ABA Health eSource
November 2008 Volume 5 Number 3

New HIPAA Privacy Rule Guidance From The OCR
by Kathy L. Poppitt, Thompson & Knight, LLP, Austin, TX

For many healthcare providers and their attorneys, navigating the murky waters of medical record privacy protections is often daunting and confusing. For the first time since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule went into effect in 2003, the HHS Office for Civil Rights (OCR) has issued two separate guidance documents on the topic of how a covered entity may share information with people involved in a patient's care. According to the OCR, due to a lack of clear understanding, some providers are not sharing medical and other information in situations in which the Privacy Rule would permit them to do so. The guidance released on September 19 in two formats, one for patients and one for providers, is targeted at this frequently misunderstood area of provider communications with a patient's family, friends, or others involved in the patient's care.

The two guides are intended to clarify HIPAA requirements so that healthcare providers do not unnecessarily withhold a patient's health information from friends and family. Of particular interest is the discussion of what health information a provider may share when the patient is not present or is incapacitated. In those circumstances, according to the guidance to providers, the provider may share the patient's information with family, friends, or others as long as the healthcare provider determines in his or her professional judgment that it is in the best interest of the patient, but only the information that the person involved needs to know about the patient's care or payment. Some examples given are:

  • A surgeon who performed emergency surgery on a patient may tell the patient's spouse about the patient's condition while the patient is unconscious.
  • A pharmacist may give a prescription to a patient's friend who the patient has sent to pick up the prescription.
  • A hospital may discuss a patient's bill with her adult son who calls the hospital with questions about charges to his mother's account.
  • A healthcare provider may give information regarding a patient's drug dosage to the patient's health aide who calls the provider with questions about the particular prescription.

The OCR goes on to say that a provider may not tell a patient's friend about a past medical problem that is unrelated to the patient's current condition. Additionally, a provider is not actually required by HIPAA to share any patient information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to either agree or give the information himself.

The patient guidance states that as long as the patient does not object, a provider may share or discuss the patient's medical information with a patient's family, friends, or others involved in the patient's care or payment. Again, even when the patient is present, the provider may discuss only the information that the person involved needs to know about the care or payment for the care. The following examples are given:

  • An emergency room doctor may discuss a patient's treatment in front of the patient's friend when the patient asked that the friend come into the treatment room.
  • The hospital may discuss a bill with the patient's daughter who is with the patient at the hospital.
  • A doctor may talk to the patient's sister who is driving the patient home from the hospital about keeping the patient's foot raised during the ride home.
  • A doctor may discuss the drugs the patient needs to take with the health aide who has come with the patient to her appointment.

The guidance states that a provider may share a patient's information with others as long as the patient does not object. However, it also clarifies that while the provider is free to document the patient's agreement in writing, HIPAA does not require that a provider document the patient's agreement or lack of objection in the patient's chart.

Another point of interest in the patient guidance is the discussion of whether a provider must require proof of identity of those asking for information about a patient. The guidance states that HIPAA does not require such proof of identity; however, a provider may have its own rules for verifying who is on the phone, for example.

Two of the positive aspects of both the patient and provider guidance are that they are relatively user-friendly and provide satisfyingly concrete examples to common questions. Providers may find it useful to distribute copies of the patient guidance with the notice of privacy practices that they give patients. The guidance may be read at www.hhs.gov/ocr/hipaa/consumer.ffg.pdf.
