
Clarifying a patient’s misunderstanding of the HIPAA privacy rule


Understanding HIPAA's Privacy Rule clarifies how incidental disclosures in health care settings are permissible, ensuring patient privacy while facilitating essential communications.

HIPAA | © MclittleStock - stock.adobe.com


Pause for a moment and think – have I ever been to a doctor’s office or another covered entity setting, such as a laboratory or physical therapy practice? The answer is likely “yes.” Now, what happens when you check in at, say, a cardiologist’s office? You check in, perhaps confirm some basic information verbally, and sit down. Then a nurse or assistant calls your name to come back to be seen. Health Insurance Portability and Accountability Act of 1996 (HIPAA) violations? Very, very unlikely if one actually understands the HIPAA Privacy Rule. But why?

Initially published in the Federal Register on December 28, 2000, the HIPAA Privacy Rule, as the U.S. Department of Health and Human Services (HHS) states, “does not require that every risk of an incidental use or disclosure of protected health information [PHI] be eliminated. A use or disclosure of this information that occurs as a result of, or as ‘incident to,’ an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the ‘minimum necessary,’ as required by the Privacy Rule.”

45 CFR § 164.506 seeks to balance personal privacy protections against the risk of creating unnecessary barriers to the delivery of quality health care. A separate Final Rule related to the Privacy Rule, published in the Federal Register on August 14, 2002, addressed a likely common misconception that some patients may have about being asked their name or date of birth in an office or hospital setting and then having their name called out by a nurse or assistant to come back into a treatment room.

The August 2002 Final Rule’s outcome? There are a few items that are relevant.

  1. 45 CFR § 164.502 – Uses and Disclosures of PHI: “December 2000 Privacy Rule. The December 2000 Rule did not explicitly address incidental uses and disclosures of protected health information. Rather, the Privacy Rule generally requires covered entities to make reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. See § 164.502(b).”
  2. March 2002 Notice of Proposed Rule Making: “After publication of the Privacy Rule, the Department received a number of concerns and questions as to whether the Privacy Rule's restrictions on uses and disclosures will prohibit covered entities from engaging in certain common and essential health care communications and practices in use today. In particular, concern was expressed that the Privacy Rule establishes absolute, strict standards that would not allow for the incidental or unintentional disclosures that could occur as a by-product of engaging in these health care communications and practices. It was argued that the Privacy Rule would, in effect, prohibit such practices and, therefore, impede many activities and communications essential to effective and timely treatment of patients. For example, some expressed concern that health care providers could no longer engage in confidential conversations with other providers or with patients, if there is a possibility that they could be overheard. Similarly, others questioned whether they would be prohibited from using sign-in sheets in waiting rooms or maintaining patient charts at bedside, or whether they would need to isolate X-ray lightboards or destroy empty prescription vials. These concerns seemed to stem from a perception that covered entities are required to prevent any incidental disclosure such as those that may occur when a visiting family member or other person not authorized to access protected health information happens to walk by medical equipment or other material containing individually identifiable health information, or when individuals in a waiting room sign their name on a log sheet and glimpse the names of other patients.” (emphasis added).
  3. 2002 Final Modifications: “Final Modifications. In response to the overwhelming support of commenters on this proposal, the Department adopts the proposed provision at § 164.502(a)(1)(iii), explicitly permitting certain incidental uses and disclosures that occur as a by-product of a use or disclosure otherwise permitted under the Privacy Rule. As in the proposal, an incidental use or disclosure is permissible only to the extent that the covered entity has applied reasonable safeguards as required by § 164.530(c), and implemented the minimum necessary standard, where applicable, as required by §§ 164.502(b) and 164.514(d). The Department continues to believe, as was stated in the proposed Rule, that so long as reasonable safeguards are employed, the burden of impeding such communications is not outweighed by any benefits that may accrue to individuals' privacy interests.”

Take, for example, an office that uses an iPad for check-in. If the individual is asked for their date of birth, either by the device or by an attendant at the front desk, this is not a HIPAA violation. Presuming that the iPad is encrypted, no other patient names are visible, and appropriate user access controls are in place, the request meets the minimum necessary standard and has adequate safeguards. Likewise, if a patient is then called from the waiting room, that is not a HIPAA violation either.

HHS sums it up,

“the Department reiterates that the Privacy Rule must not impede essential health care communications and practices. Prohibiting all incidental uses and disclosures would have a chilling effect on normal and important communications among providers, and between providers and their patients, and, therefore, would negatively affect individuals' access to quality health care. The Department does not intend with this provision to obviate the need for medical staff to take precautions to avoid being overheard, but rather, will only allow incidental uses and disclosures where appropriate precautions have been taken.”

There are, however, instances where Privacy Rule violations have occurred because inadequate safeguards were present (e.g., in 2012 Phoenix Cardiac Surgery was fined $100K because a calendar of all appointments and patients was available online).

Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.

© 2025 MJH Life Sciences

All rights reserved.