As a Covered Entity (CE) you disclose protected health information (PHI) throughout the day for treatment, payment, and health care operations (TPO). These TPO disclosures do not require you to obtain an authorization from the patient. An example of a treatment disclosure is drawing a patient’s blood at your clinic or practice and sending the specimen to a reference lab to obtain the results. Similarly, when you see a patient who needs to see a specialist and refer the patient to another provider, that referral is also a treatment disclosure. Payment disclosures occur when you bill an insurance provider for care rendered. This includes obtaining payment for care by billing Medicare, Humana, TRICARE, or any other healthcare insurance provider. Healthcare operations disclosures are the management actions you take to administer your overall healthcare program. Examples of healthcare operations disclosures include reviewing the competence or qualifications of your health care professionals, licensing or credentialing activities, conducting or arranging for medical review or legal services, and customer support, to name a few. Bottom line, you are permitted to use and disclose PHI for TPO without the patient’s authorization.
You are also permitted to disclose PHI without a patient’s authorization, or opportunity to agree or object, to avert a serious threat to health or safety. As a CE, you may, consistent with your state law or other applicable laws, disclose PHI if you believe the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and the person you notify is reasonably able to prevent or lessen the threat. The following two examples demonstrate how this provision in the rule can be used.
A clinic learns that a child has tested positive for tuberculosis. Upon learning that the child attends a local day care center, the clinic contacts the center immediately to have the child separated from the other children and isolated until the child can be picked up by his parents. The threat to the health of the other children is the contagious disease the child has, and the person(s) notified of this PHI have the ability to lessen the threat by isolating the child from the other children. In another example, a post-partum mother contacts the clinic and tells the front desk clerk that she feels depressed and is having thoughts of harming her newborns. After the mother ends the phone call, the clerk contacts the neonatal ward where the newborns are located, notifies them of the mother’s psychological condition, and contacts the police. When the mother arrives at the hospital where her newborns are, the police and a doctor are there to meet her at the door and assist her through her temporary crisis. The threat to the safety of the newborns is the mother’s ideation about harming them, and the PHI is the mother’s post-partum depressed condition.
In both examples above, the threat to the children and newborns is imminent and the individuals contacted were reasonably able to prevent or lessen the threat. To make a disclosure under this part of the HIPAA rule, the threat must be imminent, not merely a probability or an “it could happen” situation. In addition, the individual(s) contacted must be able to lessen or eliminate the threat. It is important to understand that when you make this type of disclosure, the rule recognizes you are doing so in “good faith” based on your reasonable belief at the time that an imminent threat to health and safety exists. As explained in the HIPAA rule preamble, this approach is consistent with the “duty to warn” third persons at risk, which had been established through case law. In Tarasoff v. Regents of the University of California (17 Cal. 3d 425 (1976)), the Supreme Court of California found that when a therapist’s patient had made credible threats against the physical safety of a specific person, the therapist had an obligation to use reasonable care to protect the intended victim of his patient against danger, including warning the victim of the danger. In the Tarasoff case, the patient told the doctor of his desire to kill Tarasoff, but the victim was never warned and was subsequently murdered. To be clear, the HIPAA rule is not intended to create a duty to warn or disclose; rather, it permits the CE to make a disclosure to avert a serious and imminent threat to health and safety.
As a CE, it is important to understand how this part of the HIPAA rule works and to ensure your staff have been trained to recognize this type of situation. The specific citation that addresses this type of disclosure can be found at 45 CFR 164.512 (j)(i), “Uses and disclosures for which an authorization or opportunity to agree or object is not required: Standard: Uses and disclosures to avert a serious threat to health or safety.” This type of disclosure is also accountable and should be added to the Accounting of Disclosures list. For further questions on this subject or how HIPAAtrek can help you with your HIPAA compliance program, please contact our Account Executive Theresa Zemcuznikov at email@example.com.
In a recent court case in the state of Kentucky, Hereford v. Norton Healthcare, Inc. d/b/a Norton Audubon Hospital and Phyllis Vissman (Ky. Ct. App. July 21, 2017), a nurse sued her employer after being fired for a HIPAA violation. A patient had filed a complaint against the nurse because she was speaking too loudly and other patients could hear what she was saying. This case is about incidental disclosures and using only the minimum necessary PHI to accomplish a job.
In this scenario, the nurse was helping other technicians prepare for a medical procedure. She told them to wear gloves because the patient had Hepatitis C. A patient filed a complaint because they felt she was too loud and other patients could hear her. This is considered a privacy violation. However, if she had kept her voice down so no one could hear her except the technicians, she would have been working within the rule.
To be clear, the HIPAA rule does allow for incidental disclosures that occur when you are doing your job correctly. For example, a couple of patients can be checking in at a front desk with partitions or dividers, and conversations may be heard. If the clerks are taking reasonable safeguards to speak quietly, then anything a patient hears would be considered an incidental disclosure and not a violation. In addition, when conducting business, only disclose the minimum amount of medical information you need to get the job done.
In contrast, if reasonable safeguards or the minimum necessary standard are not used, a violation of the privacy rule will occur. The courts ruled that the nurse did not take the reasonable safeguard of speaking quietly when warning her colleagues to wear gloves. Additionally, the courts found she did not use the minimum amount of protected health information needed to accomplish the necessary purpose. In other words, she could have simply reminded her colleagues to wear gloves without using the term Hepatitis C.
The best way to prevent these situations from occurring is to train your staff. A well-trained staff will be able to navigate different situations, including the one this nurse encountered, without compromising a patient’s privacy. Therefore, ensure all staff are provided initial HIPAA training when they begin employment. You can also conduct periodic training and send out privacy reminders. While patient privacy is important, protecting the organization from litigation is important as well. We at HIPAAtrek believe training is paramount to a robust HIPAA compliance program and have created a compliance software program to provide you all the tools you need, including HIPAA training. I invite you to look at how we can help your organization by contacting our Senior Account Representative, Theresa Zemcuznikov, at firstname.lastname@example.org and letting her know you want to see our training platform. Until then, happy HIPAA trekking.
Soon after implementation of the HIPAA privacy rule, some staff members would conclude that a violation had occurred because a doctor and a nurse were overheard speaking about a patient’s PHI, or a technician called out a patient by their actual name in the waiting room, or a white board at a nursing station contained PHI of patients on the Intensive Care Unit. Staff had yet to learn about the “Incidental Disclosure” rule that allows for incidental uses and disclosures that occur as a by-product of a use or disclosure permitted by the privacy rule, as long as reasonable safeguards are in place.
The same can be said today about breaches. There are still some staff members and some privacy officers that conclude that a breach has occurred when in fact the incident itself falls under an exception to the breach rule. With the implementation of the Omnibus rule on January 25, 2013, significant modifications to the breach notification rule were made to include three distinct exceptions to a breach. The definition of a breach remains the same and reads as follows: “a breach is defined as the acquisition, access, use, or disclosure of protected health information (PHI) in a manner not permitted under the privacy rule which compromises the security or privacy of the protected health information”. However, if the incident falls under one of these three exceptions, no breach has occurred. Let’s take a closer look at each of these exceptions as described by the breach notification rule.
The first exception to a breach involves any unintentional acquisition, access, or use of PHI by a workforce member or other person acting under the authority of the CE or BA, if the acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted by the privacy rule. For this exception to apply, the access must be unintentional and in good faith, which can occur when a workforce member accesses the wrong patient’s chart. This exception would not apply if a technician is purposely “snooping” through electronic health records, as this is not unintentional and certainly not in good faith. Additionally, the unintentional access would have to occur while the technician is conducting the duties she is authorized to perform. Finally, after the unintentional access, the PHI cannot be further disclosed in a manner not allowed by the privacy rule. For instance, if the information is further disclosed for a treatment activity, this exception would still apply. However, if the information garnered through the unintentional access is shared for “gossip” purposes, this first exception to a breach would not apply. In summary, the unintentional acquisition, access, or use must have been done in good faith, as part of the workforce member’s official duties, and not further disclosed in a manner not allowed by the privacy rule.
The second exception to a breach involves any inadvertent disclosure by a person who is authorized to access PHI at a CE or BA to another person authorized to access PHI at the same CE or BA, or organized healthcare arrangement in which the CE participates, and information received as a result of such a disclosure is not further used or disclosed in a manner not permitted by the privacy rule. For this exception to apply, the disclosure must be inadvertent. For example, a nurse on the B Ward inadvertently e-mails Dr. Serrano the wrong lab results. Dr. Serrano views the results noting that they belong to another patient and notifies the nurse who then sends him the correct lab results. Dr. Serrano deletes the e-mail and does not further disclose the lab results to anyone else in a manner not allowed by the privacy rule. Both the nurse and the doctor are authorized to access PHI, they both work at the same CE, and Dr. Serrano did not further disclose the PHI in a manner not allowed by the rule, thus this exception applies.
The third and final exception involves a disclosure of PHI where a CE or BA has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain the information. The preamble to the HIPAA rule uses the example of a CE that, due to a lack of reasonable safeguards, sends a number of explanations of benefits (EOBs) to the wrong individuals; a few of the EOBs are returned by the post office, unopened, as undeliverable, so the CE can conclude that the improper addressees could not reasonably have retained the information. However, the EOBs that were not returned as undeliverable, and that the CE knows were sent to the wrong individuals, should be treated as potential breaches. The key for this exception to apply is whether the unauthorized person is able to retain the information. For example, sometimes pharmacies hand out the wrong prescription bag to a patient. If the patient walks to the exit, discovers it is the wrong medication, and quickly returns it to the pharmacy, the pharmacy can make an on-the-spot assessment as to whether the patient (the unauthorized person) was able to retain any of the demographic information belonging to the wrong prescription, i.e., name, DOB, etc. If the patient has not retained any of the information, this exception to a breach will apply.
In conclusion, the framers of the HIPAA privacy rule were aware of instances where unintentional or inadvertent uses or disclosures within a CE or BA, or disclosures to unauthorized individuals who could not reasonably retain the PHI, would pose little to no threat of compromise to a patient’s PHI. As a result, these three exceptions were created. When your next potential breach surfaces at your organization, don’t jump to conclusions. First gather all the facts and then determine if an exception applies. If so, document the incident and the exception you applied, and retain that documentation in your appropriate log or files. If none of the exceptions apply, proceed with the four-factor breach assessment to determine if there is a low probability of compromise to the PHI. The steps for the assessment are provided here: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
The need for Business Associate Agreements (BAAs) is not a new one. They have been required since the inception of HIPAA. As the HHS Office for Civil Rights (OCR) has increased its enforcement of HIPAA compliance, organizations that are required to be compliant with HIPAA should review their business associate lists to verify that every business associate has a BAA in place.
Yesterday (April 20, 2017), the OCR announced a settlement of $31,000 with a non-profit located in Illinois. The non-profit had failed to enter into a BAA with one of its vendors that stores records containing PHI.
Settlement cases cost far more than the amount owed to the OCR as a result of the compliance deficiency. When an organization settles with the OCR for a HIPAA violation, the organization is placed on a Corrective Action Plan (CAP). CAPs can be extensive, particularly for small organizations.
In the case of the Illinois non-profit, it has to create policies and procedures within 60 days and train its staff within 30 days of finalizing the policies. This will be a costly and time-consuming endeavor for the organization. In addition to creating policies and training its staff, the organization is also required to make annual reports to the OCR on its compliance status.
Not only does this organization have to pay the OCR $31,000 and pay to create policies and train its staff, it also faces a potential reputational impact, which could cost the organization further.
Some organizations struggle with identifying their business associates. Examples of potential business associates include (but are not limited to):
- EMR/Practice Management (billing) software companies
- Consultants that have access to PHI
- Outside IT vendors
- Outside Billing Company
- Leased Copier/Printer/Scanner (if the device has a hard drive)
- Record Storage companies
- Any other software, consultant, or vendor that accesses, stores, or transmits PHI
For more information on BAAs, visit: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
Happy HIPAA trekking!