hipaa logo

Part 3: What You Should Know about Uses and Disclosures (FAQs 55 - 65)

The HIPAA health privacy rule is long and complex. Implementation guides for use by the covered entities that must comply with the rule can be hundreds of pages. For example, the rule sets out ten administrative requirements for covered entities. They relate to designation of a privacy officer, privacy training for staff, establishment of safeguards, sanctions for violations, and the like. We are happy that the rule includes these requirements, but we don’t think that you need to know the details. The parts of the rule directly relevant to patients are long enough.

The most important part of the rule – after the provisions that define the rights of a patient – restricts use and disclosure of health information by covered entities. We’ve already discussed the seven patient rights. (See FAQs 13-54.) The rest of this guide focuses on the use and disclosure provisions.

 

55. Does HIPAA Really Restrict Use and Disclosure of My Health Records?

This is a tough question to answer in a simple way. The answer depends in part on your perspective. If you thought that your health records would never be disclosed without your consent, then you won’t think much of the HIPAA use and disclosure provisions.

One answer is that HIPAA regulates all uses and disclosures. If the rule does not allow a use or disclosure, then the only way that a covered entity can use or disclose the record is with your written authorization. If you think that sounds good, you should keep reading because the rule allows a large number of uses and disclosures without your consent... By the way, a use of information occurs when a covered entity makes a record available to someone within the organization that maintains the record. A disclosure occurs when a record is shared with someone outside the organization.

A second answer is that HIPAA allows many uses and disclosures to occur without any need for your approval. Typically, these are disclosures made so a covered entity can be paid for services, manage its operations, provide treatment, or comply with government reporting requirements.

It is genuinely difficult to count the number of categories of permissible uses and disclosures. Much depends on how you do the counting. The number of government and private institutions that can ask for and receive health records without your permission numbers in the tens of thousands. A covered entity can make nearly all permissible uses and disclosures without your consent or authorization. Indeed, with only a few exceptions, a covered entity can make most allowable uses and disclosures even over your express written objection.

A third answer is that HIPAA did not really change the practice for most covered entities regarding use and disclosure. Instead, HIPAA established universal standards and procedures for covered entities. The universal standards and procedures were new. However, the uses and disclosures that HIPAA allows are largely those that became routine in the last half of the twentieth century. Even many health care providers were not aware of how widespread the use and disclosure of health records had become. Before HIPAA, many providers thought that they only disclosed patient records with the consent of the patient, but it just wasn’t true. HIPAA made everyone pay attention to and learn about privacy, often for the first time.

The biggest drivers for the sharing of medical records are:

  • Growth of third party insurance (including Medicare)
  • Pressures for increased controls on the cost of health care
  • Development of quality controls for medical practice
  • Growth of health care fraud and fraud investigations
  • Increase in public health activities
  • Expansion of records-based health research.

All of these activities and others contributed to the demand for access to individually identifiable medical records. Most of these activities serve important public or personal purposes, and it is not always easy to dismiss the HIPAA rule’s policies as anti-privacy. Disclosure often serves another significant but competing goal. Protecting privacy is only one objective in the health care system.

SIDEBAR:

Some health activities can be and are conducted with records that do not include any identifying data about individual patients. However, use of anonymous or non-identifiable records doesn’t meet all the needs for health information for several reasons. First, some activities really do require records with identifiers. For research that tracks the course of disease over years, the only way to link records may be with the use of identifiers.

Second, too many activities that could have used non-identifiable records started at a time when few paid attention to privacy or to alternatives to the use of identifiable records. Methods that might have increased use of non-identifiable records do not always exist because nothing forced their development.

Third, it is increasingly difficult to talk about non-identifiable records. As the amount of data recorded and available throughout society increased, the domain of truly non-identifiable records diminished. It is easier and easier to identify records even though overt identifiers have been removed. To make the point, more than 85% of the population of the United States can be uniquely identified just by date of birth, gender, and five-digit zip code. All records, no matter how they may have been edited, may be potentially identifiable with enough time, effort, and other data. Powerful modern computers make it easier to link records and to re-identify records that have been “de-identified.”

SIDEBAR:

Another interesting and important part of the rule tries to limit use and disclosure to the minimum amount of information necessary to accomplish the purpose of the use or disclosure. This is a fine principle, but its implementation is complex and controversial. All uses and disclosures to a health care provider for treatment purposes are exempt from the minimum necessary rule. It’s a big exception to the principle, but it is one that makes sense to us. Providers need broad access to records for treatment. Disclosures pursuant to a patient’s authorization are also exempt, which is a reason that a patient should be careful when signing any authorization for disclosure of his or her records. If you sign an authorization for the disclosure of “any or all” of your records, your entire medical history can be disclosed.

 

56. Is My Consent Needed to Disclose Records for Treatment or Payment?

No. Medical records can be used and disclosed without your approval for treatment, payment, and health care operations. Treatment is the providing, management, or coordination of health care by a health care provider. The formal definition is slightly more complicated, but the basic concept is relatively simple.

The definition of payment is more complex. It includes activities by a health plan to determine coverage and provision of benefits and activities by a provider to obtain reimbursement. Payment also includes determining eligibility or coverage, including benefit coordination, cost sharing, adjudication and subrogation (making a third party pay) of benefits. It includes risk adjustment based on enrollee status and characteristics. Patient data may also be used for billing, claims management, collection activities for bad debts, and reinsurance activities.

We are not done with payment. It also includes review for medical necessity and appropriateness of care as well as utilization review, such as pre-certification and preauthorization services. Disclosure to credit bureaus of information relating to collection of premiums or reimbursement is another payment disclosure.

All of those activities, and perhaps a bit more, fall under payment. The breadth of payment activities reflects the complexity of the health care system, the multiple inter-relationships between providers and payors, and the range of insurance activities.

The definition of payment is just a warm up for understanding disclosures for health care operations, another category of disclosure that does not require patient consent. The formal definition goes on for about 400 words. It includes quality assessment, quality improvement, development of clinical guidelines, management and care coordination, review of provider competence, student training, underwriting, premium rating, medical review, legal services, auditing, fraud detection, business planning, business management, customer service, transfer or sale of a business, and fundraising.

We didn’t include every type of health care operation here, but you should already get the idea. Further, many of the functions mentioned here are complex tasks that encompass other layers of activities and involve the sharing of medical records with people far removed from any activity that the average person would readily identify as part of routine health care management.

SIDEBAR:

HIPAA professionals often use the acronym TPO to refer to treatment, payment, and health care operations. We will use that acronym here.

 

57. Are Disclosures for Treatment, Payment and Health Care Operations Okay?

At one level, yes. Health care is a complex business that represents a large chunk of America’s economy. If you think about it, you may realize that major health care treatment and payment institutions are big businesses that engage in a wide variety of activities just like other businesses. Management and internal controls require access to some records. If we spent the time to list the comparable data-intensive activities engaged in by banks or governments, we would also find a long list of uses and disclosures of personal information that are, for better or worse, a routine part of those functions.

At one level, then, treatment, payment and health care operations (TPO) disclosures are routine. Just about all of the functions supported by TPO uses and disclosures went on before HIPAA, although few health professionals paid attention to them. Before HIPAA, if your consent was sought for the sharing of your records for these purposes – and it frequently was not sought – you weren’t told any of the specifics. Doctors, hospitals, and insurers asked patients to consent to “any and all disclosures” without telling patients what that meant.

HIPAA eliminated the need for consent for TPO. A covered entity may still seek your consent, but this seems to happen rarely. It is easier to rely on the authority provided by the rule to justify use and disclosure. Some privacy advocates see the lack of consent as a great gap in privacy protection that removes any pretense of patient control over records.

SIDEBAR:

Before HIPAA, many health professionals thought that a patient’s health record would only be disclosed with the patient’s informed consent. However, what was called informed consent was typically neither informed nor consensual. You had no idea what you were signing, and you really didn’t have much of a choice. Signing a consent form was a prerequisite to seeing the doctor or having the insurance company pay the bill. Patients – especially those who were ill – were not really able to focus on privacy. Almost everybody signed whatever form they were given without question. If a patient limited or modified an informed consent form, the changes were often not noticed or ignored.

Some experts recognize that it is difficult to expect patients – often people who are sick, impaired, or worried about their children – to be able to understand and control the complex use and disclosures of their records that have become part of health care activities. Would you prefer to be asked for your permission to disclose your records for dozens of different purposes? Could you really make a meaningful choice while suffering from the flu, undergoing chemotherapy, or worried about your nauseous child? Further, there is a limit to how much the health care system can cater to individual preferences. There is a cost involved.

Discussions about the proper role of consent for information use and disclosure in the health care process are ongoing. You are welcome to your side of this debate.

 

58. Do I Have a Say in Any Disclosures? (Facility Directories and Caregivers)

Yes, but only in a few circumstances.

First, if you are in a facility (e.g., an inpatient in a hospital), the facility can disclose basic information about your presence, location, and general condition through a facility directory. One limitation is that the facility can’t reveal information that discloses specific medical information about you (e.g., you are an inpatient on the psychiatric floor or are in a kidney dialysis unit).

The idea behind facility directory disclosures is that if someone comes to visit you or sends flowers, the hospital can say that you are there and, perhaps, where you are. The hospital may disclose your religious affiliation, but only to a member of the clergy.

You have a right to object to facility directory disclosures. The covered entity must offer you an opportunity to object to the inclusion of your information in a facility directory. If because of incapacity or emergency treatment, you weren’t offered the chance to object, the hospital can make still limited disclosures in emergency circumstances. For example, if you are unconscious, the emergency room can tell your spouse where you are. That seems perfectly reasonable.

Second, HIPAA has a complex set of rules governing disclosures to caregivers. A caregiver can be your next of kin, other family member, or another person involved in your care (e.g., a roommate). The HIPAA rule allows disclosure of information relevant to the caregiver’s involvement in your care. A covered entity can make a disclosure to locate a family member or other caregiver.

If you (the patient) are present at the time of a disclosure to a caregiver, the covered entity can seek your agreement, offer you an opportunity to object, or reasonably infer from the circumstances that you do not object. Essentially, the rule specifically allows the exercise of professional judgment for the types of disclosures that have long been made to caregivers.

If a patient is not present or is incapacitated at the time of disclosure, the covered entity may exercise professional judgment and make disclosures directly relevant to a caregiver’s responsibility. Thus, the rule allows your spouse to pick up your prescription at the pharmacy without written consent from you.

Another provision addresses disclosures for disaster relief purposes. An example is disclosure to the Red Cross following a hurricane. The disaster relief provision, after a bit of confusion, allowed appropriate disclosures during and after Hurricane Katrina.

SIDEBAR:

Disclosures by health care providers to family members have always been common. Those are some of the disclosures that the rule contemplates. Importantly, the caregiver exception also covers disclosures by insurance plans to family members. That allows a family member to negotiate approval of your treatment or payment of the bill with the insurance company while you are incapacitated.

In general, the caregiver provision seems to have worked well after some initial of confusion. The trick is to strike a reasonable balance between privacy and the normal expectations of patients and families. It is a delicate balance, and we think that HIPAA did well here. Giving considerable discretion to health professionals had a lot to do with the success of this provision.

Third, a covered entity can use or disclose information for its own fundraising purposes. The allowable fundraising disclosures are limited to dates of care and demographic information. You have the right to object to these disclosures, and you must be notified of the right in any solicitation. A hospital can call you on the telephone asking for a contribution. However, if you object to the use of your information for fundraising, the hospital can still demand that you object in writing. That strikes us as a bit unbalanced. You should be able to object while on the telephone, and the objection should be valid.

Fourth, you have the right to authorize the disclosure of your health records to anyone you like. The HIPAA rule sets standards for authorization forms, and if a form does not meet HIPAA standards, then the form does not constitute patient authorization. We are not going to bore you with the technical requirements for authorization forms. We discuss the strategy for authorizations later. (See FAQs 62-64.)

SIDEBAR:

The rule uses both consent and authorization as terms that apply when a patient gives approval for the disclosure of a health record. Consent is the term that applies when a patient gives an organization permission to disclosure for treatment, payment, and health care operations. Authorization is the term that applies to all other disclosures approved by a patient. The reason for the difference in terminology is buried in the history of the rule, and it is too boring to explain. Normally, patients will encounter the term authorization.

When might a patient authorize disclosure? You might authorize disclosure if you are applying for life or disability insurance. You might authorize your doctor to send information to your employer or to a school to explain an absence. You could authorize your doctor to disclose your records to your lawyer, a family member, or a researcher. You might want records disclosed to support a disability claim made with the Social Security Administration. It is also possible that you might even want to share your records with the police under some circumstances (perhaps to clear you of suspicion).

For the most part, however, HIPAA has defined the range of non-consensual uses and disclosures to include nearly every possible disclosure that is either necessary or convenient for the health care system to operate or for the government to carry out its many functions. After all, the HIPAA rule was written by the Department of Health and Human Services, one of the biggest users of health records in the country. The first thing that HHS did in writing the rule was to take care of its own interests in obtaining access to records.

 

59. Does HIPAA Allow Uses and Disclosures Without My Approval?

Yes, does it ever. The HIPAA rule allows dozens of different uses and disclosures without any need for patient consent or authorization. The rule permits so many uses and disclosures that it is hard to count them. The rule has about five pages of dense type describing allowable uses and disclosures of health records.

SIDEBAR:

Many of HIPAA’s allowable uses and disclosures come with terms, conditions, and procedures that the covered entity or the person seeking the information must meet. A simple list of authorized recipients or recognized purposes doesn’t necessarily tell you that much. The terms, conditions, and procedures make a big difference to the scope and ease of disclosures. We won’t cover all those terms, conditions, and procedures all here because of the complexity. The details are crucial important if you are a covered entity concerned about when it is permissible to make a disclosure. A patient may need to know the details when trying to decide if a covered entity made a disclosure properly. However, a patient with that requirement will have to look elsewhere for the specifics.

One important feature of the rule’s allowable uses and disclosures is that they are mostly permissive. Just because a use or disclosure can be made without violating the rule does not mean that a covered entity must make the disclosure. A covered entity can just say no to almost any person who asks for a disclosure permitted by the rule. This means that the rule itself is not the most important factor in determining how your record may be used or disclosed. In most cases, it is up to your health care provider or insurer to decide whether to make your record available for a particular activity. If anyone tells you that HIPAA requires a disclosure, you should be very suspicious.

The only two types of disclosure that the rule actually requires are:

  1. when a patient asks for access to his or her own record, and
  2. when the Secretary of HHS needs access to records to oversee or enforce the HIPAA rule itself. For all other uses and disclosures, it is up to the covered entity to decide whether the use or disclosure is appropriate, legal, and ethical. Of course, other laws may affect that decision.
RULE OF THUMB:

We also want to remind you that the HIPAA rule establishes a floor of privacy protection. If state law or other federal law has higher standards and better privacy protections, then that law controls. If HIPAA allows a disclosure that is prohibited by law in your state, a covered entity in your state may not make the disclosure.

We will go over one type of allowable use and disclosure in detail in FAQ 59 to give you better insight into the complexity of use and disclosure.

 

60. What Are Uses and Disclosures Required by Law?

We want to discuss the category of uses and disclosures required by law. For purposes of this discussion, we will focus on disclosures rather than uses. HIPAA recognizes that other laws sometimes require the disclosure of health records. In one of the shortest sections dealing with disclosure, HIPAA says that a covered entity can make a disclosure that is required by law.

What does this mean? It means that any federal, state or local law requiring disclosure of medical records remains in force. (A law means a statute or a regulation.) For example, when a state law requires a physician to report a suspected case of child abuse to a state agency, the HIPAA rule does not interfere with that disclosure (although it establishes some conditions on the disclosure). If a city passed an ordinance that said that the entire medical record of any individual hospitalized in a local hospital must be published in full in the local newspaper, HIPAA would permit that disclosure too.

We do not expect to see laws requiring newspaper publication of records of hospitalized patients any time soon. We just want to point out the breadth of the HIPAA deference to other laws. Any law, no matter what its purpose or scope, that requires disclosure is sufficient for HIPAA’s purposes. If another law says disclose, then HIPAA says disclosure is permitted but only to the extent of the requirements of the other law. Any compulsion about disclosure comes from that other law and not from HIPAA, however.

For some disclosures allowed by HIPAA, the rule provides that the procedures established by HIPAA continue to apply to covered entities even when disclosures are made under the authority of other laws. This is a complicated area, and you may want to skip the rest of this paragraph. For example, HIPAA allows disclosures to report suspected cases of abuse, neglect, or domestic violence to the proper authorities. Most or all states have comparable laws. HIPAA includes a set of procedures that a covered entity must comply with before or after making a disclosure of abuse, neglect, or domestic violence. Under some specified circumstances, the covered entity making the disclosure must inform the subject of the disclosure (i.e., the victim) about the disclosure. However, the rule specifies that in some circumstances, notifying the victim will place the victim in greater peril so telling the victim is not always required. The HIPAA rule says that if state law mandates disclosure about abuse, the covered entity making the disclosure must still comply with the HIPAA procedures. HIPAA also imposes additional duties for disclosures for judicial and administrative proceedings and for disclosures for law enforcement purposes.

However, for other allowable disclosures, none of the conditions in HIPAA applies if another law requires disclosure. For example, the HIPAA rule allows disclosures for health research under a lengthy and complex set of conditions. If a covered entity wants to make a disclosure for research, it must comply with all of the HIPAA conditions. However, if a state law requires disclosure for health research with fewer or no conditions, then HIPAA says that the disclosure can be made without complying with any of HIPAA’s conditions.

This is complicated stuff, and we have not covered all the nuances. The covered entities that make disclosures need to pay close attention to the details. The message for patients is that many laws affect the confidentiality of health records. If you thought that no one disclosed your medical records without your approval, keep reading to see how wrong you were.

 

61. What Are the Allowable Uses and Disclosures?

We will list each HIPAA category of allowable use and disclosure, together with some discussion as appropriate. (If we included every detail of every disclosure, the discussion would double the size of this guide.) A covered entity that must comply with the HIPAA rule needs to know all the specifics, but a patient generally only needs to be aware of the categories of uses and disclosures. Every covered entity’s notice of privacy practices should include some information about each type of allowable disclosure. Those who want to know more can read the rule itself.

  • Treatment, Payment, and Health Care Operations. We covered this category of uses and disclosures in detail in an earlier question. The category includes uses and disclosures for a very large number of purposes.
  • Required by law. We’ve already covered this category in detail in the previous question. We used this category to illustrate the complexity of allowable disclosures.
  • Public Health Activities. Public health disclosures are one of the more expansive disclosure categories under the rule. There are at least five general types of public health disclosures. Some public health disclosures are to traditional federal, state, and local public health agencies. The reporting of communicable diseases is an example. It is the type of disclosure that draws few, if any, objections. Additional confidentiality protections may apply to some of the information disclosed to public health agencies. Disclosures to manufacturers of pharmaceutical medicines and devices for the reporting of adverse events may qualify as public health disclosures. Some public health disclosures can be to employers for medical surveillance of the workplace. These disclosures to private entities explain why the public health category so expansive. Many different organizations play a role in public health, including employers.
  • Victims of Abuse, Neglect, or Domestic Violence. Reporting of victims can be done to a social service agency or other government authority (including the police) that is authorized to receive the reports.
  • Health Oversight Activities. Various government agencies regulate and oversee parts of the health care system. Disclosures are permissible for activities authorized (not just required!) by law, including audits, investigations, inspections, licensing, and similar functions. One patient protection included in the rule prevents the use of information disclosed for oversight purposes against the patient who is the subject of the record disclosed. So if an agency investigates a health care provider, it cannot use information about that provider’s patients against the patients themselves. However, if the information reveals health care fraud by the patient or involving public benefits for health care or benefits based on health condition, the information can be used against the patient. The protection for patients with oversight disclosures is limited, but it has some substance.
  • Judicial and Administrative Proceedings. A covered entity can respond to a court order or the order of an administrative agency for health records. The authority to disclose also covers subpoenas and discovery requests. The conditions that attach to these disclosures are lengthy and include some obligation to give notice to the patient who is the subject of the record. The complexity here is enough to choke a lawyer because the HIPAA rule interacts with already elaborate state laws and court procedures.
  • Law Enforcement Purposes. The rule has six flavors of law enforcement disclosure. The loosest allows disclosures for administrative requests. An administrative request does not require judicial approval or even have to be in writing. Any law enforcement official can ask for information by stating that the information sought is relevant to a legitimate law enforcement inquiry, by limiting the request to information reasonably practicable to the purpose, and by saying that de-identified information cannot be used. It is hard to imagine a more unrestricted type of police disclosure. A covered entity need not comply with an administrative request, but it may do so. The other types of law enforcement disclosures are not so open-ended. One, for example, allows a provider to report a crime that occurred in the provider’s office.
  • Decedents. A covered entity can share information about people who died with coroners and funeral directors. They may need to know if the decedent has AIDS, for example.
  • Organ and Tissue Donation. A covered entity can disclose patient information to organizations engaged in tissue banking and transplantation to facilitate donations.
  • Research. Researchers engaged in health research and other types of research often want access to health records. The rule allows disclosures for research but generally requires that a research project be approved by an Institutional Review Board (IRB). An IRB is an existing institution – often part of the organization conducting the research – that oversees research activities to protect human subjects. The research section of HIPAA is particularly convoluted in order to address different needs of researchers. We observe that HHS itself conducts and funds research using health records. The rule reflects the needs of HHS and researchers, while offering some procedural protections for privacy. There are many policy conflicts involving research disclosures, and the rule strikes a balance that some like and some do not.
  • Serious Threats to Health or Safety. A covered entity may use or disclose a patient record if it believes in good faith that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. There are a few other conditions.
  • Specialized Government Functions. This category of uses and disclosures has six subcategories. Some relate to military, veterans, and prison functions. Another category allows disclosure to the Secret Service to protect the President and some other officials. Another broad subcategory allows disclosure to government programs providing public benefits.
  • National security or intelligence agency. This is the broadest subcategory for disclosure. HIPAA imposes no conditions or procedures for national security disclosures. The disclosures are not mandatory (at least not under HIPAA), but any national security or intelligence agency can request a health record on any individual without prerequisite and without violating HIPAA, even if the disclosure would violate medical ethics.
  • Worker’s Compensation. HIPAA allows any disclosure authorized and necessary to comply with laws relating to worker’s compensation. The worker’s compensation system typically requires the routine disclosure of health information about injured workers. HIPAA stays out of the way and allows the normal processes to continue without any procedural or substantive interference.
SIDEBAR:

We remind you once again that HIPAA disclosures are permissive and not mandatory. While many records are heavily used and disclosed for treatment, payment, and health care operations, many of the other permissible disclosures are likely to be relatively unusual. Just because records can be disclosed to the Central Intelligence Agency under the national security category doesn’t mean that the CIA really looks at everyone’s health records routinely.

 

62. What Should I Do if Asked to Sign an Authorization to Disclose my Record?

Although not everyone who asks you to sign an authorization will have a sinister motive, you should be cautious in signing an authorization for more disclosure of your information. Here are some things to look out for.

  • Does the authorization say that all of your information can be disclosed? If you are authorizing disclosure to another physician who is treating you, a broad authorization may be appropriate. If you are authorizing disclosure to a life insurance company, the company will likely insist on a broad authorization as part of the application process. However, if the authorization is for disclosure to your employer to explain your absence from work, you may want to be sure that the authorization only covers your recent illness and not records from the past. You may not want your employer to know, for example, that you were treated for a psychiatric ailment ten years ago.
  • Is there an expiration date or event for the authorization? There should be in nearly all cases. You should try to understand why the date or event was chosen and be very suspicious of any open-ended authorizations. Some long-term research activities may be able to justify not having an expiration date. Otherwise, you should try to insist on a short expiration date or near-term event.
  • Is the person authorized to receive the information properly described? It is okay if the form says ABC Life Insurance Company rather than the name of a specific individual at the company. However, if the form is too vague (e.g., “bearer”), then you should definitely think twice.
  • Is the purpose for the disclosure properly described? This can be tricky because if you tell the covered entity why you are authorizing the disclosure, you may be revealing information that you don’t want to reveal and don’t have to share. It is okay to sign a form that merely describes the purpose as “at the request of the individual.” However, we wouldn’t sign an authorization written that way without a good reason. By stating a purpose, you may limit what the recipient can do with the information. Anyone seeking an authorization in good faith should be willing to include an appropriate purpose and, if someone does not suggest a narrow purpose, you should be wary.
  • Is the disclosure for a marketing activity? We would never allow a disclosure for a marketing purpose, no matter what the inducement. Once a marketer obtains your information, the marketer can use it, keep it, and sell it without any restriction. Don’t give away your privacy for a t-shirt.

We want to emphasize that while we think that you should be cautious in signing authorizations, in some circumstances it will be the right thing to do. Being asked to sign an authorization should happen infrequently enough that you can spend a little time asking questions.

We would be cautious if asked to sign an authorization as part of the process for admission to a hospital. The HIPAA rule allows the hospital to make all the disclosure necessary for your care and for the hospital’s operations. If you are presented with an authorization to sign, ask questions. We have heard that some hospitals routinely collect authorizations that allow disclosures to employers. That is a type of disclosure that you may not want to permit without a specific reason. The hospital may seek a broad authorization for its own convenience so that it can make a disclosure without getting your signature later. We suggest that any extra paperwork may be worth it, because it may protect you. You can decline to sign the authorization or you can limit its effectiveness to the period while you are in the hospital or perhaps for an additional week.

SIDEBAR:

The HIPAA rule expressly provides that no one can condition treatment, payment, or enrollment in a health plan on signing an authorization. This is an important protection, and if anyone says “sign or leave”, you should be extremely suspicious and ask for a written explanation that you can take with you. There is a limited exception to this policy if you are enrolling in a research activity involving treatment. Another exception allows a health plan to require an authorization for an individually underwritten health policy. There is one other complex but minor exception to the rule.

SIDEBAR:

We told you earlier that HIPAA protections do not follow the records. When your records are transferred to someone who is not a covered entity, the records in the possession of the recipient are not covered by HIPAA. That is also true for disclosures with your authorization. If you agree to allow a covered entity to share your records with someone who is not a HIPAA covered entity, no privacy law may apply to the recipient. If you authorize a company that engages in advertising-supported activity (such as a personal health record or PHR) to obtain your records, it is possible that your information could be used for marketing and shared with almost anyone. Any privacy protections would depend on the recipient’s policy. If you read the privacy policy at most advertising-supported personal health record companies, we bet it says expressly that the privacy policy can be changed at any time. You have been warned!

 

63. Do I Need a Disclosure Authorization to Care For My Elderly Parent?

Maybe. If you are helping a parent, other relative, or even an unrelated friend or neighbor, HIPAA allows a provider to disclose to a person who is involved in a patient’s care. These people are sometimes called caregivers, and the rule governing caregivers is discussed elsewhere. (See FAQ 58.) While the HIPAA caregiver policy usually works well, it may be useful to have a written authorization from the patient. This is good advice especially if you will be caring for someone for a long time, if there are many health care providers involved, or if you expect to have to deal with an insurance company or Medicare. Don’t give away your original authorization. Keep copies because you may need them regularly. If you are giving care to someone at a hospital or nursing home, bring a copy with you at all times. The nurse who knows you may not be there tomorrow.

If you obtain a health care power of attorney for another person, the power should specifically mention the authority to obtain protected health information about that person. Protected health information is the formal HIPAA term for a health record. You can obtain a power of attorney for a patient just for HIPAA disclosure purposes without having the authority to make substantive health decisions about the patient. If you sign or receive a broad health care power of attorney that authorizes substantive health decisions, that same power of attorney should also authorize disclosures to support those decisions.

 

64. What Can I Do if I Foolishly Signed an Authorization?

You can revoke the authorization, but you have to do it in writing. Your ability to revoke an authorization is restricted if a covered entity has taken action in reliance on the authorization or if the authorization was obtained as a condition of obtaining insurance coverage.

Remember that revoking an authorization may not b enough. The covered entity that you authorized to disclose your records must receive a copy of your revocation. If the authorization was obtained by a third party, you should make sure that the third party receives a copy of the revocation. If a third party obtained the authorization for your records from a specific hospital, formally notifying the hospital in writing that you revoked the authorization is also important.

 

65. Can My Health Records be Used for Marketing?

The short answer is no, but the correct and longer answer is more complicated. Let’s go through it step by step.

The HIPAA rule tells covered entities that they can only use or disclose health records for marketing with the authorization of the patient. One reason for being careful with authorization is to make sure that you don’t casually authorize disclosure of your records to a company that wants to use them for marketing. Remember that other activities can reveal your medical history. If you accept a drug manufacturer’s coupon for a prescription drug, the manufacturer will learn your name and other information that it didn’t have before. Drug manufacturers are not covered entities or subject to privacy laws. Signing up for a disease-specific newsletter will also reveal your name and medical information.

HIPAA has two exceptions that allow marketing uses and disclosures. The first permits face-to-face communications by a covered entity to a patient. The second allows promotional gifts of nominal value provided by the covered entity. Under the first exception, for example, a nurse can invite you to visit the hospital’s new weight loss clinic. Under the second, the hospital can give you a refrigerator magnet with the phone number of its well-baby clinic. If the covered entity undertakes any marketing activity because someone, such as an outside entity, pays it to do so, then the covered entity must tell you it is being paid. The basic marketing rule is pretty good as far as it goes. Most doctors believe, and will tell you, that using – and especially disclosing – health records for marketing is unethical anyway.

So far, so good. The rule allows uses and disclosures for treatment purposes and for health care operations. When does a treatment recommendation constitute marketing? The line can be hard to draw. Advice from HHS says that any communication for the patient’s treatment, case management, care coordination, or recommendation of alternative therapies is permitted to the extent reasonably necessary. Further, population-based activities for health education or disease prevention (“Don’t Smoke!”) can also be okay.

The problem in line drawing here is that legitimate health activities overlap at the edges with marketing activities that many people are likely to find objectionable. Activities that fall on those edges can be characterized differently. Some activities that fall under the broad (and permissible) category of health care operations will look like marketing to some. When the answer requires a lawyer to dissect words, the result will be controversial at best.

The HIPAA rule helps a bit in limiting marketing disclosures. For example, you can expect that no covered entity will sell or rent lists of patients to drug manufacturers for the purposes of sending junk mail. However, there may be other forms of marketing-like activities that a covered entity’s lawyer may say is allowed under HIPAA.

We are not done yet, but we need more context to continue. If you receive mail hawking allergy medicines or medical devices for diabetics, does that mean that your allergist or internist or insurer or pharmacist gave your name and diagnosis to the advertiser? Anything is possible, but there are other, more likely, sources of the same information.

Marketing companies and list brokers sell or rent mailing lists of people by diagnosis. They offer lists of millions of people by dozens of different diseases and conditions. Where does the information come from? The answer is from many places, but you are the most likely source. If you show interest in a medical product by making a purchase, calling an 800 number, registering at a website, using a coded coupon, subscribing to a magazine, or entering a sweepstakes, you may reveal your interest and your diagnosis. If you fill out a warranty card or a consumer survey, any information about your health condition (“Why did you buy the vaporizer?”) that you reveal is likely to end up in a personal or household profile and can used forever for marketing purposes. Those who read carefully already saw our warning about turning your health records over to a commercial, advertising-supported company offering personal health record (PHR) services. (See FAQ 9.) That is another way that your records can leak into the marketing system. Any slip puts your personal information in the permanent possession of marketers and profilers.

SIDEBAR:

We do not fill out warranty cards. You have the same warranty protections whether or not you fill out the card. The main purpose of warranty cards is for the manufacturer of a product to learn information about its customers that it can use or sell for marketing purposes. We do not fill out warranty cards even if the manufacturer promises a one-in-a-zillion chance of winning a prize.

We need to remind you again that HIPAA does not protect all health information. It only applies to health information held by a covered entity (health care provider or insurer). If you fill out a warranty card for a health related appliance, the manufacturer will know who you are and will know or may be able to infer something about your medical condition. The information will not be protected under HIPAA and can be sold or shared with others.

SIDEBAR:

We suggest that you should be careful when buying over-the-counter medications on the Internet or using frequent shopping cards from drug stores or pharmacies. The information about your purchase is not protected under HIPAA because the rule only covers prescription drugs. If the merchant is not a covered entity, then HIPAA does not stop it from recording your name and purchase and selling that information to others for marketing purposes. Here’s the same advice that makes the point more succinctly: Never buy a tube of Preparation H using a frequent shopper card. A chain drug store or supermarket is only a covered entity for the pharmacy in the back of the store. Anything that merchant knows about you other than prescription drug purchases will not be protected under HIPAA.

The final answer about marketing is that HIPAA mostly does the right thing when it comes to marketing uses and disclosures of health information. However, there are gaps at the edges. Beyond HIPAA, there are non-regulated sources of health information about many Americans. For many organizations with health information, the pressure to exploit health data for marketing purposes is great. That pressure is even greater on the Internet. Many health care companies are for-profit organizations, accountable to their shareholders. We generally trust individual doctors to do the right thing here, but we don’t necessarily trust large institutions. We are especially worried that information maintained by non-HIPAA entities in Personal Health Records will leak into the marketing system. We remain cautious and observant about marketing. Once a marketer gets your health information, that information is “in the wild” and the marketer has it forever.

Jump to list of FAQs 1-65