Special Report: Striking the Balance: HIPAA & the ED
by Meghan Cosgrove, Esq., Centers for Medicare and Medicaid Services1
Editor's Note: In a previous issue, we focused on several common HIPAA issues that challenge ED staff members. This issue continues with more common privacy issues and how they affect the emergency department (ED). In a future issue we will discuss the Security Rule and future challenges of HIPAA.
E-Prescribing
In tandem with the movement toward electronic medical records, electronic prescribing has gained momentum, most notably with the mandate found in the Medicare Modernization Act to adopt standards by 2008.
The MedsInfo-ED experience is a good example of the continual balancing act that must occur between regulatory requirements, such as HIPAA, and improvements in patient safety and care. MedsInfo-ED is a Massachusetts clinical data exchange pilot that uses prescription claims data obtained from the six major area health plans to deliver patient medication history to ED clinicians at the point of care.2
HIPAA directs that when using or disclosing protected health information (PHI), covered entities must make reasonable efforts to limit the use or disclosure to the "minimum necessary" to accomplish the task in question.3 Due to this requirement, the patient search function in the MedsInfo-ED software asked for further information to narrow the search to a single patient rather than return multiple patient names and medication histories.4
At the time the MedsInfo-ED software was developed and implemented, all patients were required to verbally agree to the access of their medication history because of a Massachusetts consent law.5 While a manual physician override was incorporated into the software for emergency situations, notification of access was required once a patient's condition improved.6 The pilot software was further limited by a drug filter — necessitated by state laws — which protects certain categories of medication information, such as HIV/AIDS, mental health, or substance abuse, from disclosure without a patient's consent.7 Balancing the requirements of HIPAA with new and emerging technologies must evolve without frustrating clinicians and staff to the point of disuse.
Visitor issues
Decreasing the traffic of visitors to the ED, such as family members, also can help to avoid confidentiality breaches. The presence of family members may be a source of comfort to patients in the ED, but also may be a source of stress to both patient and staff. The question is not only how to draw the line between permissible and restricted visitors but also when. Seeking patient consent for the admission of a visitor is often the best route.8 In Arizona, for example, an ED clerk allowed a medicine man to visit a tribal elder who had been brought into its facility.9 Although admission of the medicine man may have reflected the patient's wishes, the clerk allowed the medicine man because of his position in the community, not because of patient consent.10 As a result of this violation, the hospital added medicine men to its list of approved clergy to give them approved access in certain situations under the HIPAA privacy rule.11
In addition to using patient consent to restrict visitors, many EDs limit visitors based on their level of relationship with a patient. However, imposing a relationship limitation can be problematic when it intersects with cultural, social, or religious beliefs. In the gypsy community, for example, it is important for the entire extended family to gather and keep vigil over the individual.12 Shifting social norms, such as the advent of gay marriage, also require a flexible approach to visitor policies. The nature or cause of a patient's injury also may require visitor restrictions. The potential presentation of victims of domestic, child, and elder abuse requires ED staff to be cognizant of the often unknown circumstances and parties responsible for a patient's injury and to act appropriately.
Obtaining patient consent and relationship restriction policies limit who is permitted in the ED, but when to restrict permissible visitors brings up additional issues of patient privacy. A current debate is whether relatives should be present during cardiac resuscitations. In a recent study, only 30% of the patients surveyed believed that the presence of family members during the resuscitation of a loved one violated a patient's confidentiality and privacy.13 In these situations, ED staff should be able to rely on written policies or guidelines to help determine whether relatives should be allowed during the resuscitation of a family member.
The best method to improve patient confidentiality and privacy overall is to eliminate all unnecessary visitors to the ED. Beyond reducing the volume of ED visitors, additional steps, such as obtaining patient consent before allowing a visitor and restricting visitors by their level of relationship with the patient, also serve to help maintain the privacy of a patient. In addition, written policies that guide staff on the issue of visitors during sensitive situations, such as cardiac resuscitations, are beneficial.
Issues related to minors
Disclosures made to parents, as the personal representatives of their minor children, present several challenges for ED clinicians and staff. The Privacy Rule requires covered entities to recognize the rights of "personal representatives" — those legally authorized to act for an individual.14 Under 45 C.F.R. §164.514(h), covered entities are required to verify whether a personal representative has the authority to act on behalf of another.15 In the ED — where time is of the essence — this type of verification is often a difficult task. It also may be complicated by factors such as a minor's level of consciousness, lack of identification, or the provision of false information.
The general rule is that parents are the personal representatives of their minor children. The Privacy Rule carves out three occasions when a parent is not the minor's personal representative:
1. When state law does not require parental consent before a minor seeks a particular health service and the minor consents.16 Example: Many states have passed laws that allow minors to consent to treatment related to sexual activity, substance abuse, and mental health care.17
2. Where a court or law grants health care decision-making authority for the minor to someone other than a parent.18 Example: A court may appoint a guardian for a minor, such as a grandparent, aunt, or other relative.
3. Where a parent consents to a confidential relationship between a minor and a physician.19
In these three situations, a parent is not afforded rights under HIPAA and, therefore, cannot control the minor child's PHI.
Parental rights and access to their minor child's PHI often is limited or expanded by the scope of state laws. Some states have 'mature minor' laws that give adolescents of a certain age more control over their own medical decision making, confidentiality, or both.20 These laws allow minors who are deemed sufficiently intelligent and mature to consent to treatment without parental consent.21 In addition, if a minor is deemed emancipated by court order or by state law, then he or she may obtain complete control over all PHI, including information amassed while unemancipated.22
As noted above, many states have laws that allow a child to seek a particular health care service without parental consent.23 In Alabama, for example, minors may seek outpatient mental health treatment without parental consent.24 Even if treatment was provided without parental consent, however, parents still may obtain a minor child's PHI provided the parent has the authority to act under state law.25 Parents have the authority to request disclosure if parental rights have not been terminated, the disclosure is not barred by state law, and there is no suspicion of abuse or neglect.26 State law may require a provider to obtain a minor child's permission before disclosure to a parent or may allow a parent to obtain access to a minor's record against a minor's wishes.27 In Iowa, for example, parental notification is required when a minor tests positive for HIV.28 The Privacy Rule defers to these state laws that require, permit, or prohibit the use or disclosure of a minor's PHI to a personal representative.29 Where state law is silent concerning parental access to a minor's PHI, a licensed health care professional at the covered entity has the discretion to permit or deny access under these circumstances by determining what is in the best interests of the minor.30
Some courts have acknowledged the need to protect the medical privacy rights of adolescents. On April 18, 2006, a U.S. District Court blocked enforcement of a legal interpretation of a mandatory child abuse reporting law that would require health professionals to report when adolescents were having consensual sexual relations with other minors.31 In issuing its ruling, the court found the 2003 legal interpretation issued by Kansas Attorney General Phill Kline tread dangerously upon the informational privacy rights of minors concerning sexual activity.32 ED policies and procedures related to the treatment of minors and disclosures to parents should be flexible, keeping HIPAA, state law, and the comfort level of caregivers in mind.33
The HIPAA privacy issues highlighted above relating to caregiver discussions, medical records, medical students and physician residents, e-prescribing, visitors, and the treatment of minors are exacerbated in the ED setting where space and time constraints are coupled with a high patient and visitor volume. An awareness of these privacy pitfalls must be kept at the forefront; failure to do so may cause patients to keep important treatment information confidential or abandon treatment altogether. Raising awareness through training, cultural reforms, and improvements in the design and operations of the ED are several methods that have the potential to increase confidentiality in the ED.
Public interest and benefit disclosures
The use and disclosure of PHI without authorization for 12 public interest and benefit activities is permitted under HIPAA.34 These statutory exceptions are found in Table 1.35
Table 1. The use and disclosure of protected health information (PHI) without authorization for the following public interest and benefit activities is permitted under HIPAA.34
Required by law
One of the 12 exceptions to non-disclosure provides that a covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and is limited to the relevant requirements of such law.36 This section often intersects with state public records laws, evidencing a growing tension between the protection of private medical records and the disclosure of public records.37
In March 2006, the Ohio Supreme Court found that the state's open records law trumped HIPAA.38 The records at issue were lead-contamination notices sent by the Cincinnati Health Department.39 While the court found that these records did not contain PHI as defined under HIPAA, the court went on to speculate that even if the records included PHI they were subject to disclosure under the "required by law" exception to the HIPAA Privacy Rule.40
Emergency disclosures
The events of September 11, 2001, and Hurricane Katrina brought the issue of disclosures of PHI during emergency situations to the forefront. In a September 2005 Office for Civil Rights (OCR) bulletin, the U.S. Department of Health and Human Services (HHS) reminded providers that they may share information without authorization in order to respond to an emergency.41 This exception allows providers to share information without authorization to provide treatment, locate and notify family members, prevent any imminent danger to the public or individuals, and to aid disaster relief organizations.42 HHS also created a decisional tool and flowchart to further aid emergency preparedness and recovery planners in determining how the Privacy Rule applies to certain disclosures.43 The goal of this tool is to help covered entities evaluate how to handle disclosures that arise during emergency situations in advance. It is important to note that this tool does not factor in other federal or state laws.
The required-by-law and emergency disclosures issues discussed above highlight disclosures of PHI under HIPAA where a strong public interest or benefit outweighs the interests of an individual. The 12 classes of public interest disclosures are tempered, however, by specific conditions or limitations that serve to protect individual privacy in these areas as much as possible.44
References
1. The author wishes to thank Charlotte Yeh, MD, FACEP and Maureen Kerrigan, Esq. for their extensive HIPAA knowledge and for insights into the practice of emergency medicine.
2. Gottlieb LK, Stone EM, Stone D, Dunbrack LA, Calladine J. Regulatory and Policy Barriers to Effective Clinical Data Exchange: Lessons Learned From MedsInfo-ED, 24 Health Affairs 5, 1197, 1197-1204 (2005).
3. 45 C.F.R. §164.502(b)
4. Gottlieb at 1201-1202.
5. Id. at 1200-1201.
6. Id. at 1200.
7. Id. at 1200-1201.
8. Moskop JC, et al. From Hippocrates to HIPAA: Privacy and Confidentiality in Emergency Medicine, 45 Ann Emerg Med.1, 61, 53-67 (January 2005).
9. Youngstrom N. When Faith and HIPAA Collide: Entities Struggle to Accommodate Personal Beliefs, AIS Health Report on Patient Privacy, at http://www.aishealth.com/Compliance/Hipaa/RPP_Faith_HIPAA_Collide.html (June 2005). Accessed on: May 29, 2006.
10. Id.
11. Id.
12. Shunear SN. Growing up as a Gypsy, at http://www.osi.hu/iep/minorities/ResBook1/Growing.htm (1992). Accessed: May 29, 2006.
13. Gulla JM, Twist, M, Singer AJ. Research Forum Abstract: Should Families Be Present During Resuscitations?, 44 Ann Emerg Med.4, S67 (2004).
14. 45 C.F.R. §164.502(g)
15. 45 C.F.R. §164.514(h)
16. 45 C.F.R. §164.502(g)(3)(i)(A) and U.S. Department of Health and Human Services Office for Civil Rights, Summary of the HIPAA Privacy Rule, at http://www.hhs.gov/ocr/privacysummary.pdf (May 2003) Accessed: May 29, 2006.
17. Boonstra H, Nash E. Minors and the Right to Consent to Health Care, at http://www.guttmacher.org/pubs/tgr/03/4/gr030404.html (August 2000) Accessed: August 15, 2006. American Bar Association, State Laws Allowing a Minor to Consent to Medical Treatment, at http://www.abanet.org/media/factbooks/cht1.html Accessed: August 15, 2006.
18. 45 C.F.R. §164.502(g)(3)(i)(B)
19. 45 C.F.R. §164.502(g)(3)(i)(C)
20. Youngstrom N. Minors & Adolescents Pose Complex HIPAA Privacy Problems, AIS Health Privacy Report, at http://www.aishealth.com/Compliance/Hipaa/RPP_Minors_PHI.html (October 2005). Accessed on: May 29, 2006.
21. Boonstra, supra.
22. Youngstrom, supra. 1-10 Medical Records Privacy APPENDIX 10 HHS December 2002 Guidance on Final Rule 45 CFR §164.502(g)
23. Boonstra, supra.
24. Id.
25. Youngstrom, supra.
26. Id.
27. 1-10 Medical Records Privacy APPENDIX 10 HHS December 2002 Guidance on Final Rule 45 CFR §164.502(g)
28. Id.
29. U.S. Department of Health and Human Services Office for Civil Rights. Summary of the HIPAA Privacy Rule, at http://www.hhs.gov/ocr/privacysummary.pdf (May 2003) Accessed: May 29, 2006. 45 C.F.R. § 164.502(g)(3)(ii)(A), 45 C.F.R. § 164.502(g)(3)(ii)(B).
30. Id. at 16-17. 45 C.F.R. § 164.502(g)(3)(ii)(C).
31. Press Release, Court Sets Precedent, Stopping Kansas Attorney General's Effort to Invade Teen Privacy, Center for Reproductive Rights, at http://www.reproductiverights.org/pr_06_0418KansasPrecedent.html (April 18, 2006). Accessed: May 29, 2006.
32. Id.
33. Youngstrom N. Minors and Adolescents Pose Complex HIPAA Privacy Problems, AIS Health Report on Patient Privacy, at http://www.aishealth.com/Compliance/Hipaa/RPP_Minors_PHI.html (October 2005). Accessed: May 29, 2006.
34. 45 C.F.R. §164.512
35. Id.
36. 45 C.F.R. §164.512(a)(1)
37. Press Release, Open Records Law Trumps HIPAA in Records request case, The Reporters Committee for Freedom of the Press, at http://www.rcfp.org/news/2006/0324-foi-openre.html (March 24, 2006). Accessed: May 29, 2006.
38. State ex rel. Cincinnati Enquirer v. Daniels, 844 N.E.2d 1181, 1183-1184 (Ohio, 2006)
39. Id. at 1183.
40. Id. at 1183-1184.
41. U.S. Department of Health & Human Services Office for Civil Rights. Hurricane Katrina Bulletin: HIPAA Privacy and Disclosures in Emergency Situations, at http://www.hhs.gov/ocr/hipaa/KATRINAnHIPAA.pdf (September 2, 2005). Accessed: May 29, 2006.
42. Id.
43. U.S. Department of Health & Human Services Office for Civil Rights. HIPAA Privacy Rule: Disclosures for Emergency Preparedness. At: http://www.hhs.gov/ocr/hipaa/decisiontool/
44. U.S. Department of Health and Human Services Office for Civil Rights. Summary of the HIPAA Privacy Rule, at http://www.hhs.gov/ocr/privacysummary.pdf (May 2003) Accessed: May 29, 2006.