by Margret Amatayakul, RHIA, CHPS, FHIMSS
Direct caregivers have long been concerned about balancing patient protections with customer relations: Who do you talk to and how much do you tell? This was an issue long before HIPAA, and has only become more complex with HIPAA. And while HIPAA provides guidance, there are still no easy answers about disclosure.
HIPAA's many standards and possible interpretations have led to some unintended consequences. In the past, facilities may have tended toward disclosing patient information when a judgment call was needed. Today, however, facilities are overly cautious about disclosing information. As a result some fear patient care concerns, if not patient satisfaction issues. Following is a road map for creating a framework that provides reasonable assurances to those who must apply professional judgment in making disclosures to personal representatives, those involved in a patient's care, and other covered entities.
What Standards Are Involved?
There are a number of standards relating to who to tell what. Any one of them alone seems to be reasonable. But when considered together, appropriate action seems less clear.
The minimum necessary standard requires uses, disclosures, and requests to be limited to the amount necessary to accomplish the intended purpose. The minimum necessary standard (§164.502(b)) carries two important exceptions:
- It does not apply to disclosures or requests by a healthcare provider for treatment
- It does not apply to uses or disclosures made to the individual
HIPAA's section on other requirements relating to uses and disclosures of protected health information (PHI) (§164.514) addresses further details of implementing minimum necessary uses, disclosures, and requests and provides a standard on verification requirements.
The minimum necessary requirements standard (§164.514(d)(3)) indicates that providers may rely, if reasonable, on a request for disclosure to be the minimum necessary if the information is requested by another covered entity.
The verification standard (§164.514(h)(1)) requires oral or written documentation, statement, or representation of the identity and authority of any person to have access to PHI if the identity or authority is not known. However, disclosures can be made under the opportunity to agree/object to the standard (§164.510).
Providers have responded to the above two standards in a variety of ways. The typical scenario is that a provider calls to request PHI (such as diagnostic studies results) for an impending visit by the patient or for a patient physically present. Responses have ranged from:
- Fulfilling the request because it is orally represented as for treatment by another provider
- Fulfilling the request only if provider is affiliated (i.e., member of the medical staff)
- Fulfilling the request only if the provider is a provider of record
- Fulfilling the request only if a written representation is obtained (such as a request faxed on provider letterhead)
- Fulfilling the request only with the individual's authorization
Any of these responses may be appropriate, depending on the organization's policy, state law, and professional judgment. However, the first two responses are risky.
First, there is no verifiable evidence of identity or authority. In an electronic environment, the requestor would not have access to the information system. Such a response should be avoided or used only in a call-back mode with documentation of the purpose of the disclosure.
In the second case, there is no verifiable evidence of authority. In an electronic environment, access to the PHI should trigger an emergency mode access response (or break the glass auditable action). In the paper world, the equivalent probably should be a call back with documentation of the purpose of the disclosure.
The third response makes the assumption that a provider of record has been identified and has authority. It may be appropriate to describe in the policy the time frame or events that would constitute the definition of provider of record. This would serve not only in the paper world, but would also establish parameters for access to electronic PHI.
The fourth response could be acceptable if the patient's appointment is for a later date, although it could be spoofed. If the provider making the request is not affiliated or a provider of record, this response may be just as risky as the first response. Remember, relying on a request for disclosure from another covered entity only applies when the request is for the minimum necessary. Identity and authority should also be verified. Such a written request probably should not be fulfilled unless verification of identity and authority is performed by a call back.
The fifth response is always acceptable as a means to verify identity and authority. Because an authorization is not required by HIPAA when there is a treatment relationship, some providers may balk at getting an authorization. Be aware, however, that some state laws require an authorization when health information is released to an unrelated entity. Furthermore, it may be the only means to ensure that there is a treatment relationship.
Another due diligence issue that relates to the personal representative standard requires the covered entity, with certain exceptions, to treat a personal representative as the individual for purposes of the privacy rule. This means that because minimum necessary does not apply to the individual, it also does not apply to the individual's personal representative.
There are two key issues to address:
- Who is a personal representative?
- When do exceptions apply?
When identifying a personal representative, first determine who your state law considers a personal representative. Legal Definitions of Representation lists a number of terms that may be used in your state to describe various forms of representation.
Next, you'll need to know who is a legitimate personal representative. If such a person is present, the person should have the formal documentation as indicated in Legal Definitions of Representation. If the person is not present or there is an emergency wherein the person cannot produce such documentation, then healthcare providers should apply professional judgment in communicating about an individual's health status with an informally recognized next of kin or significant other. Most healthcare professionals have experience questioning an individual to get a good sense of the nature of the relationship and therefore how much to say.
Opportunity to Agree/Object
An opportunity to agree or object to inclusion in a facility directory must be provided via the notice of privacy practices (NPP). Some providers are being proactive and advising individuals at the time of registration that, unless they object at that time, the provider will disclose to persons who ask for the individual by name his or her location in the facility and condition in general terms that do not communicate specific medical information. In addition, religious affiliation will be provided to the clergy.
An opportunity to agree or object to uses and disclosures for involvement in the individual's care is also a required statement in the NPP. Providers should probably be more proactive. If the individual can respond, providers should ask if:
- The person accompanying them should remain with the individual during care and if that person should be provided information about caring for the individual. If so, the disclosures should be limited to that which is directly relevant to such person's involvement with the individual's care or payment for care
- The person who is involved in care and calls can be provided more information than that permitted through the facility directory. A means to identify the person should be agreed on and recorded in a readily accessible location. As with a person accompanying an individual, the disclosures should be limited to that which is directly relevant to such person's involvement with the individual's care or payment for care
If the individual is not present or is incapable of agreeing or objecting, professional judgment should be applied. Such judgment has long been based on:
- previous knowledge of the individual's relationships, if known, and
- the individual's best interest
Just as if the individual were physically present or capable, the disclosure of PHI should be limited to that which is directly relevant to such a person's involvement with the individual's care or payment for care. For example, if an individual is calling about another individual's bill, it would be appropriate to verify that the person has the bill in front of them, such as by requesting the account number and amount of charges. Typically, medical information should not be discussed, but rather instructions on whom, when, and what to pay can be provided.
Reasonable Due Diligence
Due diligence is important to verify identity and authority, but should not impede patient care. Professional judgment and reasonableness are required by HIPAA and should be liberally applied.
Legal Definitions of Representation
| Type || Definition/Documentation || Access to PHI |
|Attorney in fact ||Person given durable power of attorney to make certain decisions for an individual. In most states, this does not authorize a person to make life support decisions ||If power of attorney extends to making healthcare decisions when an attending physician deems the individual unable to make his or her own decisions, then access is same as individual with exceptions as noted |
|Conservator of estate ||Person appointed by a probate court to make financial decisions for an incapable individual ||Limited to that relating to financial issues, such as Medicaid application or claim |
|Conservator of person || Person appointed by a probate court to make personal decisions for an incapable individual ||Access same as individual with exceptions as noted |
|Guardian of a mentally retarded patient ||Person appointed by a probate court to supervise some or all aspects of the care of a mentally retarded adult ||Access same as individual with exceptions as noted |
|Guardians of an unemancipated minor ||Father and mother, unless deceased or parental rights terminated, in which case another person appointed by a probate court ||Access same as individual with exceptions for unemancipated minors as noted |
|Healthcare agent ||Person appointed via a document signed by the individual providing authority to communicate (life support and comfort care) decisions in the event the individual becomes incapable of making those decisions ||Limited to that relating to making life support and comfort care decisions when such decisions need to be made |
|Next of kin ||Person who provides a notarized request in writing stating there is no estate and is next of kin. Generally next of kin are: grandparents or adult grandchildren; adult nephews, nieces, uncles, or aunts ||Used in lieu of conservator with exceptions as noted. In an emergency, healthcare providers will apply professional judgment in communicating about an individual's health status with an informally recognized next of kin or significant other. See also Involved in care |
- A provider may elect not to treat a person as a personal representative if there is reason to believe the individual has been or may be subjected to domestic violence, abuse, or neglect; it could endanger the individual; or the provider decides that it is not in the best interest of the individual to treat the person as the individual's personal representative.
- In the case of an unemancipated minor, a parent, guardian, or other person acting in loco parentis is the personal representative with respect to PHI. However, if the minor has the authority under state law to consent to or obtain healthcare service without consent of the parent, guardian, or other person acting in loco parentis (usually for HIV testing and treatment, treatment for alcohol and drug abuse, outpatient mental health treatment, and treatment of sexually transmitted diseases), the provider must refer to state law to disclose PHI to the parent, guardian, or other person acting in loco parentis:
  - If permitted or required by state law, disclosure or provision of access to PHI about an unemancipated minor may be made to a parent, guardian, or other person acting in loco parentis
  - If prohibited by state law, disclosure or provision of access to PHI about an unemancipated minor may not be made to a parent, guardian, or other person acting in loco parentis
  - If state law is silent and the parent, guardian, or other person acting in loco parentis is not designated by the unemancipated minor as the personal representative, a licensed healthcare professional should exercise professional judgment in making or not making a disclosure or provision of access to PHI about the unemancipated minor to the parent, guardian, or other person acting in loco parentis
Margret Amatayakul (margretcpr@aol.com) is president of Margret\A Consulting, LLC, an independent consulting firm based in Schaumburg, IL.
Amatayakul, Margret. "Due Diligence in Moderation: Disclosing PHI (HIPAA on the Job series)." Journal of AHIMA 74, no.8 (September 2003): 16A-D.