My heart goes out to any family member trying desperately to get news about a loved one in the hours and days following an individual or widespread tragedy, irrespective of whether it was triggered by an act of nature, an act of terrorism, or any other violent, unanticipated, life-taking event. My mind, though, struggles with the idea that HIPAA could actually exacerbate and prolong a family member’s agony.

HIPAA is, generally speaking, intended to protect our privacy when it comes to health status, treatment, or payment and to facilitate appropriate access to our health information. But, as is typical with federal laws intersecting areas historically governed by State law, HIPAA defers to State law in some key respects. For example, if a HIPAA provision is contrary to a similar provision of State law, the HIPAA provision preempts State law unless the State law relates to the privacy of individually identifiable health information and is “more stringent” than the comparable HIPAA provision. HIPAA also references “applicable law” in describing who can get information as a personal representative of an individual or act on behalf of a deceased individual.

So what does this mean in the context of family members seeking information about loved ones following the devastating Orlando, Florida night club shooting or following some other violent tragedy?

If a victim is hospitalized and a friend or family member is trying to get information about the victim, HIPAA permits the hospital to share information under the following circumstances:

* A hospital may use protected health information (PHI) to notify or assist in the notification of a family member, personal representative or other person responsible for the patient’s care of the patient’s location, general condition or death.

* A hospital can use a facility directory to inform visitors and callers of a patient’s location and general condition.

* A hospital can release information as to the victim of a crime in response to law enforcement’s request for such information under certain circumstances, and law enforcement can notify the families.

* If the patient is competent, the patient can tell the hospital that it may release all information to their family and friends.

* If the patient is not competent to authorize release of information, a “personal representative” (a person authorized under State law to act on behalf of the patient to make health care decisions) can have all information necessary to make decisions. That person can also authorize release of information to others.

Sadly, the agony of loved ones seeking information about a patient may be prolonged if they are not viewed as family members or if State law does not recognize the loved one as a “personal representative”. Sure, the federal Department of Health and Human Services (HHS) could amend the HIPAA regulations to deem certain individuals (for example, same-sex partners who are not legally married) to be personal representatives for purposes of access to PHI. [Note: HHS treats legally married same-sex spouses as “family members” under HIPAA — see special topic publication available here.]

However, if the State law does not recognize these certain individuals as personal representatives, perhaps because the State law is “more stringent than” HIPAA in affording the patient greater privacy, HHS might also have to amend its HIPAA preemption regulations.

Hospitals and other health care professionals are constantly called upon to exercise discretion in dealing with requests for PHI from family members and loved ones of patients while complying with HIPAA. HIPAA regulations may need to be modified or perhaps could be “waived” (as described in yesterday’s Washington Post article) in some cases, but only when doing so furthers the fundamental HIPAA goals of privacy protection and facilitation of appropriate access.

Because of the enormity of the Orlando tragedy, some State legislatures may be expected to consider whether changes are necessary to promote information sharing in exigent circumstances while preserving the State’s interest in affording patients greater privacy protection than that afforded by HIPAA.

More than eleven years have passed since the U.S. Department of Health and Human Services (HHS), the agency responsible for the privacy of protected health information under HIPAA, and the U.S. Department of Education (DOE), the agency responsible for the privacy of student records under FERPA, issued joint guidance on the interplay between HIPAA and FERPA.

New joint guidance issued earlier this month (the “2019 Update”) provides updates and helpful clarifications as to when and how HIPAA and FERPA apply. The following 6 topics caught my attention:

  1. Emergency Situations. A new section on when disclosures may be made in emergency situations under HIPAA paraphrases a 2014 HHS Bulletin and FAQ issued, respectively, following the Ebola outbreak and questions about disclosure standards in the wake of the shooting at the Pulse Nightclub in Orlando (see here for my 2016 post on this topic). It also incorporates DOE guidance and regulatory preamble statements concerning disclosure of FERPA-protected information in the event of a health or safety emergency.
  2. School-Employed Health Care Providers. The 2019 Update also includes a clarified description of when a school that employs a health care provider and conducts covered transactions electronically is subject to the FERPA privacy standards instead of the HIPAA privacy standards. The prior guidance stated that even when a school is a covered entity under HIPAA, it might not have protected health information. The 2019 Update more helpfully states that compliance with “the HIPAA Rules” is not required where the school’s only health records are considered “education records” or “treatment records” under FERPA (note that the 2019 Update would be even more helpful if it added the word “Privacy” between “HIPAA” and “Rules”, since the school would still be subject to the HIPAA “Transactions Rule” when submitting claims electronically).
  3. University-Affiliated Hospitals and Clinics. Records maintained by a hospital affiliated with a university that is subject to FERPA are generally subject to HIPAA because the hospital provides health services to individuals regardless of whether they are students of the university. On the other hand, if the hospital runs a separate student health clinic, those clinic records are subject to FERPA as either “education records” or “treatment records”.
  4. Disclosure for Treatment, Payment and “Legitimate Educational Interests” Purposes. Under FERPA, “treatment records” (see 34 C.F.R. 99.3) must be made, maintained, and used only in connection with treatment. They can be disclosed to treating health care professionals who are not part of or acting on behalf of the school, if used solely for treatment. However, if the records are used for billing, they are “education records” and, unless another FERPA exception applies, cannot be disclosed without the prior written consent of the parent or eligible student (meaning a student who reaches the age of 18 or attends a postsecondary institution). However, schools can share information, including health and medical information, from a student’s education record without prior written consent with teachers and other school officials if they have “legitimate educational interests” in the information pursuant to FERPA regulations and the school’s annual notification of FERPA rights. On the other hand, HIPAA allows protected health information to be disclosed to a health plan for payment purposes without the individual’s prior written consent, and for other purposes as permitted under the HIPAA regulations and in accordance with the covered entity’s notice of privacy practices.
  5. Disclosure to Parents. Under FERPA, a physician at a university-operated health clinic may disclose information from the education records of an eligible student without the student’s consent: (i) if the student is claimed as a dependent for federal tax purposes; (ii) in connection with a health or safety emergency if disclosure is needed to protect the student or other persons; or (iii) if the eligible student is under the age of 21, disclosing that the student has committed a disciplinary violation related to the use or possession of alcohol or a controlled substance. FERPA also allows an educational agency or institution to disclose education records of a deceased eligible student to the parent or other third party “at its discretion or consistent with State law.” The privacy rights of a non-eligible student rest with the parent(s), but once the “parents are deceased, the records are no longer protected by FERPA.” On the other hand, HIPAA generally allows covered entities to disclose protected health information about a minor child to the child’s parent or personal representative when consistent with State law. However, if the minor is permitted to receive treatment without a parent’s consent under State law, HIPAA only permits parental disclosure in limited situations, like when the minor presents serious danger to self or others. With respect to deceased students, HIPAA defers to applicable State law to determine who can make disclosure decisions following death.
  6. Disclosure to the National Instant Criminal Background Check System (NICS). While HIPAA generally does not permit a school-based health care provider to report a student to NICS (see here for Fox partner Bill Maruca’s post on this topic), FERPA generally permits the records of a law enforcement unit of an educational agency or institution to be reported to NICS without prior written consent.

These 6 topics and the related clarifications reveal two sobering realities. First, in this age of mass shootings and public health emergencies, there’s a risk that efforts to comply with privacy laws will get in the way of effective emergency response. Second, the inconsistencies and complexity of various U.S. privacy laws are likely to mean continued confusion, despite the best efforts of HHS, DOE, and other state and federal agencies to provide clarification.

In a recent New York Times op-ed piece entitled “How a Bad Law and a Big Mistake Drove My Mentally Ill Son Away,” the father of a young man involuntarily hospitalized under Florida’s Baker Act decries “privacy laws” for limiting his access to information about his son’s whereabouts and care. If this account is accurate, it highlights the widespread confusion that surrounds health care providers’ communication with family members.

The article’s author, Norman Ornstein, describes a disturbing incident in which his son Matthew’s landlord reported that Matthew’s behavior was putting himself in danger. Based on the landlord’s report, which Ornstein later describes as a pretext for removing Matthew from the property, Ornstein and his wife agreed to authorize a 72-hour involuntary commitment under the Florida statute. They later learned that Matthew had been seized by police and taken to the county mental health facility, where he was held for three days and released. Ornstein wrote:

But the staff members wouldn’t let us in. In fact, they said privacy rules meant that they could not even confirm that he was there. … The Baker Act allows 72 hours of involuntary observation to see whether someone is in fact an imminent danger to himself or others. Matthew was not, and after three awful days, he was put in a taxi and sent home. We were not informed when he was released.

Matthew had begun to struggle with mental illness at age 24, but his age at the time is not specified. Since he was no longer a minor, his parents would not be “personal representatives” with access to all his health information absent a guardianship appointment, power of attorney, or similar process recognized under applicable law. However, the facility would have been permitted to confirm his admission and general condition under the HIPAA “directory exception,” which states:

(a) Standard: Use and disclosure for facility directories

(1) Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may:

(i) Use the following protected health information to maintain a directory of individuals in its facility:

(A) The individual’s name;

(B) The individual’s location in the covered health care provider’s facility;

(C) The individual’s condition described in general terms that does not communicate specific medical information about the individual; and

(D) The individual’s religious affiliation; and

(ii) Use or disclose for directory purposes such information:

(A) To members of the clergy; or

(B) Except for religious affiliation, to other persons who ask for the individual by name.

HIPAA also allows family members to be given information in order to locate an individual, and allows the sharing of protected health information directly relevant to the family members’ involvement with the individual’s health care or payment for such care.

(b) Standard: Uses and disclosures for involvement in the individual’s care and notification purposes

(1) Permitted uses and disclosures.

(i) A covered entity may, in accordance with paragraphs (b)(2), (b)(3), or (b)(5) of this section, disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person’s involvement with the individual’s health care or payment related to the individual’s health care.

(ii) A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual’s location, general condition, or death.

Finally, the facility could have simply asked Matthew if he agreed to allow the facility to notify his parents that he was being treated there. The Times account does not indicate whether the facility attempted to seek his consent, and it is possible that he was asked and refused.

The Office for Civil Rights (OCR) of the Department of Health and Human Services has addressed these concerns in a bulletin entitled HIPAA Helps Caregiving Connections – HIPAA helps family and friends stay connected with loved ones who have a substance use disorder, including opioid abuse, or a mental or behavioral health condition:

If a family member, friend, or person you are caring for, has a mental health condition, substance use disorder (including opioid abuse), or other health problem, it can be difficult to stay connected if their condition worsens and they enter a health care facility for observation or treatment. HIPAA helps by allowing the health and mental health providers who treat your loved one to make decisions about communicating with his or her family and friends based on their professional judgment about what is best for the patient.

For Notification Purposes: HIPAA helps you stay connected with your loved one by permitting health professionals to contact you with information related to your family member, friend, or the person you are caring for, that is necessary and relevant to your involvement with the patient’s health care or payment for care. For example, if your loved one becomes disoriented, delirious, or unaware of their surroundings, due, for example, to opioid abuse or a mental health crisis, and arrives at a hospital emergency room for treatment, the doctors, nurses, and social workers may notify you of the patient’s location  and general condition. First, the staff will determine whether the patient agrees to share this information with you or if you are the patient’s personal representative.

If the patient is not able to make decisions (for example, due to being unconscious, sedated, severely intoxicated, or disoriented), then the doctors, nurses, and social workers may contact you without the patient’s permission when they determine that doing so is in the patient’s best interests.

To Help the Patient: HIPAA helps you to assist your loved one by permitting doctors, nurses, and social workers to share protected health information that is related to the care and assistance you are providing to your loved one. For example, if your adult son has been prescribed medication to treat anxiety, and you are helping him by providing supervision or housing, the discharge nurse may inform you what medication he will be taking, if he doesn’t object to sharing this information with you–as well as the side effects to watch for, or symptoms that indicate the medication isn’t working or isn’t being taken properly. If your son is unable to make health decisions independently, the nurse may decide to share this information with you if the nurse determines, using professional judgment, that it is in your son’s best interests.

See also Elizabeth Litten’s post following the Florida nightclub shootings in 2016: Reflections on HIPAA Protections and Permissions in the Wake of the Orlando Tragedy

Some facilities tend to err on the side of caution when they are uncertain whether they are permitted to release information. In addition, to the extent a state law affords greater privacy protections than those afforded under HIPAA, the state law protections will control. However, erring on the side of caution when no HIPAA restriction applies and no other law affords greater privacy protections may actually exacerbate problems for the individual, particularly in the context of mental health.

Heading into its 22nd year, HIPAA continues to be misunderstood and misapplied by many, including health care industry professionals who strive for (or at least claim the mantle of) HIPAA compliance. Here is my “top 5” list of the most frequent, and most frustrating, HIPAA misperceptions seen during 2017:

  1. “If I’m using or disclosing protected health information (PHI) for health care operations purposes, I don’t need a Business Associate Agreement.”

Yes, HIPAA allows PHI to be used or disclosed for treatment, payment and health care operations purposes, but the term “health care operations” is defined to include specific activities of the covered entity performing them. In addition, the general provision permitting use or disclosure for health care operations purposes (45 C.F.R. 164.506(c)) allows such use or disclosure for the covered entity’s “own” health care operations. So if the covered entity (or business associate) is looking to a third party to perform these activities (and the activities involve the use or disclosure of PHI), a Business Associate Agreement is needed.

  2. “I don’t need to worry about HIPAA if I’m only disclosing a patient’s/member’s telephone number, since that’s not PHI.”

If the data disclosed was ever PHI, it’s still PHI (unless it has been de-identified in accordance with 45 C.F.R. 164.514). For example, if data is received by a health care provider and relates to the provision of care to a patient (e.g., as a phone number listed on a patient intake form), it’s PHI – even though, as a stand-alone data element, it doesn’t appear to have anything to do with the patient’s health. Unless the patient has signed a HIPAA authorization allowing the disclosure of the phone number to a third party vendor, the vendor receiving the phone number from the provider to perform patient outreach on behalf of the provider is a Business Associate.

  3. “When a doctor leaves a practice, she can take her patients’ medical records with her.”

This is not automatic, particularly if the practice is the covered entity responsible for maintaining the records and the patient has not expressly allowed the disclosure of his or her records to the departing doctor. In most cases, the practice entity transmits health information in electronic form in connection with a HIPAA transaction and acts as the covered entity health care provider responsible for HIPAA compliance. The patient can access his or her records and direct that they be sent to the departing physician (see guidance issued by the U.S. Department of Health and Human Services (HHS) on individuals’ access rights), and if the patient shows up in the departing doctor’s new office, the practice can share the patient’s PHI under the “treatment” exception. If the practice wants the departing doctor to maintain the records of patients she treated while part of the practice, it can enter a records custodian agreement and Business Associate Agreement with the departing doctor.

  4. “I can disclose PHI under the ‘sales exception’ to anyone involved in due diligence related to the sale of my health care practice/facility without getting a Business Associate Agreement.”

HIPAA prohibits the sale of PHI, but excluded from this prohibition is “the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence” as described in the definition of health care operations. The definition of health care operations, in turn, includes the “sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity.” This “sales exception” is a bit vague and the cross-referencing of other regulations adds to the confusion, but the fact that disclosing PHI in connection with due diligence related to a possible sale of a covered entity is not prohibited as a “sale” does not mean it’s permitted without regard to other HIPAA requirements and protections. Attorneys, consultants, banks, brokers and even potential buyers should consider whether they are acting as business associates, and careful buyers and sellers may want to require Business Associate Agreements with those accessing PHI.

  5. “If I’m treating an overdose victim [or other unconscious or incapacitated person], I can’t share his/her PHI with family members or caregivers.”

The HHS Office for Civil Rights recently published guidance to clarify that HIPAA does not prohibit health care professionals from sharing information with family members and others in crisis situations, such as those involving overdose victims. I blogged on a related topic, involving the nightclub shooting tragedy in Orlando, Florida, back in 2016. The bottom line is that HIPAA allows the disclosure of PHI in two circumstances that are often forgotten: (1) where the patient is unconscious or incapacitated and the provider believes sharing information with family and close friends involved in the patient’s care is in the best interests of the patient; and (2) where the provider believes that sharing information will prevent or lessen a serious and imminent threat to the patient’s health or safety. More stringent laws may apply, such as those governing substance use disorder treatment records created or maintained by certain federally-assisted substance use disorder treatment providers or state laws, but HIPAA permits providers to exercise discretion in crisis situations.

The aftermath of the Orlando nightclub tragedy has led to much discussion about ways that healthcare providers can and should deal with compliance with health information privacy requirements in the face of disasters that injure or sicken many individuals in a limited time frame. One aspect is the pressure to treat patients while simultaneously fulfilling the need to supply current and relevant information to family, friends and the media about patient status without breaching HIPAA by improperly disclosing protected health information (PHI).

Our partner Elizabeth Litten has already posted a prior blog entry on some HIPAA issues that surfaced in the Orlando disaster. She and I were recently featured again by our good friend Marla Durben Hirsch in her article in the August, 2016 issue of Medical Practice Compliance Alert entitled “After Orlando: Keep family, friends informed without violating HIPAA.” Full text can be found in the August, 2016 issue, but a synopsis is below.

Some of the tips provided by Litten and Kline in the article include the following:

  1. Kline: Review and update your practice’s disaster/emergency plan. “[Orlando] was such a disaster, and [there was an appearance created that] the hospital didn’t approach it with calmness and a professional approach.”
  2. Litten: One of the easily forgotten parts of HIPAA is that a covered entity can exercise professional discretion. “It’s best if the patient can agree [to the disclosure]. But if the patient can’t give consent, the provider has ways to provide information and exercise that discretion.” Kline added, “So there’s no need for a HIPAA waiver; the rule anticipates such situations.”
  3. Litten: Make sure that the practice’s designated spokesperson is knowledgeable about HIPAA. “This includes what can and can’t be divulged to friends, family members and the media.”
  4. Litten: Educate clinicians on professional discretion. “Remember when disclosing information to view it through the eyes of the patient. If you reasonably believe that a patient would want the information communicated, it’s OK. The professional is acting as proxy for a patient who can’t speak.”
  5. Kline: Share contact information so staff can quickly get guidance from the practice’s compliance officer, especially during emergency situations. “For instance, a clinician being bombarded in the emergency department may have a question regarding whether she can tell a patient’s relative that the patient has been treated and released (she can).”
  6. Kline: Add this information to your practice’s HIPAA compliance program. “If you have policies and procedures on this, document that training occurred, and [if it] can show you attempted to comply with HIPAA, a court would be very hard pressed to find liability if a patient later claims invasion of privacy.”
  7. Kline: Don’t discriminate. “So clinicians exercising their professional discretion in informing friends and family members need to be gender neutral and objective.”
  8. Kline and Litten: Train administrative staff about HIPAA. “Not only should medical staff know the rules, but so should other staff members such as front desk staff, managers and billing personnel. It’s pretty bad when the head of a hospital is so uninformed about HIPAA that he provides misinformation to the mayor.”
  9. Kline and Litten: Highlight the limitations of the disclosure. “You can’t go overboard and reveal more than is allowed. For instance, a provider can tell a friend or family member about an incapacitated patient’s location, general condition or death. But that doesn’t mean that he can divulge that the lab tests indicate the patient has hepatitis. HIPAA also requires that a disclosure be made only of information that’s ‘minimally necessary.’”

Planning ahead by healthcare providers can help them comply with HIPAA if a disaster situation occurs to keep family and friends informed as to patient status, while contemporaneously carrying out their most important tasks: saving lives, alleviating pain and providing quality care to victims. This approach, however, combined with a good helping of common sense and professionalism, is not confined to disasters – it should be the practice of providers for non-emergent situations as well.