May 25, 2017

HIPAA and Disclosure to Media

by Kim Stanger

Last week, a Texas health system agreed to a $2,400,000 HIPAA settlement arising out of a hospital’s disclosure of a patient’s name in a press release. (See here). Last year, a New York hospital agreed to pay $2,200,000 for allowing media to film in its facilities. (See here ). Given these cases, it is a good time to review the HIPAA rules on disclosures to the media.

Protected Health Information. HIPAA applies to a patient’s protected health information (“PHI”), which includes any individually identifiable information concerning a patient’s health, healthcare or payment for their care. (45 CFR § 160.103). It includes the patient’s name or any other identifiable information even if additional details of treatment are not included. A provider may not avoid HIPAA by simply omitting the name; PHI includes any information “[w]ith respect to which there is a reasonable basis to believe the information can be used to identify the individual”. (Id.). Accordingly, details about an individual that would allow others to identify the individual are considered PHI even if the usual identifiers are omitted. PHI remains protected by HIPAA even if the information is widely known in the community or the patient has disclosed the information himself or herself.

Disclosures to Media. HIPAA generally prohibits healthcare providers from disclosing a patient’s protected health information to media unless either (i) the patient or their personal representative authorizes the disclosure, or (ii) the disclosure fits within a HIPAA exception. (45 CFR § 164.502).

1. Authorization. When seeking to disclose information to the media, the safest course is to obtain the patient’s or their personal representative’s written authorization to make the disclosure. Providers should ensure that the authorization clearly covers the information that will be disclosed, describes the purpose of the disclosure, and identifies the persons or entity permitted to make and receive the disclosure. (45 CFR § 164.508). For more information about valid authorizations, see https://www.hollandhart.com/valid-hipaa-authorizations-a-checklist. In addition to obtaining a HIPAA authorization, the provider may want to obtain a separate media release.

2. Response to Media Inquiries. HIPAA’s “facility directory” exception is often used to justify disclosures to news media, but it is very limited in scope. Under this exception, a provider may disclose certain limited information “for directory purposes”, i.e., to notify persons who inquire about the patient of the patient’s general condition and location in the facility. (45 CFR § 164.510(a)). To make the disclosure, the following standards must be met:

  1. Disclosure is Consistent with Patient’s Wishes. The exception will only apply if either (i) the patient or personal representative “is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure” for directory purposes, or (ii) “[i]f the opportunity to object … cannot practicably be provided because of the individual’s capacity or an emergency treatment circumstance,” the provider concludes that the disclosure is “consistent with the prior expressed preference of the individual, if any” and the disclosure is “[i]n the individual’s best interest….” (45 CFR § 164.510(a)). The provider’s Notice of Privacy Practices likely contains a provision that notifies the patient that disclosures may be made for facility purposes unless the patient objects. For competent patients, the notice arguably provides the required “opportunity to agree to or prohibit” disclosures for facility purposes; however, the OCR has stated:
    The patient must be informed about the information to be included in the directory, and to whom the information may be released, and must have the opportunity to restrict the information or to whom it is disclosed, or opt out of being included in the directory. The patient may be informed, and make his or her preferences known, orally or in writing.

    (OCR FAQ here). If the patient objects, the provider may not make the disclosure. If the patient is incompetent, the provider will have to establish both (i) that the disclosure is consistent with the patient’s prior expressed preferences and (ii) that the disclosure is in the patient’s best interests. That may be difficult to do in the case of media disclosures, and virtually impossible if the provider has never treated the patient before.

  2. Ask for Patient by Name. Assuming that disclosure is consistent with the patient’s wishes, disclosure for directory purposes may only be made “to persons who ask for the [patient] by name.” (45 CFR § 164.510(a)(1)(ii)(B)). Thus, providers may not disclose PHI in response to general media inquiries where media do not identify the patient by name.
  3. Disclose Only Limited Information. If the foregoing conditions have been satisfied, the provider may only disclose the limited information set forth below (45 CFR § 164.510(a)(1)(i)):
    1. The patient’s name. Of course, the media already has the patient’s name because they can only obtain PHI if they asked for the patient by name.
    2. The individual’s location in the healthcare provider’s facility. Providers should not disclose the location in the facility if it would effectively disclose the nature of the patient’s treatment, e.g., the psychiatric unit, labor and delivery, or a drug and alcohol treatment facility.
    3. The individual’s condition described in general terms that does not communicate specific medical information about the individual, e.g., “fair, critical, stable, etc.” (65 FR 82521). The American Hospital Association has recommended the following one-word descriptions of a patient’s condition.
Undetermined: Patient awaiting physician and assessment.
Good: Vital signs are stable and within normal limits. Patient is conscious and comfortable. Indicators are excellent.
Fair: Vital signs are stable and within normal limits. Patient is conscious but may be uncomfortable. Indicators are favorable.
Serious: Vital signs may be unstable and not within normal limits. Patient is acutely ill. Indicators are questionable.
Critical: Vital signs are unstable and not within normal limits. Patient may be unconscious. Indicators are unfavorable.
Treated and Released: Patient received treatment but was not admitted.
Treated and Transferred: Received treatment. Transferred to a different facility. (Although a hospital may disclose that a patient was treated and released, it may not release information regarding the date of release or where the patient went upon release without patient authorization.)

(AHA, HIPAA Privacy Regulations: Frequently Asked Questions, available here). The OCR has stated, “[t]he fact that a patient has been “treated and released,” or that a patient has died, may be released as part of the directory information about the patient’s general condition and location in the facility, provided that the other requirements at 45 CFR § 164.510(a) also are followed.” (OCR FAQ here).

To summarize, the “facility directory” exception may allow limited disclosures to the media, but it is difficult to satisfy all the necessary prerequisites, including patient notice and consent. Moreover, I question whether such disclosures to the media are really for “facility directory purposes”—the reason the exception exists. Finally, the exception does not require disclosures to the media; it merely allows the disclosures if the conditions are satisfied. Out of respect for their patient’s privacy, the patient’s best interests, and regulatory intent, providers may appropriately decide it is safer not to disclose PHI to the media, or to limit the disclosure, unless the patient or the patient’s personal representative expressly consents to such disclosures.

Media Access to or Filming in Treatment Areas. The provider’s primary duty is to care for his or her patients. Media access, if not managed in an appropriate way, may impede care along with violating patient privacy, including the privacy of patients who may not be the subject of the media inquiry. Per the OCR’s FAQ:

Health care providers cannot invite or allow media personnel, including film crews, into treatment or other areas of their facilities where patients’ PHI will be accessible in written, electronic, oral, or other visual or audio form, or otherwise make PHI accessible to the media, without prior written authorization from each individual who is or will be in the area or whose PHI otherwise will be accessible to the media. Only in very limited circumstances, as set forth below, does the HIPAA Privacy Rule permit health care providers to disclose protected health information to members of the media without a prior authorization signed by the individual….
There are very limited situations in which the HIPAA Privacy Rule permits a covered entity to disclose limited PHI to the media without obtaining a HIPAA authorization. For example, a covered entity may seek to have the media help identify or locate the family of an unidentified and incapacitated patient in its care. In that case, the covered entity may disclose limited PHI about the incapacitated patient to the media if, in the hospital’s professional judgment, doing so is in the patient’s best interest. See 45 C.F.R. 164.510(b)(1)(ii). In addition, a covered entity may disclose a patient’s location in the facility and condition in general terms that do not communicate specific medical information about the individual to any person, including the media, without obtaining a HIPAA authorization where the individual has not objected to his information being included in the facility directory, and the media representative or other person asks for the individual by name. See 45 C.F.R. 164.510(a).
The HIPAA Privacy Rule does not require health care providers to prevent members of the media from entering areas of their facilities that are otherwise generally accessible to the public, which may include public waiting areas or areas where the public enters or exits the facility.

(OCR FAQ at https://www.hhs.gov/hipaa/for-professionals/faq/2023/film-and-media/index.html).

Remember Other Laws. HIPAA preempts less restrictive laws, but providers must comply with more restrictive privacy laws. It may be that state or other federal laws prohibit media disclosures even if HIPAA might allow them. For example, 42 CFR part 2 places stringent privacy requirements on federally assisted drug and alcohol treatment programs. Providers should consider other potentially applicable laws or common law duties before making any disclosure.

In short, when it comes to dealing with the media, it is generally safer to simply explain that federal and state law prohibits your disclosure of health information. If a disclosure is to be made or media access allowed, providers must take extreme caution to comply with the HIPAA rules.


For questions regarding this update, please contact:
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: kcstanger@hollandhart.com, phone: 208-383-3913

This news update is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.

May 10, 2017

Admitting Privileges in Hospitals: New Idaho Law

by Kim Stanger

A new Idaho statute confirms that physician assistants and advanced practice nurses may admit patients to hospitals and other healthcare facilities if allowed by the facility’s bylaws.

Background. Historically, admitting privileges were usually reserved to physicians; however, such a limitation (whether real or imagined) seems to have become somewhat outdated given the expanding role of physician assistants and advanced practice nurses, whose licensure allows them to perform services traditionally performed by physicians. Many hospitals increasingly rely on midlevel practitioners to care for patients, especially in rural areas where physicians are in short supply or decline to participate in call coverage. The new statute resolves regulatory ambiguity concerning the authority of midlevels to admit patients. Continue reading

May 2, 2017

HIPAA: Releases of Information v. Authorization

by Kim Stanger

Healthcare providers are often confused by or misunderstand the rules governing the release of a patient’s information at the patient’s request. HIPAA allows certain disclosures without the patient’s written authorization, including disclosures to other providers or third party payers for purposes of treatment, payment, or healthcare operations; to family members or others involved in the patient’s care or payment if certain conditions are met; or for certain government or public safety concerns if regulatory requirements are satisfied. (45 CFR 164.502, 164.506, 164.510 and 164.512). Other disclosures generally require the patient’s consent or written authorization. (45 CFR 164.502). The rules for such written releases of information (“ROI’s”) differ depending on who is requesting the records and to whom the disclosure will be made.

1. Disclosures to the Patient or Personal Representatives. Under HIPAA and subject to limited exceptions, a patient or the patient’s personal representative1 generally has a right to obtain a copy of the patient’s protected health information maintained in the patient’s designated record set.2 (45 CFR 164.524(a)(1)). If the provider chooses, the provider may require such requests to be in writing so long as the provider informs the individual of the requirement. (45 CFR 164.524(b)(1)). The provider must produce the records in the form or format requested (e.g., paper or electronic format) if readily producible. (45 CFR 164.524(c)(2)). It is usually a good idea to require written requests to document the date, scope, and format of the request. Once received, the provider has 30 days to respond to the request. (45 CFR 164.524(b)(2)). Although the provider may respond immediately, it is usually a good idea to take some time to collect and review the requested records before responding, thereby ensuring that the records provided are accurate, complete, and do not contain inappropriate information. Providers may charge the patients or personal representatives a reasonable cost-based fee for the records. (45 CFR 164.524(c)(4); see article at https://www.hollandhart.com/charging-patients-for-copies-of-their-records-ocr-guidance). The patient’s right to access information generally includes all information in their designated record set, including records created by or received from other providers. (OCR, Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524, hereafter “OCR Guide” available here). Continue reading

April 25, 2017

HIPAA: Should You Ask Patients for Consent to Disclose Information?

by Kim Stanger

Healthcare providers often limit unnecessarily their ability to use or disclose protected health information without the patient’s consent, thereby increasing their potential liability for unauthorized disclosures. For example, providers often:

  • Tell the patient that the provider will only disclose the patient’s information to those persons identified by the patient, thereby precluding disclosures to others who are not identified.
  • Ask the patient to list those to whom the provider may disclose information, thereby expressly or impliedly suggesting that they will not disclose information to others.
  • Ask that the patient authorize disclosures to payers and/or other providers, thereby expressly or impliedly agreeing that they will not disclose information to payers or providers if not authorized by the patient.

They do so under the mistaken belief that HIPAA requires such. In reality, such practices may actually increase potential HIPAA liability. Continue reading

April 17, 2017

Group Compensation Arrangements: Stark Requirements

by Kim Stanger

Physician practices must ensure that their group compensation structures comply with the federal Ethics in Patient Referrals Act (“Stark”) if they intend to bill Medicare or Medicaid for services rendered or referred by the group physicians. Under Stark, if a physician1 (or a member of the physician’s family) has a financial relationship with an entity, the physician may not refer patients to the entity for certain designated health services (“DHS”)2 payable by Medicare and Medicaid unless the financial relationship is structured to fit within a regulatory safe harbor. (42 CFR § 411.353). Stark applies to DHS referrals within the group, so the physician’s compensation arrangement must be structured to comply with Stark; otherwise, the group may not bill Medicare and Medicaid for DHS that were referred improperly, and, if they were improperly billed, the entity must repay amounts improperly received. Failure to report and repay within 60 days may result in additional civil penalties of $15,000 per claim as well as False Claims Act liability. Repayments may easily run into hundreds of thousands of dollars. Given the potential liability, it is critical that physician group compensation arrangements be structured to fit within one of the following regulatory safe harbors if they intend to participate in Medicare or Medicaid. Continue reading

April 10, 2017

Withdrawing Care for Developmentally Disabled Persons: New Idaho Standards

by Kim Stanger

Recent amendments will allow guardians and those treating developmentally disabled persons greater discretion in withholding or withdrawing artificial life-sustaining treatment, thereby avoiding situations in which developmentally disabled persons were forced to suffer painful, extended procedures which may be considered inhumane.

The Former Standard. Under Idaho law, the guardian or personal representative of an incompetent person may generally authorize the medically appropriate withdrawal of treatment for the patient. (I.C. §§ 39-4504(1) and 39-4514(3)). In the case of developmentally disabled persons, however, the former law prohibited guardians and physicians of developmentally disabled persons from withholding or withdrawing artificial life-sustaining treatment unless the treating physician and one other physician certified that the person had a terminal condition such that the application of artificial life-sustaining treatment would only serve to prolong death for a period of hours, days or weeks, and that death was imminent regardless of the life-sustaining procedures. (I.C. § 66-405(7)-(8)). Unfortunately, this standard looked only at the length of the patient’s life without considering the pain that the patient may be forced to endure in the meantime. Because of advances in medicine, healthcare providers are often able to keep persons alive for months or years, but at a terrible cost in suffering to the patient and their loved ones. Application of the former standard sometimes resulted in heartbreaking situations in which developmentally disabled persons—often with little or no cognition—were relegated to an existence that offered nothing more than perpetual pain or discomfort instead of allowing the medically appropriate withdrawal treatment. By so doing, the standard deprived developmentally disabled persons of rights that were offered to others. Continue reading

January 19, 2017

Report HIPAA Breaches Without Delay

by Kim Stanger

If you experience a HIPAA breach, make sure you investigate and report the breach “without unreasonable delay and in no case later than 60 calendar days after discovery of the breach” or you may be subject to HIPAA fines. (45 CFR 164.404(b)). The Office for Civil Rights just settled for $475,000 its first case against a covered entity for unreasonable delay in reporting a HIPAA breach.

On October 22, 2013, Presence St. Joseph Medical Center (“Presence Health”) discovered that its paper-based operating schedules were missing from its surgery center. The schedules contained protected health information of 836 persons, including names, birthdates, procedure information, and medical record information. Because the breach involved more than 500 persons, Presence Health was required to report the breach to HHS and local media at the time it notified affected individuals. However, due to a miscommunication between its workforce members, Presence Health did not report breach to HHS until January 31, 2014 (101 days after the breach was discovered); did not notify affected individuals until February 3, 2014 (104 days after the breach was discovered); and did not notify the media until February 5, 2014 (105 days after the breach was discovered). The HIPAA Breach Notification Rule requires that covered entities notify individuals and, if the breach involves more than 500 persons, report breaches to HHS and local media without unreasonable delay and in no event later than 60 calendar days after discovery of the breach. (45 CFR 164.404-.410). A separate HIPAA violation occurs for each day the covered entity fails to report the breach beyond the deadline. Presence Health settled the alleged violations for $475,000. A copy of the OCR’s press release is available here. Continue reading

December 28, 2016

Idaho Peer Review Privilege

by Kim Stanger

Idaho has enacted a broad privilege that protects the confidentiality of credentialing, quality improvement, and similar peer review activities by Idaho hospitals and other health care entities. The statute encourages participation and protects the integrity of such peer review activities by ensuring that peer review communications and proceedings remain confidential, and that participants are immune from liability.

Application. The privilege applies to “peer review” activities conducted by “healthcare organizations”. (I.C. § 39-1392).

“Health care organization” means a hospital, in-hospital medical staff committee,1 medical society, managed care organization, licensed emergency medical service, group medical practice, or skilled nursing facility.

(I.C. § 39-1392a(3)).

“Peer review” means the collection, interpretation and analysis of data by a health care organization for the purpose of bettering the system of delivery of health care or to improve the provision of health care or to otherwise reduce patient morbidity and mortality and improve the quality of patient care. Peer review activities by a health care organization include, without limitation:
(a) Credentialing, privileging or affiliating of health care providers as members of, or providers for, a health care organization;
(b) Quality assurance and improvement, patient safety investigations and analysis, patient adverse outcome reviews, and root-cause analysis and investigation activities by a health care organization; and
(c) Professional review action, meaning an action or recommendation of a health care organization which is taken or made in the conduct of peer review, that is based on the competence or professional conduct of an individual physician or emergency medical services personnel where such conduct adversely affects or could adversely affect the health or welfare of a patient or the physician’s privileges, employment or membership in the health care organization or in the case of emergency medical services personnel, the emergency medical services personnel’s scope of practice, employment or membership in the health care organization.

(I.C. § 39-1392a(11)). Continue reading

December 19, 2016

Requiring Referrals from Employees and Contractors

by Kim Stanger

Many providers mistakenly believe that the federal Stark law prohibits hospitals and other employers from requiring employed or contracted physicians to refer healthcare services to the employer. Stark actually allows a hospital or other employer to require contracted physicians to refer items or services to the hospital if the items or services relate to the physician’s services under the contract and certain additional conditions are satisfied.

Stark Regulations. Stark’s “special rules on compensation” state:

A physician’s compensation from a bona fide employer … or other arrangement for personal services may be conditioned on the physician’s referrals to a particular provider, practitioner, or supplier, provided that the compensation arrangement meets all of the following conditions. The compensation arrangement:
(i) Is set in advance for the term of the arrangement.
(ii) Is consistent with fair market value for services performed (that is, the payment does not take into account the volume or value of anticipated or required referrals).
(iii) Otherwise complies with an applicable exception under [42 CFR] §411.355 or §411.357.
(iv) Complies with both of the following conditions:

(A) The requirement to make referrals to a particular provider, practitioner, or supplier is set out in writing and signed by the parties.
(B) The requirement to make referrals to a particular provider, practitioner, or supplier does not apply if the patient expresses a preference for a different provider, practitioner, or supplier; the patient’s insurer determines the provider, practitioner, or supplier; or the referral is not in the patient’s best medical interests in the physician’s judgment.

(v) The required referrals relate solely to the physician’s services covered by the scope of the employment, the arrangement for personal services, or the contract, and the referral requirement is reasonably necessary to effectuate the legitimate business purposes of the compensation arrangement. In no event may the physician be required to make referrals that relate to services that are not provided by the physician under the scope of his or her employment, arrangement for personal services, or contract.

Continue reading

December 6, 2016

Liability for Non-Employees: Beware Apparent Authority

by Kim Stanger

As a general rule, hospitals and other healthcare providers are not liable for the acts of non-employed medical staff members, independent contractors or vendors; instead, each party is responsible for its own actions or those of its employees or agents who are acting within the scope of their employment or agency. However, courts are sometimes willing to hold a hospital or provider vicariously liable for the acts of non-employees under the doctrine of “apparent authority”.

Apparent Authority. In Jones v. Healthsouth Treasure Valley, for example, the Idaho Supreme Court held that a hospital might be liable for the acts of an independent contractor if: (1) the hospital’s conduct would lead a plaintiff to reasonably believe that another person acts on the hospital’s behalf (i.e., the hospital held out that other person as the hospital’s agent); and (2) the plaintiff reasonably believes that the putative agent’s services are rendered on behalf of the hospital (i.e., the plaintiff is justified in believing that the actor is acting as the agent of the hospital). (147 Idaho 109, 206 P.3d 473 (2009)). The Idaho Supreme Court recently reaffirmed the apparent authority theory in Navo v. Bingham Memorial Hospital, 160 Idaho 363, 373 P.3d 681 (2016). Continue reading