When is it safe to share patients’ information?

[Editor’s note: This is a periodic column that will address specific questions related to Health Insurance Portability and Accountability Act (HIPAA) implementation. If you have questions, please send them to Sheryl Jackson, Hospital Home Health, American Health Consultants, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: sherylsmjackson@cs.com]

Question: Can home health staff members share information with patients’ family members or caregivers?

Answer: Yes, agency staff members may disclose information that is directly relevant to patients’ involvement with patients’ care or payment for care to family members, other relatives, close personal friends, and other persons identified by patients, says Elizabeth E. Hogue, Esq., a home health attorney in Burtonsville, MD.

"When patients are present during the disclosure or otherwise available prior to the disclosure and have the capacity to make health care decisions, the agency may disclose protected health information if the agency staff member obtains patients’ agreement, provides patients with an opportunity to object to the disclosure, and patients do not express an objection," she points out.

"Staff members may also disclose information when they reasonably infer from the circumstances, based on the exercise of professional judgment, that patients do not object to the disclosure," Hogue explains. When patients are not present during disclosures or the opportunity to agree or object to the disclosure cannot practicably be provided because of patients’ incapacity or an emergency circumstance, the agency staff members may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of patients, she adds.

If so, the agency may disclose only the protected health information that is directly relevant to that person’s involvement with patients’ health care, she explains.

Question: If requests for information are received from family members or caregivers via telephone, what obligation, if any, do staff members have to verify that the callers are who they say they are?

Answer: Agency staff members should use sound judgment with regard to verification that individuals who telephone the agency asking for information about patients are who they say they are, Hogue says. "At a minimum, staff should document the full name of the individual to whom information was given and the date and time the staff member provided information."

On Feb. 13, the Department of Health and Human Services adopted final security standards that protect patient information that is maintained or transmitted electronically.

The rule requires covered entities to implement administrative, physical, and technical safeguards to protect electronic protected health information in their care. The security standards were published as a final rule in the Feb. 20 issue of the Federal Register with an effective date of April 21, 2003.

The rules require organizations to provide security awareness training to all employees, to conduct risk analyses to identify security vulnerabilities, to establish policies that allow access to protected health information on a need-to-know basis, to limit physical access to information, to establish audit controls, and to enforce sanctions.

The regulations will become enforceable for most covered entities on April 21, 2005.