Health Information Compliance Alert

Published on Sat Aug 05, 2006 PDF

3 scenarios help you when patients can't speak for themselves.

It's a common occurrence in many health care facilities: A patient arrives at your facility and is unable to speak, much less sign an authorization to disclose his protected health information. Do you know what medical information you're allowed to disclose to the patient's family and friends?

In general: As a covered entity, you're allowed to disclose PHI to family members, relatives or close personal friends as long as that data is directly related to their involvement in the incapacitated individual's care or payment related to that care, notes Dr. Rory Jaffe, chief compliance officer with the UC-Davis Health System.

But there are unique circumstances that make PHI disclosure rules tricky. Take a look at these three different scenarios regarding requests for an incapacitated patient's PHI--and what the correct response should be:

Example #1

If a heart attack patient is incapacitated or otherwise unable to make decisions about PHI disclosures, "you may inform relatives or others involved in [that] patient's care, such as the person who accompanied the individual to the emergency room," explains Jaffe, and you can "provide updates on the patient's progress and prognosis when the patient is incapacitated."

Example #2

If you suspect that an incapacitated patient is the victim of domestic abuse and that the person seeking information about the patient may be the abuser, then don't disclose any information about the patient to the suspected abuser "if there is reason to believe that such a disclosure could cause the patient serious harm," Jaffe warns.

Example #3

If, say, you want to contact a priest to provide last rites to an incapacitated patient you know to be Catholic, but there are no family or friends available and the call to the priest is not considered treatment, ask yourself if such a call is in the patient's best interests.

Up to you: That's for you to decide, according to the privacy rule, notes attorney Gretchen McBeath with Bricker & Eckler in Columbus, OH. McBeath acknowledges that there may be situations where you feel it's absolutely necessary to disclose an incapacitated patient's PHI to someone who does not meet the HIPAA definition of family and friends involved with the care or payment of the patient, but she urges you to use your own professional judgment in such cases. 

And Jaffe admonishes facilities to ensure that any disclosures you make are directly related to that patient's care, and advises CEs to disclose PHI only when the patient benefits from such disclosures.

Remember:  When making decisions involving incapacitated patients and patients in emergency situations, HIPAA does not prevent you from deciding whether to include some portions of the patient's information (the individual's name, perhaps) but not other information (such as location in the facility) as long as those disclosures protect that patient's best interests. 

If a patient is incapacitated and there is no legal representative available to sign an authorization, from a pure legal standpoint, the health care provider should go to court and have the court appoint a legal guardian or power of attorney for the incapacitated patient, McBeath tells Eli. 

McBeath says a patient's lack of representation is especially common in facilities where patients suffer from dementia. In such cases, if an authorization is required and the provider cannot find any exception in HIPAA to permit a disclosure of the patient's PHI, such a disclosure would be a violation of HIPAA if the patient were unable to sign.

Care takes precedence: "HIPAA red tape should never stand in the way of disclosures that are necessary for the welfare of the patient or the general public's health and safety, says McBeath. On the other hand, "disclosures that are solely for the provider, such as for marketing, fundraising, et cetera should be done in strict compliance with the HIPAA rules."