10 common emergency care situations where the Health Insurance Portability and Accountability Act of 1996 may be improperly invoked
Next year marks the 20th anniversary of the passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA’s purpose is to protect the privacy and security of protected health information or “PHI.” PHI is individually identifiable information in any form relating to an individual’s healthcare, payment for healthcare, or physical or mental health condition. While serving as the protector of PHI, limiting disclosures without patient authorization, and generally ensuring that people’s private medical conditions are not broadcasted in public, HIPAA is often misunderstood and misapplied in practice. Incorrectly applied invocations of HIPAA can sometimes limit access to vital information and harm patients. A recent New York Times article detailed cases where important clinical information did not reach providers, all in the name of HIPAA.
When it comes to emergency medical care, complete information is vital to making the best clinical decision. Timely access to existing records often affects clinical actions, such as decisions to admit, order expensive imaging tests, or use narcotic pain relievers. For example, incorrectly using HIPAA as the reason for not sharing important information such as old EKGs or stress test results for patients with chest pain or prior imaging results in patients with abdominal pain can cause providers to overuse inpatient and radiology resources. Unfortunately, pertinent information is often absent or kept protected during the emergency department (ED) visit, limiting easy access by providers.
When providers do not understand how HIPAA applies to a particular situation, the kneejerk response is often to err on the side of caution. Certainly you’ve heard a colleague say, “That’s a HIPAA violation!” but have not been so sure yourself. Yet for providers, there is a real reason to be careful: HIPAA violations can carry significant penalties for individual and institutional providers (referred to under HIPAA as “covered entities”) and their “business associates” (individuals and organizations doing work on their behalf, e.g., claims processor or business manager).
What HIPAA says: Providers may disclose “directory information” (i.e., patient’s location and general health status) if the caller identifies the patient by name. This exception permits callers to locate friends or family who may have been involved in an accident. Providers must first provide patients the opportunity to agree or object to the disclosure of “directory information.” If the patient is incapacitated, the provider must inform the patient that such disclosures were made and give the patient the opportunity to object to further disclosures as soon as practicable. This requirement protects, for example, victims of domestic abuse who may not want their whereabouts divulged to their abuser. This opportunity to object may be offered verbally or in writing, such as through the notice of privacy practices that is given to patients upon arrival in the ED.
Situation #2: A person identifying herself as a patient’s physician calls the ED provider to ask about their patient’s status.
What HIPAA says: Disclosures of PHI from one provider to another provider for treatment purposes are permissible without the patient’s authorization. The disclosing provider must use professional judgment to determine whether the requested PHI relates to the patient’s treatment by the requesting physician.
What HIPAA says: Location and general health status (i.e., directory information) can be disclosed if the requestor identifies the patient by name unless the patient has objected to such disclosures. This rule prevents inappropriate disclosures when, for example, a caller inquires about the status of “the gunshot victim.” A provider may disclose PHI to the media where necessary to identify, locate, or notify individuals responsible for the patient’s care, but media-initiated inquiries about a specific patient do not fall within this exception.
What HIPAA says: Disclosures “incident to” a permitted disclosure of PHI (such as disclosures for treatment purposes) are permissible. While HIPAA does not define exactly what “incident to” means, it requires that providers “reasonably protect” PHI with appropriate safeguards to limit incidental disclosures. This may include speaking quietly when discussing PHI or moving patients to private areas. For example, physicians discussing a specific patient’s case on a crowded elevator could be a HIPAA violation. In this situation, a reasonable safeguard – such as not disclosing PHI in a crowded, public setting – would be expected when the case could easily be discussed in a more private setting.
What HIPAA says: HIPAA requires providers to give a patient access to his/her PHI when the patient specifically requests it, unless the PHI or patient is subject to special protections or another law authorizes the provider to withhold the information (e.g., a state law further restricting disclosure of mental health information). Absent such a request and assuming the patient has not objected to the provider’s disclosure of PHI to family members, this situation raises ethical rather than HIPAA concerns. Providers should use their professional judgment and consider the best interests of the patient as well as any organizational policies and procedures for such situations.
Situation #7: Emergency department staff calls a patient to provide a test result that resulted after the patient was discharged, but the patient is unavailable. The family member who answers the phone asks for the result stating that they will share it with the patient.
What HIPAA says: Disclosures to family and friends involved with a patient’s care are permissible under HIPAA. Patients must have an opportunity to agree or object to such disclosures while they are in the ED. However, providers may use their professional judgment to infer from the situation that a patient does or does not object. If, while in the ED, the patient agreed to disclosures to the family member and the provider determines that it is in the patient’s best interest, disclosure of the test results may technically be permissible. However, verifying the family member’s identity and determining whether the patient’s prior permission extends to this situation may not be possible. In these situations, providers should use their professional judgment and consider the best interests of the patient as well as any organizational policies and procedures. For example, many facilities commonly would ask the patient to call the hospital for the results.
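What HIPAA says: In limited circumstances, PHI may be disclosed to law enforcement without the patient’s authorization. For example, if a law enforcement official requests PHI about a patient who is a suspected crime victim, and the patient is unable to agree to the disclosure because of incapacity or other emergency circumstances, the PHI may be disclosed if the provider determines that disclosure is in the patient’s best interest and the law enforcement official represents that: (1) the PHI is needed to determine whether another person has violated the law; (2) the PHI will not be used against the patient; (3) immediate law enforcement activity depends on the disclosure; and (4) waiting until the patient is able to agree to the disclosure would materially and adversely affect the activity. Disclosures without authorization outside of the specified law enforcement exceptions must be limited to directory information or notification of the patient’s family, unless the patient objects to such disclosures.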
What HIPAA says: In general, providers must have the employee’s authorization to disclose health-related information to an employer, unless the provider is treating the employee for a work-related illness or injury at the employer’s request. In that case, the provider may disclose pertinent findings only if the employer needs such information for reporting requirements mandated by law. Providers must alert patients to these types of disclosures, which can be done in their Notice of Privacy Practices. Providers may also disclose PHI without patient authorization to the extent authorized by laws relating to workers’ compensation programs providing benefits for work-related injury or illness.
Situation #10: The hospital CEO calls the ED to inquire, out of personal concern, about the status of a VIP patient.
What HIPAA says: Directory information (e.g., location, general health status) may be disclosed if the patient has not objected to such disclosures. Additional information may be disclosed if it is to be used for a “health care operations” purpose, which includes six broad categories of activities such as quality improvement and customer service. If information beyond directory-level information is sought for personal interest, such disclosures are impermissible. Depending on the policies and procedures of a particular organization, looking up a patient’s PHI without a permissible purpose may lead to disciplinary action in addition to any HIPAA-related penalties.
HIPAA attempts to balance individuals’ right to control access to their health information against providers’ need to exchange information for treatment, payment, and health care operations. While the previous 10 situations may sound familiar, many other situations may cause confusion. Despite common misperceptions, the HIPAA Privacy Rule vests fairly broad discretion in health care providers to exchange prudent amounts of patient information related to treatment, payment, and operations without written patient authorization. However, beyond these purposes, there are important exceptions, some of which require written patient authorization or an opportunity for the patient to object to the disclosure of information. To help, here are some practical considerations in determining how HIPAA applies to a particular ED situation. In addition, guidance on where to find additional information is in Figure 2.
HIPAA’s treatment, payment, and operations exceptions cover most routine healthcare activities. While providers may not be familiar with all the specifics of these exceptions, a basic guideline to help determine whether an exception applies is to consider whether the disclosure facilitates or improves patient care and is in the best interest of the patient. If failure to disclose would materially and adversely impact care, it is probable that the disclosure would be permissible under HIPAA.
Law v. Ethics
Disclosures During v. After Treatment
Don’t Be Vague
- Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 18, 26, 29, and 42 U.S.C.); for purposes of this article, references to “HIPAA” are to the HIPAA Privacy Rule, 45 C.F.R. 164.500 et seq.
- HIPAA’s Use as Code of Silence Often Misinterprets the Law. NY Times, July 17, 2015. http://www.nytimes.com/2015/07/21/health/hipaas-use-as-code-of-silence-often-misinterprets-the-the-law.html?_r=0