Certainly you’ve heard a colleague say, “That’s a HIPAA violation!” Yet for providers, there is a real reason to be careful: HIPAA violations can carry significant penalties for individual and institutional providers (referred to under HIPAA as “covered entities”) and their “business associates” (individuals and organizations doing work on their behalf, e.g., a claims processor or business manager).
When it comes to gray-area situations, it is important to recognize that HIPAA is not intended to interfere with a patient’s medical care.
What HIPAA says: HIPAA requires providers to give a patient access to his/her PHI when the patient specifically requests it, unless the PHI or patient is subject to special protections or another law authorizes the provider to withhold the information (e.g., a state law further restricting disclosure of mental health information).
Absent such a request and assuming the patient has not objected to the provider’s disclosure of PHI to family members, this situation raises ethical rather than HIPAA concerns.
For example, the “minimum necessary” rule requires that the PHI disclosed for non-treatment related purposes must be limited to the minimum amount necessary to accomplish the intended purpose of the disclosure.
In other words, only relevant information may be disclosed. The disclosing provider must use professional judgment to determine whether the requested PHI relates to the patient’s treatment by the requesting physician.
What HIPAA says: Location and general health status (i.e., directory information) can be disclosed if the requestor identifies the patient by name, unless the patient has objected to such disclosures.
While serving as the protector of PHI, limiting disclosures without patient authorization, and generally ensuring that people’s private medical conditions are not broadcast in public, HIPAA is often misunderstood and misapplied in practice. Incorrectly applied invocations of HIPAA can sometimes limit access to vital information and harm patients.
What HIPAA says: Most of HIPAA’s disclosure exceptions are permissive, meaning that the provider may use professional judgment when deciding whether or not to disclose the information. If the records request is for treatment purposes, HIPAA permits disclosure to another provider without patient authorization, i.e., without an authorization document that meets certain requirements.
For example, physicians discussing a specific patient’s case on a crowded elevator could be a HIPAA violation. In this situation, a reasonable safeguard – such as not disclosing PHI in a crowded, public setting – would be expected when the case could easily be discussed in a more private setting.
In many cases, HIPAA permits disclosure of PHI without patient authorization (see Figure 1 below). Providers may avail themselves of any applicable permissive disclosure exceptions at their discretion, but must comply with relevant requirements.