HIPAA and Privacy in the ED: Disclosure Scenarios You Should Know
By William Sullivan, DO, JD, FACEP, FCLM, Director, Emergency Services, St. Mary's Hospital, Streator, IL; Sullivan Law Office, Frankfort, IL
Your daughter calls you from a party and tells you that she is on her way home. Two hours later, she hasn't arrived and she does not answer her cell phone. You call the emergency department (ED) and ask if she is registered as a patient there.
The person on the other end of the line states, "I'm sorry, sir, but federal privacy laws do not allow us to tell you whether or not that person is in the emergency department."
Exactly what information may be disclosed under federal Health Insurance Portability and Accountability Act (HIPAA) privacy laws?
While not intended to be a comprehensive review of HIPAA legislation, this article will explore some of the more common scenarios where HIPAA privacy laws could apply to an ED healthcare provider's actions.
HIPAA was enacted in 1996. Its Administrative Simplification subtitle was intended to "improve ... the efficiency and effectiveness of the health care system, by [standardizing] electronic transmission of certain health information."1 The privacy and security requirements discussed in this article come mainly from the regulations implementing that subtitle, 45 C.F.R. Parts 160 and 164 (commonly called the Privacy Rule and the Security Rule), rather than from the text of the statute itself. Despite being on the books for well more than a decade, there is still significant misinformation about HIPAA's rules and regulations.
HIPAA contains a long list of definitions. Several definitions within HIPAA's privacy section are important in understanding the scope of the law's requirements.
HIPAA privacy laws apply to "covered entities," defined as health plans, health care clearinghouses, and any health care provider that transmits health information in electronic form in connection with a HIPAA-covered transaction (billing, eligibility checks, and the like).2 For the purposes of this article, all health care providers will be considered covered entities. With the recent implementation of the Health Information Technology for Economic and Clinical Health (HITECH) Act, "business associates," or those that perform services utilizing individually identifiable health information on behalf of covered entities,3 are now held to the same standards and subject to the same penalties as covered entities.4 The Privacy Rule limits use and disclosure of "protected health information," which is individually identifiable health information: health information, in any form, for which there is a reasonable basis to believe it can be used to identify the patient.5
Protected health information may be disclosed without a patient's permission only under the circumstances delineated in the Privacy Rule. Absent those exceptions, a patient must provide written authorization for use or disclosure of protected health information.6
Health care providers may use and/or disclose protected health information without a patient's consent when the information is used for treatment activities, payment activities, and health care operations of themselves or of any other health care provider.7 Health care operations include activities such as quality control, evaluating practitioner performance, and training non-health care professionals.8
When protected health information is used or disclosed, the use or disclosure must generally be limited to the "minimum necessary" to accomplish the intended purpose.9 There are several exceptions in which the "minimum necessary" standard does not apply at all. Those exceptions include disclosures to, or requests by, a health care provider for treatment; disclosures made to the patient; disclosures made under a valid authorization; and uses or disclosures required by law.10
ED Situations Involving HIPAA Disclosures
Notifying a Caller of a Patient's Presence in the ED or Hospital.
HIPAA allows hospitals to create a facility directory containing a patient's name, location in the facility, and condition described in general terms that does not communicate specific medical information.11 The patient must be informed about the information to be included in the directory, and must have the opportunity to restrict the information or opt out of being included in the directory. Unless a patient opts out of being included in the directory, a hospital may inform visitors or callers who ask for a patient by name about the patient's location in the facility and the patient's general condition. If the patient is incapacitated or arrives in an emergency and cannot be asked, the hospital may still list the patient when doing so is consistent with any prior expressed preference and is in the patient's best interest, and must inform the patient and offer the opt-out as soon as it becomes practicable.
Going back to the example at the beginning of this article, unless the patient requests that such information not be disclosed, it is perfectly acceptable under HIPAA to inform a caller asking for a patient by name whether the patient is in the ED and, if so, the patient's location and the patient's general condition. Note that the law requires that callers ask for an individual by name. It would not be proper to disclose information to callers seeking information about "the stabbing victim."
An example of circumstances in which a patient might not want to be included in a hospital directory and in which disclosure might not be in the best interests of the patient could involve a victim of domestic abuse or a potential crime victim where the patient fears further attacks or retribution for reporting the incident.
Disclosing Information to Family Members.
In emergency treatment situations, a health care provider may use or disclose protected health information without a patient's consent if the provider attempts to obtain such consent "as soon as reasonably practicable after the delivery of such treatment."12 Under this exception, disclosures to patient contacts would be permissible when a patient requires emergency treatment for major medical issues such as respiratory failure, cardiovascular collapse, or major trauma. Note that since the 2002 revisions to the Privacy Rule, patient consent for treatment, payment, and health care operations is optional rather than required (45 C.F.R. § 164.506(b)), so in practice disclosures to family and friends are governed by the provision discussed next.
In addition to the emergency exception, relatives or close personal friends may be informed of information that is directly relevant to their involvement with the patient's care or payment for that care.13 If the patient is present and has decision-making capacity, HIPAA requires that the patient either expressly agree to the disclosure,14 that the patient have the opportunity to object to the disclosure and not do so,15 or that, under the circumstances, the provider reasonably infer from professional judgment that the patient would not object.16 If the patient is not present, or does not have decision-making capacity because of incapacity or an emergency, a covered entity may, in the exercise of professional judgment, disclose the information it determines to be in the best interests of the patient.17 Any such disclosure must be directly relevant to the person's involvement with the patient's health care.
An example of a situation in which one would likely need to obtain permission from the patient before disclosing the patient's protected health information might be informing another party that the patient has contracted a sexually transmitted disease. Prefacing such information by asking the patient whether she wants other people in the room while you discuss the problem – giving the patient the opportunity to object to the disclosure – would satisfy one's duties under HIPAA laws. Similarly, telling a family member that a patient's chest pain is not due to a heart attack would likely not need a patient's permission since a reasonable person would not normally object to such a disclosure, but telling the family member that the patient's cocaine use is the cause of his chest pain would likely require the patient's permission.
Disclosure to Other Medical Providers.
Medical providers often contact each other seeking information about a patient's previous visits or medical testing. Although hospital policies often require that a faxed authorization be obtained before disclosing such information, HIPAA permits protected health information to be disclosed without a patient's consent when the information is used for treatment activities of any health care provider.18 In addition, the "minimum necessary" standard does not apply when information is disclosed to another medical provider for purposes of medical treatment.19
Notifying Third Parties of an Imminent Threat.
Suppose that a patient describes to you an elaborate plan to kill his ex-wife. Do HIPAA laws permit disclosure of this information to the police or to the patient's ex-wife?
Protected health information may be disclosed to avert a "serious and imminent threat" to health or safety of a person or the public if the disclosure is made to a person "reasonably able to prevent or lessen the threat, including the target of the threat."20
Not only is it permissible for medical providers to disclose imminent threats to others, many state statutes and court holdings require that physicians notify known parties of a specific threat. For example, Minnesota statutes state that:
"The duty to ... warn of ... violent behavior arises only when a client or other person has communicated to the licensee a specific, serious threat of physical violence against a specific, clearly identified or identifiable potential victim."21
Similarly, in Emerich v. Philadelphia Center for Human Development, the Pennsylvania Supreme Court held that:
"...a duty to warn arises only where a specific and immediate threat of serious bodily injury has been conveyed by the patient to the professional regarding a specifically identified or readily identifiable victim."22
Disclosing Protected Health Information to Law Enforcement
Healthcare providers may report victims of abuse, neglect, or domestic violence if the individual agrees with the disclosure, in order to comply with state laws, or if the disclosure is authorized by state regulations and the covered entity believes that disclosure is necessary to prevent serious harm to the individual or to other potential victims.23
Additional permissible disclosures for law enforcement purposes include any disclosures "required by law"; disclosures made pursuant to a court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer; disclosures made pursuant to a grand jury subpoena; and disclosures made in response to an administrative request, such as an administrative subpoena or summons, a civil or an authorized investigative demand, or a similar process authorized under law.24 For an administrative request, the information sought must be "relevant and material" to a legitimate law enforcement inquiry, the request must be specific and limited in scope to the purpose for which the information is sought, and de-identified information must not reasonably suffice.25 In other words, an investigative demand for disclosure of a patient's blood alcohol level after a motor vehicle accident would not permit disclosure of the patient's HIV status, since HIV status is neither relevant nor material to a DUI investigation. However, if a patient's HIV status is relevant to a police investigation, the status may be disclosed.

For example, in State v. Mubita,26 the Idaho Supreme Court held that a county prosecutor's request for disclosure of a patient's HIV status did not violate HIPAA when an HIV-positive patient was accused of purposely having unprotected sex with multiple women. Another criminal case addressing this section of the Privacy Rule was State v. Carter.27 Here, a Florida appellate court held that no HIPAA violation occurred when a pharmacy disclosed a patient's prescription records to a law enforcement officer investigating the patient for violation of Florida's "doctor shopping" statute.28 The language in Florida's statute requires that pharmacies "produce, for inspection and copying by law enforcement officers, records of controlled substances sold and dispensed." Therefore, the court held that the disclosures were proper under 45 C.F.R. § 164.512(f)(1) as disclosures required by law.
Certain protected health information may be disclosed in response to a law enforcement official's request for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person.29 Under this section, the permissible disclosures are limited to a person's name and address, date and place of birth, Social Security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death (if applicable), and a description of distinguishing physical characteristics such as height, weight, gender, race, hair and eye color, facial hair, scars, and tattoos. Specifically prohibited disclosures for this purpose are any information "related to the individual's DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue" (blood type is the one body-fluid result the rule expressly allows). Using these rules, a health care provider would be permitted to disclose to law enforcement officers a description of a shooting victim and his injuries. However, this subsection would not allow health care providers to disclose to law enforcement officers the blood alcohol level or urine toxicology results of a suspected intoxicated driver, since those results involve "analysis of body fluids." Such results may be released only under one of the other provisions, for example a court order or a state law that requires the disclosure.
Photography of Patients

Photography of hospital patients has become a contentious issue in the news. In December 2007, an Arizona Mayo Clinic surgeon was fired for taking pictures of a tattoo on a patient's genitals with his cellular telephone.30 In February 2009, two Wisconsin nurses were fired after being accused of taking pictures of a patient's X-rays and posting the pictures to the Internet. The X-rays demonstrated a foreign body in the patient's rectum. Subsequently, the case was referred to the FBI for investigation of possible HIPAA violations.31
Absent a patient's written authorization, individually identifiable data may not be used in any way not permitted under the HIPAA statute. For example, HIPAA permits pictures of a trauma patient's injuries to be placed in the patient's medical records and sent to a trauma center upon a patient's transfer since all of those actions are in furtherance of the patient's medical treatment.32 Additionally, maintaining "teaching files" of radiographic, laboratory, or other data falls under the definition of "health care operations"33 and would be permissible to maintain and use for educational purposes.34
While HIPAA laws do not permit obtaining a patient's protected health information for personal purposes or posting such information to the Internet without the patient's permission, HIPAA laws do not apply to health information that has been "de-identified," because de-identified information is no longer protected health information.35 The Privacy Rule offers two routes to de-identification: a formal determination by a qualified expert that the risk of re-identification is very small, or the "safe harbor" method, which lists 18 categories of identifiers that must be removed and additionally requires that the covered entity have no actual knowledge that the remaining information could identify the individual.36 The safe harbor list covers almost any unique information related to the patient, such as name, geographic subdivisions smaller than a state (street address, city, county, and all but the first three digits of a ZIP code), all elements of dates other than the year (birth date, admission and discharge dates, date of death) and any age over 89, telephone and fax numbers, e-mail addresses, Social Security number, medical record number, health plan and account numbers, license and vehicle numbers, device serial numbers, URLs, IP addresses, and biometric identifiers. In addition, any "full face photographic images and any comparable images" and any other "unique identifying number, characteristic, or code" must be removed.37
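To make the safe harbor method concrete, the following added example (not part of the original article) applies the 18-category rule to a structured ED record. The field names, the sample record, and the decision to withhold rather than redact free-text fields that contain identifier-like strings are assumptions made for this illustration. The list of three-digit ZIP prefixes that must be reduced to 000 follows the HHS safe harbor guidance derived from the 2000 census and should be checked against current guidance before use. Note that the rule's "no actual knowledge" condition is a judgment call that no script can make for you.

```python
"""Safe harbor de-identification of a structured record (45 C.F.R. § 164.514(b)(2)).

Added example; the record layout and sample data are constructed for illustration.
"""
import re
from datetime import date
from typing import Any

# Fields in the (assumed) record layout that fall into safe harbor categories
# requiring outright removal: names, sub-state geography, contact numbers,
# e-mail, SSN, MRN, plan/account/license/vehicle/device identifiers, URLs,
# IP addresses, biometrics, and full-face or comparable images.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_no", "license_no", "vehicle_id",
    "device_serial", "url", "ip", "biometric", "face_photo",
}

# Three-digit ZIP prefixes with 20,000 or fewer residents per HHS guidance
# (2000 census figures; verify against current guidance). These become "000".
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "592", "790",
                   "821", "823", "830", "831", "878", "879", "884", "890", "893"}

# Date fields: only the year may survive, and age over 89 is collapsed to "90+".
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}

# Identifier patterns that commonly leak through free-text fields (notes).
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits unless the prefix is in the restricted set."""
    digits = re.sub(r"\D", "", zip_code)[:3]
    if len(digits) < 3 or digits in RESTRICTED_ZIP3:
        return "000"
    return digits


def generalize_age(dob: date, as_of: date) -> str:
    """Age in whole years, with everything 90 and above collapsed to '90+'."""
    years = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if years >= 90 else str(years)


def free_text_leaks(text: str) -> list[str]:
    """Names of identifier patterns found in a free-text value."""
    return [kind for kind, rx in LEAK_PATTERNS.items() if rx.search(text)]


def safe_harbor(record: dict[str, Any], as_of: date) -> tuple[dict[str, Any], list[str]]:
    """Return (de-identified record, list of 'field:pattern' free-text findings).

    Free-text fields that match a leak pattern are withheld entirely and reported,
    so that the caller can review or redact them by hand.
    """
    out: dict[str, Any] = {}
    flagged: list[str] = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(str(value))
        elif key in DATE_FIELDS:
            if key == "dob":
                age = generalize_age(value, as_of)
                out["age"] = age
                if age != "90+":          # a birth year would reveal an age over 89
                    out["dob_year"] = value.year
            else:
                out[key + "_year"] = value.year
        elif isinstance(value, str) and (leaks := free_text_leaks(value)):
            flagged.extend(f"{key}:{kind}" for kind in leaks)
        else:
            out[key] = value
    return out, flagged


# Constructed sample record; every value here is fictitious.
SAMPLE = {
    "name": "Jane Q. Patient",
    "mrn": "00123456",
    "street": "12 Elm St",
    "city": "Streator",
    "state": "IL",
    "zip": "61364-1234",
    "dob": date(1918, 5, 2),
    "admit_date": date(2010, 3, 1),
    "diagnosis": "Wrist fracture",
    "note": "Call husband at 815-555-0134 re: discharge",
    "phone": "815-555-0134",
}

if __name__ == "__main__":
    cleaned, findings = safe_harbor(SAMPLE, date(2010, 3, 9))
    print(cleaned)   # state, zip3, age '90+', admit year, diagnosis only
    print(findings)  # ['note:phone']
```

Two design points are worth noticing. A 91-year-old's birth year is dropped along with the age, because "all elements of dates ... indicative of such age" are covered, not just the age itself. And the free-text regexes are a detection aid for review, not a guarantee: a nurse's note that says "the mayor's wife" contains none of the 18 listed identifiers yet would still defeat de-identification, which is exactly why the rule adds the "no actual knowledge" condition.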
In the first example given above, taking a picture of a patient's body part is unlikely to result in a violation of HIPAA, unless that body part is uniquely identifiable. For example, the picture of a rash on a patient's back would likely not be able to be traced back to the patient. However, a photograph of a tattoo on a patient's genitals is unique enough that it would likely be considered "uniquely identifiable." Therefore, the surgeon's actions most likely did violate HIPAA laws. Even assuming that there was no HIPAA violation, making recordings of another person's genitals may also violate state pornography or obscenity laws and photographing a child's genitals would likely violate state and federal child pornography laws.
In the second example above, pictures of an X-ray, unless demonstrating an extremely unique physical characteristic or showing hospital identifying data, would be very difficult to link to a given individual. Imagine jumbling 20 wrist X-rays and then trying to match them to 20 patients who had injured their wrists. Pictures of an isolated X-ray image would likely not violate federal HIPAA laws. The practical caveat is that digital radiographs as displayed on a workstation usually carry the patient's name, date of birth, medical record number, and the facility name burned into the margin of the image, and a phone photograph of the screen captures all of it; a picture of the image alone is de-identified only if that header is cropped out or not shown.
Whether HIPAA applies to pictures taken of patients or of protected health information is only one of the privacy issues involving patient photographs. In addition to state pornography laws, many state privacy laws prevent any photography of patients without their permission when a reasonable person would have an expectation of privacy. Hospital policies, employment policies, and physician contracts may also limit the disclosure and use of any patient data. Confidentiality clauses are common in physician contracts. Agreeing to a clause stating that "Physician may not copy, retain, or disseminate information related to services provided under this Agreement without advanced written permission from Corporation" and then taking a patient's picture would likely be considered a breach of the contract. Hospital policies may forbid taking a patient's picture without the patient's written consent – even if the picture is used for treatment purposes. Taking a picture without written consent, even though the action would comply with HIPAA laws, may still subject the employee to termination for violating the hospital policies.
Although HIPAA requires that covered entities apply "appropriate sanctions" against workforce members who fail to comply with the covered entity's privacy and security policies,38 violations of hospital privacy policies are not per se violations of HIPAA privacy laws, and bald accusations of HIPAA violations against employees should be discouraged.
Penalties for HIPAA Violations
Patients do not have a private right of action against covered entities for HIPAA violations.39 The U.S. Supreme Court has stated that Congress must specifically create a private right of action before individuals may attempt to enforce a federal law.40 HIPAA contains no such language. Therefore, patients can't "sue you" for HIPAA violations. Until recently, the HIPAA statute permitted only the Secretary of the Department of Health and Human Services to impose civil fines on violators. However, the HITECH Act amended the HIPAA statute to permit state attorneys general to file civil actions against providers and obtain statutory damages against providers on behalf of state residents.41
Initially, HIPAA laws were rather forgiving.42 With enactment of the HITECH Act, penalties for HIPAA violations have increased to a minimum of $100 per violation for "unknowing" violations, $1,000 per violation for violations involving "reasonable cause," and up to $50,000 per violation for violations involving "willful neglect." Penalties for violations not due to willful neglect may not be imposed if the violations are corrected within 30 days of when the violator knew, or should have known, of the failure.43 Violations involving willful neglect incur minimum penalties of $10,000 per violation if corrected and $50,000 per violation if not corrected.44 Criminal HIPAA penalties are more severe. A person who knowingly obtains or discloses individually identifiable health information in violation of the statute faces a fine of up to $50,000 and up to one year in prison; if the offense is committed under false pretenses, up to $100,000 and five years; and if it is committed with intent to sell the information or to use it for commercial advantage, personal gain, or malicious harm, up to $250,000 and 10 years.45 Violators have been convicted and sentenced under HIPAA for actions such as stealing medical data to create counterfeit identification documents,46 obtaining and disclosing information to be used against a patient in a court proceeding,47 and viewing celebrity medical records without a permissible purpose.48
As of January 2010, just under 50,000 privacy complaints had been made in the nearly seven years since HIPAA enforcement began. Of those complaints, just over 10,050 required "corrective action," but not one case had resulted in imposition of a civil monetary penalty.49 The Office for Civil Rights has so far referred 469 cases to the Justice Department for possible criminal prosecution.50
As the financial incentives for prosecuting cases increase, and as states may now use HIPAA fines as a source of revenue, the number of HIPAA investigations and prosecutions is expected to increase.
1. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, § 261
2. 45 C.F.R. § 160.103
4. HITECH Act §§13401(a) and (b).
5. 45 C.F.R. § 160.103
6. 45 C.F.R. § 164.508(a)(1)
7. 45 C.F.R. § 164.506(c)(1)
8. 45 C.F.R. § 164.501
9. 45 C.F.R. §§ 164.502(b) and 164.514 (d)
10. 45 C.F.R. § 164.502(b)(2)
11. 45 C.F.R. § 164.510(a)(1)(i)
12. 45 C.F.R. § 164.506(a)(3)(i)(A)
13. 45 C.F.R. § 164.510(b)
14. 45 C.F.R. § 164.510(b)(2)(i)
15. 45 C.F.R. § 164.510(b)(2)(ii)
16. 45 C.F.R. § 164.510(b)(2)(iii)
17. 45 C.F.R. § 164.510(b)(3)
18. 45 C.F.R. § 164.506(c)(2)
19. 45 C.F.R. § 164.502(b)(2)(i)
20. 45 C.F.R. § 164.512(j)(1)(i)
21. Minn. Stat. § 148.975
22. 720 A.2d 1032 (Pa. 1998)
23. 45 C.F.R. §§ 164.512(c) and 164.512(f)(6)(ii)
24. 45 C.F.R. § 164.512(f)(1)
26. 188 P.3d 867 (Idaho 2008)
27. Case No. 1D09-702 (Fla. App. 11/30/2009)
28. Fla. Stat. § 893.07
29. 45 C.F.R. § 164.512(f)(2)
30. http://www.law.com/jsp/article.jsp?id=1198749902130. Accessed March 9, 2010.
31. http://www.wisn.com/news/18796315/detail.html. Accessed March 9, 2010.
32. 45 C.F.R. § 164.506(c)(1)
33. 45 C.F.R. § 164.501
34. 45 C.F.R. § 164.502(a)(1)(ii)
35. 45 C.F.R. § 164.502(d)(2)
36. 45 C.F.R. § 164.514
38. 45 C.F.R. §§ 164.308(a)(1)(ii)(C) and 164.530(e)(1)
39. Acara v. Banks, 470 F.3d 569 (5th Cir 2006)
40. Alexander v. Sandoval, 532 US 275, 286 (2001)
41. HITECH Act § 13410(e)
42. 42 U.S.C. § 1320d-5
43. HITECH Act § 13410(d)(3)
44. HITECH Act § 13410(d)(1)
45. 42 U.S.C. § 1320d-6
46. http://oklahomacity.fbi.gov/dojpressrel/pressrel08/may08_08.htm. Accessed March 9, 2010.
47. http://littlerock.fbi.gov/dojpressrel/pressrel08/hipaaviol041508.htm. Accessed March 9, 2010.
48. http://www.justice.gov/usao/cac/pressroom/pr2010/004.html. Accessed March 9, 2010.
49. One 2008 case against Providence Health & Services was resolved with a $100,000 settlement and a corrective action plan. http://www.hhs.gov/news/press/2008pres/07/20080717a.html. Accessed March 9, 2010.
50. http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html. Accessed March 9, 2010.