What’s the first word that comes to mind when you see the term “HIPAA”?
For many individuals in the healthcare market, the word is “NO.”
“Just say no” is a common answer for covered entities and business associates when they are faced with a decision about whether to disclose health information.
But what if I told you that HIPAA actually permits (and even requires) you to say “yes” to many disclosures of health information?
One of the most overlooked aspects of HIPAA is that there are sections that encourage the free-flow of information. Examples include: (1) disclosures for treatment purposes, (2) disclosures for patient access, (3) disclosures to minimize an imminent danger, and (4) disclosures that are required by state laws.
Disclosures for Treatment Purposes
Let’s get one thing clear: HIPAA allows the disclosure of health information for treatment purposes.
A common misconception among providers is that HIPAA prevents or limits health care providers from sharing health information between each other to provide care for a patient.
This is not true.
I also commonly hear the idea that HIPAA requires a Business Associate Agreement in order for a provider to share health information for the purpose of treating a patient.
This is not true.
In fact, the HIPAA treatment disclosure exception is so broad that it applies to disclosures between health care providers AND the “coordination or management of health care” by a provider and a third party.
The third party does not even have to be a health care provider!
For example, an eye doctor can disclose health information to a contact lens distributor in order to confirm a prescription. The distributor is not a health care provider, but the disclosure is for the purpose of treatment of the patient.
One common idea is that patients do not have an unfettered right to access their entire medical record.
Many providers feel that they, not the patient, have ownership of the patient’s health information and have no obligation to give the patient unrestricted access.
This opinion has lead to more than one Office of Civil Rights investigation.
In reality, HIPAA gives patients broad rights to access their health information and health care providers are required to honor patient requests. Patients are also not required to fill out an Authorization for Release of Records when requesting their own health care information.
With that said, there are some important exceptions to the patient’s access rights under HIPAA, including the limitation on accessing psychotherapy notes, information compiled in anticipation of a lawsuit, or if the access is prohibited under some other law.
But in general, patients have the right to access all of their health information that a provider uses to make treatment decisions about a patient. This includes any health information that a provider received from other providers.
Denial of such access could constitute a HIPAA violation.
Disclosures to minimize an imminent danger or assist law enforcement
Another way that HIPAA encourages the disclosure of health information is seen in the allowable disclosure to minimize an imminent threat to health or safety of an individual or of the public.
HIPAA permits covered entities to disclose health information to persons reasonably able to prevent or lessen the threat.
In addition, HIPAA permits covered entities to disclose health information to law enforcement authorities to identify or apprehend an individual in the following circumstances:
- An individual makes a statement admitting participation in a violent crime that the covered entity reasonably believes may have resulted in serious physical harm to the victim.
- Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody.
There are some key exceptions to this permissive disclosure for mental health counselors. State laws may further restrict the extent of the disclosure exceptions.
However, these are important exceptions that can prevent danger to members of the community.
Disclosures Required By Law State
Another permissive type of disclosure under HIPAA is any disclosure required by state law. A few common disclosure obligations under state law are:
- Reporting cases of child abuse
- Reporting cases of vulnerable adult abuse
- Reporting to law enforcement if an individual has certain types of wounds (e.g. bullet wound).
The HIPAA “required by law” disclosure exception makes it essential for covered entities and business associates to review their state mandatory reporting laws.
Focusing only on the federal HIPAA regulations to inform your disclosure obligations is a mistake.
HIPAA does not always mean “no.”
Of course, it is easy for healthcare market participants to believe this stereotype. The horror stories of large fines levied on covered entities and business associates who improperly disclose health information are so common.
However, there are many permissive (and some required) disclosures under HIPAA that covered entities and business associates must understand and implement in their business operations.
Learning the types of health information disclosures that HIPAA prohibits and encourages will facilitate the proper flow of information, improve patient experience, and help avoid costly government investigations and fines.
For more information about HIPAA, please contact Casey Moriarty.