What Information can be Shared without Violating HIPAA?
One of the reasons for complaints to HHS' Office for Civil Rights is a misunderstanding of what information can be shared without violating HIPAA. Complaints of this kind are not necessarily due to compliance failures by Covered Entities; more often they are attributable to patients not knowing which disclosures the Privacy Rule permits.
Each month, HHS' Office for Civil Rights updates a HIPAA Enforcement Highlights web page that summarizes the complaints the agency has received and how they have been resolved. According to the most recent update, the agency has received more than 300,000 complaints since the compliance date of the Privacy Rule in April 2003 and has resolved 97 percent of them.
Of these 300,000 complaints, more than two-thirds did not present an eligible case for enforcement. Most often this was because the business being complained about was not a HIPAA Covered Entity. However, in a significant number of cases, complaints were made about disclosures of PHI in circumstances in which the disclosures were allowed by the Privacy Rule.
Because complaints of this nature are more likely to be made by patients, the figures imply that many patients are unaware of what information can be shared without violating HIPAA. Covered Entities might not consider it their responsibility to educate patients, but when HHS' Office for Civil Rights follows up on a patient's complaint, the resulting investigation can be disruptive even if no violation is found.
Therefore, it is worth ensuring patients understand what information can be shared without violating HIPAA. The best way to do this is to ensure members of the workforce understand what information can be shared without violating HIPAA so they can explain to patients when information can be shared, who it is being shared with, and for what purpose.
Who Can Share Information without Violating HIPAA?
When discussing what information can be shared without violating HIPAA it is necessary to establish who HIPAA applies to and what information is being shared. As mentioned above, many complaints received by HHS' Office for Civil Rights are resolved without any investigation because the business being complained about is not a HIPAA Covered Entity.
HIPAA only applies to health plans, health care clearinghouses, and healthcare providers that conduct electronic transactions for which the Department of Health and Human Services has published standards. Some insurance firms and healthcare providers do not qualify as HIPAA Covered Entities because they do not meet this criterion – as discussed in this article.
Additionally, businesses that provide a service for or on behalf of a Covered Entity that involves uses or disclosures of PHI (Business Associates) have to comply with the Security Rule, the Breach Notification Rule, and the provisions of the Privacy Rule that apply to the service being provided. Information can be shared with these businesses without violating HIPAA provided a valid Business Associate Agreement is in place and the disclosure is limited to what the agreement covers.
Any business that does not qualify as a Covered Entity or Business Associate can share information without violating HIPAA. However, other state and federal laws may apply depending on the nature of the information being shared. For Covered Entities and Business Associates, what information can be shared without violating HIPAA depends not only on the nature of the information, but also on where it is maintained.
What Information can be Shared without Violating HIPAA?
In the context of what information can be shared without violating HIPAA, there are three important considerations to take into account:
- Is the information protected by HIPAA?
- Can the information be shared permissibly?
- Can the information be shared with a patient authorization?
Is the Information Protected by HIPAA?
Due to the complicated definition of Protected Health Information, it is understandable that patients and members of the workforce are not always clear about what information is protected by HIPAA and when it is protected. To summarize, health information created or received by a Covered Entity or Business Associate, together with any information that could identify the subject of that health information, is protected for as long as it is maintained in the same designated record set.
If identifying information (e.g., name, phone number) is maintained outside of a designated record set in a database that does not contain health information, it is not protected by HIPAA. For example, if a hospital maintains a directory of names and phone numbers used to contact individuals, and the directory neither contains health information nor reveals that the individuals listed are patients, the directory is not protected and can be shared without violating HIPAA. The check a Covered Entity should make before relying on this is whether the directory itself relates to the provision of care: a list that identifies the individuals as patients of the hospital does relate to the provision of health care, and that list should be treated as PHI even though it contains no clinical detail.
Can the information be shared permissibly?
Sections §164.506, §164.510, and §164.512 of the Privacy Rule stipulate when Protected Health Information can be shared without violating HIPAA. Under these standards, permissible uses and disclosures include those for treatment, payment, and health care operations (§164.506); those for which the individual must be given an opportunity to agree or object, such as facility directories and disclosures to persons involved in the individual's care (§164.510); and those that do not require an authorization or an opportunity to object, such as disclosures required by law, for public health activities, and for health oversight activities (§164.512).
It is important to be aware that some permissible uses and disclosures of Protected Health Information have conditions or limitations on how much information can be disclosed (e.g., disclosures to law enforcement officers). Most permissible uses and disclosures are also subject to the minimum necessary standard, with the exceptions listed in §164.502(b)(2): disclosures to or requests by a health care provider for treatment, disclosures to the individual, uses or disclosures made under a valid authorization, disclosures to HHS for compliance purposes, and uses or disclosures required by law.
Can the information be shared with a patient authorization?
If a use or disclosure of Protected Health Information is not permitted by the Privacy Rule, it may still be possible to share the information without violating HIPAA if the use or disclosure is authorized by the patient or their personal representative (e.g., the parent of a minor child). In all cases the authorization must be in writing, signed by the individual or their personal representative, and contain the core elements and required statements of §164.508(c). An authorization that is missing a required element is not valid, and a disclosure made in reliance on it is an impermissible disclosure.
It is important that members of a Covered Entity's workforce understand the difference between consent and authorization. Consent, which can be verbal or implied, is only sufficient in a limited number of specific cases (such as the opportunity-to-object disclosures in §164.510), and the failure to obtain a valid authorization when one is required can result in justified complaints to HHS' Office for Civil Rights and compliance investigations.
How to Educate Patients on When PHI Can Be Shared without Violating HIPAA
As mentioned previously, it is worth ensuring patients understand what information can be shared and when PHI can be shared without violating HIPAA. However, adding more information to a Notice of Privacy Practices is likely to raise questions and potentially create as much disruption as an investigation into an unjustified complaint to HHS' Office for Civil Rights.
Therefore, the best way to educate patients is to maximize workforce knowledge, through HIPAA training, about when information is protected by HIPAA and when PHI can be shared without violating HIPAA. This approach has the added benefit of better educating the workforce on permissible uses and disclosures, which minimizes the risk of justified complaints.
Not only can investigations into complaints be disruptive, but when an impermissible use or disclosure is identified, the Covered Entity may have to comply with a corrective action plan that involves the revision of policies and additional workforce training. In addition, HHS investigators may uncover other compliance issues during the investigation that result in more serious consequences.