Hearing Clarifies Rules on Disclose of PHI under HIPAA
One of the main aims of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) – and its five subsequent rule amendments – was to create a national standard to protect medical records and other Personal Health Information and keep the data private and confidential.
The HIPAA Privacy Rule, one of the five amendments to the original legislation, was introduced specifically to address electronic PHI and ensure that healthcare organizations implemented the necessary technical, administrative and physical safeguards to maintain data security.
All entities covered by HIPAA were required to comply with this rule by 2003, and since the rule came into effect, the OCR has been policing healthcare organizations and ensuring that the new rules are adhered to. The Privacy Rule defines and limits the circumstances under which an individual’s protected heath information may be used or disclosed by covered entities.
Although the introduced rules have tried to simplify HIPAA policies and help healthcare organizations to put them into action, there are circumstances under which HIPAA regulations are unclear, with healthcare organizations given some room for interpretation.
Last month the U.S. House Energy and Commerce Subcommittee on Oversight and Investigations was involved in a number of hearings relating to situations when HIPAA regulations are alleged not to have been followed or have been misinterpreted. One hearing involved the case of Gregg Wolfe and his son. In his case, PHI was withheld by his doctors and it is alleged that the disclosure of this data could have saved his son’s life.
Wolfe testified that his 21-year old son, Justin Wolfe, died as a result of a heroin overdose, yet both he and his mother were unaware of his drug addiction problem. This information was not shared with either him or his wife, yet the information was shared between members of the medical team treating him. At least two of the three doctors who had been treating Justin were aware of his addiction to heroin.
At the hearing Wolfe said “With the HIPAA regulations, if I would have known, and would have been apprised that he was doing heroin, a whole different strategy would have been proposed and mandated as far as him getting the proper care that he deserved and needed.”
Wolfe believes that in cases such as his, parents should be informed of their children´s health problems. While his son was 21, and therefore a legal adult and technically not under their care, his son was actually covered by his father’s health insurance policy, as allowable under the Affordable Care Act which permits inclusion until the age of 26.
Wolf argues “we should have an exception where the parents or legal caretakers of a minor or emancipated adult with drug abuse or mental health histories who continue to cover them with health coverage or continue to support them financially, have access to their health care records until the age of 26 to prevent them from harming themselves or society.”
Wolfe gave three examples of actions his son took that endangered the health of others, including placing his other son’s lives in jeopardy. These actions would have been prevented if Mr. Wolfe had been made aware of his sons heroin use. Under HIPAA regulations information has been withheld which goes against the main premise behind the legislation; to protect patients.
At the hearing it was decided that current laws allow the release of this kind of PHI information under the circumstances described. No changes to legislation are necessary if an exception or permission currently exists. Wolfe believes that more clarification is required to make it clear when PHI can and cannot be disclosed and for this to be communicated throughout the healthcare industry. In the current climate, patient privacy and security is being placed above all else, which may not be to the benefit of the patient in question.
Had Wolfe’s son signed a HIPAA release form, doctors would have been able to disclose the information and no document had been in this case. Disclosure of PHI without a consent form is forbidden, although there are exceptions.
It is possible to disclose PHI to family members when there is a serious risk to health or safety, or imminent danger of harm to oneself or others. Leon Rodriguez, Director of Civil Rights at the OCR has stated that in instances such as this doctors have “clear authority” to inform parents, and a moral responsibility to do so if the health of the patient – or others – would be “seriously adversely affected,”
Detractors of the current legislation argue that in this regard parents and other family members should be informed of the problem as they are an integral part of the care team. Unfortunately, parents are being kept in the dark about issues such as drug addiction if no release form has been signed. This is a particular problem as adolescents move into adulthood, when drug addiction and mental health problems are likely to develop.
Many doctors appear to be unclear about when information can be disclosed and err on the side of caution. There is a current climate where PHI can and should be disclosed, but it is not done so voluntarily; only when there is a mandatory obligation to do so. There is a threat of a heavy fine for improper disclosure – currently up to $11,000 – potential civil suits and additionally, the difficult language used in the legislation makes it hard to interpret when disclosure of PHI is permissible.
According to Rodriguez the law I clear: “In those cases where there is a serious and imminent risk of harm to health or safety, HIPAA has a clearly recognized exception for disclosure in those cases. When I say an imminent risk to health or safety, it is not simply the scenario of an individual going out to commit a violent crime, but in fact, it covers a number of possible scenarios that a health care provider, particularly a mental health care provider, may encounter. We take our obligations to educate providers and patients on these flexibilities seriously.”