy Rule is designed to minimize conflicts between Federal requirements and those of State law in the following ways:

– The Privacy Rule establishes a floor of Federal privacy protections and individual rights with respect to individually identifiable health information held by covered entities and their business associates. Covered entities may provide greater privacy rights to individuals and greater protections on such information. In addition, covered entities may comply with State laws that provide greater protections for individually identifiable health information and greater privacy rights for individuals.

– The Privacy Rule permits a covered entity to use or disclose protected health information if a State law requires the use or disclosure. See 45 C.F.R. 164.512(a).

– The Privacy Rule permits a covered entity to disclose protected health information to a public health authority who is authorized by law to collect such information for the purposes of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions. (See 45 C.F.R. 164.512(b) for all of the public health disclosures permitted by the Privacy Rule.) Thus, State laws that provide for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation, or intervention, likely will not conflict with the Privacy Rule. In the unusual case where there is a conflict, the State law would stand. See 45 C.F.R. 160.203(c). Because the Administrative Simplification Rules themselves exempt such State laws from preemption, a request for the Department of Health and Human Services (HHS) to issue a preemption exception determination is unnecessary and inappropriate.

– The Privacy Rule permits a covered entity to disclose protected health information to a health oversight agency for oversight activities authorized by law, such as audits and licensure activities. See 45 C.F.R. 164.512(d). Thus, State laws that provide for certain health plan reporting for the purpose of management or financial audits, program monitoring and evaluation, or the licensure or certification of facilities or individuals, likely will not conflict with the Privacy Rule. In the unusual case where there is a conflict, the State law would stand. See 45 C.F.R. 160.203(d). Because the Administrative Simplification Rules themselves exempt such State laws from preemption, a request for the Department of Health and Human Services (HHS) to issue a preemption exception determination is unnecessary and inappropriate.

October 2018

Tags: Preemption of State Law, minor, HIPPA

How do I know if a state law is “contrary” to the HIPAA Privacy Rule?

A State law is “contrary” to the HIPAA Privacy Rule if it would be impossible for a covered entity to comply with both the State law and the Federal Privacy Rule requirements, or if the State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA. See the definition of “contrary” at 45 C.F.R. 160.202.

For example, a State law that prohibits the disclosure of protected health information to an individual who is the subject of the information may be contrary to the Privacy Rule, which requires the disclosure of protected health information to an individual in certain circumstances. With certain exceptions, the Privacy Rule preempts “contrary” State laws. See 45 C.F.R. Part 160, Subpart B. View an unofficial version of the Privacy Rule and the preemption requirements. – PDF

October 2018

Tags: Preemption of State Law, minor, HIPPA

How do I know if a state law is “more stringent” than the HIPAA Privacy Rule?

In general, a State law is “more stringent” than the HIPAA Privacy Rule if it relates to the privacy of individually identifiable health information and provides greater privacy protections for individuals’ identifiable health information, or greater rights to individuals with respect to that information, than the Privacy Rule does. See the definition of “more stringent” at 45 C.F.R. 160.202 for the specific criteria. For example, a State law that provides individuals with a right to inspect and obtain a copy of their medical records in a more timely manner than the Privacy Rule is “more stringent” than the Privacy Rule.

In the unusual case where a more stringent provision of State law is contrary to a provision of the Privacy Rule, the Privacy Rule provides an exception to preemption for the more stringent provision of State law, and the State law prevails. Where the more stringent State law and Privacy Rule are not contrary, covered entities must comply with both laws.

See 45 C.F.R. Part 160, Subpart B, for specific requirements related to preemption of State law. View an unofficial version of the Privacy Rule and the preemption requirements. – PDF

October 2018

Tags: Preemption of State Law, minor, HIPPA

Under what circumstances will HHS grant a state law preemption exception determination?

The Department of Health and Human Services (HHS) may, upon specific request from a State or other entity or person, issue a determination that a contrary State law which meets certain criteria will not be preempted by the Federal requirements. Only State laws that are “contrary” to the Federal requirements are eligible for an exemption determination. As defined by HIPAA’s Administrative Simplification Rules, “contrary” means that it would be impossible for a covered entity to comply with both the State and Federal requirements, or that the State law is an obstacle to accomplishing the full purposes and objectives of the Administrative Simplification provisions of HIPAA. See 45 C.F.R. 160.202.

A contrary State law is not preempted by the Federal requirements if the Secretary or designated HHS official determines that the request meets one or more of the following criteria, which are set forth in 45 C.F.R. 160.203(a):

The provision of State law is necessary
- to prevent fraud and abuse related to the provision of or payment for health care,
- to ensure appropriate State regulation of insurance and health plans to the extent expressly authorized by statute or regulation,
- for State reporting on health care delivery and costs, or
- for purposes of serving a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or
The principal purpose of the provision of State law is to regulate the manufacture, registration, distribution, dispensing, or other control of any controlled substances (as defined in 21 U.S.C. 802), or that is deemed a controlled substance by State law.

Thus, States and other persons may request in writing that HHS except certain contrary provisions of State law from preemption by the Privacy Rule. The request for exception must explain how the State law in question is actually contrary to the Federal requirements, and how the contrary State law meets one or more of the specific criteria for which exceptions may be granted. Title 45 C.F.R. Part 160, Subpart B, sets forth the specific requirements related to preemption of State law and the criteria and process for requesting exception determinations.

HHS will not make determinations as to whether a provision of State law is “more stringent” than a provision of the HIPAA Privacy Rule, and will not determine whether a provision is “contrary” to the Privacy Rule, except in the context of, and as necessary to, making an exception determination.

See 45 C.F.R. Part 160, Subpart B, for specific requirements related to preemption of State law. View an unofficial version of the Privacy Rule and the preemption requirements. – PDF

October 2018

Tags: Preemption of State Law, minor, HIPPA

My state law provides greater privacy protections on patients’ HIV information than the HIPAA Privacy Rule. Is this more protective state law preempted by the Privacy Rule?

No. The Privacy Rule establishes a floor of Federal privacy protections and rights for individuals. If a provision of State law provides greater privacy protection than a provision of the Privacy Rule, and it is possible to comply with both the State law and the Privacy Rule (e.g., where a State law prohibits the disclosure of HIV status while the Privacy Rule permits such disclosure), there is no conflict between the State law and the Privacy Rule, and no preemption.

Further, even in the unusual case where a “more stringent” provision of a State law is “contrary” to a provision of the Privacy Rule – that is, it is impossible to comply with both the Privacy Rule and the State law, or the State law is an obstacle to accomplishing the full purposes and objectives of HIPAA’s Administrative Simplification provisions – the Administrative Simplification Rules specifically provide an exception to preemption of State law. Thus, if a more stringent provision of State law protects HIV patient information and is contrary to the Privacy Rule, the “more stringent” State law would prevail. Because HIPAA’s Administrative Simplification Rules themselves except more stringent, contrary State law from preemption, it is neither necessary nor appropriate to request a preemption exception determination from the Department of Health and Human Services.

See 45 C.F.R. 160.202 for the definitions of “more stringent” and “contrary,” and 45 C.F.R. 160.203 for the general rule and exceptions to preemption. View an unofficial version of the Privacy Rule and the preemption requirements. – PDF

October 2018

Tags: Preemption of State Law, minor, HIPPA

My state law authorizes health care providers to report suspected child abuse to the state department of health and social services. Does the HIPAA Privacy Rule preempt this state law?

No. The Privacy Rule permits covered health care providers and other covered entities to disclose reports of child abuse or neglect to public health authorities or other appropriate government authorities. See 45 C.F.R. 164.512(b)(1)(ii). Thus, there is no conflict between the State law and the Privacy Rule, and no preemption. Covered entities may report such information and be in compliance with both the State law and the Privacy Rule.

Further, even in the unusual case where a State law that provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention is contrary to a provision of the Privacy Rule – that is, it is impossible for a covered entity to comply with both the Privacy Rule and the State law, or the State law is an obstacle to accomplishing the full purposes and objectives of HIPAA’s Administrative Simplification provisions – the Administrative Simplification Rules specifically provide an exception to preemption of State law. Thus, if a provision of State law provided for public health surveillance and was contrary to the Privacy Rule, the State law would prevail. Because the Administrative Simplification Rules except such contrary State laws from preemption, it is neither necessary nor appropriate to request a preemption exception determination from the Department of Health and Human Services.

See 45 C.F.R. 160.202 for the definition of “contrary” and 45 C.F.R. 160.203 for the general rule and exceptions to preemption. View an unofficial version of the Privacy Rule and the preemption requirements. – PDF

October 2018

Tags: Privacy Rule, HIPPA

Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?

For the average health care provider or health plan, the Privacy Rule requires activities, such as:

Notifying patients about their privacy rights and how their information can be used.
Adopting and implementing privacy procedures for its practice, hospital, or plan.
Training employees so that they understand the privacy procedures.
Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Responsible health care providers and businesses already take many of the kinds of steps required by the Rule to protect patients’ privacy. Covered entities of all types and sizes are required to comply with the Privacy Rule. To ease the burden of complying with the new requirements, the Privacy Rule gives needed flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs. The scalability of the Rule provides a more efficient and appropriate means of safeguarding protected health information than would any single standard. For example,

The privacy official at a small physician practice may be the office manager, who will have other non-privacy related duties; the privacy official at a large health plan may be a full-time position, and may have the regular support and advice of a privacy staff or board.
The training requirement may be satisfied by a small physician practice’s providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.
The policies and procedures of small providers may be more limited under the Rule than those of a large hospital or health plan, based on the volume of health information maintained and the number of interactions with those within and outside of the health care system.

Learn more about health information privacy.

October 2018

Tags: Privacy Rule, HIPPA

When did covered entities have to meet these HIPAA privacy standards?

As Congress required in HIPAA, most covered entities had until April 14, 2003 to come into compliance with these standards, as modified by the August, 2002 final Rule. Small health plans had an additional year – until April 14, 2004 – to come into compliance.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is providing assistance to help covered entities prepare to comply with the Rule. Visit the OCR Privacy web site for helpful information, such as guidance, frequently asked questions, sample “business associate” contract provisions, significant reference documents, and other technical assistance information for consumers and the health care industry.

October 2018

Tags: Privacy Rule, HIPPA

Why was the consent requirement eliminated from the HIPAA Privacy Rule, and how will it affect individuals’ privacy protections?

The consent requirement created the unintended effect of preventing health care providers from providing timely, quality health care to individuals in a variety of circumstances. The most troubling and pervasive problem was that health care providers would not have been able to use or disclose protected health information for treatment, payment, or health care operations purposes prior to the initial face-to-face encounter with the patient, which is routinely done to provide timely access to quality health care. The following are some examples of how the consent requirement would have posed barriers to health care:

– Pharmacists would not have been able to fill a prescription, search for potential drug interactions, determine eligibility, or verify coverage before the individual arrived at the pharmacy to pick up the prescription if the individual had not already provided consent under the Privacy Rule.

– Hospitals would not have been able to use information from a referring physician to schedule and prepare for procedures before the individual presented at the hospital for such procedure, or the patient would have had to make a special trip to the hospital to sign the consent form.

– Providers who do not provide treatment in person (such as a provider prescribing over the telephone) may have been unable to provide care because they would have had difficulty obtaining prior written consent to use protected health information at the first service delivery.

– Emergency medical providers were concerned that, even if a situation was urgent, they would have had to try to obtain consent to comply with the Privacy Rule, even if that would be inconsistent with the appropriate practice of emergency medicine.

– Emergency medical providers were also concerned that the requirement that they attempt to obtain consent as soon as reasonably practicable after an emergency would have required significant efforts and administrative burden which might have been viewed as harassing by patients, because these providers typically do not have ongoing relationships with individuals.

To eliminate such barriers to health care, mandatory consent was replaced with the voluntary consent provision that permits health care providers to obtain consent for treatment, payment and healthcare operations, at their option, and enables them to obtain consent in a manner that does not disrupt needed treatment. Although consent is no longer mandatory, the Rule still affords individuals the opportunity to engage in important discussions regarding the use and disclosure of their health information through the strengthened notice requirement, while allowing activities that are essential to quality health care to occur unimpeded. These modifications will ensure that the Rule protects patient privacy as intended without harming consumers’ access to care or the quality of that care. Further, the individual’s right to request restrictions on the use or disclosure of his or her protected health information is retained in the Rule as modified.

Learn more about health information privacy.

October 2018

Tags: Privacy Rule, HIPPA

Will the Department of Health and Human Services (HHS) make future changes to the HIPAA Privacy Rule and, if so, how will these changes be made?

Under HIPAA, HHS has the authority to modify the privacy standards as the Secretary may deem appropriate. However, a standard can be modified only once in a 12-month period.

As a general rule, future modifications to the Privacy Rule must be made in accordance with the Administrative Procedure Act (APA). HHS will comply with the APA by publishing proposed rule changes, if any, in the Federal Register through a Notice of Proposed Rulemaking and will invite comment from the public. After reviewing and addressing those comments, HHS will issue a modified final rule.

Learn more about health information privacy.

October 2018

Tags: Privacy Rule, HIPPA

Does the HIPAA Privacy Rule create a government database with all individuals’ personal health information?

No. The Privacy Rule does not create such a government database or require a physician or any other covered entity to send medical information to the Federal government for a government database or similar operation.

October 2018

Tags: Privacy Rule, HIPPA

How does the HIPAA Privacy Rule affect my rights under the Federal Privacy Act?

The Privacy Act of 1974 (U.S. Department of Justice) protects personal information about individuals held by the Federal government. Covered entities that are Federal agencies or Federal contractors that maintain records that are covered by the Privacy Act not only must obey the Privacy Rule’s requirements, but also must comply with the Privacy Act.

October 2018

Tags: Privacy Rule, HIPPA

Does the HIPAA Privacy Rule protect genetic information?

Yes, genetic information is health information protected by the Privacy Rule. Like other health information, to be protected it must meet the definition of protected health information: it must be individually identifiable and maintained by a covered health care provider, health plan, or health care clearinghouse. See 45 C.F.R 160.103 and 164.501.

October 2018

Tags: Privacy Rule, HIPPA

Does the HIPAA Privacy Rule require that covered entities document all oral communications?

No. The Privacy Rule does not require covered entities to document any information, including oral information, that is used or disclosed for treatment, payment or health care operations.

The Rule includes, however, documentation requirements for some information disclosures for other purposes. For example, some disclosures must be documented in order to meet the standard for providing a disclosure history to an individual upon request. Where a documentation requirement exists in the Rule, it applies to all relevant communications, whether in oral or some other form. For example, if a covered physician discloses information about a case of tuberculosis to a public health authority as permitted by the Rule at 45 CFR 164.512, then he or she must maintain a record of that disclosure regardless of whether the disclosure was made orally, by phone, or in writing.

October 2108

Tags: Privacy Rule, HIPPA

Must a health care provider or other covered entity obtain permission from a patient prior to notifying public health authorities of the occurrence of a reportable disease?

No. All States have laws that require providers to report cases of specific diseases to public health officials. The HIPAA Privacy Rule permits disclosures that are required by law. Furthermore, disclosures to public health authorities that are authorized by law to collect or receive information for public health purposes are also permissible under the Privacy Rule. In order to do their job of protecting the health of the public, it is frequently necessary for public health officials to obtain information about the persons affected by a disease. In some cases they may need to contact those affected in order to determine the cause of the disease to allow for actions to prevent further illness.

The Privacy Rule continues to allow for the existing practice of sharing protected health information with public health authorities that are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting deaths and births, investigating the occurrence and cause of injury and disease, and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices.

October 2018

Tags: Public health uses and disclosures, HIPPA

Covered entities may identify persons responsible for an FDA-regulated product by using the product label, the literature that accompanies the product, or other sources of labeling, such as the Physician’s Desk Reference. If multiple persons are named, covered entities may choose any of the persons named by these sources.

October 2018

Tags: Public health uses and disclosures, HIPPA

Is a covered entity permitted to disclose protected health information under the HIPAA Privacy Rule’s public health provision when the link between an averse event and a product regulated by the Food and Drug Administration (FDA) is only suspected?

Yes. In most instances when a covered entity makes an adverse event report to a person responsible for an FDA-regulated product, the covered entity will suspect, but not know, the product is the cause of the event. Determining whether the product is related to the adverse event almost always requires follow up with the covered entity which in turn may need further contact with the patient.

FDA and product manufacturers receive a great deal of important information about the safety of regulated products from these reports. To limit such reports to those instances where the covered entity is convinced of the link between the product and the event would reduce the amount of useful safety, quality and effectiveness data available to the agency as well as to product manufacturers. This would limit significantly FDA’s ability to protect the public health by helping to assure that only safe and effective products are marketed in the U.S. Accordingly, covered entities may disclose the minimum amount of protected health information that is reasonably necessary to report suspected adverse events associated with an FDA-regulated product.

October 2018

Tags: Public health uses and disclosures, HIPPA

Does the HIPAA Privacy Rule’s public health provision permit covered entities to disclose protected health information without authorization to a manufacturer of a product regulated by the Food and Drug Administration (FDA) for use by the manufacturer to assess the effectiveness of its marketing campaign?

No. The public health provision is intended to facilitate the flow of information that is essential to the FDA’s public health mission. The provision does not permit covered entities to disclose protected health information to a manufacturer for the manufacturer’s commercial purposes, or for any other non-public health purpose.

For example, the Rule does not permit a covered entity to provide a drug manufacturer with a list of persons who prefer a different flavored cough syrup over the flavor of the manufacturer’s product. Rather, this provision permits covered entities to disclose protected health information as necessary to continue current voluntary reporting of adverse events and similar reports that are necessary to ensure the quality, safety, or effectiveness of an FDA-regulated product.

For instance, a covered entity would be permitted to report a concern to a drug manufacturer that its cough syrup might be unsafe based on the belief that a difference in the taste could be due to drug tampering or a manufacturing problem. Likewise, a covered health care provider would be permitted to disclose protected health information to a drug manufacturer to report that the failure of a patient’s medical condition to improve may be due to the drug’s ineffectiveness. In making such a report, the covered entity may disclose the protected health information that is reasonably necessary to achieve the purpose of the report.

October 2018

Tags: Public health uses and disclosures, HIPPA

Does the HIPAA Privacy Rule’s public health provision permit covered health care providers to disclose protected health information concerning the findings of pre-employment physicals, drug tests, or fitness-for-duty examinations to an individuals employer?

The public health provision permits covered health care providers to disclose an individual’s protected health information to the individual’s employer without authorization in very limited circumstances.

First, the covered health care provider must provide the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce.

Second, the health care service provided must relate to the medical surveillance of the workplace or an evaluation to determine whether the individual has a work-related illness or injury.

Third, the employer must have a duty under the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or the requirements of a similar State law, to keep records on or act on such information. For example, OSHA requires employers to monitor employees’ exposures to certain substances and to take specific actions when an employee’s exposure level exceeds a specified limit. A covered entity which tests an individual for such an exposure level at the request of the individual’s employer may disclose that test result to the employer without authorization.

Generally, pre-placement physicals, drug tests, and fitness-for-duty examinations are not performed for such purposes. However, to the extent such an examination is conducted at the request of the employer for the purpose of such workplace medical surveillance or work-related illness or injury, and the employer needs the information to comply with the requirements of OSHA, MSHA, or similar State law, the protected health information the employer needs to meet such legal obligation may be discussed to the employer without authorization. Covered health care providers who make such disclosures must provide the individual with written notice that the information is to be disclosed to his or her employer (or by posting the notice at the work site if the service is provided there).

When a health care service does not meet the above requirements, covered entities may not disclose an individual’s protected health information to the individual’s employer without an authorization, unless the disclosure is otherwise permitted without authorization by other provisions of the Rule. However, nothing in the Rule prohibits an employer from conditioning employment on an individual providing an authorization for the disclosure of such information.

October 2018

Tags: Public health uses and disclosures, HIPPA

To provide individuals with an accounting for disclosures, does a covered entity have to document each medical record that may be accessed by a public health authority in the course of surveillance activities that involve all patient records?

The Privacy Rule does not require a notation in each medical record that has been accessed by public health authorities, as long as the information required under the Privacy Rule is included in the accounting for disclosures. Where, as with many public health disclosures, access to an entire universe of records is involved, tracking disclosures can be accomplished without the need for documentation in each record. This flexibility in the manner of documentation facilitates complying with the accounting requirement.

By way of background, a covered entity may disclose protected health information (PHI) without the patient’s authorization to a public health authority that is legally permitted to collect or receive such information for public health surveillance or related activities (45 CFR 164.512(b)(1)). A covered entity is also required by the Privacy Rule to account to the patient for such disclosures of PHI, if the patient asks (45 CFR 164.528). Further, under the Privacy Rule, making a set of records available for review by a third party constitutes a “disclosure” of the PHI in the entire set of records, regardless of whether the third party actually reviews any particular record. See 45 CFR 164.501, for the definition of disclosure. Thus, mere access by a third party, such as a public health authority, to PHI is a disclosure and subject to an accounting for disclosures.

Public health surveillance activities often involve a retrospective review by a public health authority of a universe of patient records to identify reportable events. When a reportable case is identified, the specific data items pertinent to the public health surveillance activity are extracted and reported to the public health authority.

For example, retrospective review of the medical charts for all patients treated by a health care provider or all charts of patients treated in the entity’s emergency department may be required to identify cases of new or previously unknown infectious agents, clinical conditions associated with the use or abuse of illicit or prescription drugs, or adverse events or reactions associated with pharmaceuticals or medical devices. In these cases, as noted above, all records to which access was provided to the public health authority are deemed to have been disclosed under the Privacy Rule. Because of the universal nature of the access provided, the documentation required for the disclosure can be easily maintained. The covered entity need only document the identity (and address if known) of the public health authority to which access was provided, a description of the records and PHI subject to access, the purpose for the disclosure, and when access was provided. This documentation need not be noted in each record. It would be sufficient, for instance, for the covered entity to maintain a separate notation of such disclosures, applicable to all records so accessed. Then, if an individual requests an accounting, the covered entity need only determine whether the individual’s records were among the universe of records to which the public health authority was granted access. All individuals whose records were accessed in this fashion would receive the same accounting for the disclosure.

For example, if on August 1, 2003, a hospital began providing a public health authority ongoing access to the medical charts of all patients treated in its emergency department to identify reportable cases and extract relevant information required for a particular surveillance activity, it would be sufficient, under §164.528(b)(2), for the accounting to include the following:

the identity, and address, if known, of the public health authority;
a statement that the public health authority had access to medical charts for patients treated in the emergency department
the date (or approximate range of dates) when the individual’s record was subject to access (e.g., access provided within a week of treatment in ER on [fill in date of individual visit]); and
a statement of the purpose of the access (e.g., identify the particular public health surveillance activity).

The same basic statement could then be provided in response to a request for an accounting by any individual who was seen in the emergency department of the hospital on or after August 1, 2003.

October 2018

Tags: Public health uses and disclosures, HIPPA

Can researchers continue to access existing databanks or repositories that are maintained by covered entities, even if those databases were created prior to the compliance date without patient permission or without a waiver of informed consent by an Institutional Review Board (IRB)?

Yes. Under the HIPAA Privacy Rule, covered entities may use or disclose protected health information from existing databases or repositories for research purposes either with individual authorization as required at 45 CFR 164.508, or with a waiver of individual authorization as permitted at 45 CFR 164.512(i).

October 2018

Tags: HIPPA

Yes. Here are the EEOC and FTC comments on the subject.

https://www.eeoc.gov/eeoc/publications/background_checks_employers.cfm

https://www.ftc.gov/news-events/blogs/business-blog/2011/06/fair-credit-reporting-act-social-media-what-businesses

October 2018

background check consent form

background check release form