By Gregory Freeman
As long as HIPAA has been around, one of the most contentious issues has been whether spouses, partners, other family, or friends can receive information about a patient — or whether non-healthcare entities can discuss someone’s health. Healthcare providers often misinterpret HIPAA requirements in this area, either being overly restrictive or releasing protected health information (PHI) improperly.
Despite the healthcare community’s long experience with HIPAA, this still is an issue that is not well understood by some employees, says William P. Dillon, JD, shareholder with the Gunster law firm in Tallahassee, FL.
“I’ve been dealing with HIPAA since it came out. HIPAA is still very misunderstood,” he says. “We really saw that in COVID, where you would hear (that) somebody like a public official might have been asked their vaccination status and they respond ‘Oh, I can’t tell you that, because that would be violating HIPAA.’ No, it’s not, because it’s your information. You can tell anybody in the world about your healthcare if you want to.”
HIPAA only applies to three classes of entities — health plans, healthcare providers, and healthcare clearing houses, Dillon notes. So, it does not apply to the police department or a non-healthcare company, he says.
“They’re not a covered entity under HIPAA. Now, there may be other reasons why they don’t disclose things, but it’s not a specific HIPAA obligation,” he says.
HIPAA does allow some limited disclosure of information to a family member or someone who is involved in the care of that individual without a specific consent, Dillon says.
“So, for example, if my wife and I are in a car accident and she has to go to the emergency room, or even just a friend, and we’re in the emergency, they can give me some limited information because we’ve come in there. They can’t go over the whole history with me and things like that, but, clearly, I was involved in that portion of that person’s healthcare, so that’s going to be okay,” he says. “Where we need to have permissions are when my wife wants access to all of my medical information. I need to give that covered entity permission, to say yes, you can discuss my healthcare condition with my spouse or with my significant other.”
Covered entities also should address the issue of employees improperly accessing a family member’s medical record, Dillon says. He has had clients contact him about quarterly HIPAA audits that revealed an employee who was not involved in their spouse’s or another family member’s visit going into their electronic medical record.
“That’s wrong unless they had consent or authorization from that family member. They are not allowed to have that information,” he says. “Most entities will have a policy that employees can’t use the electronics for non-work purposes, and that includes surfing your family members’ records and things like that. Those things are going to be violations of HIPAA.”
Frequent Dilemma for Hospitals
Hospitals encounter this question about HIPAA and family members often, says Michael J. Madderra, JD, an attorney with the Morgan Lewis law firm in Seattle. Because of how HIPAA is written and how it intertwines with other rules and laws, it can be challenging to implement, he says.
Covered entities are always concerned about the minimum necessary rule, he notes. When you are asked by a spouse, family member, or close friend, most of the time, there is not a treatment or operations purpose, he says.
“Sometimes, there’s a payment reason, but, frequently, the covered entity is still subject to the minimum necessary rule where, even when they’re permitted to provide medical information, they have to provide only the minimum amount necessary to achieve the intended purpose,” Madderra says. “They should be extra cautious to understand what limits apply, what’s being asked, and not to exceed that amount even when they’re permitted. It’s tricky because one of the circumstances, for instance, under the rules where some information that is PHI can be provided, relates to when an individual has passed away.”
If an individual is deceased, the provider can give information about the fact that they are deceased, and they can give that information to persons who are involved in that individual’s care before their death, he explains. However, they cannot give more than that.
“There are circumstances where a spouse comes in and says, ‘Hey, I don’t have an authorization for my deceased husband. I want their medical records to understand how and why they died,’” Madderra says. “Without obtaining the proper paperwork showing that they are the personal representative and that they have the estate paperwork in hand, they’ll be entitled to get confirmation from the hospital that the spouse died there, but not more medical records. It can be a really unpleasant experience on both ends because you’ve got a spouse who wants the information, and the provider, understandably, may want to provide it but they can’t. Their hands are tied by the rule.”
Hospitals and covered entities are best served by having ready-to-go authorization forms on hand that they can have patients fill out for family members, spouses, and friends. That paperwork provides the cleanest resolution.
However, in some situations, there may be no need for paperwork or affirmative consent. “If I go into a medical appointment with my wife, and my wife is there getting treatment, the doctor can reasonably infer from the circumstances that my wife is giving consent and it’s fine for me to be there and hear her medical information,” he says. “That’s because, if she didn’t want me there, she would have the opportunity to say, ‘Hey, leave the room,’ or, ‘Hey, I don’t want this information in front of my partner here.’”
A harder situation is when a spouse seeks medical information about the patient when they are not present. An example might be a wife seeking information about her husband’s cancer treatment. In that case, the covered entity uses their professional judgment to determine what is in the best interest of the patient, including whether the person requesting the information is directly involved in the patient’s medical care, Madderra says.
“That would be permissible because they’re directly related in that care. But if it were a brother or sister or someone who is also related but may not have that direct relationship in the care, the provider could not give up the health information. So, it’s tricky,” he says. “It’s not as straightforward as you hope.”
Madderra points out that state laws also apply, not just HIPAA.
“HIPAA is the floor, not the ceiling. Washington state has a more stringent set of laws than HIPAA, so that when I’m advising clients located in Washington, I have to update that checklist to highlight extra additional information and steps or hurdles they may have to go through to comply with state law,” he says.
Failing to apply HIPAA correctly when a family member asks for PHI can result in a legal claim against the covered entity, Madderra says.
“They may go to their attorney, and they may file a complaint with the Office for Civil Rights. They may file a complaint with the state medical board. They feel like they’re entitled to the records, and, oftentimes, the people who are asking for the records don’t understand the nuances of HIPAA and the state medical laws,” he says. “They may be in a very stressful time, going through medical records of a sick partner or deceased partner or some other circumstance, and this is another roadblock which they don’t want to deal with.”
Often, that roadblock prompts them to escalate the circumstance to legal counsel or a regulatory agency, he says. It is important when you are responding to requests to be as clear as possible about why the information cannot be released, he says. “Try to respond without all the legal jargon, but you still have to explain to them why we’re providing it, or here’s why we’re not providing it. Or here’s why we’re only providing a limited subset,” Madderra says. “I often like to give a short answer up front with a more detailed, nuanced explanation to follow and offer a call for further discussion to explain the limits of what the provider is allowed to release and why. The people requesting information can take it very personally, even if it’s just a matter of the provider just trying to maintain compliance with the law.”
Educate Employees on Family Response
Employees must be taught that HIPAA specifically permits healthcare providers covered by the law to disclose PHI to the patient’s spouse, family members, friends, or other persons identified by the patient, with certain limitations and requirements, says Lani M. Dornfeld, JD, CHPC, member with the Brach Eichler law firm in Palm Beach, FL. One limitation is that the information disclosed must be limited to what is directly relevant to the person’s involvement in the patient’s care or payment for the patient’s care, she says.
“By way of example, if the only involvement of the individual requesting the information is that the individual holds the health benefits used by the patient, then the healthcare provider should limit information provided to only what is needed to ensure the provider can submit insurance claims for payment or, if the individual is paying the patient’s out-of-pocket expenses, strictly to invoices,” Dornfeld says.
The rule also provides that, if the patient is present or otherwise available before a disclosure of the patient’s health information to any such individuals, and has the capacity to make medical decisions, the provider may discuss information with the individual if the patient agrees or, when given the opportunity, does not object to the disclosure, she explains. The healthcare provider also may share the patient’s information with an individual if the provider reasonably infers from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosures, she adds.
“Many healthcare providers include, in patient registration forms, a section for the patient to list the names and contact information of those individuals the patient agrees, in advance, may be communicated with regarding the patient’s care or payment for care, with the ability to describe any limitations on what information may or may not be shared,” she says. “If the patient is not present or the opportunity to agree or object to a disclosure is not possible due to the patient’s lack of capacity or other exigent circumstance, the healthcare provider may disclose limited information the professional reasonably determines is in the best interests of the patient.”
Typically, this would include only information relevant to the current condition of the patient, Dornfeld says.
Dornfeld has seen covered entities misapply HIPAA in this area by being too lax or overly restrictive. Examples of being too lax include the oversharing of the patient’s information beyond the individual’s involvement in the patient’s care (or payment for care) or the sharing of the patient’s information without providing the patient the opportunity to object, she says.
“I also have seen covered entities take an overly strict, improper stance on the sharing of patient information with family and friends by requiring a specific, written authorization from the patient for each disclosure or refusing to provide any information to a non-family member,” she says. “In some instances, a healthcare provider may be overly cautious on the amount of information provided to the patient’s loved ones by sharing only basic information, like the general condition of the patient without any details. This is inconsistent with HIPAA and, aside from violating HIPAA, could become a barrier to proper diagnosis and treatment of the patient.”
Covered entities can ensure they are properly complying with HIPAA’s requirements by having the required policies and procedures in place, having an appropriate privacy official in place, and providing frequent staff training, Dornfeld advises.
If a healthcare provider is overly strict in the amount of information it shares with the patient’s family, friends, or others involved in the patient’s care, negative consequences could result, including, for example, that relevant information is not given to the provider or to the patient, she says. This especially might be the case with an elderly patient who has some level of cognitive decline and may need assistance in communicating and digesting medical information. Potential malpractice liability could result, depending on the circumstances, she says.
“Of course, in this age of social media, patients often get vocal about grievances, including by posting negative online reviews or negative comments on social media,” Dornfeld says. “This could result in reputational harm to the healthcare provider.”
Greg Freeman has worked with Clinician.com and its predecessor companies since 1989, moving from assistant staff writer to executive editor before becoming a freelance writer. He has been the editor of Healthcare Risk Management since 1992 and provides research and content for other Clinician.com products. In addition to his work with Clinician.com, Greg provides other freelance writing services and is the author of seven narrative nonfiction books on wartime experiences and other historical events.
Sources
- William P. Dillon, JD, Shareholder, Gunster, Tallahassee, FL. Telephone: (850) 521-1708.
- Lani M. Dornfeld, JD, CHPC, Brach Eichler, Palm Beach, FL. Telephone: (973) 403-3136.
- Michael J. Madderra, JD, Morgan Lewis, Seattle. Telephone: (206) 274-6448.