10 Times HIPAA May Not Apply


10 common emergency care situations where the Health Insurance Portability and Accountability Act of 1996 may be improperly invoked

Next year marks the 20th anniversary of the passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA’s purpose is to protect the privacy and security of protected health information or “PHI.” PHI is individually identifiable information in any form relating to an individual’s healthcare, payment for healthcare, or physical or mental health condition. While serving as the protector of PHI, limiting disclosures without patient authorization, and generally ensuring that people’s private medical conditions are not broadcast in public, HIPAA is often misunderstood and misapplied in practice. Incorrect invocations of HIPAA can sometimes limit access to vital information and harm patients. A recent New York Times article detailed cases where important clinical information did not reach providers, all in the name of HIPAA.

When it comes to emergency medical care, complete information is vital to making the best clinical decision. Timely access to existing records often affects clinical actions, such as decisions to admit, order expensive imaging tests, or use narcotic pain relievers. For example, incorrectly using HIPAA as the reason for not sharing important information, such as old EKGs or stress test results for patients with chest pain or prior imaging results for patients with abdominal pain, can cause providers to overuse inpatient and radiology resources. Unfortunately, pertinent information is often absent or kept protected during the emergency department (ED) visit, limiting easy access by providers.


When providers do not understand how HIPAA applies to a particular situation, the knee-jerk response is often to err on the side of caution. Certainly you’ve heard a colleague say, “That’s a HIPAA violation!” but have not been so sure yourself. Yet for providers, there is a real reason to be careful: HIPAA violations can carry significant penalties for individual and institutional providers (referred to under HIPAA as “covered entities”) and their “business associates” (individuals and organizations doing work on their behalf, e.g., claims processor or business manager).





What HIPAA Says: Providers may disclose “directory information” (i.e., patient’s location and general health status) if the caller identifies the patient by name. This exception permits callers to locate friends or family who may have been involved in an accident. Providers must first provide patients the opportunity to agree or object to the disclosure of “directory information.” If the patient is incapacitated, the provider must inform the patient that such disclosures were made and give the patient the opportunity to object to further disclosures as soon as practicable. This requirement protects, for example, victims of domestic abuse who may not want their whereabouts divulged to their abuser. This opportunity to object may be offered verbally or in writing, such as through the notice of privacy practices that is given to patients upon arrival in the ED.

Situation #2: A person identifying herself as a patient’s physician calls the ED provider to ask about their patient’s status.
What HIPAA Says: Disclosures of PHI from one provider to another provider for treatment purposes are permissible without the patient’s authorization. The disclosing provider must use professional judgment to determine whether the requested PHI relates to the patient’s treatment by the requesting physician.

What HIPAA Says: Location and general health status (i.e., directory information) can be disclosed if the requestor identifies the patient by name unless the patient has objected to such disclosures. This rule prevents inappropriate disclosures when, for example, a caller inquires about the status of “the gunshot victim.” A provider may disclose PHI to the media where necessary to identify, locate, or notify individuals responsible for the patient’s care, but media-initiated inquiries about a specific patient do not fall within this exception.


What HIPAA Says: Disclosures “incident to” a permitted disclosure of PHI (such as disclosures for treatment purposes) are permissible. While HIPAA does not define exactly what “incident to” means, it requires that providers “reasonably protect” PHI with appropriate safeguards to limit incidental disclosures. This may include speaking quietly when discussing PHI or moving patients to private areas. For example, physicians discussing a specific patient’s case on a crowded elevator could be a HIPAA violation. In this situation, a reasonable safeguard – such as not disclosing PHI in a crowded, public setting – would be expected when the case could easily be discussed in a more private setting.


What HIPAA Says: HIPAA requires providers to give a patient access to his/her PHI when the patient specifically requests it, unless the PHI or patient is subject to special protections or another law authorizes the provider to withhold the information (e.g., a state law further restricting disclosure of mental health information). Absent such a request and assuming the patient has not objected to the provider’s disclosure of PHI to family members, this situation raises ethical rather than HIPAA concerns. Providers should use their professional judgment and consider the best interests of the patient as well as any organizational policies and procedures for such situations.

Situation #7: Emergency department staff calls a patient to provide a test result that resulted after the patient was discharged, but the patient is unavailable. The family member who answers the phone asks for the result stating that they will share it with the patient.
What HIPAA Says: Disclosures to family and friends involved with a patient’s care are permissible under HIPAA. Patients must have an opportunity to agree or object to such disclosures while they are in the ED. However, providers may use their professional judgment to infer from the situation that a patient does or does not object. If, while in the ED, the patient agreed to disclosures to the family member and the provider determines that it is in the patient’s best interest, disclosure of the test results may technically be permissible. However, verifying the family member’s identity and determining whether the patient’s prior permission extends to this situation may not be possible. In these situations, providers should use their professional judgment and consider the best interests of the patient as well as any organizational policies and procedures. For example, many facilities commonly would ask the patient to call the hospital for the results.

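What HIPAA Says: In limited circumstances, PHI may be disclosed to law enforcement without the patient’s authorization. For example, when a law enforcement official requests PHI about a patient who is a suspected crime victim and the patient is unable to agree to the disclosure because of incapacity or other emergency circumstances, the disclosure may be made if the provider determines that it is in the patient’s best interest and the law enforcement official represents that: (1) the PHI is needed to determine whether another person has violated the law; (2) the PHI will not be used against the patient; (3) immediate law enforcement activity depends on the disclosure; and (4) waiting until the patient is able to agree to the disclosure would materially and adversely affect the activity. Unauthorized disclosures outside the specified law enforcement exceptions must be limited to directory information or notification of the patient’s family, unless the patient objects to such disclosures.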

What HIPAA Says: In general, providers must have the employee’s authorization to disclose health-related information to an employer, unless the provider is treating the employee for a work-related illness or injury at the employer’s request. In that case, the provider may disclose pertinent findings only if the employer needs such information for reporting requirements mandated by law. Providers must alert patients to these types of disclosures, which can be done in their Notice of Privacy Practices. Providers may also disclose PHI without patient authorization to the extent authorized by laws relating to worker’s compensation programs providing benefits for work-related injury or illness.

Situation #10: The hospital CEO calls the ED to inquire, out of personal concern, about the status of a VIP patient.
What HIPAA Says: Directory information (e.g., location, general health status) may be disclosed if the patient has not objected to such disclosures. Additional information may be disclosed if it is to be used for a “health care operations” purpose, which includes six broad categories of activities such as quality improvement and customer service. If information beyond directory-level information is sought for personal interest, such disclosures are impermissible. Depending on the policies and procedures of a particular organization, looking up a patient’s PHI without a permissible purpose may lead to disciplinary action in addition to any HIPAA related penalties.


HIPAA attempts to balance individuals’ right to control access to their health information against providers’ need to exchange information for treatment, payment, and health care operations. While the previous 10 situations may sound familiar, many other situations may cause confusion. Despite common misperceptions, the HIPAA Privacy Rule vests fairly broad discretion in health care providers to exchange prudent amounts of patient information related to treatment, payment, and operations without written patient authorization. However, beyond these purposes, there are important exceptions, some of which require written patient authorization or an opportunity for the patient to object to the disclosure of information. To help, here are some practical considerations in determining how HIPAA applies to a particular ED situation. In addition, guidance on where to find additional information is in Figure 2.


HIPAA’s treatment, payment, and operations exceptions cover most routine healthcare activities. While providers may not be familiar with all the specifics of these exceptions, a basic guideline to help determine whether an exception applies is to consider whether the disclosure facilitates or improves patient care and is in the best interest of the patient. If failure to disclose would materially and adversely impact care, it is probable that the disclosure would be permissible under HIPAA.

Law v. Ethics

Disclosures During v. After Treatment

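HIPAA defers to state laws regarding minors and other incompetent individuals. Other federal laws (e.g., 42 CFR Part 2) contain more restrictive requirements that apply to PHI such as substance abuse information. State laws may be more stringent than HIPAA or protect certain types of PHI, such as HIV-related information. Providers should be familiar with all applicable laws and their organization’s disclosure policies and apply them to the specific type of PHI being disclosed.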

Don’t Be Vague


  1. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 18, 26, 29, and 42 U.S.C.); for purposes of this article, references to “HIPAA” are to the HIPAA Privacy Rule, 45 C.F.R. 164.500 et seq.
  2. HIPAA’s Use as Code of Silence Often Misinterprets the Law. NY Times, July 17, 2015. http://www.nytimes.com/2015/07/21/health/hipaas-use-as-code-of-silence-often-misinterprets-the-the-law.html?_r=0


HEALTH POLICY SECTION EDITOR Dr. Pines is a practicing emergency physician and a Professor of Emergency Medicine and Health Policy at the George Washington University.

Elizabeth Gray, JD, MHA is a senior researcher at the Milken Institute School of Public Health at George Washington University.

Jane Hyatt Thorpe, JD is an Associate Professor at the Milken Institute School of Public Health and Director of the Healthcare Corporate Compliance Program at George Washington University.


  1. Gretchen Boise, MD

    The list of 18 print out with the corresponding CFR’s should be in every physician’s file in order to give a copy to the rare patient who refuses care due to HIPAA concerns. I had a lab tech who stuck herself on an IVDA patient’s blood, leave the office after she became concerned because she’d secretly taken and shown me the index patient’s identifying information to which I said they should be tested for Hepatitis C. Unfortunately, the employer wanted her to be seen by her private physician instead of us under workman’s compensation. The private physician did not want to get involved in a workman’s compensation case. The patient did eventually go to another of our Occupational Medicine clinics, but if I’d had this print-out, showing her #17, it may have appeased her so we could have continued with her own testing right away.

  2. ivette rosado

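    A death in the family: the hospital did not give the mother, who had the legal right to make arrangements to bring him back to her country, any information about the whereabouts of her 40-year-old or the funeral home that picked him up. In the end, it turned out that his daughter and her family did not want them to know. They went to the hospital several times, and they all knew the situation. Long story short, a distant family member who works at the hospital tried to translate and help them. She was terminated because of the HIPAA law. I don’t see how the HIPAA law was broken when there was proper protocol, since he no longer existed. They just wanted to know who took the body. Crazy, right.. Horrible of the daughter, who was manipulated by family. Thoughts, anyone... I am in human resources, and I feel the termination was not right.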

  3. 勞拉·巴特爾斯

    I was a patient seven months ago who was accused of being an “alcoholic” by the ER doctor who attended to me. I am not, but that didn’t matter to this doctor who saw liver damage and continued an assault on me, saying I was going to die unless I had a liver transplant, but I could forget about that happening because nobody would help someone who was an alcoholic.
    By the way, I didn’t test positive for alcohol, or any drugs, but that didn’t matter. To make matters worse, right after returning to work, my home business was closed down because of a complaint containing medical information that only a doctor would know. The complaint resulted in my license being revoked and I had to close my business. I still did not have a firm diagnosis of my condition. I had to sell off my business at a loss, to pay for medical bills and had to sell future inheritance to cover expenses that come from lost wages, medical bills, and raising children. When I finally got my diagnosis everything was already taken away.
    I have autoimmune hepatitis, just like my mom and other family members. I am not an alcoholic, which I was originally accused of. My business and reputation were destroyed. I never used to be depressed, but I cry all the time now. I only ever wanted meaningful purposeful work, and I grieve for all the ways that this was taken from me. This was done by the medical community. I have completely lost my trust in doctors and I feel like I can’t say anything. I am not taken seriously. I had to go to a doctor with my daughter today because she was hit by a semi-truck driver. I feel like I have PTSD. I can’t shake this feeling of mistrust that I have each time I need to step into a Health Care facility. How can this be right?
