HIPAA Disclosure Rules Not As Strict As Widely Believed

Patients' representatives, individuals designated to make medical decisions for them, have equal rights to access information under HIPAA.
Patients' representatives, individuals designated to make medical decisions for them, have equal rights to access information under HIPAA.

The idea of disclosing protected health information to patients strikes fear into the hearts of most physicians. And, thanks to HIPAA, releasing information to anyone other than an actual patient is nearly taboo. Most doctors do not realize, however, that HIPAA is not just about restrictions and prohibitions. The goal of HIPAA is to strike a good balance between protecting information and facilitating, or even expediting, its movement when appropriate.

Following are some guidelines on when to disclose to patients' family, friends and caregivers.

Whom to tell

HIPAA regulations lump people into 3 different categories. The first are patients, who have the greatest ability to access their information.

The second is patients' personal representatives, individuals designated to make medical decisions for them. They have rights equal to those of patients to access information under HIPAA.

The third category includes friends, family, and others. The law makes very little distinction between them. Physicians can provide information to friends and family when they believe it is in the best interest of a patient. When it comes to “others” the same judgment is required by physicians, but they must be “reasonably sure” a patient has involved the other individuals in his or her care.  

Continue Reading Below

Professional judgment

The answer to the first question begs another – how much latitude does a provider have in using his or her judgment when sharing information? More than you think, according to HIPAA consultant Abner Weintraub.

“Medical providers have enormous discretion and freedom to share medical and billing information that they are not taking advantage of,” he said. “It's disserving because the rules permit a lot of disclosure.”

Weintraub gets nearly a dozen calls each week from patients, parents, and spouses who cannot obtain information they should be able to receive. Fear of reprisal from employers and enforcement agencies like the US Office of Civil Rights keeps many physicians from disclosing this information, he said.

If a patient is present and can make decisions, the provider is free to share any information as long as the patient says it is okay or does not object given the option.

If the patient is not present, conscious, or able to make a decision, a physician can use “professional judgment” to decide if it is in the patient's best interest that the person be provided information. In this case, health or payment information should be limited to what the physician believes the person needs to know.

“This is not how the medical world sees the rules right now,” Weintraub said.

Even if a patient is in a coma, HIPAA protects physicians if they share information and the patient later wakes up and objects. As long as the provider has acted in good faith and used good judgment, he or she will be protected under the regulation, Weintraub said. 

Documentation

Documentation that an individual has been given rights to a patient's information is not required. Weintraub said this can be done orally. Healthcare providers can obtain documentation of the approval or lack of objection to share information. This can be done as simply as making a note in a medical file. 

Providers can even share information over the phone if a family member or friend calls requesting it. Providers do not need to verify the identity of a person on the phone, but they can establish some way to do so if it makes the staff more comfortable.

Exclusions

Physicians have a lot of “freedom and discretion” regarding what information they can provide to family and friends, Weintraub said. Among the areas considered off limits under HIPAA is information that is not part of a patient's designated record set. Most billing and clinical information is part of this. Providers should use discretion, however, in sharing information that could be stolen and used for identity theft, like a date of birth or Social Security Number.

“There is generally no good reason a family member or friend should be asking for those things,” he said.

Also, no access is allowed, even by patients, to personal notes made by a psychiatrist.

Finally, information being compiled as part of a civil or criminal court proceeding is off limits even to patients.

Loading links....
You must be a registered member of Renal and Urology News to post a comment.

Sign Up for Free e-newsletters