Part 3: What You Should Know about Uses and Disclosures (FAQs 55 - 65)
The HIPAA health privacy rule is long and complex. Implementation guides for use by the covered entities that must comply with the rule can be hundreds of pages. For example, the rule sets out ten administrative requirements for covered entities. They relate to designation of a privacy officer, privacy training for staff, establishment of safeguards, sanctions for violations, and the like. We are happy that the rule includes these requirements, but we don’t think that you need to know the details. The parts of the rule directly relevant to patients are long enough.
The most important part of the rule – after the provisions that define the rights of a patient – restricts use and disclosure of health information by covered entities. We’ve already discussed the seven patient rights. (See FAQs 13-54.) The rest of this guide focuses on the use and disclosure provisions.
55. Does HIPAA Really Restrict Use and Disclosure of My Health Records?
This is a tough question to answer in a simple way. The answer depends in part on your perspective. If you thought that your health records would never be disclosed without your consent, then you won’t think much of the HIPAA use and disclosure provisions.
One answer is that HIPAA regulates all uses and disclosures. If the rule does not allow a use or disclosure, then the only way that a covered entity can use or disclose the record is with your written authorization. If you think that sounds good, you should keep reading because the rule allows a large number of uses and disclosures without your consent. By the way, a use of information occurs when a covered entity makes a record available to someone within the organization that maintains the record. A disclosure occurs when a record is shared with someone outside the organization.
A second answer is that HIPAA allows many uses and disclosures to occur without any need for your approval. Typically, these are disclosures made so a covered entity can be paid for services, manage its operations, provide treatment, or comply with government reporting requirements.
It is genuinely difficult to count the number of categories of permissible uses and disclosures. Much depends on how you do the counting. The number of government and private institutions that can ask for and receive health records without your permission numbers in the tens of thousands. A covered entity can make nearly all permissible uses and disclosures without your consent or authorization. Indeed, with only a few exceptions, a covered entity can make most allowable uses and disclosures even over your express written objection.
A third answer is that HIPAA did not really change the practice for most covered entities regarding use and disclosure. Instead, HIPAA established universal standards and procedures for covered entities. The universal standards and procedures were new. However, the uses and disclosures that HIPAA allows are largely those that became routine in the last half of the twentieth century. Even many health care providers were not aware of how widespread the use and disclosure of health records had become. Before HIPAA, many providers thought that they only disclosed patient records with the consent of the patient, but it just wasn’t true. HIPAA made everyone pay attention to and learn about privacy, often for the first time.
The biggest drivers for the sharing of medical records are:
All of these activities and others contributed to the demand for access to individually identifiable medical records. Most of these activities serve important public or personal purposes, and it is not always easy to dismiss the HIPAA rule’s policies as anti-privacy. Disclosure often serves another significant but competing goal. Protecting privacy is only one objective in the health care system.
Second, too many activities that could have used non-identifiable records started at a time when few paid attention to privacy or to alternatives to the use of identifiable records. Methods that might have increased use of non-identifiable records do not always exist because nothing forced their development.
Third, it is increasingly difficult to talk about non-identifiable records. As the amount of data recorded and available throughout society increased, the domain of truly non-identifiable records diminished. It is easier and easier to identify records even though overt identifiers have been removed. To make the point, more than 85% of the population of the United States can be uniquely identified just by date of birth, gender, and five-digit zip code. All records, no matter how they may have been edited, may be potentially identifiable with enough time, effort, and other data. Powerful modern computers make it easier to link records and to re-identify records that have been “de-identified.”
56. Is My Consent Needed to Disclose Records for Treatment or Payment?
No. Medical records can be used and disclosed without your approval for treatment, payment, and health care operations. Treatment is the providing, management, or coordination of health care by a health care provider. The formal definition is slightly more complicated, but the basic concept is relatively simple.
The definition of payment is more complex. It includes activities by a health plan to determine coverage and provision of benefits and activities by a provider to obtain reimbursement. Payment also includes determining eligibility or coverage, including benefit coordination, cost sharing, adjudication and subrogation (making a third party pay) of benefits. It includes risk adjustment based on enrollee status and characteristics. Patient data may also be used for billing, claims management, collection activities for bad debts, and reinsurance activities.
We are not done with payment. It also includes review for medical necessity and appropriateness of care as well as utilization review, such as pre-certification and preauthorization services. Disclosure to credit bureaus of information relating to collection of premiums or reimbursement is another payment disclosure.
All of those activities, and perhaps a bit more, fall under payment. The breadth of payment activities reflects the complexity of the health care system, the multiple inter-relationships between providers and payors, and the range of insurance activities.
The definition of payment is just a warm up for understanding disclosures for health care operations, another category of disclosure that does not require patient consent. The formal definition goes on for about 400 words. It includes quality assessment, quality improvement, development of clinical guidelines, management and care coordination, review of provider competence, student training, underwriting, premium rating, medical review, legal services, auditing, fraud detection, business planning, business management, customer service, transfer or sale of a business, and fundraising.
We didn’t include every type of health care operation here, but you should already get the idea. Further, many of the functions mentioned here are complex tasks that encompass other layers of activities and involve the sharing of medical records with people far removed from any activity that the average person would readily identify as part of routine health care management.
57. Are Disclosures for Treatment, Payment and Health Care Operations Okay?
At one level, yes. Health care is a complex business that represents a large chunk of America’s economy. If you think about it, you may realize that major health care treatment and payment institutions are big businesses that engage in a wide variety of activities just like other businesses. Management and internal controls require access to some records. If we spent the time to list the comparable data-intensive activities engaged in by banks or governments, we would also find a long list of uses and disclosures of personal information that are, for better or worse, a routine part of those functions.
At one level, then, treatment, payment and health care operations (TPO) disclosures are routine. Just about all of the functions supported by TPO uses and disclosures went on before HIPAA, although few health professionals paid attention to them. Before HIPAA, if your consent was sought for the sharing of your records for these purposes – and it frequently was not sought – you weren’t told any of the specifics. Doctors, hospitals, and insurers asked patients to consent to “any and all disclosures” without telling patients what that meant.
HIPAA eliminated the need for consent for TPO. A covered entity may still seek your consent, but this seems to happen rarely. It is easier to rely on the authority provided by the rule to justify use and disclosure. Some privacy advocates see the lack of consent as a great gap in privacy protection that removes any pretense of patient control over records.
58. Do I Have a Say in Any Disclosures? (Facility Directories and Caregivers)
Yes, but only in a few circumstances.
First, if you are in a facility (e.g., an inpatient in a hospital), the facility can disclose basic information about your presence, location, and general condition through a facility directory. One limitation is that the facility can’t reveal information that discloses specific medical information about you (e.g., you are an inpatient on the psychiatric floor or are in a kidney dialysis unit).
The idea behind facility directory disclosures is that if someone comes to visit you or sends flowers, the hospital can say that you are there and, perhaps, where you are. The hospital may disclose your religious affiliation, but only to a member of the clergy.
You have a right to object to facility directory disclosures. The covered entity must offer you an opportunity to object to the inclusion of your information in a facility directory. If, because of incapacity or emergency treatment, you weren’t offered the chance to object, the hospital can still make limited disclosures in emergency circumstances. For example, if you are unconscious, the emergency room can tell your spouse where you are. That seems perfectly reasonable.
Second, HIPAA has a complex set of rules governing disclosures to caregivers. A caregiver can be your next of kin, other family member, or another person involved in your care (e.g., a roommate). The HIPAA rule allows disclosure of information relevant to the caregiver’s involvement in your care. A covered entity can make a disclosure to locate a family member or other caregiver.
If you (the patient) are present at the time of a disclosure to a caregiver, the covered entity can seek your agreement, offer you an opportunity to object, or reasonably infer from the circumstances that you do not object. Essentially, the rule specifically allows the exercise of professional judgment for the types of disclosures that have long been made to caregivers.
If a patient is not present or is incapacitated at the time of disclosure, the covered entity may exercise professional judgment and make disclosures directly relevant to a caregiver’s responsibility. Thus, the rule allows your spouse to pick up your prescription at the pharmacy without written consent from you.
Another provision addresses disclosures for disaster relief purposes. An example is disclosure to the Red Cross following a hurricane. The disaster relief provision, after a bit of confusion, allowed appropriate disclosures during and after Hurricane Katrina.
Third, a covered entity can use or disclose information for its own fundraising purposes. The allowable fundraising disclosures are limited to dates of care and demographic information. You have the right to object to these disclosures, and you must be notified of the right in any solicitation. A hospital can call you on the telephone asking for a contribution. However, if you object to the use of your information for fundraising, the hospital can still demand that you object in writing. That strikes us as a bit unbalanced. You should be able to object while on the telephone, and the objection should be valid.
Fourth, you have the right to authorize the disclosure of your health records to anyone you like. The HIPAA rule sets standards for authorization forms, and if a form does not meet HIPAA standards, then the form does not constitute patient authorization. We are not going to bore you with the technical requirements for authorization forms. We discuss the strategy for authorizations later. (See FAQs 62-64.)
When might a patient authorize disclosure? You might authorize disclosure if you are applying for life or disability insurance. You might authorize your doctor to send information to your employer or to a school to explain an absence. You could authorize your doctor to disclose your records to your lawyer, a family member, or a researcher. You might want records disclosed to support a disability claim made with the Social Security Administration. It is also possible that you might even want to share your records with the police under some circumstances (perhaps to clear you of suspicion).
For the most part, however, HIPAA has defined the range of non-consensual uses and disclosures to include nearly every possible disclosure that is either necessary or convenient for the health care system to operate or for the government to carry out its many functions. After all, the HIPAA rule was written by the Department of Health and Human Services, one of the biggest users of health records in the country. The first thing that HHS did in writing the rule was to take care of its own interests in obtaining access to records.
59. Does HIPAA Allow Uses and Disclosures Without My Approval?
Yes, does it ever. The HIPAA rule allows dozens of different uses and disclosures without any need for patient consent or authorization. The rule permits so many uses and disclosures that it is hard to count them. The rule has about five pages of dense type describing allowable uses and disclosures of health records.
One important feature of the rule’s allowable uses and disclosures is that they are mostly permissive. Just because a use or disclosure can be made without violating the rule does not mean that a covered entity must make the disclosure. A covered entity can just say no to almost any person who asks for a disclosure permitted by the rule. This means that the rule itself is not the most important factor in determining how your record may be used or disclosed. In most cases, it is up to your health care provider or insurer to decide whether to make your record available for a particular activity. If anyone tells you that HIPAA requires a disclosure, you should be very suspicious.
The only two types of disclosure that the rule actually requires are:
We will go over one type of allowable use and disclosure in detail in FAQ 59 to give you better insight into the complexity of use and disclosure.
60. What Are Uses and Disclosures Required by Law?
We want to discuss the category of uses and disclosures required by law. For purposes of this discussion, we will focus on disclosures rather than uses. HIPAA recognizes that other laws sometimes require the disclosure of health records. In one of the shortest sections dealing with disclosure, HIPAA says that a covered entity can make a disclosure that is required by law.
What does this mean? It means that any federal, state or local law requiring disclosure of medical records remains in force. (A law means a statute or a regulation.) For example, when a state law requires a physician to report a suspected case of child abuse to a state agency, the HIPAA rule does not interfere with that disclosure (although it establishes some conditions on the disclosure). If a city passed an ordinance that said that the entire medical record of any individual hospitalized in a local hospital must be published in full in the local newspaper, HIPAA would permit that disclosure too.
We do not expect to see laws requiring newspaper publication of records of hospitalized patients any time soon. We just want to point out the breadth of the HIPAA deference to other laws. Any law, no matter what its purpose or scope, that requires disclosure is sufficient for HIPAA’s purposes. If another law says disclose, then HIPAA says disclosure is permitted but only to the extent of the requirements of the other law. Any compulsion about disclosure comes from that other law and not from HIPAA, however.
For some disclosures allowed by HIPAA, the rule provides that the procedures established by HIPAA continue to apply to covered entities even when disclosures are made under the authority of other laws. This is a complicated area, and you may want to skip the rest of this paragraph. For example, HIPAA allows disclosures to report suspected cases of abuse, neglect, or domestic violence to the proper authorities. Most or all states have comparable laws. HIPAA includes a set of procedures that a covered entity must comply with before or after making a disclosure of abuse, neglect, or domestic violence. Under some specified circumstances, the covered entity making the disclosure must inform the subject of the disclosure (i.e., the victim) about the disclosure. However, the rule specifies that in some circumstances, notifying the victim will place the victim in greater peril so telling the victim is not always required. The HIPAA rule says that if state law mandates disclosure about abuse, the covered entity making the disclosure must still comply with the HIPAA procedures. HIPAA also imposes additional duties for disclosures for judicial and administrative proceedings and for disclosures for law enforcement purposes.
However, for other allowable disclosures, none of the conditions in HIPAA applies if another law requires disclosure. For example, the HIPAA rule allows disclosures for health research under a lengthy and complex set of conditions. If a covered entity wants to make a disclosure for research, it must comply with all of the HIPAA conditions. However, if a state law requires disclosure for health research with fewer or no conditions, then HIPAA says that the disclosure can be made without complying with any of HIPAA’s conditions.
This is complicated stuff, and we have not covered all the nuances. The covered entities that make disclosures need to pay close attention to the details. The message for patients is that many laws affect the confidentiality of health records. If you thought that no one disclosed your medical records without your approval, keep reading to see how wrong you were.
61. What Are the Allowable Uses and Disclosures?
We will list each HIPAA category of allowable use and disclosure, together with some discussion as appropriate. (If we included every detail of every disclosure, the discussion would double the size of this guide.) A covered entity that must comply with the HIPAA rule needs to know all the specifics, but a patient generally only needs to be aware of the categories of uses and disclosures. Every covered entity’s notice of privacy practices should include some information about each type of allowable disclosure. Those who want to know more can read the rule itself.
62. What Should I Do if Asked to Sign an Authorization to Disclose my Record?
Although not everyone who asks you to sign an authorization will have a sinister motive, you should be cautious in signing an authorization for more disclosure of your information. Here are some things to look out for.
We want to emphasize that while we think that you should be cautious in signing authorizations, in some circumstances it will be the right thing to do. Being asked to sign an authorization should happen infrequently enough that you can spend a little time asking questions.
We would be cautious if asked to sign an authorization as part of the process for admission to a hospital. The HIPAA rule allows the hospital to make all the disclosures necessary for your care and for the hospital’s operations. If you are presented with an authorization to sign, ask questions. We have heard that some hospitals routinely collect authorizations that allow disclosures to employers. That is a type of disclosure that you may not want to permit without a specific reason. The hospital may seek a broad authorization for its own convenience so that it can make a disclosure without getting your signature later. We suggest that any extra paperwork may be worth it, because it may protect you. You can decline to sign the authorization, or you can limit its effectiveness to the period while you are in the hospital or perhaps for an additional week.
63. Do I Need a Disclosure Authorization to Care For My Elderly Parent?
Maybe. If you are helping a parent, other relative, or even an unrelated friend or neighbor, HIPAA allows a provider to disclose to a person who is involved in a patient’s care. These people are sometimes called caregivers, and the rule governing caregivers is discussed elsewhere. (See FAQ 58.) While the HIPAA caregiver policy usually works well, it may be useful to have a written authorization from the patient. This is good advice especially if you will be caring for someone for a long time, if there are many health care providers involved, or if you expect to have to deal with an insurance company or Medicare. Don’t give away your original authorization. Keep copies because you may need them regularly. If you are giving care to someone at a hospital or nursing home, bring a copy with you at all times. The nurse who knows you may not be there tomorrow.
If you obtain a health care power of attorney for another person, the power should specifically mention the authority to obtain protected health information about that person. Protected health information is the formal HIPAA term for a health record. You can obtain a power of attorney for a patient just for HIPAA disclosure purposes without having the authority to make substantive health decisions about the patient. If you sign or receive a broad health care power of attorney that authorizes substantive health decisions, that same power of attorney should also authorize disclosures to support those decisions.
64. What Can I Do if I Foolishly Signed an Authorization?
You can revoke the authorization, but you have to do it in writing. Your ability to revoke an authorization is restricted if a covered entity has taken action in reliance on the authorization or if the authorization was obtained as a condition of obtaining insurance coverage.
Remember that revoking an authorization may not be enough. The covered entity that you authorized to disclose your records must receive a copy of your revocation. If the authorization was obtained by a third party, you should make sure that the third party receives a copy of the revocation. If a third party obtained the authorization for your records from a specific hospital, formally notifying the hospital in writing that you revoked the authorization is also important.
65. Can My Health Records be Used for Marketing?
The short answer is no, but the correct and longer answer is more complicated. Let’s go through it step by step.
The HIPAA rule tells covered entities that they can only use or disclose health records for marketing with the authorization of the patient. One reason for being careful with authorization is to make sure that you don’t casually authorize disclosure of your records to a company that wants to use them for marketing. Remember that other activities can reveal your medical history. If you accept a drug manufacturer’s coupon for a prescription drug, the manufacturer will learn your name and other information that it didn’t have before. Drug manufacturers are not covered entities or subject to privacy laws. Signing up for a disease-specific newsletter will also reveal your name and medical information.
HIPAA has two exceptions that allow marketing uses and disclosures. The first permits face-to-face communications by a covered entity to a patient. The second allows promotional gifts of nominal value provided by the covered entity. Under the first exception, for example, a nurse can invite you to visit the hospital’s new weight loss clinic. Under the second, the hospital can give you a refrigerator magnet with the phone number of its well-baby clinic. If the covered entity undertakes any marketing activity because someone, such as an outside entity, pays it to do so, then the covered entity must tell you it is being paid. The basic marketing rule is pretty good as far as it goes. Most doctors believe, and will tell you, that using – and especially disclosing – health records for marketing is unethical anyway.
So far, so good. The rule allows uses and disclosures for treatment purposes and for health care operations. When does a treatment recommendation constitute marketing? The line can be hard to draw. Advice from HHS says that any communication for the patient’s treatment, case management, care coordination, or recommendation of alternative therapies is permitted to the extent reasonably necessary. Further, population-based activities for health education or disease prevention (“Don’t Smoke!”) can also be okay.
The problem in line drawing here is that legitimate health activities overlap at the edges with marketing activities that many people are likely to find objectionable. Activities that fall on those edges can be characterized differently. Some activities that fall under the broad (and permissible) category of health care operations will look like marketing to some. When the answer requires a lawyer to dissect words, the result will be controversial at best.
The HIPAA rule helps a bit in limiting marketing disclosures. For example, you can expect that no covered entity will sell or rent lists of patients to drug manufacturers for the purposes of sending junk mail. However, there may be other forms of marketing-like activities that a covered entity’s lawyer may say are allowed under HIPAA.
We are not done yet, but we need more context to continue. If you receive mail hawking allergy medicines or medical devices for diabetics, does that mean that your allergist or internist or insurer or pharmacist gave your name and diagnosis to the advertiser? Anything is possible, but there are other, more likely, sources of the same information.
Marketing companies and list brokers sell or rent mailing lists of people by diagnosis. They offer lists of millions of people by dozens of different diseases and conditions. Where does the information come from? The answer is from many places, but you are the most likely source. If you show interest in a medical product by making a purchase, calling an 800 number, registering at a website, using a coded coupon, subscribing to a magazine, or entering a sweepstakes, you may reveal your interest and your diagnosis. If you fill out a warranty card or a consumer survey, any information about your health condition (“Why did you buy the vaporizer?”) that you reveal is likely to end up in a personal or household profile and can be used forever for marketing purposes. Those who read carefully already saw our warning about turning your health records over to a commercial, advertising-supported company offering personal health record (PHR) services. (See FAQ 9.) That is another way that your records can leak into the marketing system. Any slip puts your personal information in the permanent possession of marketers and profilers.