Patient’s Guide to HIPAA Part III: What You Should Know about Uses and Disclosures (FAQ 54 – 65)



You are reading the Patient’s Guide to HIPAA Part III, which is FAQ 54-65



This page covers all of Part III of the Guide, which discusses health information uses and disclosures (FAQ 54-65). The HIPAA health privacy rule is long and complex. Implementation guides for use by the covered entities that must comply with the rule can be hundreds of pages. For example, the rule sets out ten administrative requirements for covered entities. They relate to designation of a privacy officer, privacy training for staff, establishment of safeguards, sanctions for violations, and the like. We are happy that the rule includes these requirements, but we don’t think that you need to know the details. The parts of the rule directly relevant to patients are long enough.

The most important part of the rule – after the provisions that define the rights of a patient – restricts use and disclosure of health information by covered entities. We’ve already discussed the seven patient rights. (See FAQs 13-54.)  The rest of this guide focuses on the use and disclosure provisions.


FAQ 54: Does HIPAA Really Restrict Use and Disclosure of My Health Records?

This is a tough question to answer in a simple way. The answer depends in part on your perspective. If you thought that your health records would never be disclosed without your consent, then you won’t think much of the HIPAA use and disclosure provisions.

Another answer is that HIPAA regulates all uses and disclosures. If the rule does not allow a use or disclosure, then the only way that a covered entity can use or disclose the record is with your written authorization. If you think that sounds good, you should keep reading because the rule allows a large number of uses and disclosures without your consent. By the way, a use of information occurs when a covered entity makes a record available to someone within the organization that maintains the record. A disclosure occurs when a record is shared with someone outside the organization.

The Center for Law, Ethics, and Applied Research in Health Information at Indiana University has a map that shows the flow of information within the health care system. The system of information flows is so complex that the map is hard to understand, but that’s the point. Have a look for yourself. There is another map maintained by Harvard Professor Latanya Sweeney. Both of these maps are works in progress.

A third answer is that HIPAA allows many uses and disclosures to occur without any need for your approval. Typically, these are disclosures made so a covered entity can be paid for services, manage its operations, provide treatment, or comply with government reporting requirements. In most cases, these disclosures are reasonable and expected.

It is genuinely difficult to count the number of categories of permissible uses and disclosures. Much depends on how you do the counting. The number of government and private institutions that can ask for and receive health records without your permission numbers in the tens of thousands. A covered entity can make nearly all permissible uses and disclosures without your consent or authorization. Indeed, with only a few exceptions, a covered entity can make most allowable uses and disclosures even over your express written objection.

A fourth answer is that HIPAA did not really change the practice for most covered entities regarding use and disclosure in any major way. Instead, HIPAA established universal standards and procedures for covered entities. These standards and procedures were new. However, the uses and disclosures that HIPAA allows are largely those that became routine in the last half of the twentieth century. Most health care providers were not aware of how widespread the use and disclosure of health records had become. Before HIPAA, many providers thought that they only disclosed patient records with the consent of the patient, but it just wasn’t true. HIPAA made everyone pay attention to and learn about privacy, often for the first time.

The biggest drivers for the sharing of medical records are:

• Growth of third party insurance (including Medicare)

• Pressures for increased controls on the cost of health care

• Development of quality controls for medical practice

• Growth of health care fraud and fraud investigations

• Increase in public health activities

• Expansion of records-based health research

• Electronic health records and electronic health networks such as Health Information Exchanges (HIE). For more about HIEs, see WPF’s HIE resources.

All of these activities and others contributed to the demand for access to individually identifiable medical records. Most of these activities serve important public or personal purposes, and it is not always easy to dismiss the HIPAA rule’s policies as anti-privacy. Disclosure often serves another significant but competing goal. Protecting privacy is only one objective in the health care system. We don’t know how the Affordable Care Act (Obamacare) will affect the flow of health information, but we confidently predict that the flow will not diminish.



FAQ 55: Is My Consent Needed to Disclose Records for Treatment or Payment?

No. Medical records can be used and disclosed without your approval for treatment, payment, and health care operations. Treatment is the providing, management, or coordination of health care by a health care provider. The formal definition is slightly more complicated, but the basic concept is relatively simple.

The definition of payment is more complex. It includes activities by a health plan to determine coverage and provision of benefits and activities by a provider to obtain reimbursement. Payment also includes determining eligibility or coverage, including benefit coordination, cost sharing, adjudication and subrogation (making a third party pay) of benefits. It includes risk adjustment based on enrollee status and characteristics. Patient data may also be used for billing, claims management, collection activities for bad debts, and reinsurance activities.

We are not done with payment. It also includes review for medical necessity and appropriateness of care as well as utilization review, such as pre-certification and preauthorization services. Disclosure to credit bureaus of information relating to collection of premiums or reimbursement is another payment disclosure.

All of those activities, and perhaps a bit more, fall under payment. The breadth of payment activities reflects the complexity of the health care system, the multiple inter-relationships between providers and payors, and the range of insurance activities.

The definition of payment is just a warm up for understanding disclosures for health care operations, another category of disclosure that does not require patient consent. The formal definition goes on for about 400 words. It includes quality assessment, quality improvement, development of clinical guidelines, management and care coordination, review of provider competence, student training, underwriting, premium rating, medical review, legal services, auditing, fraud detection, business planning, business management, customer service, transfer or sale of a business, and fundraising.

We didn’t include every type of health care operation here, but you should already get the idea. Further, many of the functions mentioned here are complex tasks that encompass other layers of activities and involve the sharing of medical records with people far removed from any activity that the average person would readily identify as part of routine health care management.

One new limit on use and disclosure of genetic information is the result of the Genetic Information Nondiscrimination Act of 2008 (GINA). GINA made it illegal to use genetic information for most underwriting purposes.  That’s good, but it’s not much in the way of health information disclosure restrictions. GINA also generally prohibits use of genetic information in health insurance and employment. Those are good restrictions too, mostly in furtherance of preventing discrimination against individuals with genetic predispositions. There’s much to debate about GINA, but not here. From a narrow privacy perspective, GINA only helps a little.


FAQ 56: Are Disclosures for Treatment, Payment and Health Care Operations Okay?  

At one level, yes. Health care is a complex enterprise that represents a large chunk of America’s economy. There are hundreds of thousands of health care providers and probably as many support organizations. Daily transactions measure in the millions. If you think about it, you may realize that major health care treatment and payment institutions are big businesses that engage in a wide variety of activities just like other businesses. Management and internal controls require access to some records. If we spent the time to list the comparable data-intensive activities engaged in by banks or governments, we would also find a long list of uses and disclosures of personal information that are, for better or worse, a routine part of those functions.

At one level, then, treatment, payment and health care operations (TPO) disclosures are routine. Just about all of the functions supported by TPO uses and disclosures went on before HIPAA, although few health professionals paid attention to them. Before HIPAA, if your consent was sought for the sharing of your records for these purposes – and it frequently was not sought – you weren’t told any of the specifics. Doctors, hospitals, and insurers typically asked patients to consent to “any and all disclosures” without telling patients what that meant. Physicians and other providers didn’t know themselves how widely patient information was shared.

HIPAA eliminated the need for consent for TPO disclosures. A covered entity may still seek your consent, but this seems to happen rarely. It is easier to rely on the authority provided by the rule to justify use and disclosure. Some privacy advocates see the lack of consent as a great gap in privacy protection because it removes any pretense of patient control over records. We doubt that asking everyone for consent all the time would achieve a better result, and the extra expense and bother would be considerable.


FAQ 57: Do I Have a Say in Any Disclosures?  (Facility Directories and Caregivers)

Yes, but only in a few circumstances.

First, if you are in a facility (e.g., an inpatient in a hospital), the facility can disclose basic information about your presence, location, and general condition through a facility directory.  One limitation is that the facility can’t reveal information that discloses specific medical information about you (e.g., you are an inpatient on the psychiatric floor or are in a kidney dialysis unit).

The idea behind facility directory disclosures is that if someone comes to visit you or sends flowers, the hospital can say that you are there and, perhaps, where you are. The hospital may disclose your religious affiliation, but only to a member of the clergy.

You have a right to object to facility directory disclosures. The covered entity must offer you an opportunity to object to the inclusion of your information in a facility directory. If, because of incapacity or emergency treatment, you weren’t offered the chance to object, the hospital can still make limited disclosures in emergency circumstances. For example, if you are unconscious, the emergency room can tell your spouse where you are. That seems perfectly reasonable.

Second, HIPAA has a complex but flexible set of rules governing disclosures to caregivers. A caregiver can be your next of kin, other family member, or another person involved in your care (e.g., a roommate). The HIPAA rule allows disclosure of information relevant to the caregiver’s involvement in your care. A covered entity can make a disclosure to locate a family member or other caregiver.

If you (the patient) are present at the time of a disclosure to a caregiver, the covered entity can seek your agreement, offer you an opportunity to object, or reasonably infer from the circumstances that you do not object. Essentially, the rule specifically allows the exercise of professional judgment for the types of disclosures that have long been made to caregivers.

If a patient is not present or is incapacitated at the time of disclosure, the covered entity may exercise professional judgment and make disclosures directly relevant to a caregiver’s responsibility, including payment related activities. Thus, the rule allows your spouse to pick up your prescription at the pharmacy without written consent from you or to negotiate with your health plan.

A 2013 change clarifies that a covered entity may disclose a decedent’s information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. This gives health care providers and health plans the discretion to do what they consider to be the right thing for families of patients recently deceased.

Another provision addresses disclosures for disaster relief purposes. An example is disclosure to the Red Cross following a hurricane. The disaster relief provision, for example, allowed appropriate health disclosures during and after Hurricane Katrina.

Third, a covered entity can use or disclose information for its own fundraising purposes. The 2013 changes broadened allowable fundraising disclosures, and this change is worth noting. A covered entity can use or disclose to a business associate or related foundation your name, address, other contact information, age, gender, and date of birth. In addition, it may use or disclose information about dates of care, department of service, treating physician, outcome information, and health insurance status. No other PHI may be used for fund-raising. This expansion means that a hospital can now tell a fundraiser that you were treated by the oncology or psychiatry department. That is a bit much, if you ask us.

You can opt out of fundraising requests. First, if a covered entity intends to use PHI for fundraising, it must include a statement in its notice of privacy practices. Second, each fundraising communication must include a clear and conspicuous opportunity to opt out of future fundraising communications, and the opt-out method cannot impose an undue burden or more than a nominal cost. Making you write a letter to opt out, for example, is not allowed. Third, a covered entity may not condition treatment or payment on the individual’s choice about fundraising communications.

Fourth, you have the right to authorize the disclosure of your health records to anyone you like. The HIPAA rule sets standards for authorization forms, and if a form does not meet HIPAA standards, then the form does not constitute patient authorization. We are not going to bore you with the technical requirements for authorization forms. We discuss the strategy for authorizations later. (See FAQs 62, 63, 64.) Anyone who wants you to authorize a disclosure or is a covered entity will know the technical requirements. This isn’t typically a problem that patients have to solve.

When might a patient authorize disclosure? You might authorize disclosure if you are applying for life or disability insurance. You might authorize your doctor to send information to your employer or to a school to explain an absence. You could authorize your doctor to disclose your records to your lawyer, a family member, or a health researcher. You might want records disclosed to support a disability claim made with the Social Security Administration. It is also possible that you might even want to share your records with the police under some circumstances (perhaps to clear you of suspicion). You might want to authorize a provider to give records to the organization maintaining your personal health record (but we think you should think twice before casually establishing a personal health record). For more on PHRs, see the World Privacy Forum report Personal Health Records: Why Many PHRs Threaten Privacy.

For the most part, however, HIPAA has defined the range of non-consensual uses and disclosures to include nearly every possible disclosure that is either necessary or convenient for the health care system to operate or for the government to carry out its many functions. After all, the HIPAA rule was written by the Department of Health and Human Services, one of the biggest users of health records in the country. The first thing that HHS did in writing the rule was to take care of its own interests in obtaining access to records.


FAQ 58: Does HIPAA Allow Uses and Disclosures Without My Approval? 

Yes, does it ever. The HIPAA rule allows dozens of different uses and disclosures without any need for patient consent or authorization. The rule permits so many uses and disclosures that it is hard to count them. The rule has about five pages of dense type describing allowable uses and disclosures of health records.

One important feature of the rule’s allowable uses and disclosures is that they are mostly permissive. Just because a use or disclosure can be made without violating the rule does not mean that a covered entity must make the disclosure. A covered entity can just say no to almost any person who asks for a disclosure permitted by the rule. This means that the rule itself is not the most important factor in determining how your record may be used or disclosed. In most cases, it is up to your health care provider or insurer to decide whether to make your record available for a particular activity. If anyone tells you that HIPAA requires a disclosure, you should be suspicious.

The only two types of disclosure that the rule actually requires are:

1) when a patient asks for access to his or her own record, and

2) when the Secretary of HHS needs access to records to oversee or enforce the HIPAA rule itself.

For all other uses and disclosures, it is up to the covered entity to decide whether the use or disclosure is appropriate, legal, and ethical. Of course, other laws may affect that decision, and many laws require disclosure of health records.

We also want to remind you that the HIPAA rule establishes a floor of privacy protection. If state law or other federal law has higher standards and better privacy protections, then that law controls. If HIPAA allows a disclosure that is prohibited by law in your state, a covered entity in your state may not make the disclosure.

We will go over one type of allowable use and disclosure in detail to give you better insight into the complexity of use and disclosure. We will then provide general information on the other permissible uses and disclosures.


FAQ 59: What Are Uses and Disclosures Required by Law?

We want to discuss the category of uses and disclosures required by law. If you read privacy policies, you may see this term a lot. For purposes of this discussion, we will focus on disclosures rather than uses. HIPAA recognizes that other laws sometimes require the disclosure of health records. In one of the shortest sections dealing with disclosure, HIPAA says that a covered entity can make a disclosure that is required by law.

What does this mean?  It means that any federal, state, or local law requiring disclosure of medical records remains in force. (A law means a statute or a regulation.)  For example, when a state law requires a physician to report a suspected case of child abuse to a state agency, the HIPAA rule does not interfere with that disclosure (although it establishes some conditions on that particular disclosure). If a city passed an ordinance that said that the entire medical record of any individual hospitalized in a local hospital must be published in full in the local newspaper, HIPAA would permit that disclosure too.

We do not expect to see laws requiring the publishing of patient records any time soon. We just want to point out the breadth of the HIPAA deference to other laws. Any law, no matter what its purpose or scope, that requires disclosure is sufficient for HIPAA’s purposes. If another law says disclose, then HIPAA says disclosure is permitted, but only to the extent of the requirements of the other law. Any compulsion about disclosure comes from that other law and not from HIPAA, however.

For some disclosures allowed by HIPAA, the rule provides that the procedures established by HIPAA continue to apply to covered entities even when disclosures are made under the authority of other laws. This is a complicated area, and you may want to skip the rest of this paragraph. For example, HIPAA allows disclosures to report suspected cases of abuse, neglect, or domestic violence to the proper authorities. Most or all states have comparable laws. HIPAA includes a set of procedures that a covered entity must comply with before or after making a disclosure of abuse, neglect, or domestic violence. Under some specified circumstances, the covered entity making the disclosure must inform the subject of the disclosure (i.e., the victim) about the disclosure. However, the rule recognizes that in some circumstances notifying the victim will place the victim in greater peril, so telling the victim is not always required. The HIPAA rule says that if state law mandates disclosure about abuse, the covered entity making the disclosure must still comply with the HIPAA procedures. HIPAA also imposes additional duties for disclosures for judicial and administrative proceedings and for disclosures for law enforcement purposes.

However, for other allowable disclosures, none of the conditions in HIPAA applies if another law requires disclosure. For example, the HIPAA rule allows disclosures for health research under a lengthy set of conditions. If a covered entity wants to make a disclosure for research, it must comply with all of the HIPAA conditions. However, if a state law requires disclosure for health research with fewer or no conditions, then HIPAA says that the disclosure can be made without complying with any of HIPAA’s conditions.

This is complicated stuff, and we have not covered all the nuances. The covered entities that make disclosures need to pay close attention to the details. The message for patients is that many laws affect the confidentiality of health records. If you thought that no one disclosed your medical records without your approval, keep reading to see how wrong you were.


FAQ 60: What Are the Allowable Uses and Disclosures?

We will list each HIPAA category of allowable use and disclosure, together with some discussion as appropriate. (If we included every detail of every disclosure, it would double the size of this guide.) A covered entity that must comply with the HIPAA rule needs to know all the specifics, but an informed patient only needs to be generally aware of the categories of uses and disclosures. Every covered entity’s notice of privacy practices should include some information about each type of allowable disclosure. Those who want to know more can read the rule itself.

• Treatment, Payment, and Health Care Operations. We covered this category of uses and disclosures in detail in an earlier question. (See FAQ 56.) The category includes uses and disclosures for a very large number of purposes.

• Required by law. We’ve already covered this category in detail in the previous question. We used this category to illustrate the complexity of allowable disclosures.

• Public Health Activities. Public health disclosures are one of the more expansive disclosure categories under the rule. There are at least five general types of public health disclosures. Some public health disclosures are to traditional federal, state, and local public health agencies. The reporting of communicable diseases is an example. It is the type of disclosure that draws few, if any, objections. Additional confidentiality protections may apply to some of the information disclosed to public health agencies. Disclosures to manufacturers of pharmaceutical medicines and devices for the reporting of adverse events may qualify as public health disclosures. Some public health disclosures can be to employers for medical surveillance of the workplace. These disclosures to private entities explain why the public health category is so expansive. Many different organizations play a role in public health, including employers.

The 2013 changes added a new public health type of disclosure. A covered entity can disclose proof of immunization to a school where an individual is a student or prospective student, if the school is required by law to have proof of immunization before admitting a student and the covered entity obtains and documents agreement to disclose from a parent or guardian or from an adult student. The agreement does not have to be in writing.

• Victims of Abuse, Neglect, or Domestic Violence. Reporting of victims can be done to a social service agency or other government authority (including the police) that is authorized to receive the reports.

• Health Oversight Activities. Many federal and state government agencies regulate and oversee parts of the health care system. Disclosures are permissible for activities authorized (not just required!) by law, including audits, investigations, inspections, licensing, and similar functions. One patient protection included in the rule prevents the use of information disclosed for oversight purposes against the patient who is the subject of the record disclosed. So if an agency investigates a health care provider, it cannot use information about that provider’s patients against the patients themselves. However, if the information reveals health care fraud by the patient or involving public benefits for health care or benefits based on health condition, the information can be used against the patient. The protection for patients with oversight disclosures is limited, but it has some substance.

• Judicial and Administrative Proceedings. A covered entity can respond to a court order or the order of an administrative agency for health records. The authority to disclose also covers subpoenas and discovery requests. The conditions that attach to these disclosures are lengthy and include some obligation to give notice to the patient who is the subject of the record. The complexity here is enough to choke a lawyer because the HIPAA rule interacts with already elaborate state laws and court procedures.

• Law Enforcement Purposes. The rule has six flavors of law enforcement disclosure. The loosest allows disclosures for administrative requests. An administrative request does not require judicial approval or even have to be in writing. Any law enforcement official can ask for information by stating that the information sought is relevant to a legitimate law enforcement inquiry, by limiting the request to information reasonably practicable to the purpose, and by saying that de-identified information cannot be used. It is hard to imagine a more unrestricted type of police disclosure. A covered entity need not comply with an administrative request, but it may do so. The other types of law enforcement disclosures are not so open-ended. One, for example, allows a provider to report a crime that occurred in the provider’s office. That seems more reasonable.

• Decedents. A covered entity can share information about people who died with coroners and funeral directors. They may need to know if the decedent has AIDS, for example.

• Organ and Tissue Donation. A covered entity can disclose patient information to organizations engaged in tissue banking and transplantation to facilitate donations.

• Research. Researchers engaged in health research and other types of research often want access to health records. The rule allows disclosures for research but generally requires that a research project be approved by an Institutional Review Board (IRB). An IRB is an existing institution – often part of the organization conducting the research – that oversees research activities to protect human subjects. The research section of HIPAA is particularly convoluted in order to address different needs of researchers. We observe that HHS itself conducts and funds research using health records. The rule reflects the needs of HHS and researchers, while offering some procedural protections for privacy. There are many policy conflicts involving research disclosures, and the rule strikes a balance that some like and some do not.

• Serious Threats to Health or Safety. A covered entity may use or disclose a patient record if it believes in good faith that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. There are a few other conditions.

• Specialized Government Functions. This category of uses and disclosures has six subcategories. Some relate to military, veterans, and prison functions. Another category allows disclosure to the Secret Service to protect the President and some other officials. Another broad subcategory allows disclosure to government programs providing public benefits.

The broadest disclosures in the government functions subcategory authorize disclosure to any national security or intelligence agency. HIPAA imposes no conditions or procedures for national security disclosures. The disclosures are not mandatory (at least not under HIPAA), but any national security or intelligence agency can request a health record on any individual without prerequisite and without violating HIPAA, even if the disclosure would violate medical ethics. We think this is the single worst provision in the HIPAA Privacy Rule.

• Worker’s Compensation. HIPAA allows any disclosure authorized and necessary to comply with laws relating to worker’s compensation. The worker’s compensation system typically requires the routine disclosure of health information about injured workers. HIPAA stays out of the way and allows the normal processes to continue without any procedural or substantive interference.


FAQ 61: What Should I Do if Asked to Sign an Authorization to Disclose my Record?

Although not everyone who asks you to sign an authorization will have a sinister motive, you should be cautious in signing an authorization for more disclosure of your information. Here are some things to look out for:

• Does the authorization say that all of your information can be disclosed?  If you are authorizing disclosure to another physician who is treating you, a broad authorization may be appropriate. If you are authorizing disclosure to a life insurance company, the company will likely insist on a broad authorization as part of the application process. However, if the authorization is for disclosure to your employer to explain your absence from work, you may want to be sure that the authorization only covers your recent illness and not records from the past. You may not want your employer to know, for example, that you were treated for a psychiatric ailment ten years ago.

• Is there an expiration date or event for the authorization?  There should be in nearly all cases. You should try to understand why the date or event was chosen and be very suspicious of any open-ended authorizations. Some long-term research activities may be able to justify not having an expiration date. Otherwise, you should try to insist on a short expiration date or near-term event.

• Is the person authorized to receive the information properly described?  It is okay if the form says ABC Life Insurance Company rather than the name of a specific individual at the company. However, if the form is too vague (e.g., “bearer”), then you should definitely think twice.

• Is the purpose for the disclosure properly described?  If you tell the covered entity why you are authorizing the disclosure, you may be revealing information that you don’t want to reveal and don’t have to share. It is okay to sign a form that merely describes the purpose as “at the request of the individual.”  However, we wouldn’t normally sign an authorization written that way without a good reason and then only if we trusted the recipient. By stating a purpose, you may limit what the recipient can do with the information. Anyone seeking an authorization in good faith should be willing to include an appropriate purpose and, if someone does not suggest a narrow purpose, you should be wary. This can be a bit tricky when you authorize disclosure to a lawyer for a malpractice suit against a provider.

• Is the authorization for a marketing activity?  We would never sign a disclosure for a marketing purpose, no matter what the inducement. Once a marketer obtains your information, the marketer can use it, keep it, and sell it without any restriction for the rest of your life. Don’t give away your health privacy for a chance to win a t-shirt. The Rule allows prescription refill reminders even though they are marketing, but it imposes a limit on how much a provider can be paid for sending a reminder.

The rule about payment for marketing uses of PHI got a bit more complex in 2013. Generally, a covered entity needs your authorization if it is getting paid (“financial remuneration”) to use or disclose your information for a marketing purpose. That’s good, but limiting the sale of PHI made for a complicated rule because there are some situations in which it is acceptable for a provider to receive payment for disclosing PHI. For example, a health researcher may reimburse a hospital for the cost of preparing records for a research project. The Rule spells out these exceptions, but we won’t, because they are not relevant to most patients.

• Is the authorization for a research project? Read it carefully because a 2013 rule change allows research authorizations to be more expansive than in the past. The same authorization can cover the project itself and the storage of a blood, data, or tissue sample about you forever. You may or may not be comfortable with that. We encourage you to ask lots of questions about research and researchers. Not all researchers are truly trustworthy.

We want to emphasize that while we think that you should be cautious in signing authorizations, in some circumstances it will be the right thing to do. Being asked to sign an authorization should happen infrequently enough that you can spend a little time asking questions.

We would be cautious if asked to sign an authorization as part of the admission process at a hospital. The HIPAA rule already allows the hospital to make all the disclosures necessary for your care and for the hospital’s operations, so an authorization at admission is asking for something beyond that. If you are presented with one, ask questions. We have heard that some hospitals routinely collect authorizations that allow disclosures to employers. Some standard authorizations allow the hospital to film your operation or use your blood or tissue samples for purposes unrelated to treatment. These are examples of disclosures that you may not want to permit without a specific reason. The hospital may seek a broad authorization for its own convenience so that it can make a disclosure later without getting your signature again. Any extra paperwork is likely worth it, because it protects you. You can decline to sign the authorization, or you can limit it to the period while you are in the hospital, perhaps plus an additional week. If we were asked to sign an authorization containing language we didn’t like, we would simply cross it out and initial the change.


FAQ 62: Do I Need a Disclosure Authorization to Care For My Elderly Parent?

Maybe. If you are helping a parent, other relative, or even an unrelated friend or neighbor, HIPAA allows a provider to disclose to a person who is involved in a patient’s care. These people are sometimes called caregivers, and the rule governing caregivers is discussed elsewhere. (See FAQ 58.)  While the HIPAA caregiver policy usually works well, it may be useful to have a written authorization from the patient. This is good advice especially if you will be caring for someone for a long time, if there are many health care providers involved, or if you expect to have to deal with an insurance company or Medicare. Don’t give away your original authorization. Keep copies because you may need them regularly. If you are giving care to someone at a hospital or nursing home, bring a copy with you at all times. The nurse who knows you may not be there tomorrow.

If you obtain a health care power of attorney for another person, the power should specifically mention the authority to obtain protected health information about that person. Protected health information is the formal HIPAA term for a health record. You can obtain a power of attorney for a patient just for HIPAA disclosure purposes without having the authority to make substantive health decisions about the patient. If you sign or receive a broad health care power of attorney that authorizes someone to make substantive health decisions, that same power of attorney should also authorize disclosures to support those decisions.

We think it is a good idea to have a signed disclosure authorization for any family member (other than a dependent child) if you have some responsibility for his or her care. The more remote the relationship, the more important an authorization may be, especially if a hospitalization is expected. The same is true if you are responsible for a neighbor or friend. Ask the hospital for a blank form that it will accept. Plan to obtain the signed authorization in advance of the hospitalization if possible.


FAQ 63: What Can I Do if I Foolishly Signed an Authorization?

You can revoke the authorization, but you must do it in writing. Revocation is not retroactive: disclosures the covered entity has already made in reliance on the authorization cannot be undone, and a covered entity that has already acted in reliance on it is not affected. In addition, if the authorization was obtained as a condition of obtaining insurance coverage, the insurer may retain the right to use it to contest a claim under the policy.

Remember that revoking an authorization may not be enough. The covered entity that you authorized to disclose your records must receive a copy of your revocation. If the authorization was obtained by a third party, you should make sure that the third party receives a copy of the revocation. If a third party obtained the authorization for your records from a specific hospital, formally notifying the hospital in writing that you revoked the authorization is also important.


FAQ 64: Can My Health Records be Used for Marketing?

The short answer is no, but the correct and longer answer is more complicated. Let’s go through it step by step.

The HIPAA rule tells covered entities that they can only use or disclose health records for marketing with the authorization of the patient. One reason for being careful with authorizations is to make sure that you don’t casually authorize disclosure of your records to a company that wants to use them for marketing. Remember that other activities can reveal your medical history. If you accept a drug manufacturer’s coupon for a prescription drug, the manufacturer will learn your name and other information that it didn’t have before. Drug manufacturers are not HIPAA covered entities, so HIPAA places no restrictions on what they do with that information. Signing up for a disease-specific newsletter will also reveal your name and medical information. Joining a disease support group also effectively shares health information about you or a family member. If you chat openly about your condition on a health care provider’s Facebook page, you have effectively revealed your name and your medical information. HIPAA doesn’t protect any information you post on a social network.

HIPAA has two exceptions that allow marketing uses and disclosures. The first permits face-to-face communications by a covered entity to a patient. The second allows promotional gifts of nominal value provided by the covered entity. Under the first exception, for example, a nurse can invite you to visit the hospital’s new weight loss clinic. Under the second, the hospital can give you a refrigerator magnet with the phone number of its well-baby clinic. If the covered entity undertakes any marketing activity because someone, such as an outside entity, pays it to do so, then the covered entity must tell you it is being paid.

The 2013 changes effectively recognize an additional exception.  The Rule allows prescription refill reminders, but it imposes a limit on how much a provider can be paid for sending a reminder. If you don’t like refill reminders, you may be able to opt-out of them. A pharmacy can send you a letter telling you to refill a prescription, but the Rule does not allow so-called switch letters. A switch letter tries to get you to use a different drug than the one you were originally prescribed.

The basic marketing rule is pretty good as far as it goes. Most doctors believe, and will tell you, that using – and especially disclosing – health records for marketing is unethical anyway.

So far, so good. The rule allows uses and disclosures for treatment purposes and for health care operations. When does a treatment recommendation constitute marketing?  The line can be hard to draw. Advice from HHS says that any communication for the patient’s treatment, case management, care coordination, or recommendation of alternative therapies is permitted to the extent reasonably necessary. Further, population-based activities for health education or disease prevention (“Don’t Smoke!”) can also be okay.

The problem in line drawing here is that legitimate health activities overlap at the edges with marketing activities that many people are likely to find objectionable. Activities that fall on those edges can be characterized differently. Some activities that fall under the broad (and permissible) category of health care operations will look like marketing to some. When the answer requires a lawyer to dissect words, the result will be controversial at best.

The HIPAA rule helps a bit in limiting marketing disclosures. For example, you can expect that no covered entity will sell or rent lists of patients to drug manufacturers for the purpose of sending junk mail. However, there may be other marketing-like activities that a covered entity’s lawyer will say are allowed under HIPAA.

We are not done yet, but we need more context to continue. If you receive mail hawking allergy medicines or medical devices for diabetics, does that mean that your allergist or internist or insurer or pharmacist gave your name and diagnosis to the advertiser?  Anything is possible, but there are other, more likely, sources of the same information.

Marketing companies and list brokers sell or rent mailing lists of people by diagnosis. They offer lists of millions of people sorted by dozens of different diseases and conditions. Where does the information come from?  The answer is from many places, but you are the most likely source. If you show interest in a medical product by making a purchase, calling an 800 number, registering at a website, using a coded coupon, subscribing to a magazine, filling out a quiz, or entering a sweepstakes, you may reveal your interest and your diagnosis. If you fill out a warranty card or a consumer survey, any information about your health condition (“Why did you buy the vaporizer?”) that you reveal is likely to end up in a personal or household profile and can be used and sold forever for marketing purposes. Websites that show ads, and the advertisers themselves, often collect information about you, what you see online, and what you click on. All of that can reveal health information that no law protects. Those who read carefully already saw our warning about turning your health records over to a commercial, advertising-supported company offering personal health record (PHR) services. (See FAQ 9.)  That is another way that your records can leak into the marketing system. Any slip puts your personal information in the permanent possession of list brokers, marketers, and profilers.


FAQ 65: What Does the Breach Notice I Received Mean?

Let’s start with the basics. What’s a breach?  A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI. Since the 2013 changes, an impermissible use or disclosure is presumed to be a breach unless the covered entity can show a low probability that the information was compromised. The full definition of what is and is not a breach is too complicated for this FAQ. In general, if a covered entity has a qualifying breach, it must notify you without unreasonable delay, and no later than 60 days after it discovers the breach. The notice will describe what happened, the types of information involved, what you should do to protect yourself, what the covered entity is doing about it, and how to contact the entity with questions.

A breach can lead to negative consequences for you, but we don’t want you to overreact. Yes, you could become a victim of identity theft, either financial identity theft or medical identity theft. Yes, you are at greater risk because of the breach. Do not panic.

We cannot assess the probabilities, but not every breach results in consequences for the victims of the breach. If you are offered free credit monitoring, you may want to accept it. If the breach included disclosure of your credit card number or your health insurance number, pay close attention to credit card bills and explanations of benefits. Frankly, you should be paying close attention to these anyway. Make sure that all charges to your credit card are correct, and follow up if any are not. The same goes for explanations of benefits from a health insurer: a claim for a visit, test, or prescription you never received is a sign that someone may be using your insurance. If it doesn’t look right, call the insurer or provider and ask questions.

We do not advise paying for identity theft insurance or even buying credit monitoring unless you have a very good and very specific reason for doing so. Identity theft insurance is rarely worth the cost.

You can learn more about medical identity theft at the World Privacy Forum website at There are lots of resources and advice. For more on financial identity theft, go to the Identity Theft Resource Center at


