February 20, 2018

Producing Patient Records: The “Designated Record Set,” the “Legal Health Record,” and Records Created by Other Providers

Healthcare providers often misunderstand their obligation to provide patient records in response to a request from a patient or third party.

1. Patient Requests and the “Designated Record Set.” With very limited exceptions,[1] patients and their personal representatives generally have a right to access and/or require the disclosure of protected health information in the patient’s designated record set. (45 CFR § 164.524(a)). HIPAA defines “designated record set” as:

A group of records maintained by or for a covered entity that is:
(i) The medical records and billing records about individuals maintained by or for a covered health care provider; [or]
(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.

(45 CFR § 164.501). As the OCR recently summarized:

The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more “designated record sets” maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice. Individuals have a right to access this PHI for as long as the information is maintained by a covered entity, or by a business associate on behalf of a covered entity, regardless of the date the information was created; whether the information is maintained in paper or electronic systems onsite, remotely, or is archived; or where the PHI originated (e.g., whether the covered entity, another provider, the patient, etc.).

(OCR, Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524 (“OCR Access Guidance”), available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/access/index.html, emphasis added). In a separate FAQ, the OCR explained further:

What personal health information do individuals have a right under HIPAA to access from their health care providers and health plans?

With limited exceptions, the HIPAA Privacy Rule gives individuals the right to access, upon request, the medical and health information (protected health information or PHI) about them in one or more designated record sets maintained by or for the individuals’ health care providers and health plans (HIPAA covered entities). See 45 CFR 164.524. Designated record sets include medical records, billing records, payment and claims records, health plan enrollment records, case management records, as well as other records used, in whole or in part, by or for a covered entity to make decisions about individuals. See 45 CFR 164.501. Thus, individuals have a right to access a broad array of health information about themselves, whether maintained by a covered entity or by a business associate on the covered entity’s behalf, including medical records, billing and payment records, insurance information, clinical laboratory test reports, X-rays, wellness and disease management program information, and notes (such as clinical case notes or “SOAP” notes … but not including psychotherapy notes …), among other information generated from treating the individual or paying for the individual’s care or otherwise used to make decisions about individuals….

Individuals do not have a right to access PHI about them that is not part of a designated record set because this information is not used to make decisions about individuals. This may include certain quality assessment or improvement records, patient safety activity records, or business planning, development, and management records that are used for business decisions more generally rather than to make decisions about individuals. For example, peer review files, practitioner or provider performance evaluations, quality control records used to improve customer service, and formulary development records may be generated from and include an individual’s PHI but may not be in the covered entity’s designated record set(s) to which the individual has access….

(See OCR FAQ, available at https://www.hhs.gov/hipaa/for-professionals/faq/2042/what-personal-health-information-do-individuals/index.html).

2. Records Created by or Received from Other Providers. As the OCR’s Access Guidance affirms, the “designated record set” includes records used by the covered entity to make healthcare decisions about a patient “regardless [of] where the [record] originated (e.g., whether the covered entity, another provider, the patient, etc.).” An OCR FAQ states:

A provider might have a patient’s medical record that contains older portions of a medical record that were created by another previous provider. Will the HIPAA Privacy Rule permit a provider who is a covered entity to disclose a complete medical record even though portions of the record were created by other providers?

Answer: Yes, the Privacy Rule permits a provider who is a covered entity to disclose a complete medical record including portions that were created by another provider, assuming that the disclosure is for a purpose permitted by the Privacy Rule, such as treatment.

(Available at http://www.hhs.gov/ocr/privacy/hipaa/faq/minimum_necessary/214.html). The OCR’s more recent Access Guidance confirms that not only may the provider disclose records received from other providers, it generally must disclose such outside records that are part of the designated record set in response to the patient’s or personal representative’s request unless one of the limited exceptions applies; failure to do so could subject the provider to HIPAA penalties.

3. Third Party Disclosures and the “Legal Health Record”. Healthcare entities sometimes get hung up on the concept of the “legal health record” when trying to determine what may or must be provided in response to patient or third-party requests for protected health information. In contrast to the designated record set, there is no uniform or regulatory definition of the “legal health record”, and its meaning depends on the user and context. Some may intend it to refer to the patient’s “formal” medical record as defined and maintained by a provider; others use it to describe the medical records that would be used in court or produced in response to a subpoena. Thus, when someone refers to the “legal health record,” a provider must determine just what is intended. More specifically, when responding to a request for records, the covered entity must confirm who is requesting the information and what they are seeking rather than imposing its own unilateral definition of the “legal health record”:

  • As discussed above, if the patient or personal representative requests the patient’s records or asks that the patient’s records be sent to a third party, a provider generally must produce all requested records that are maintained in the patient’s designated record set unless one of the limited exceptions applies. (See 45 CFR § 164.524). If he or she chooses, a provider may ask or confirm with the patient or personal representative which records they actually want. For more information on responding to a patient’s request to disclose information, see our article at https://www.hollandhart.com/hipaa-releases-of-information-per-request-or-authorization.
  • If a provider receives a valid HIPAA authorization from a third party seeking records, the provider may (but is not required to) produce the specific records identified in the authorization, but not others. (See 45 CFR § 164.508). If there is any question about which records are covered by the authorization, the provider should check with the patient to confirm what they want disclosed. For more information about the requirements for a valid HIPAA authorization, see our article at https://www.hollandhart.com/valid-hipaa-authorizations-a-checklist.
  • If a provider receives a subpoena, order or warrant requesting records, the provider generally must produce the specific records or information identified in the subpoena, order or warrant. (See 45 CFR § 164.512(e)-(f)). Remember: the party issuing the subpoena or order may define the requested records differently than the provider. The issue is not what the provider thinks should be produced or how it unilaterally defines its own medical records; the issue is what records are requested by the subpoena, order or warrant. If the provider fails to produce the records that are requested, the provider may be subject to contempt sanctions. If the provider produces more than the records requested, the provider may be subject to HIPAA penalties. Accordingly, if there is any doubt as to the scope of records requested, the provider should contact the party issuing the subpoena to confirm what they intend, and only produce the records identified in the subpoena, order or warrant. In doing so, the provider should be careful to avoid disclosing protected health information in the discussion. For more information about the rules for responding to subpoenas, orders and warrants, see our article at: https://www.hollandhart.com/hipaa-responding-to-subpoenas-orders_and-administrative-demands.
  • If a provider is required to disclose protected health information pursuant to a statute or regulation, the provider should ensure that he or she limits the scope of the disclosure to the specific information or records identified in the statute or regulation, and strictly follows the statutory or regulatory process for such disclosures. (See 45 CFR § 164.512(a)).
  • If a provider is disclosing information for a purpose permitted by HIPAA without the patient’s authorization (e.g., disclosures to other providers for treatment purposes, or to a payer for payment purposes), the provider should generally comply with the minimum necessary standard, i.e., don’t disclose more than needed for the permissible purpose. (See 45 CFR § 164.514). Note that when the provider receives a request from another healthcare provider for treatment purposes, the provider may assume that the other healthcare provider needs the records requested, which may include outside records.

4. Conclusion. When responding to requests or demands for records, providers must be careful not to interpret or respond to the request based on their own unilateral concept of the “medical record”; instead, they must ensure that they produce the records described by applicable statutes, regulations, subpoenas, orders or warrants regardless of how the provider would characterize the records or, most often, who created the records.

[1] A provider may generally decline to produce records in response to a patient’s or personal representative’s request if, e.g., the requested records: (1) are not part of the patient’s “designated record set”; (2) are psychotherapy notes as defined by HIPAA; (3) were compiled in reasonable anticipation of litigation; (4) were obtained from a third party under the promise of confidentiality and disclosure would reveal the source of the information; or (5) disclosure would result in substantial harm to the patient or others. (See 45 CFR § 164.524(a)).

February 6, 2018

IMGMA Q/A: Producing Records

By Kim Stanger

Ed. note: This article also appears in an issue of the Idaho MGMA monthly newsletter.

Question: What is the difference between a “designated record set” and “legal health record,” and what must we provide when we receive a request for “records”?

Answer: HIPAA defines “designated record set” as:

A group of records maintained by or for a covered entity that is:

(i) The medical records and billing records about individuals maintained by or for a covered health care provider; [or]

(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.

(45 CFR 164.501). With very limited exceptions, patients and their personal representatives generally have a right to access protected health information in their designated record set. (45 CFR 164.524). As the OCR recently summarized:

January 9, 2018

Reporting HIPAA Breaches: Annual Deadline Approaches

By Kim Stanger

The HIPAA breach notification rule requires covered entities to report breaches of unsecured protected health information (“PHI”) to affected individuals, HHS and, in some cases, local media. (45 CFR § 164.400 et seq.). The notice must be sent to individuals as soon as reasonably possible but no later than 60 days after the breach was discovered. (45 CFR § 164.404). The timing of notice to HHS depends on the number of persons affected by the breach: if the breach involves 500 or more persons, the covered entity must notify HHS at the same time it notifies the individuals; if the breach involves fewer than 500 persons, the covered entity must report the breach to HHS no later than 60 days after the end of the calendar year, i.e., by March 1. (45 CFR § 164.408(b)-(c)).

Is Your HIPAA Breach Reportable? Under the breach notification rule, covered entities are only required to self-report if there is a “breach” of “unsecured” PHI. (45 CFR § 164.400 et seq.).

November 8, 2017

Non-Physicians Owning or Investing in Medical Practices in Idaho

By Kim Stanger

The Idaho Board of Medicine’s recent disavowal of the corporate practice of medicine doctrine has made it easier for corporations and non-physician individuals to invest in or own medical practices in Idaho.

The Corporate Practice of Medicine. For decades, the Idaho Board of Medicine took the position that, with limited exceptions, the Idaho Medical Practice Act “prohibits unlicensed corporations and entities from hiring physicians as employees to provide medical services to patients.” (Memo from J. Uranga to Idaho State Bd. of Medicine dated 2/26/07). This “corporate practice of medicine” doctrine (“CPOM”) had its foundation in a 1952 Idaho Supreme Court case which held that:

[n]o unlicensed person or entity may engage in the practice of the medical profession though licensed employees; nor may a licensed physician practice as an employee of an unlicensed person or entity. Such practices are contrary to public policy.

(Worlton v. Davis, 73 Idaho 217, 221 (1952)). The Board of Medicine warned that violations of the doctrine may result in disciplinary action against physicians and, more recently, physician assistants. Entities that improperly employed physicians or physician assistants risked the possibility of criminal action for the unauthorized practice of medicine.

September 26, 2017

Police, Providers, Patients and HIPAA

By Kim Stanger

Recent cases have highlighted the conflict that may occur when police seek access to patients or patient information. Here are some general guidelines for physicians and other healthcare providers when facing demands from police or other law enforcement officials.

Disclosing Patient Information. The HIPAA privacy rules (45 CFR § 164.501 et seq.) generally prohibit healthcare providers from disclosing protected health information to law enforcement officials without the patient’s written authorization unless certain conditions are met. HIPAA allows disclosures for law enforcement purposes in the following cases:

  1. Court Order, Warrant, Subpoena, or Administrative Process. A provider may disclose information in response to a court order, warrant, subpoena or other administrative process if certain conditions are satisfied. (45 CFR § 164.512(f)(1)(ii)). These situations are discussed more fully in our separate client alert here.
  2. Avert Harm. A provider may disclose information to law enforcement to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public. (45 CFR § 164.512(j)(1)(i)). Many states have specific statutes authorizing or requiring providers to make disclosures when credible threats are made against third parties.
  3. Required by Law. A provider may disclose information to law enforcement when a law requires the disclosure, e.g., to report child or adult abuse or neglect, injuries from gunshots or criminal activity, etc. Providers should comply with the strict terms of the law, and not disclose more than is required by the law. (45 CFR § 164.512(a), (f)(1)(i); see also § 164.512(b)(1)(ii) (child abuse) and § 164.512(c) (adult abuse)).
  4. Facility Directory. HIPAA generally allows, but does not require, providers to disclose limited information to persons who ask for a patient by name unless the patient has objected to such disclosures or the provider believes that the disclosure is not in the patient’s best interests. (See 45 CFR § 164.510). The provider may only disclose the patient’s name, general condition, and location in the facility. (Id.).
  5. Identify Person. If law enforcement requests information to help identify or locate a suspect, fugitive, material witness or missing person, a provider may disclose the following limited information: name and address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death, and a description of distinguishing physical characteristics. Other information related to the individual’s DNA, dental records, body fluid or tissue typing, samples, or analysis cannot be disclosed under this provision, but may be disclosed in response to a court order, warrant, or written administrative request. (45 CFR § 164.512(f)(2)). The disclosure must be in response to a request from law enforcement, which may include a response to a “wanted” poster or bulletin.
  6. Victim of a Crime. If law enforcement requests information about a person who is suspected of being a victim of a crime, a provider may disclose information if: (a) the individual agrees to the disclosure, or (b) the officer represents that the information is necessary to determine whether someone other than the victim has committed a crime, the information will not be used against the victim, the information is needed immediately and the law enforcement activity would be adversely affected by waiting to obtain the victim’s agreement, and the provider determines it is in the victim’s best interest to disclose the information. (45 CFR § 164.512(f)(3)).
  7. Death. A provider may disclose information to notify law enforcement about the death of an individual if the provider believes the death may have resulted from a crime.
  8. Crime on Premises. A provider may disclose information to law enforcement if the provider believes the information evidences criminal conduct on the provider’s premises. (45 CFR § 164.512(f)(5)).
  9. Crime Away from Premises. If, in the course of responding to an off-site medical emergency, providers become aware of criminal activity, they may disclose certain information to police as necessary to alert law enforcement to the criminal activity, including information about the commission and nature of the crime, the location of the crime or any victims, and the identity, description, and location of the perpetrator of the crime. (45 CFR § 164.512(f)(6)).
  10. Report by Victim. If a person affiliated with the provider is the victim of a crime, the person may disclose information necessary to report the crime to law enforcement; however, the person may only disclose the limited information listed in 45 CFR § 164.512(f)(2)(i). (45 CFR § 164.502(j)(2)).
  11. Admission of Violent Crime. If a person has admitted participation in a violent crime that a provider reasonably believes may have caused serious physical harm to a victim, a provider may disclose information to law enforcement necessary to identify or apprehend the person, provided that the admission was not made in the course of or based on the individual’s request for therapy, counseling, or treatment related to the propensity to commit this type of violent act. (45 CFR § 164.512(j)(1)(ii)(A), (j)(2)-(3)).
  12. Fugitive. A provider may disclose information to law enforcement to identify or apprehend an individual who appears to have escaped from lawful custody. (45 CFR § 164.512(j)(1)(ii)(B)).
  13. Prisoners. If law enforcement or a correctional institution requests protected health information about an inmate or person in lawful custody, a provider may disclose information if police represent that such information is needed to provide health care to the individual; for the health and safety of the individual, other inmates, officers or employees of or others at a correctional institution or persons responsible for transporting or transferring inmates; or for the administration and maintenance of the safety, security, and good order of the correctional facility, including police on the premises of the facility. (45 CFR § 164.512(k)(5)).
  14. Medical Examiners and Coroners. A provider may disclose information about a decedent to medical examiners or coroners to assist them in identifying the decedent, determining the cause of death, or to carry out their other authorized duties. (45 CFR § 164.512(g)(1)).


July 24, 2017

Offering Free Screening Tests to Patients

By Kim Stanger

Healthcare providers often offer free screening tests or services as a way to generate business for their facility or practice; however, doing so may violate federal and state laws unless structured properly. The federal Anti-Kickback Statute (“AKS”)[1] and Civil Monetary Penalties Law (“CMPL”)[2] generally prohibit offering free or discounted items or services to patients as a way to generate business payable by Medicare, Medicaid or other federal healthcare programs unless the arrangement fits within a regulatory exception.[3] Violations of the AKS or CMPL may result in criminal, civil, and/or administrative penalties.

May 31, 2017

The On-Call Physician’s Liability for Failing to Respond to Emergency Room Call

By Kim Stanger

On-call physicians may not realize their potential exposure if they fail or decline to respond to a call from the hospital’s emergency department. Failure to respond is a violation of the Emergency Treatment and Active Labor Act (“EMTALA”) that may expose the physician to a $50,000 fine and exclusion from Medicare or Medicaid as well as contract liability. It may also expose the hospital to a fine of $50,000 and a lawsuit by the relevant patient or a hospital that receives an improper transfer.

EMTALA generally requires hospitals to provide an emergency screening examination and stabilizing treatment to a patient who comes to the hospital seeking emergency care. See 42 USC § 1395dd; 42 CFR § 489.24. EMTALA establishes the following penalties:

(A) A participating hospital that negligently violates a requirement of this section is subject to a civil money penalty of … not more than $25,000 … for each such violation.
(B) Subject to subparagraph (C) [below], any physician who is responsible for the examination, treatment, or transfer of an individual in a participating hospital, including a physician on-call for the care of such an individual, … is subject to a civil money penalty of not more than $50,000 for each such violation and, if the violation is gross and flagrant or is repeated, to exclusion from participation in [Medicare or Medicaid]….

Id. at § 1395dd(d)(1), emphasis added; see also 42 CFR §§ 1003.500(a)-(c) and 1003.510. EMTALA expressly states that the foregoing penalties apply when an on-call physician fails to respond to a call for assistance:

May 25, 2017

HIPAA and Disclosure to Media

By Kim Stanger

Last week, a Texas health system agreed to a $2,400,000 HIPAA settlement arising out of a hospital’s disclosure of a patient’s name in a press release. (See here). Last year, a New York hospital agreed to pay $2,200,000 for allowing media to film in its facilities. (See here). Given these cases, it is a good time to review the HIPAA rules on disclosures to the media.

Protected Health Information. HIPAA applies to a patient’s protected health information (“PHI”), which includes any individually identifiable information concerning a patient’s health, healthcare or payment for their care. (45 CFR § 160.103). It includes the patient’s name or any other identifiable information even if additional details of treatment are not included. A provider may not avoid HIPAA by simply omitting the name; PHI includes any information “[w]ith respect to which there is a reasonable basis to believe the information can be used to identify the individual”. (Id.). Accordingly, details about an individual that would allow others to identify the individual are considered PHI even if the usual identifiers are omitted. PHI remains protected by HIPAA even if the information is widely known in the community or the patient has disclosed the information himself or herself.

Disclosures to Media. HIPAA generally prohibits healthcare providers from disclosing a patient’s protected health information to media unless either (i) the patient or their personal representative authorizes the disclosure, or (ii) the disclosure fits within a HIPAA exception. (45 CFR § 164.502).

1. Authorization. When seeking to disclose information to the media, the safest course is to obtain the patient’s or their personal representative’s written authorization to make the disclosure. Providers should ensure that the authorization clearly covers the information that will be disclosed, describes the purpose of the disclosure, and identifies the persons or entity permitted to make and receive the disclosure. (45 CFR § 164.508). For more information about valid authorizations, see https://www.hollandhart.com/valid-hipaa-authorizations-a-checklist. In addition to obtaining a HIPAA authorization, the provider may want to obtain a separate media release.

2. Response to Media Inquiries. HIPAA’s “facility directory” exception is often used to justify disclosures to news media, but it is very limited in scope. Under this exception, a provider may disclose certain limited information “for directory purposes”, i.e., to notify persons who inquire about the patient of the patient’s general condition and location in the facility. (45 CFR § 164.510(a)). To make the disclosure, the following standards must be met:

  1. Disclosure is Consistent with Patient’s Wishes. The exception will only apply if either (i) the patient or personal representative “is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure” for directory purposes, or (ii) “[i]f the opportunity to object … cannot practicably be provided because of the individual’s capacity or an emergency treatment circumstance,” the provider concludes that the disclosure is “consistent with the prior expressed preference of the individual, if any” and the disclosure is “[i]n the individual’s best interest….” (45 CFR § 164.510(a)). The provider’s Notice of Privacy Practices likely contains a provision that notifies the patient that disclosures may be made for facility purposes unless the patient objects. For competent patients, the notice arguably provides the required “opportunity to agree to or prohibit” disclosures for facility purposes; however, the OCR has stated:
    The patient must be informed about the information to be included in the directory, and to whom the information may be released, and must have the opportunity to restrict the information or to whom it is disclosed, or opt out of being included in the directory. The patient may be informed, and make his or her preferences known, orally or in writing.

    (OCR FAQ here). If the patient objects, the provider may not make the disclosure. If the patient is incompetent, the provider will have to establish both (i) that the disclosure is consistent with the patient’s prior expressed preferences and (ii) that the disclosure is in the patient’s best interests. That may be difficult to do in the case of media disclosures, and virtually impossible if the provider has never treated the patient before.

  2. Ask for Patient by Name. Assuming that disclosure is consistent with the patient’s wishes, disclosure for directory purposes may only be made “to persons who ask for the [patient] by name.” (45 CFR § 164.510(a)(1)(ii)(B)). Thus, providers may not disclose PHI in response to general media inquiries where media do not identify the patient by name.
  3. Disclose Only Limited Information. If the foregoing conditions have been satisfied, the provider may only disclose the limited information set forth below (45 CFR § 164.510(a)(1)(i)):
    1. The patient’s name. Of course, the media already has the patient’s name because they can only obtain PHI if they asked for the patient by name.
    2. The individual’s location in the healthcare provider’s facility. Providers should not disclose the location in the facility if it would effectively disclose the nature of the patient’s treatment, e.g., the psychiatric unit, labor and delivery, or a drug and alcohol treatment facility.
    3. The individual’s condition described in general terms that does not communicate specific medical information about the individual, e.g., “fair, critical, stable, etc.” (65 FR 82521). The American Hospital Association has recommended the following one-word descriptions of a patient’s condition:
      Undetermined: Patient awaiting physician and assessment.
      Good: Vital signs are stable and within normal limits. Patient is conscious and comfortable. Indicators are excellent.
      Fair: Vital signs are stable and within normal limits. Patient is conscious but may be uncomfortable. Indicators are favorable.
      Serious: Vital signs may be unstable and not within normal limits. Patient is acutely ill. Indicators are questionable.
      Critical: Vital signs are unstable and not within normal limits. Patient may be unconscious. Indicators are unfavorable.
      Treated and Released: Patient received treatment but was not admitted.
      Treated and Transferred: Received treatment. Transferred to a different facility. (Although a hospital may disclose that a patient was treated and released, it may not release information regarding the date of release or where the patient went upon release without patient authorization.)

(AHA, HIPAA Privacy Regulations: Frequently Asked Questions, available here). The OCR has stated, “[t]he fact that a patient has been “treated and released,” or that a patient has died, may be released as part of the directory information about the patient’s general condition and location in the facility, provided that the other requirements at 45 CFR § 164.510(a) also are followed.” (OCR FAQ here).

To summarize, the “facility directory” exception may allow limited disclosures to the media, but it is difficult to satisfy all the necessary prerequisites, including patient notice and consent. Moreover, I question whether such disclosures to the media are really for “facility directory purposes”—the reason the exception exists. Finally, the exception does not require disclosures to the media; it merely allows the disclosures if the conditions are satisfied. Out of respect for their patient’s privacy, the patient’s best interests, and regulatory intent, providers may appropriately decide it is safer not to disclose PHI to the media, or to limit the disclosure, unless the patient or the patient’s personal representative expressly consents to such disclosures.

Media Access to or Filming in Treatment Areas. The provider’s primary duty is to care for his or her patients. Media access, if not managed in an appropriate way, may impede care along with violating patient privacy, including the privacy of patients who may not be the subject of the media inquiry. Per the OCR’s FAQ:

Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. Only in very limited circumstances, as set forth below, does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual….
There are very limited situations in which the HIPAA Privacy Rule permits a covered entity to disclose limited PHI to the media without obtaining a HIPAA authorization. For example, a covered entity may seek to have the media help identify or locate the family of an unidentified and incapacitated patient in its care. In that case, the covered entity may disclose limited PHI about the incapacitated patient to the media if, in the hospital’s professional judgment, doing so is in the patient’s best interest. See 45 C.F.R. 164.510(b)(1)(ii). In addition, a covered entity may disclose a patient’s location in the facility and condition in general terms that do not communicate specific medical information about the individual to any person, including the media, without obtaining a HIPAA authorization where the individual has not objected to his information being included in the facility directory, and the media representative or other person asks for the individual by name. See 45 C.F.R. 164.510(a).
The HIPAA Privacy Rule does not require health care providers to prevent members of the media from entering areas of their facilities that are otherwise generally accessible to the public, which may include public waiting areas or areas where the public enters or exits the facility.

(OCR FAQ at https://www.hhs.gov/hipaa/for-professionals/faq/2023/film-and-media/index.html).

Remember Other Laws. HIPAA preempts less restrictive laws, but providers must comply with more restrictive privacy laws. It may be that state or other federal laws prohibit media disclosures even if HIPAA might allow them. For example, 42 CFR part 2 places stringent privacy requirements on federally assisted drug and alcohol treatment programs. Providers should consider other potentially applicable laws or common law duties before making any disclosure.

In short, when it comes to dealing with the media, it is generally safer to simply explain that federal and state law prohibits your disclosure of health information. If a disclosure is to be made or media access allowed, providers must take extreme caution to comply with the HIPAA rules.

For questions regarding this update, please contact:
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: kcstanger@hollandhart.com, phone: 208-383-3913

This news update is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.

May 10, 2017

Admitting Privileges in Hospitals: New Idaho Law

by Kim Stanger

A new Idaho statute confirms that physician assistants and advanced practice nurses may admit patients to hospitals and other healthcare facilities if allowed by the facility’s bylaws.

Background. Historically, admitting privileges were usually reserved to physicians; however, such a limitation (whether real or imagined) seems to have become somewhat outdated given the expanding role of physician assistants and advanced practice nurses, whose licensure allows them to perform services traditionally performed by physicians. Many hospitals increasingly rely on midlevel practitioners to care for patients, especially in rural areas where physicians are in short supply or decline to participate in call coverage. The new statute resolves regulatory ambiguity concerning the authority of midlevels to admit patients.

May 2, 2017

HIPAA: Releases of Information v. Authorization

by Kim Stanger

Healthcare providers are often confused by or misunderstand the rules governing the release of a patient’s information at the patient’s request. HIPAA allows certain disclosures without the patient’s written authorization, including disclosures to other providers or third party payers for purposes of treatment, payment, or healthcare operations; to family members or others involved in the patient’s care or payment if certain conditions are met; or for certain government or public safety concerns if regulatory requirements are satisfied. (45 CFR 164.502, 164.506, 164.510 and 164.512). Other disclosures generally require the patient’s consent or written authorization. (45 CFR 164.502). The rules for such written releases of information (“ROIs”) differ depending on who is requesting the records and to whom the disclosure will be made.

1. Disclosures to the Patient or Personal Representatives. Under HIPAA and subject to limited exceptions, a patient or the patient’s personal representative[1] generally has a right to obtain a copy of the patient’s protected health information maintained in the patient’s designated record set.[2] (45 CFR 164.524(a)(1)). If the provider chooses, the provider may require such requests to be in writing so long as the provider informs the individual of the requirement. (45 CFR 164.524(b)(1)). The provider must produce the records in the form or format requested (e.g., paper or electronic format) if readily producible. (45 CFR 164.524(c)(2)). It is usually a good idea to require written requests to document the date, scope, and format of the request. Once received, the provider has 30 days to respond to the request. (45 CFR 164.524(b)(2)). Although the provider may respond immediately, it is usually a good idea to take some time to collect and review the requested records before responding, thereby ensuring that the records provided are accurate, complete, and do not contain inappropriate information. Providers may charge the patients or personal representatives a reasonable cost-based fee for the records. (45 CFR 164.524(c)(4); see article at https://www.hollandhart.com/charging-patients-for-copies-of-their-records-ocr-guidance). The patient’s right to access information generally includes all information in their designated record set, including records created by or received from other providers. (OCR, Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524, hereafter “OCR Guide,” available here).