Disclosure of Health Information

Disclosure of PHI

According to the Privacy Rule, a covered entity may use or disclose PHI for treatment, payment, and healthcare operations [45 CFR 164.506(c)]. This type of disclosure is the broadest permitted disclosure. It's also the disclosure most pertinent to a medical office. Treatment means the provision of healthcare and related services. It includes the coordination and management of healthcare. Treatment can involve more than one healthcare provider, as well as the coordination or management of healthcare by a provider with a third party. Consultation between healthcare providers relating to a patient is also considered treatment. So is the referral of a patient from one healthcare provider to another. According to the Privacy Rule, treatment includes the provision of healthcare and related services. Payment encompasses the activities of healthcare providers to obtain payment or be reimbursed for their services and the activities of health plans to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of healthcare. In addition to the general definition, the Privacy Rule provides examples of common payment activities. These include, but aren't limited to, the following: Determining eligibility or coverage under a plan and judging claims Risk adjustments Billing and collection activities Reviewing healthcare services for medical necessity, coverage, justification of charges, and so on Utilization review activities Disclosures to consumer reporting agencies. This is limited to specified identifying information about individuals, their payment history, and identifying information about the covered entity. Healthcare operations are certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities are limited to the ones listed in the definition of "healthcare operations" at 45 CFR 164.501: Conducting quality assessment and improvement activities: These include population-based activities relating to improving healthcare or reducing costs and case management and care coordination. Reviewing and evaluating healthcare performance on all levels: This includes licensing and accreditation as well as training. Activities involved in making and changing health insurance and benefits contracts Legal and medical reviews: These also auditing functions, including fraud and abuse detection and compliance programs. Business planning and development: This includes conducting cost-management and planning analyses related to managing and operations. Business management and general administrative activities: These include customer service, mergers, fundraising for the covered entity, and what's involved in implementing and complying with the Privacy Rule.

Other Rules

The HIPAA Privacy Rule authorizes healthcare providers to charge a reasonable fee for providing copies of records. The term "reasonable" can be a topic of controversy. People sometimes claim that fees charged for copies of records are too high. Finally, the HIPAA rule sets a floor (a lower limit) for privacy protections. Some state laws are stricter. Confidentiality and Pharmacy It might seem natural to discuss a patient's status while walking the hall or riding an elevator. This is a common mistake. The information you're sharing is still private. There's always a chance that you might walk by the patient's friends or family. What if it's information the family doesn't have yet? Even if you're guessing, they might hear you and be worried or upset. Confidential information includes the following patient information: Room number Diagnosis Medications Treatments Test results or findings It's the patient's right to decide whom to share this information with. Family members and friends should learn it from the patient, not overhear it in the hallway. If a coworker or friend starts talking about patient information somewhere they shouldn't, remind the person that it's not appropriate. This includes properly disposing of articles that may have patient information on it. A prescription label or other paperwork needs to be disposed of in a way that prevents others from finding it, which could violate confidentiality. Hardware that's no longer needed, such as computers or compact discs, must also be handled properly. Be sure to familiarize yourself with the ways your employer disposes of waste items that contain personal health information. Receiving a Patient's Information Pharmacists and pharmacy technicians are covered by the Privacy Rule. This means that information you receive from a patient is confidential. You can't share it with anyone outside the pharmacy. Patients need to feel confident telling you their personal and medical information. Respecting a patient's private information is part of your professional duties as a pharmacy technician. Patients' Special Requests Pay close attention to patients' requests for special rules regarding their way of communicating. Be as accommodating as possible. Special requests could include using a certain phone number to contact them. Make sure you're speaking directly with the patient, not relaying information to a friend or family member. Remember, unless the patient specifically authorizes someone else, they're the only ones who can share their information. Even if you think the information isn't vital or the person you're speaking to seems trustworthy, the safest thing to do is speak to the patient directly. Patients' Home Medications In some cases, healthcare workers store a patient's home medications during their stay in a hospital. This can happen in a hospital pharmacy or emergency room. Returning the medications to the patient when he or she leaves or asks for them is also part of confidentiality. There are things you can do if patients can't pick up their medications. A signed letter of consent from the patient might be necessary. A copy of the courier's driver's license or identification might be required, too. These procedures might vary from workplace to workplace. Familiarize yourself with them. Stay Knowledgeable about Confidentiality The confidentiality information in your workplace should always be up to date. But you shouldn't leave the responsibility for your license or certification in someone else's hands. Take it upon yourself to get to know the rules. Staying up to date will help you become a valuable team member.

Special Rules Regarding Psychotherapy Notes

The Privacy Rule provides special rules regarding psychotherapy notes. They limit use or disclosure without consent. Psychotherapy notes can only be used in the following ways: By the note-taker to carry out treatment By the covered entity for certain other limited healthcare operations Other uses and disclosures, including treatment, payment, and healthcare operations, require the individual's authorization [45 CFR 164.508(a)(2)].

Limited Data Sets

A limited data set is the middle ground between identifiable and de-identified information. In a limited data set, most identifying information has been removed. It must not include any of the individual identifiers [45 CFR 164.514(e)]. Limited data sets don't directly identify a patient, but they may contain some identifiers. The following identifiers may be included as part of a limited data set: Geographic data (town, city, state, and ZIP code, but no street address) Dates relating to an individual (birth date, admission and discharge dates) Unique identifying numbers, characteristics, or codes other than those listed under individual identifiers Use of such data doesn't require patient authorization. Whoever receives the data does have to sign an agreement to restrict its use. The user promises to keep the information safe and release no more of it than necessary. For example, patient authorization wouldn't be required for a limited data set that contained city, state, ZIP code, age, birth date, admission and discharge dates, and date of death. Such information can only be used for public health, research, and healthcare purposes. In general, protected health information is covered by the Privacy Rule. There are exceptions for information stripped of identifiers and limited data sets.

Disclosures to Public Health Authorities

A public health authority is an agency or authority of the United States government, a state, a territory, a political subdivision of a state or territory, or an Indian tribe that's responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency [45 CFR 164.501]. Examples of public health authorities include the following: State and local health departments The Food and Drug Administration (FDA) The Centers for Disease Control and Prevention (CDC) The Occupational Safety and Health Administration (OSHA) The Privacy Rule permits covered entities to disclose PHI to public health authorities without authorization. The public health authorities have to be legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, and disability. Circumstances include but aren't limited to the following: Reporting a disease or injury Reporting events such as births and deaths Public health surveillance, investigations, and interventions Sometimes a foreign government agency collaborates with a public health authority. Public health authorities can direct covered entities to disclose protected health information to them as well. Some covered entities are also public health authorities. They may use as well as disclose protected health information for the public health purposes [45 CFR 164.512(b)(1) and 164.512(b)(2)]. Generally, the minimum necessary standard applies to information disclosed for public health purposes. However, it doesn't apply to public health disclosures that are authorized by the patient or required by other law [45 CFR 164.502(b)]. When public health authorities request disclosures, the information they request counts as the minimum necessary [45 CFR 164.514(d)(3)(iii)(A)]. Covered entities may develop minimum necessary standard protocols for routine public health disclosures. These address the types and amount of protected health information to be disclosed.

Notice of Use and Disclosure

Currently, HIPAA's Privacy Rule requires that patients be given a notice of use and disclosure of patient-specific information. Patients must also be given the opportunity to restrict this information. Providing notice of use and disclosure is required for every patient that a health provider treats. It's part of the standard procedures for new patients. Regarding the notice requirements, the Department of Health and Human Services has made the following statement: The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their healthcare providers, as well as to be informed of their privacy rights with respect to their personal health information. Health plans and covered healthcare providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices. The notice is intended to focus individuals on privacy issues and concerns and to prompt them to have discussions with their health plans and healthcare providers and exercise their rights. A notice of use and disclosure must contain the following information: The way the covered entity may use and disclose protected health information about a patient The patient's rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity The covered entity's legal duties with respect to the information; includes a statement that law requires the covered entity to maintain the privacy of protected health information Who individuals can contact for further information about the covered entity's privacy policies According to the US Department of Health and Human Services, covered entities that provide direct treatment to patients must also meet the following requirements: The provider must give the notice to the individual no later than the date of first service delivery (after the April 14, 2003 compliance date of the Privacy Rule) and, except in an emergency treatment situation, make a good-faith effort to obtain the individual's written acknowledgment of receipt of the notice. If an acknowledgment can't be obtained, the provider must document his or her efforts to obtain the acknowledgment and the reason why it wasn't obtained. When first service delivery to an individual is provided over the Internet, through email, or by other electronic means, the provider must send an electronic notice automatically and contemporaneously in response to the individual's first request for service. The provider must make a good-faith effort to obtain a return receipt or other transmission from the individual in response to receiving the notice. In an emergency treatment situation, the provider must give the notice as soon as it's reasonably practicable to do so after the emergency situation has ended. In situations like these, providers aren't required to make a good-faith effort to obtain a written acknowledgment from individuals. The provider must make the latest notice (that is, the one that reflects any changes in privacy policies) available at the provider's office or facility for individuals to request to take with them. The notice must be posted in a clear and prominent location at the facility. If an individual agrees to receive an electronic notice, a covered entity may email it. Patients may ask for restrictions on information usage. Healthcare providers don't have to comply if the disclosure and use are allowed under the Privacy Rule. Healthcare workers often share information to treat patients. Healthcare providers and insurance companies also share information. These two types of sharing are permitted under the Privacy Rule. Under HIPAA, patients may require an accounting of how their information has been used and disclosed.

Other Permitted Disclosures

Disclosure of PHI is permitted in the following cases: To a patient upon request by the patient or his or her representative: Certain exceptions may apply; for example, if the information would be harmful to a mentally ill patient. Uses and disclosures for which the patient has been given the opportunity to agree or object To meet the requirements of other laws, regulations, and court orders, such as workers' compensation laws For certain public health purposes To government agencies regarding victims of abuse, neglect, and domestic violence To health oversight agencies In a judicial or administrative proceeding: The court order or subpoena must either provide a protective order or notification of the patient. To law enforcement when required by law and under other specific circumstances For certain funeral home and organ transplant purposes For research, under one of four conditions: (1) An institutional review board or privacy board approves the release. (2) The information is used to establish a research protocol or is about deceased patients. The researcher must show a need for the information and say how it will be handled. (3) The information is a limited data set. (4) The patient authorizes the disclosure. When necessary because of serious health or safety threats or for essential government functions

Health Insurance Portability and Accountability Act (HIPAA)

In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) for the following purposes: Streamline the processing of healthcare claims Increase productivity Cut administrative costs Reduce paperwork by submitting claims electronically However, using electronic technology and communication does create risks to the privacy of patients' health information. Congress failed to pass legislation about medical privacy. It was the Department of Health and Human Services that made privacy rules. The first of these were issued in 2000. Over the next two years, many suggestions and comments resulted in changes to the rules. The final version of the Privacy Rule was adopted on August 14, 2002. This section regularly references the HIPAA Privacy Rule and the US Department of Health and Human Services. At various points throughout this section, you'll see citations like 45 CFR 164.501, which refer to the section of the Privacy Rule in which you can find the information. If you would like to learn more about HIPAA, visit the website for the Department of Health and Human Services. In the search box, type HIPAA.

Ownership and Access Rights

Healthcare providers create medical records and therefore own those records. However, others may have a right to access the information in the records. HIPAA gives patients the right to access their healthcare information. Some states also have statutes similar to HIPAA, licensing regulations, or judicial opinions that recognize patients' rights to access. Covered Entities A covered entity is an organization that handles protected health information in any capacity. Those who furnish, bill, or receive payment for healthcare are considered covered entities under HIPAA. The regulations in HIPAA apply to three groups of individual and corporate entities. These are known as covered entities [45 CFR 160.103]: Healthcare providers (persons, businesses, and entities) that furnish, bill, or receive payment for healthcare in the ordinary course of business and transmit any of these transactions electronically. This includes employees, so pharmacy technicians are considered covered entities under HIPAA regulations. Health plans, any individuals or groups that provide or pay the cost of medical care, including public and private health insurance issuers, employee benefit plans, Medicare, Medicaid, and so on. Healthcare clearinghouses, public or private entities that either process or facilitate the processing of health information.

Business Associates

Medical information may be managed by or made available to third parties in the course of operating a healthcare business. For example, the task of billing might be contracted to a third party. These arrangements expose medical information to people who aren't employees of the medical practitioner. HIPAA calls such third-party contractors business associates (BA). There needs to be an agreement in writing that any information business associates access will be safe. This agreement must do the following: Define the uses that the BA can make of the information Forbid disclosure or use except as specifically authorized Require the BA to make its practices, books, and records available for inspection by the Department of Health and Human Services Require the BA to account for uses and disclosures Require the BA to implement safeguards to prevent unauthorized disclosures Require the BA to employ a mechanism for reporting unauthorized disclosures Give the healthcare provider the right to audit the BA's handling of the information

Confidential Communications

Patients can choose how they receive healthcare communications. For example, a woman might ask her doctor to use a certain mailing address and phone number to avoid an abusive partner. Healthcare entities should comply with reasonable requests if the patient claims that doing otherwise would endanger him or her. Healthcare providers can also ask patients to list the people with whom they're allowed to share healthcare information. These are usually spouses or family members. For example, the doctor might call to report the results of a patient's lab work. The spouse answers and the doctor says everything is fine. That could be called disclosure of protected health information. Even setting up appointments could be a kind of disclosure. Healthcare providers should protect themselves by having patients state who else can receive their healthcare information.

Disclosures Pertinent to Other Public Health Activities

Public health authorities aren't the only entities that play an important role in public health. The Privacy Rule recognizes this. It lets covered entities disclose PHI to certain people or entities without authorization, for the public health activities listed below. Child Abuse or Neglect Covered entities can disclose protected health information to report known or suspected child abuse or neglect. They can report to a public health authority or other organization authorized by law to receive such reports. For instance, a social services department generally has the legal authority to receive reports of child abuse or neglect [45 CFR 164.512(b)(1)(ii)]. 45 CFR 512(c) has information regarding disclosures about adult victims of abuse, neglect, or domestic violence. Product or Activity Regulated by the FDA If an entity is responsible for a product or activity regulated by the FDA, they can receive PHI for public health purposes related to its quality, safety, or effectiveness. Examples include, but aren't limited to the following: Collecting or reporting product defects or problems Tracking FDA-regulated products Enabling product recalls, repairs, and replacement Conducting postmarketing surveillance Covered entities may identify the party or parties responsible for an FDA-regulated product from any of the following: The product label Written material that accompanies the product (labeling) Sources of labeling, such as the Physician's Desk Reference Persons at Risk of Contracting or Spreading a Disease If other laws allow it, a covered entity can disclose PHI to someone at risk of getting or spreading a disease or condition [45 CFR 164.512(b)(1)(iv)]. Workplace Medical Surveillance Employers can get some PHI for specific purposes. They need this information to comply with certain state laws and health and safety organizations, such as OSHA. They can only get information relevant to medical surveillance or work-related illness or injury. The covered healthcare provider must notify the patient in writing. If the service is provided at the worksite, it can be posted there [45 CFR 164.512(b)(1)(v)].

Releasing PHI

Releasing PHI of Minors Parents usually act as the personal representatives of minors. In most cases, parents are treated as the personal representatives of minors [45 CFR 164.502(g)(3)]. That is, they're the ones to whom notice of use is given. They're the ones who can exercise patient rights under the Privacy Rule. However, the records of a minor may not be disclosed to the parent or guardian if state law forbids it. If there's no state law, the doctor decides. These restrictions vary from state to state. They have the most impact in areas such as reproductive health services, substance abuse, and mental illness. Releasing PHI to Researchers HIPAA allows some information to be released for purposes of research. Helping research is important to advance medical knowledge for the benefit of all. However, confidentiality issues still apply. Patient information can be released to researchers for the purpose of advancing medical knowledge. Even so, certain conditions apply. HIPAA allows information to be released to researchers if two conditions are met. The patient has to authorize the release, and the information has to be a limited data set. If neither condition applies, the information can be released to researchers if it meets one of the following conditions: Approval by an institutional review board (IRB) or privacy board: The researchers must comply with certain procedures before the IRB will consider and possibly approve the release. For example, the researchers must have a plan for maintaining the confidentiality of the subjects in published papers or articles about the research. Being for the purpose of establishing a research protocol or about deceased patients: The researcher must make certain representations about the need for the information and how it will be handled.

Common Disclosures not requiring Consent

The Privacy Rule allows covered entities to use or disclose PHI, without first obtaining a patient's consent, for the following purposes. The US Department of Health and Human Services website has more details on uses and disclosures for treatment, payment, and healthcare operations. A hospital may use PHI to consult with other healthcare providers about an individual's treatment. For its own treatment, payment, and health operations activities: For example, a hospital may use PHI to provide healthcare to an individual. That includes consulting with other healthcare providers about the treatment. A healthcare provider may also disclose PHI as part of a claim for payment to a health plan. For the treatment activities of a healthcare provider: For example, a family doctor could send a copy of a patient's medical record to a specialist who needs the information to treat the patient. A hospital could send a patient's healthcare instructions to a nursing home to which the patient is transferred. For use by another covered entity or healthcare provider for the payment activities of the entity that receives the information: This includes providers not covered by the Privacy Rule. For example, if a lab did a blood test for a patient, it would need the patient's health plan coverage information so it can bill for services. The doctor could send it to the lab. Or a hospital emergency department may give a patient's payment information to an ambulance service provider that transported the patient to the hospital, for the same reason. For certain healthcare operations of the entity that receives the information: This applies only if two conditions are met. First, if each has or had a relationship with the patient and the PHI is relevant to it. Second, if the disclosure is for a quality-related healthcare operation or investigating healthcare fraud and abuse. Other regulations define quality-related healthcare operations. For any healthcare operations of an organized healthcare arrangement in which another covered entity participates.

Identifiable and De-Identified Information

The Privacy Rule protects information concerning the following patient information: Health Provision of healthcare Payment for healthcare According to HIPAA, protected health information (PHI) "includes any individually identifiable health information." Identifiable information is data about a specific person. Health information is considered identifiable if it "could be expected to allow individual identification." In other words, if you can look at health information and relate it to a specific individual, it's identifiable. If a story involving a medical emergency is reported by news media, the victim may be identified even if all identifying information has been stripped from the medical record. De-identified information is information stripped of data that may identify an individual. It isn't covered by the Privacy Rule, but only if the healthcare provider doesn't have actual knowledge that even after stripping it, the information could be used to identify the patient [45 CFR 164.502(d)]. So the de-identified information can't contain something unique that would link it to a specific patient. Suppose a man survives a serious car accident because of the heroism of an emergency room doctor. The news media reports the story. Because of this, information about his case could identify him as the man in the accident, even if identifying information is removed from his record. Under the Privacy Rule, the following factors are labeled as individual identifiers [45 CFR 164.514(b)(2)(i)]: Names Geographic identifiers smaller than a state, like a county or ZIP code Dates (except year) Ages greater than 89 Phone numbers Fax numbers Email addresses Social Security numbers Medical record numbers Health plan beneficiary numbers Account numbers Certificate and license numbers Vehicle identifiers and serial numbers, including license plate numbers Medical device identifiers and serial numbers URLs and Internet protocol (IP) addresses Biometric identifiers, including fingerprints and voiceprints Full-face photographs Any other unique identifiers

Minimum Necessary Standard

The minimum necessary standard is central to the Privacy Rule. The idea is that when a covered entity shares PHI, it should share only what's necessary for the purpose of the disclosure [45 CFR 164.502(b)]. Here's what the Department of Health and Human Services has stated with regard to the minimum necessary requirement: The minimum necessary standard, a key protection of the HIPAA Privacy Rule, is derived from confidentiality codes and practices in common use today. It is based on sound current practice that protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information. The Privacy Rule's requirements for minimum necessary are designed to be sufficiently flexible to accommodate the various circumstances of any covered entity. The minimum necessary standard applies in all situations except the following: Disclosures related to treatment Disclosures to the patient or his or her representative Disclosures authorized by the patient Disclosures to the Department of Health and Human Services in certain circumstances Disclosures required by law or for compliance with HIPAA rules

Requirements for Authorization to Disclose

Under the HIPAA Privacy Rule [45 CFR 164.508(c)(1)], a valid authorization for the release of information must include the following information, called core elements: A description of the information to be used or disclosed A specific identification of who is authorized to make the requested use or disclosure A specific identification of whom the covered entity may make the requested use or disclosure to A description of each purpose of the requested use or disclosure When the authorization expires Signature of the individual and date (If a representative signs, there also needs to be an authorization for the representative.) The authorization also has to give the individual the following information: A statement that includes the individual's right to revoke the authorization, a description of how the individual may revoke it, and the exceptions to the right to revoke Whether treatment, payment, enrollment, or eligibility for benefits depends on the individual signing the authorization A statement that the information might not be protected by the Privacy Rule after it's disclosed and that whoever receives the information might share it