Archive for February, 2014
A: One covered entity (CE), such as a hospital, is permitted to share PHI with another CE—in this case, the ambulance service—for treatment, payment, and healthcare operations, as long as both CEs have a relationship with the individual. Such disclosures do not require patient authorization.
In this case, giving the ambulance company PHI for its billing is considered part of its healthcare operations, so doing so is permissible under HIPAA. Minimum necessary requirements apply, so limit the information you provide to the minimum necessary.
For example, if the ambulance company only needs patient demographics and insurance information for billing, you should not provide a copy of the patient’s medical record.
Editor’s note: This question was answered by Mary Brandt, MBA, RHIA, CHE, CHPS, vice president of health information at Baylor Scott & White Health in Temple, Texas. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Send your HIPAA questions to Associate Editor Jaclyn Fitzgerald at email@example.com.
HHS recently released new HIPAA Privacy Rule FAQ on sharing information related to mental health. The guidance clarifies the following:
- Providers may communicate with a patient’s family members, friends, or others involved in the patient’s care when the patient has the capacity to make healthcare decisions so long as the patient does not object
- Providers may communicate with a patient’s family members, friends, or others involved in the patient’s care when the patient is incapacitated if the provider determines doing so is in the patient’s best interest
- Providers need to obtain a patient’s authorization prior to disclosing psychotherapy notes for any reason
- Providers may disclose PHI that is directly relevant to the patient’s care to the patient’s family, friends, or other persons involved in the patient’s care or payment for care in emergency situations
- Providers may disclose general treatment information of a minor patient to a parent, guardian, or other person acting in loco parentis except in situations when the parent is not the minor child’s personal representative
- Providers may not provide a minor patient’s parents copies of psychotherapy notes, but may provide a parent who is a personal representative a copy of his or her child’s mental health information contained in the medical record, including information about diagnosis, symptoms, or treatment plans
- Providers may disclose information to family members of an adult patient who has capacity and indicates that he or she does not want the disclosure made if the provider perceives a serious and imminent threat to the health or safety of the patient or others and the family member is in a position to lessen the threat
- Providers may disclose necessary information about a patient to law enforcement officials, family members of the patient, or other persons, when the provider believes the patient presents a serious and imminent threat to self or others
- Covered entities may disclose certain PHI, including the date and time of admission and discharge, to law enforcement officials upon request for the purpose of locating or identifying a suspect, fugitive, material witness, or missing person
- Under limited circumstances in which the HIPAA Privacy Rule may apply to health information in a school setting, disclosing information to parents of a minor patient or to law enforcement officials is permitted
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Office of the National Coordinator for Health IT (ONC) recently announced the Digital Privacy Notice Challenge.
OCR and ONC recently developed paper model notices of privacy practices (NPP) to help organizations develop updated NPPs that comply with the HIPAA Omnibus Rule. The two agencies are calling on designers, developers, and privacy experts to submit their concepts for a digital model NPP. The submission deadline is April 7.
OCR and ONC will host the Digital Privacy Notice Informational Webinar at 2 p.m. (Eastern) Thursday, February 27. Join the webinar by visiting the challenge website.
A: Some organizations use aliases or “break the glass” technology to attempt to protect the confidentiality of celebrity patients (whether famous or infamous). My problem with this approach is that it implies some records are more confidential than others. In fact, all records are confidential and should only be accessed as necessary to do one’s job. The best way to protect celebrity records—and all records—is through education, monitoring for compliance, and appropriate sanctions. There should be absolutely no tolerance for snooping, whether it is done by your housekeeping staff or your CEO. Run audit trails often (especially for persons of interest in the community), investigate suspicious access, and take immediate and definitive action when you find any evidence of deliberate snooping. It is the law, it is the right thing to do, and it will surely lead to more private and secure PHI for all of your patients.
Editor’s note: This question was answered by Chris Simons, MS, RHIA, director of health information and privacy officer at Cheshire Medical Center/Dartmouth-Hitchcock in Keene, N.H. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Send your HIPAA questions to Associate Editor Jaclyn Fitzgerald at firstname.lastname@example.org.
HHS recently published a final rule in the Federal Register amending Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations and the HIPAA Privacy Rule.
The final rule permits laboratories subject to CLIA to provide a patient, a patient’s personal representative, or a person designated by a patient with copies of test reports belonging to that patient. It amends the HIPAA Privacy Rule by removing the exception for CLIA-certified and CLIA-exempt laboratories from the provision that provides individuals with the right of access to their PHI.
The regulations are effective April 7, 2014. HIPAA covered entities must comply with applicable requirements by October 6, 2014.