Policies should address difficult HIPAA scenarios
There can be murky situations in which the right interpretation of HIPAA is not obvious, says Patricia Wagner, JD, an attorney with the law firm of Epstein Becker Green in Washington, DC.
Many of them occur in provider-to-provider transfers, but others can involve family members. For example, a parent or guardian is allowed access to a child’s protected health information (PHI) except in certain circumstances. An adult child might seek information about a parent, and interpreting HIPAA might require some investigation into the legal status of the patient or asking the parent to provide permission. "Families can be very complex, and it’s not always OK to provide information to everyone in the family," Wagner says.
In addition, there can be confusion among staff regarding state privacy laws that might be more restrictive than HIPAA, Wagner notes. Some organizations also have longstanding habits on data sharing, such as requiring patients to sign consent for sharing information with another doctor, that might not be HIPAA-related, yet HIPAA is cited as the reason for refusal.
Clear policies and procedures can help alleviate some of those problems, Wagner suggests. Without an explicit instruction stating what is and is not required for the data exchange, staff are likely to default to the safest choice of not allowing the transfer, she says.
"The policy shouldn’t just reiterate the provisions of the HIPAA rule. It should delineate the exact steps that must be taken to approve the information release," Wagner says. "If you get a subpoena, here are the four steps you need to take. Or if you get a request from a parent of a minor, here are the three steps to take and the criteria to check off."