Healthcare organizations face difficulties as they try to keep pace against cybersecurity threats that can compromise patient health information. A recent study revealed that twenty-four percent of healthcare employees had trouble identifying a handful of common signs of malware and more than twenty-five percent showed an inability to recognize phishing emails.[1]
While privacy is a major concern of the Health Insurance Portability and Accountability Act,[2] there are more than ten exceptions that allow covered entities to disclose patients’ protected health information without patient approval.[3]
In this module, we explore how a patient can explicitly permit a hospital or healthcare provider to disclose his personal health information and learn about HIPAA regulations that permit the disclosure of private medical information even without the patient’s approval.
HIPAA’s Privacy Rule differentiates “consent” from “authorization”.[4] A medical patient who voluntarily discloses personal health information, such as treatment history or medication history, consents to sharing his private medical information for further treatment, payment, or health care operations.
On the other hand, a patient who signs a written document that permits a covered entity to use a patient’s protected health information for specified purposes, or to disclose protected health information to a third party authorizes to sharing his private medical information.[5] A standard HIPAA authorization and release form must be dated and signed by the patient and it must include several elements, including a section on the right to revoke or withdraw authorization and a section on how to withdraw authorization.[6] It must include a description of the protected health information to be used and disclosed, the purpose for which the information may be used, the party to whom the covered entity may make the disclosure and an authorization expiration date.
The authorization doesn’t need to be notarized, but the patient must receive a copy of the signed authorization.[7] When a patient signs an authorization and release form, he waives protection of the covered health information.
A patient can revoke an authorization, though the revocation must be in writing and is only effective when the covered entity receives it. For example, Kaiser Permanente, one of the United States’ largest healthcare delivery systems, provides patients with a template Revocation of Authorization form. This form includes a line revoking all previous signed authorizations and requires the revoking party to provide the date he provided authorization and the name of the covered entity that was to receive his protected health information.
Exceptions to HIPAA’s Privacy Rule
A patient’s protected health information can be released without authorization in twelve different scenarios, collectively referred to as national priority purposes.[8] With these exceptions, the Privacy Rule allows a covered entity to reveal health information to serve purposes outside of the healthcare context.[9] The reasons for some of these exceptions, such as allowing a covered entity to reveal a patient’s personal health information to coroners, funeral directors, or medical examiners and for matters regarding cadaveric organ and tissue donation are self-evident. Others require analysis and explanation.
The first is an exception for uses and disclosures required by law, statute, or other regulation. For example, assume that an electrician living and working in Nebraska suffers a debilitating injury. He then files a workers’ compensation claim because he can no longer earn a living and is disabled. Nebraska requires healthcare providers to provide insurers, upon request, with an injured worker’s medical records that relate to treatment or hospitalization for which he seeks compensation.[10] The doctors may therefore disclose information regarding his medical treatment to his insurer without his authorization and without violating HIPAA.
Under the second exception to the Privacy Rule’s non-disclosure requirement, a covered entity can disclose protected health information to public health authorities who are legally authorized to receive such reports to prevent or control disease, injury, or disability, or to ensure the quality, safety, or effectiveness of an FDA-regulated product or activity.[11] For example, assume that a county health department is interested in reducing the burden and prevalence of childhood asthma in the county.[12] As part of this interest, it wants to understand the disease and monitor county-wide cases and so it requests a weekly data file from each area hospital with information about county residents under age twenty-one diagnosed with asthma during an emergency department visit. Data includes patient race, gender, height, weight, and age. The health department will analyze the hospital data on a weekly basis for internal use and inform the public about environmental conditions that can trigger asthma attacks. Here, though the county hospitals are revealing protected health information of patients under the age of twenty-one without patient approval, the health department’s request falls within the HIPAA public health exception. The health department has clearly articulated a need for information and is receiving patient health information relating to public health activity.
Judicial and Law Enforcement Exceptions
Third, a covered entity may disclose protected health information to a health oversight agency when that agency conducts legal oversight activities, such as audits, inspections, disciplinary actions relating to a state’s healthcare system, or in exchange for government benefits such as Medicaid.[13] For example, Arizona Pioneers’ Home, a well-known retirement community based in northern Arizona,[14] is a covered entity under HIPAA because it is a provider of healthcare services and transmitter of health information. It must respect each resident’s privacy, but it may disclose residents’ protected health information to the Arizona Department of Health Services’ Bureau of Residential Facilities Licensing if that state agency is conducting an audit to ensure that the facility follows state laws regarding resident treatment.
The fourth exception is that a covered entity may disclose protected health information during a judicial or administrative proceeding. This exception allows the covered entity to disclose protected health information in these proceedings without a written authorization from the patient if it adheres to special litigation rules.[15] First, the disclosure during the judicial or administrative proceeding can’t exceed what the order directs. Second, the covered entity can only disclose protected health information if it’s been served with an attorney’s subpoena and the attorney issuing the subpoena has made reasonable efforts to notify the person whose protected health information is being disclosed that she’s requested a disclosure. Reasonable efforts include sending a written statement about the disclosure request and accompanying documentation with the case number, case name, and name of the court.[16] This notice alerts the person that his protected health information will be disclosed and enables him to file an objection to the disclosure. Finally, the covered entity itself can make reasonable efforts to notify the person that it is disclosing his personal health information for litigation purposes and that it will return or destroy the health information at the litigation’s end.
Under the fifth exception, a HIPAA-covered entity can disclose protected health information to law enforcement without authorization.[17] Law enforcement authorities often need protected health information to perform their jobs, but this exception isn’t a blanket permission for police or other authorities to access protected health information whenever they want. The Privacy Rule limits the disclosure of protected health information for law enforcement purposes by setting forth that the disclosure must be required by law and in response to specified law enforcement activities.[18] For example, such a disclosure is permitted to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; to locate a suspect, witness or fugitive; to report evidence of a crime that occurred on the covered entity’s premises; or to alert law enforcement to the death of a person when there is suspicion that his death is due to criminal conduct.
In United States v. Elliott, a federal court faced the issue of whether evidence regarding a driver’s blood alcohol concentration that was obtained from a hospital for a patient who was charged with driving under the influence could be admitted into the record.[19] The government used an improper subpoena to obtain the driver’s medical records and access the driver’s blood alcohol concentration at the time of his motor vehicle accident. Even with the procedural deficiency, the court held that the disclosure fell within the law enforcement exception, reasoning that the government’s interest in obtaining the driver’s medical records and to prosecute a drunk driver outweighed the driver’s right to withhold the medical records. Suppressing the driver’s medical records was not an appropriate sanction for the government’s use of an improper subpoena to obtain the records from the hospital under HIPAA.
Government Duties Exceptions
In early 2016, President Barack Obama issued a series of Executive Orders that increased a covered entity’s ability to report a person’s protected mental health information to the background check system for those wanting to purchase firearms.[20] Now, a covered entity may use or disclose protected health information for purposes of reporting information to the National Instant Criminal Background Check System. Known as the NICS, the system is a federal database that stores information about people prohibited by law from possessing firearms. The protected health information that a covered entity can reveal to NICS remains limited and narrowly tailored as the Executive Orders stipulated that the information that could be disclosed is the minimum necessary identifying information about individuals who have been involuntarily committed to a mental institution or otherwise have been determined by a lawful authority to be a danger to themselves or others.[21] Protected health information, such as diagnostic, clinical, or other mental health treatment information, remains private and unavailable to disclosure to NICS, even though the exception has been expanded.
The sixth exception is that a covered entity can release protected health information to the government for the completion of government duties and functions, which include military and veteran activities, national security and intelligence activities, protective services for the President or other authorized persons or foreign heads of state, and certain law-enforcement-custody situations. The most common way this exception arises is with protected health information disclosures of inmates in a correctional institution, which the Privacy Rule classifies as a covered entity because it handles and stores medical information for thousands of people.
A correctional institution having lawful custody of an inmate may use and disclose protected health information of inmates for any legitimate purpose and to provide for the health and safety of that inmate and other inmates. The information can be disclosed to medical professionals working in the prison, prison guards, law enforcement officials and even bus drivers who transport inmates. This exception is necessary to protect the health and safety of the other inmates and prison staff and this necessity overrides the privacy interests of an inmate with a medical condition.
This exception protects the prison staff’s health and safety and ensures that an inmate isn’t doing something illegal while in a correctional institution and is adhering to rules and regulations. For example, an inmate of a Kentucky state prison provided a urine sample at the request of prison officials to screen for illegal drug use and the test results revealed that the inmate had marijuana in his system, in violation of prison policy.[22] The inmate sued the Kentucky Department of Corrections, alleging a HIPAA violation for disclosure of medical test results without his consent or authorization. The court disagreed and held that the prisoner’s rights under HIPAA were not violated when the laboratory shared the urine test results with the Kentucky Department of Corrections. HIPAA permits disclosure of medical information to correctional facilities having custody over individuals.
Health, Safety and Research Exceptions
Seventh, in cases of suspected abuse, neglect, or domestic violence, a covered entity can report the incident to the authorities and provide a suspected victim’s protected health information to authorities.[23] Abuse, neglect, or domestic violence involving adults may be reported to law enforcement if:
1) the report is required by state law; or
2) the report is expressly authorized by state law based on the professional judgment of the healthcare provider to prevent serious harm.
Many states have already enacted laws permitting covered entities and individuals, such as physicians and nurses, to report suspected child abuse. Additionally, covered entities may use and disclose protected health information to appropriate governmental agencies regarding such victims. These include situations in which there is mandatory reporting of child, elder or vulnerable adult abuse or domestic violence, and situations where people must report violent crime victimizations or have the duty to warn of a credible threat directed to, or at, an identifiable target.
Preventing abuse, neglect, and domestic violence are so important that courts have found this exception to have a broad reach. In United States v. Mathis, the defendant was charged with possession of child pornography.[24] The government sought notes and information from the defendant’s psychotherapist that may have revealed how he acquired child pornography. The federal court had to determine whether these notes and protected health information could be disclosed under the abuse, neglect, or domestic violence Privacy Rule exception. The court sided with the government and found that the psychotherapist’s notes could be disclosed. It reasoned that not only did Tennessee state law require the psychotherapist to report any information regarding possession of child pornography to the authorities, but the psychotherapist’s professional judgment to reveal this protected health information could prevent serious harm.
Finally, a covered entity can release a person’s protected health information in the case of medical research.[25] A researcher may submit a proposed project to an Institutional Review Board, which is a committee designated by an institution to review proposed research on human subjects.[26] The review board is the gatekeeper that balances the need for research with patient privacy. This board must find that a researcher has satisfied the following Privacy Rule waiver criteria before it approves of research with unauthorized protected health information:[27]
- The use or disclosure involves no more than minimal risk because of an adequate plan to protect protected health information from improper use or disclosure or to destroy personal health identifiers at the earliest opportunity;
- The research could not practicably be conducted without the waiver or alteration; and
- The research could not practicably be conducted without access to and use of protected health information.[28]
For example, if a study involves the use of protected health information pertaining to numerous people whose contact information is unknown, and it would be impractical to conduct the research if authorization from each person was required, the board could waive the authorization requirements for research participants if the board determines that all the Privacy Rule waiver criteria ha
[1] Elizabeth Snell, 78% of Healthcare Workers Lack Data Privacy, Security Preparedness, HealthIT Security, (Feb. 6, 2018), https://healthitsecurity.com/news/78-of-healthcare-workers-lack-data-privacy-security-preparedness.
[2] Stephanie Pearl, HIPAA: Caught In The Cross Fire, 64 Duke L.J. 559, 582-83 (2014).
[3] See Jesse Pines, et. al., 10 Times HIPAA May Not Apply. Emergency Physicians Monthly, (Sept. 1, 2015), http://epmonthly.com/article/10-times-hipaa-may-not-apply/.
[4] What is the Difference Between “Consent” and “Authorization” Under the HIPAA Privacy Rule?, Health Information Privacy, U.S. Dep’t of Health & Human Servs., (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html.
[5] 45 C.F.R. § 164.508; What is the Difference Between “Consent” and “Authorization” Under the HIPAA Privacy Rule?, Health Information Privacy, U.S. Dep’t of Health & Human Servs. (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/faq/264/what-is-the-difference-between-consent-and-authorization/index.html.
[6] 45 C.F.R. § 164.508
[7] 45 C.F.R. § 164.508.
[8] Exceptions to the HIPAA Privacy Policy, Universal Class, (last visited May 28, 2018), https://www.universalclass.com/articles/medicine/exceptions-to-the-hipaa-privacy-policy.htm.
[9] Summary of the HIPAA Privacy Rule, Health Information Privacy, U.S. Dep’t of Health & Human Servs., (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
[10] Neb. Dep’t Ins. Tit. 210, Chap. 87, http://www.sos.ne.gov/rules-and-regs/regsearch/Rules/Insurance_Dept_of/Title-210/Chapter-87.pdf.
[11] Summary of the HIPAA Privacy Rule, Health Information Privacy, U.S. Dep’t of Health & Human Servs., (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
[12] Using Electronic Health Data for Community Health, de Beaumont Foundation, John Hopkins, (Nov. 2017), http://www.debeaumont.org/wordpress/wp-content/uploads/Electronic-Health-Data-Report-1.pdf.
[13] Permitted Uses and Disclosures: Exchange for Health Oversight Activities, Off. of the Nat. Coordinator for Health Info. Tech., U.S. Dep’t of Health & Human Servs., https://www.healthit.gov/sites/default/files/phi_permitted_uses_and_disclosures_fact_sheet_012017.pdf.
[14] Notice of Privacy Practices, Arizona Pioneers’ Home, (last visited May 28, 2018), https://pioneershome.az.gov/about/hipaa.
[15] Beverly Cohen, “Reconciling the HIPAA Privacy Rule with State Laws Regulating Ex Parte Interviews of Plaintiffs’ Treating Physicians: A Guide to Performing HIPAA Preemption Analysis,” 43 Hous. L. Rev. 1091, 1101 (2006).
[16] 45 C.F.R. § 164.512.
[17] Summary of the HIPAA Privacy Rule, Health Information Privacy, U.S. Dep’t of Health & Human Servs., (July 26, 2013),https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
[18] 45 C.F.R. §164.512(k)
[19] United States v. Elliott, 676 F. Supp. 2d 431, 433-34 (D. Md. 2009).
[20] William Maruca, Firearms, Mental Health, Executive Orders and HIPAA: A Volatile Mix, Fox Rothschild, LLP, (Jan. 6, 2016), https://hipaahealthlaw.foxrothschild.com/2016/01/articles/articles/firearms-mental-health-executive-orders-and-hipaa-a-volatile-mix/.
[21] Marianne Kolbasuk McGee, HIPAA Privacy Rule Modified for Gun Background Checks, Gov. Info Security, (Jan. 5, 2016), https://www.govinfosecurity.com/hipaa-privacy-rule-modified-for-gun-background-checks-a-8780.
[22] McMillen v. Kentucky Dep’t of Corr., 233 S.W.3d 203, 204-06 (Ky. Ct. App. 2007).
[23] Summary of the HIPAA Privacy Rule, Health Information Privacy, U.S. Dep’t of Health & Human Servs., (July 26, 2013), https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
[24] United States v. Mathis, 377 F. Supp. 2d 640, 645-46 (M.D. Tenn. 2005).
[25] Institutional Review Boards and the HIPAA Privacy Rule, Dep’t of Health and Human Servs,, (Aug. 2003), https://privacyruleandresearch.nih.gov/pdf/IRB_Factsheet.pdf.
[26] Id.
[27] The HIPAA Privacy Rule and Research, SOCRA, https://www.socra.org/publications/past-socra-source-articles/the-hipaa-privacy-rule-and-research/
[28] Id.