Uses And Disclosure of Protected Health Information
Disclosures For Treatment, Payment and Health Care Operations
The HIPAA regulations recognize that the most frequent use of patient confidential information is in relation to the furtherance of treatment, payment, or other health care operations (“TPO”). Treatment includes the use or disclosure of the information for the furtherance of medical care to the individual. It includes oral and written communications with other health care providers, office staff, and referring colleagues.
“Payment” is the disclosure of information to obtain payment for health care services provided. This would include disclosures to banking institutions (by way of depositing patient checks), disclosures with claims processing entities, insurers, and collection services.
“Health care operations” would include any disclosures in connection with activities such as quality assessment, training, licensing, or credentialing. A significant modification to the proposed regulations was the recognition that the sale of a practice would qualify under health care operations. By including this activity in one of the customary uses of protected health information, the regulations reduced the type of disclosure or authorization that would be required from a patient to enable this information to be shared during a due diligence period.
The HIPAA regulations require that in order to disclose protected health information for TPO purposes, the covered entity must make a good faith effort to obtain the patient’s acknowledgment of receipt and review of the covered entity’s Notice of Privacy Practices. Once the patient acknowledges that he or she has been made aware of how the covered entity will use the information for these purposes, the covered entity is then allowed to use and/or disclose the information. As a result, HIPAA does not place a health care provider in the unenviable position of attempting to obtain payment from an insurance company without the ability to fully disclose the nature of the services provided. Likewise, health care providers’ hands are not tied in terms of making a referral for further treatment. Additionally, a health care provider’s office staff do not have to play games of “twenty questions” in order to effectuate efficient medical care. A health care provider could entertain the possible sale of his or her practice without having to obtain a consent from patients for the disclosure of the charts to the would-be purchaser. To require such a consent could have a negative impact on the practitioner’s patient base and, therefore, a corresponding negative impact on the salability of the practice. Generally speaking, after obtaining an acknowledgment, the covered entity should be able to “go about its business” as usual.
Once the acknowledgment is obtained from the patient, the covered entity need not go back to the patient for each subsequent disclosure. A subsequent acknowledgment would only be required if the covered entity instituted a change in its Notice of Privacy Practices.
An exception to this general rule occurs when a minor patient reaches the age of majority. The HIPAA regulations indicate that state law governs in terms of treatment of minors. As a result, in Pennsylvania, it is necessary for the covered entity to obtain an acknowledgment signed by one of the parents as it relates to a minor patient. A system should be put in place at the covered entity so that when the minor patient reaches the age of 18, a trigger is in place to inform the covered entity of the need to have the parents’ former acknowledgment replaced by one executed by the patient.
Disclosure Of Information to the Individual
The HIPAA regulations are consistent with existing Pennsylvania law as it relates to disclosure of information to the patient or individual. The individual retains the right to receive or access his or her own protected health information. This right exists regardless of the execution of an acknowledgment of receipt and review of the covered entity’s Notice of Privacy Practices, or a consent or authorization.
Further, the use to which the individual may put the information rests fully within the discretion of the individual/patient. As a result of this entitlement held by the individual patient, the ability to disclose the protected health information directly to the individual provides a convenient mechanism by which the covered entity can comply with a patient’s request for disclosure to a third party. By way of example, disclosure of an individual’s health information to an employer would not typically fall under one of the appropriate uses under TPO. (An exception to this could be if the employer is the administrator of a self-insured employee benefit program.) In order for a health care provider to disclose the information to an employer, the patient should provide the covered entity with a written authorization for this disclosure. This may be a deviation from historical practice, where a telephone request would have typically been sufficient. In the event it is determined that obtaining a written authorization is not practical, the covered entity could merely make the information available to the patient himself, who, in turn, could provide it to his employer. By adopting this approach, the covered entity has not made a disclosure to a third party but, instead, to the individual/patient himself.
Disclosures Pursuant to an Authorization
As stated, for use of the protected health information for treatment, payment or other health care operations, the covered entity merely must obtain a signed acknowledgment from the patient of receipt and review of the covered entity’s Notice of Privacy Practices (or make a good faith effort to obtain such an acknowledgment). If the information is to be disclosed for some purpose other than TPO, the covered entity should obtain a consent or authorization from the individual/patient. An acknowledgment differs from an authorization in several respects. First, the acknowledgment should be obtained from every patient. The authorization is required only in specific instances. Additionally, the acknowledgment is general in format. The authorization should be specific as to the information to be disclosed, the intended recipient of the information and the duration of the authorization.
It should be recognized that the authorization or consent contemplated under HIPAA is related to the privacy issue and potential disclosure of confidential information. This must be distinguished from an informed consent and decision as to treatment, which remains controlled by Pennsylvania law.
In addition to the need for an authorization because the use of the information is other than TPO, a consent or authorization may be needed if a stricter state law applies.
Times in which a specific consent may be required would include the disclosure of HIV information. As previously noted, the Pennsylvania Legislature has provided very specific elements necessary in a consent for the disclosure of HIV related information. Similar requirements exist for mental health records and drug and alcohol treatment records.
Times in which an authorization may be required would include the selling of names and addresses of patients to marketing firms. It is this type of activity that provided the incentive for promulgation of the HIPAA privacy regulations. An additional example of the requirement of an authorization would be disclosure in relation to a patient’s employment or educational institution. A further example would be a covered entity’s disclosure to the media or anyone else pertaining to the health condition of an athlete. Before a physician could talk to the local press about a quarterback’s injury, the physician should obtain an authorization from the quarterback. This would be distinguished from a hypothetical question posed to a non-treating physician. In other words, a non-treating doctor could provide his opinion to the newspaper about the chances of the quarterback playing. The treating physician cannot make such a disclosure without an authorization.
Another area in which authorizations may be required will be the disclosure of information in litigation. Additionally, the type of authorization required for litigation has been specifically set forth in HIPAA. To be effective, the authorization must have the following core elements:
- a specific and meaningful description of the information to be used or disclosed;
- the name or other specific identification of the persons or class of persons authorized to make the requested use or disclosure;
- the name or other specific identification of the person(s) or class of persons to whom the covered entity may make the requested use or disclosure;
- a description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;
- an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure; and
- the signature of the individual and date.
In addition to these core elements, the authorization must contain statements adequate to place the patient on notice of all of the following: 1) the individual’s right to revoke the authorization in writing; 2) the ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization; and 3) the potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer protected. In addition, the regulations require that the authorization be written in plain language. If it is a covered entity that seeks disclosure of the protected health information pursuant to an authorization, the covered entity must provide the individual with a copy of the signed authorization. 45 C.F.R. §164.508.
Disclosures Pursuant to an Exception Under HIPAA
The HIPAA regulations provide for certain uses and disclosures that do not require an authorization. 45 C.F.R. §164.52. These include uses and disclosures required by law. Generally, the regulations recognize that if another exception to the law requires disclosure, the covered entity is allowed to comply. Uses and disclosures for public health activities are also permitted. These disclosures include those made to a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or a disability. Disclosure is also permitted to the appropriate government authority authorized by law to receive reports of child abuse or neglect. Disclosure is also permitted for information about a person subject to the jurisdiction of the Federal Food and Drug Administration with respect to an FDA regulated product or activity.
Disclosure is also permitted to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading such a disease or condition.
Disclosure is also permitted to an employer when the covered entity is a covered health care provider who is a member of the work force of the employer or provides health care to the individual at the request of the employer for purposes of conducting an evaluation relating to medical surveillance of the workplace or to evaluate whether an individual has a work-related illness or injury.
Disclosures about victims of abuse, neglect or domestic violence are also permitted to the extent that the disclosures are required by law or if the individual agrees to such disclosure.
Furthermore, uses and disclosures are permitted for health oversight activities. These include disclosures for audits; administrative criminal investigations pertaining to the oversight of health care systems; government benefit programs for which health information is relevant to beneficiary eligibility; entities subject to government regulatory programs; and entities subject to civil rights law for which health information is necessary.
Disclosures are also allowed for judicial and administrative proceedings. Specifically, a covered entity may disclose protected health information in the course of any judicial or administrative proceeding in response to an order of court or administrative tribunal provided the covered entity discloses only the protected information expressly authorized by such order, or in response to a subpoena, discovery request, or other lawful process that is not accompanied by an order of court or administrative tribunal. However, the HIPAA regulations do provide additional requirements in order to produce the information in response to a subpoena, discovery request or other lawful process.
In these situations, disclosure is permitted if the covered entity receives satisfactory assurances from the party seeking the information that reasonable efforts have been made by that party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request, or when the covered entity receives satisfactory assurances from the party seeking the information that reasonable efforts have been made to secure a qualified protective order. For purposes of the notice of a request, covered entities receive adequate assurances from the party seeking health information if the covered entity receives a written statement and accompanying documentation demonstrating that the party requesting such information has made a good faith attempt to provide written notice to the individual; the notice included sufficient information about the litigation or proceeding in which the protected health information is requested to enable the individual to raise an objection to the court or administrative tribunal; and the time for the individual to raise an objection has elapsed and either no objections were filed or all objections filed by the individual have been resolved by the court or administrative tribunal and the disclosures being sought are consistent with such resolution. In terms of state subpoenas, the Notice of Intent to serve a subpoena would provide the applicable time frame. In terms of federal subpoenas, which do not impose a notice requirement, good practice would suggest that the attorney adopt use of the state Notice of Intent.
In terms of adequate assurances pertaining to a protective order, the party requesting information should provide a written statement and accompanying documentation demonstrating that the parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute, or the party seeking the protected health information has requested a qualified protective order from the court or administrative tribunal. A qualified protective order is one from a court or administrative tribunal or a stipulation by the parties in litigation that prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation and requiring the return to the covered entity or destruction of the protected health information at the end of the proceeding.
In addition, a covered entity is allowed to make disclosures for law enforcement purposes. These would include reporting requirements for certain types of wounds and other physical injuries such as gunshots.
In addition, health care providers are allowed to disclose information pertaining to decedents. This disclosure can be made to coroners, medical examiners, and funeral directors. Similarly, disclosures can be made for harvesting of transplant organs, eyes or tissue for donation purposes.
Disclosures are also permitted for research purposes, assuming the research study is properly approved.
Covered entities are also provided flexibility for use or disclosure to avert a serious threat to health or safety. In order to avail itself of this exception, the covered entity must make a good faith determination that the use or disclosure is necessary to prevent or lessen the serious or imminent threat to the health or safety of a person or the public. It must also believe the disclosures will have a reasonable chance of succeeding in reducing or avoiding the risk.
The HIPAA regulations also recognize the ability to use or disclose the information for specialized government functions such as military and veterans’ activities, as well as national security and intelligence activities. Finally, disclosures are appropriate for workers’ compensation purposes to the extent required by law.