Is There A Hippo In Your Doctor's Office?
By Amos Goodall
In 1996, Congress passed the Health Insurance Portability and Accountability Act, called HIPAA. Congress created this law to regulate the electronic exchange of medical information. Recognizing that assembling this information in one place could lead to abuses, one part of HIPAA calls for the creation of a privacy rule to protect patients from invasion of their privacy.
Unfortunately, this protection sometimes interferes with the way people legitimately feel their information should be handled. It almost seems like the law has created a hippopotamus, wandering around medical offices, smashing into relationships between doctors and nurses and members of their patients’ families.
The privacy rule creates a base of federal safeguards to protect health information. The rule does not take the place of federal, state or other laws that give even greater privacy rights. Most healthcare plans, including Medicaid and healthcare providers that are covered by the privacy rule, were required to start following it on April 14, 2003.
Under the law, private health information is generally protected from disclosure to third parties, unless:
• it is authorized by the patient,
• disclosure is required by law (such as child abuse which may be required to be reported to authorities or in response to a subpoena), or
• the information is used by another health provider for the treatment of the patient.
Information, which does not identify the patient, can also be released for purpose of research.
Limited information, may be released by a hospital or other facility. Limited information includes the patient’s name, location in the facility, general condition and a person’s religious affiliation. The facility may use this to provide a directory or to furnish it to persons who ask for the individual by name. These disclosures, may only be made if the patient has been given the opportunity to object or "opt out" of being included in the directory.
If there are circumstances where disclosure of person’s medical information is needed, based upon the exercise of professional judgment, and the person can not provide consent, either because of incapacity or an emergency circumstance, a medical services provider can make disclosures to another party that is directly relevant to the person’s involvement with the covered individual.
There is some question whether standard language in powers of attorney written under Pennsylvania law authorize a health care provider to disclose medical information to the person’s agent or attorney in fact. Department of Health and Human Services in interpreting its own regulations, has offered the opinion that a health care power of attorney may receive private health information. This does not extend to financial powers of attorney and is limited to someone who has the authority to make health care decisions on behalf of the principal.
The privacy rule itself, however, does not specifically identify agents under a power of attorney, and limits this disclosure to a patient’s "personal representative". Many attorneys are modifying their powers of attorney to describe a healthcare agent using the "personal representative" language of the privacy rule. 45CFR §164.524. Physicians may refuse disclosure to an agent under a health care power of attorney if the patient has been subject to domestic violence abuse or neglect by the agent (or the physician reasonably believes this to have been the case) or if disclosure could endanger the individual in the exercise of professional judgment. With some exceptions, such as when the individual himself is requesting disclosure of the information, the covered entity may only supply the minimum information necessary to accomplish the legitimate purpose for which the information was requested.
Emancipated children are treated as adults, and their information is protected unless they authorize its disclosure as an adult. Typically, a parent, guardian or other person in loco parentis for an unemancipated minor may obtain medical information about the minor, and the minor may obtain the information himself or herself without the consent of the parent, guardian or other person, unless state law requires disclosure to the parent.
Covered entities are required to provide privacy notices to their patients, and are required to take steps to make certain that their consultations are indeed confidential.
There are complex rules governing patients’ consent to release of information to third parties, and those rules are even more complex when mental health records are involved.