Physicians get new clarification on HIPAA’s privacy rule

July 8, 2016

A pair of new fact sheets can help physicians determine when patient authorization to share information is not needed in the interest of care coordination.

Although the Health Insurance Portability and Accountability Act (HIPAA) has been law for well over a decade, there is still confusion surrounding some of the regulations contained in it. The privacy rule, for example, can be difficult to navigate.

Recently, the U.S. Department of Health and Human Services (HHS), the Office of the National Coordinator for Health IT (ONC) and the Office of Civil Rights (OCR) collaborated to release a series of fact sheets to help healthcare providers and others bound by HIPAA understand when protected health information (PHI) can be shared without the patient’s authorization, which is one of the most frequently misunderstood parts of the privacy rule.

Two of the fact sheets, one on healthcare operations and one on treatment, offer concrete examples of specific situations that could cause confusion for covered entities in the areas of operations and coordination of treatment. Jeff Drummond, an attorney with Jackson Walker, LLP, in Dallas, Texas, says the main reason people have difficulty with HIPAA is that they don’t understand how the law is structured.

“People have a hard time putting HIPAA together with their day-to-day lives,” says Drummond, adding that the fact sheets are geared to help bridge that gap with real-world examples for physicians.

In the operations fact sheet, HHS discusses the kinds of exceptions that make patient authorization unnecessary: improving the quality of care, developing guidelines or protocols, coordinating care, reviewing the qualifications of healthcare providers or conducting training, among several others. “Sharing information in order to develop clinical pathways is useful and very important, and we have to have some level of information sharing,” says Drummond of the exceptions.


However, two conditions must be met. First, both the covered entity sharing the PHI and the one receiving it must have a relationship with the patient, and second, only the minimum amount of information necessary to complete the operation may be disclosed. “The tricky part is deciding what the minimum amount of information necessary is,” says Drummond.

Even if names, addresses, and social security numbers are removed from a document, it is still considered PHI if it includes a date more specific than a year. A document that says “June, 2016” is subject to all of the same security rules as a document that includes a name and address.

In the treatment fact sheet, HHS offers the example of a patient being discharged from an inpatient facility, who will be receiving treatment from multiple rehabilitation facilities. Written authorization is not necessary in order to coordinate that care. Drummond says confusion arises because it’s natural for people to feel ownership of records. “The person who works in medical records looks at the records and thinks of them as belonging to the hospital and therefore feels responsibility,” says Drummond, but that isn’t how HIPAA works.

The question of whether a situation meets one of the exceptions is usually fairly clear cut. Again, the hard part is deciding the minimum amount necessary. For example, if the patient is getting rehabilitation for a broken arm, the rehabilitation provider doesn’t need the patient’s complete medical record; they need only the parts of the record pertaining to the broken arm, says Drummond.

Drummond says HIPAA is really quite simple. “If you are a covered entity you cannot use or disclose PHI unless there is authorization or some exception, and it doesn’t matter what your relationship with the patient is -- and that actually works pretty well.”