Guest Column

Does request for data meet the HIPAA test?

Health care attorney offers guidelines

By Loren Ratner
Nixon Peabody LLP, Garden City, NY

[Editor’s note: The analyses and conclusions contained in this article are limited to review of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations. It is essential that state laws and regulations in your state also be reviewed to determine whether they contain any additional requirements and whether any applicable provisions preempt the HIPAA privacy regulations, i.e., if the state law relates to the privacy of individually identifiable health information and provides greater privacy protections for individuals’ health information or greater rights to individuals with respect to that information, than the privacy regulations do.]

Almost two years after implementation of the final HIPAA privacy regulations, a review of hospitals’ experience with the regulations and a discussion of some common issues that arise in hospital settings is timely and appropriate. All health care providers in the country were required to comply with the regulations, commonly referred to as the privacy rule, by April 14, 2003. Preparation for compliance was a major undertaking for most providers. It began weeks and months earlier and progressed to a feverish pitch until the implementation date; things have calmed considerably since that time.

The nation’s hospitals and other covered health care providers have established HIPAA privacy policies and procedures, provided HIPAA training to their employees, notified their patients of their privacy practices, and satisfied the many other requirements provided in the privacy rule. Still, despite the best planning, the clearest policies, and the most comprehensive procedures, hospitals receive numerous requests for disclosure of protected health information (PHI) that were not anticipated in advance.

Here is discussion of a few such requests from HIPAA:

Question: When and to whom can information pertaining to deceased patients be disclosed without an authorization, and who can authorize other disclosures?

Answer: A hospital may receive requests for PHI pertaining to a deceased patient from various individuals and for diverse reasons. For example, requests may be received from family members, physicians and other health care providers, and attorneys. The hospital’s ability to make the requested disclosure varies according to the facts and circumstances of the request, as exemplified by the following scenarios:

Dr. Jones requests PHI from Medical Center pertaining to a deceased patient, John Doe. The request is made on behalf of Susan Smith, the adult child of John. Can the PHI be disclosed to Dr. Jones?

If Dr. Jones’ request is made to provide health services or treatments to Susan, Medical Center can disclose the relevant PHI. The privacy rule provides that PHI pertaining to a deceased patient that is relevant to a relative’s health care can be disclosed to the relative’s health care provider without a HIPAA-compliant authorization. The disclosure of the information is for treatment purposes [and is] a type of disclosure permitted under the rule.

Susan Smith submits a written request to Medical Center’s medical records department asking for a copy of her deceased father John’s medical records.

Medical Center is not permitted to disclose PHI pertaining to John in response to Susan’s request, which is for a use not specifically permitted by the privacy rule. This is in contrast to permitted uses, such as treatment described above. Susan may have any one of a number of reasons for desiring the information. For example, she may be requesting the records to gain information to determine whether to bring a medical malpractice lawsuit.

Unless it is a disclosure specifically permitted by the privacy rule, however, Medical Center cannot disclose the PHI without a proper authorization that satisfies HIPAA’s privacy rule.

In response to Medical Center’s denial of Susan’s request, as described in the previous paragraph, Susan agrees to authorize the disclosure, as John’s adult child.

Can Medical Center release the PHI?

Unless Susan is the executor or administrator of John’s estate, or is otherwise legally authorized to act on behalf of John or his estate, Medical Center cannot act on Susan’s authorization for disclosure. Such authorization can be provided only by John’s "personal representative."

A deceased patient’s personal representative is the deceased patient’s legally authorized executor or administrator, or a person who is otherwise legally authorized to act on behalf of the deceased individual or his estate.

A deceased patient’s personal representative, as defined by the privacy rule, is provided the same rights under the rule as the patient himself would receive, if alive. Because John’s personal representative is afforded the right to authorize disclosure of the PHI, Medical Center can disclose the PHI only with John’s personal representative’s authorization. Such authorization must be fully compliant with the privacy rule. In conclusion, Susan’s request must be denied unless John’s personal representative authorized such disclosure. Susan will have to use other legal avenues to obtain the information.

Question: Is a hospital permitted to release PHI to ambulance providers? What happens when Acme Ambulance Company requests information pertaining to Ed, a patient brought by Acme to Medical Center’s emergency department, to enable it to pursue reimbursement from insurers?

Answer: Medical Center can respond to Acme’s request for information pertaining to Ed, when the information requested to be used by Acme is to pursue payment for the services it rendered to Ed. Ambulance providers frequently transport patients who are unconscious or otherwise unable to communicate essential information with the ambulance staff, and the ambulance providers need patient information to submit claims for reimbursement.

Some hospitals have been uneasy about disclosing patient information to the ambulance providers, and a few have even considered treating such ambulance providers as business associates to ensure that PHI is fully protected in accordance with the privacy rule. Such measures are not necessary, as hospitals are permitted to disclose PHI to another health care provider for the payment activities of that provider.

In making requests for disclosures of PHI, covered entities are required to limit their requests for information to the minimum necessary. Ambulance providers should limit their requests accordingly to information necessary to enable them to seek payment.

In summary, because the request for PHI is for a payment purpose, Medical Center can release the information to Acme.

Question: Under what circumstances can a hospital disclose information pertaining to patients to police officers?

Answer: Police officers and other law enforcement authorities frequently seek information from hospitals pertaining to patients in various circumstances. Hospital privacy officers need to know the circumstances under which they are permitted to disclose PHI to law enforcement without a court order or other legal directive. HIPAA addresses several different such situations as follows:

Police Officer arrives at Medical Center seeking information pertaining to patient Polly, to investigate an allegation that Polly assaulted another patient

Medical Center is permitted to disclose PHI to Police Officer what Medical Center believes, in good faith, constitutes evidence of criminal conduct that occurred on the premises of Medical Center. Medical Center, however, must limit its disclosure of PHI to the minimum necessary for reporting of the crime to Police Officer.

Police Officer requests information about Polly because she is suspected of committing a serious crime and recently was a patient at Medical Center.

Medical Center may disclose certain information to Police Officer regarding Polly. Under the privacy rule, PHI may be disclosed in response to a request by law enforcement for the purpose of identifying or locating a suspect, fugitive or material witness, or a missing person.

The PHI disclosed is limited to the following: patient’s name and address, date and place of birth, Social Security number, blood type (ABO and Rh factor), type of injury, date and time of treatment, date and time of death (if applicable), and a description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair, scars, and tattoos.

Information pertaining to the patient’s DNA, dental records, or typing, and samples or analysis of body fluids or tissue cannot be disclosed for the purpose of identification or location of a suspect, a fugitive or material witness, or a missing person.

Police Officer requests information from Medical Center pertaining to Velma, believed to be the victim of an assault that precipitated her hospitalization at Medical Center.

If certain conditions are met, Medical Center is permitted to disclose information about Velma to Police Officer. The privacy rule permits a health care provider to respond to a law enforcement official’s request for information about an individual who is, or is suspected to be, a victim of a crime.

Prior to disclosure by the hospital, either the patient must agree to the disclosure, or if the patient cannot agree to disclosure because of incapacity or other emergency circumstances, the following condition must be satisfied. The law enforcement official must:

1. represent that the information is needed to determine whether a violation of law by a person other than the victim has occurred and the information is not intended to be used against the victim;

2. represent that the immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the patient can agree to disclosure.

In addition, the disclosure must be in the best interests of the individual, as determined by the hospital, in the exercise of its professional judgment. We recommend that Medical Center’s privacy officer make this determination based upon the information available and in consultation with any appropriate individuals (such as legal counsel). Further, Medical Center should document such determination along with the required representations of Police Officer in Velma’s medical record.

Responding to HIPAA privacy issues has become a routine part of hospitals’ daily activities. While most HIPAA activities are routine and uneventful, requests and issues do arise that require a careful review of the circumstances and consideration of the requirements of the privacy rule and any applicable state laws and regulations. A hospital can best protect itself by staying up to date on HIPAA issues, including unusual requests for disclosure of patients’ PHI.

(Editor’s note: Loren Ratner is an attorney specializing in health and hospital law in the Health Services Group of Nixon Peabody LLP, in its Garden City, NY, office.)