by Daniel J. Solove
Suppose your elderly mother is being treated at the hospital for a heart condition. Your mother tells her doctor that you can have access to her health information. The doctor, however, doesn’t disclose the information to you.
The doctor thinks that you can only have the information with a signed written authorization. Is this correct?
No. HIPAA doesn’t require a signed or even a written authorization. If a patient tells a doctor that protected health information (PHI) can be shared with family or friends, then that’s all that is needed. The doctor can disclose it to you.
So has the doctor violated HIPAA by refusing to disclose the PHI?
No. HIPAA doesn’t require disclosure under these circumstances. HIPAA merely permits disclosure.
Myths and Misunderstandings
There are countless misunderstandings when it comes to access to a patient’s PHI by friends or family members. More broadly, access to health information, as well as control over it, is an area where there is great confusion and difficulty. With friends and family, HIPAA handles this decently, but with a few shortcomings. In other related areas, HIPAA has some very significant weaknesses, such as patients’ access to their own medical records as well as patients’ right to correct their medical records and control who accesses them. I’ll discuss these other issues in subsequent posts.
My post today is inspired by an interesting recent article in the New York Times by Paula Span that chronicles difficulties people have in accessing the health information of family members – often the result of confusion by healthcare providers about what HIPAA requires.
The article discusses a case where a daughter wanted to supply information about her elderly mother’s medication allergies because her mother’s memory was impaired. But the staff refused to speak with her about her mother based on HIPAA. Finally, she was able to speak with a nurse and prevent the hospital from administering a medication that her mother was allergic to.
What HIPAA Says
HIPAA addresses access by friends and family at 45 CFR §164.510(b).
Under HIPAA, if a friend or family member is a personal representative of a patient, then a covered entity must disclose medical records that that person. In other situations, HIPAA permits but doesn’t require disclosure to a friend or family member. HIPAA contains provisions for when the patient is present or when the patient is not present or is incapacitated. When the patient is present, HIPAA states at 45 CFR § 164.510(b):
(2) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it:
(i) Obtains the individual’s agreement;
(ii) Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or
(iii) Reasonably infers from the circumstances, based the exercise of professional judgment, that the individual does not object to the disclosure.
If the patient is not present or is incapacitated, HIPAA provides — also at at 45 CFR § 164.510(b):
(3) Limited uses and disclosures when the individual is not present. If the individual is not present for, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual’s incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person’s involvement with the individual’s health care. A covered entity may use professional judgment and its experience with common practice to make reasonable inferences of the individual’s best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information.
HIPAA is written in a rather tedious way (to put it mildly), so I will translate and simplify: In these situations, healthcare providers are to make a reasonable judgment about whether the patient would want the friend or family member to know. Inferences should be made based upon context.
My Advice for Sharing PHI
with Friends and Family
My advice for healthcare providers is to ask patients whenever possible. If nobody is around at first, ask patients how they feel about sharing information with family and friends. Ask if there are certain people whom the patient wants to share health information with and if there are certain people with whom the patient definitely doesn’t want to share information with.
If someone is with the patient, ask the patient first before blurting out health information. Far too often, if someone is in the room with a patient, a provider just assumes disclosing anything is okay. But it isn’t always okay with the patient.
Even if a patient is okay with a friend or family member hearing their information, a provider should be careful to keep that information limited to what is needed and be thoughtful to the fact that patients may want friends and family to know certain things about their health, but not necessarily all things.
Organizations should train their workforce about this issue and how to exercise good judgment. They should have procedures in place to deal with situations for when there are doubts, questions, or disagreements.
HHS has provided some examples in a very useful guidance document. When a patient is present:
- An emergency room doctor may discuss a patient’s treatment in front of the patient’s friend if the patient asks that her friend come into the treatment room.
- A doctor’s office may discuss a patient’s bill with the patient’s adult daughter who is with the patient at the patient’s medical appointment and has questions about the charges.
- A doctor may discuss the drugs a patient needs to take with the patient’s health aide who has accompanied the patient to a medical appointment.
- A doctor may give information about a patient’s mobility limitations to the patient’s sister who is driving the patient home from the hospital.
- A nurse may discuss a patient’s health status with the patient’s brother if she informs the patient she is going to do so and the patient does not object.
- A nurse may not discuss a patient’s condition with the patient’s brother after the patient has stated she does not want her family to know about her condition.
Here are the examples for cases when the patient is not present or incapacitated:
- A surgeon who did emergency surgery on a patient may tell the patient’s spouse about the patient’s condition while the patient is unconscious.
- A pharmacist may give a prescription to a patient’s friend who the patient has sent to pick up the prescription.
- A hospital may discuss a patient’s bill with her adult son who calls the hospital with questions about charges to his mother’s account.
- A health care provider may give information regarding a patient’s drug dosage to the patient’s health aide who calls the provider with questions about the particular prescription.
- A nurse may not tell a patient’s friend about a past medical problem that is unrelated to the patient’s current condition.
- A health care provider is not required by HIPAA to share a patient’s information when the patient is not present or is incapacitated, and can choose to wait until the patient has an opportunity to agree to the disclosure.
Challenges and Problems
in Determining When to Share
The New York Times article has a good discussion about how the issue of family member access can be difficult:
“Seniors say, ‘I don’t want to burden my kids with my medical issues,’ ” said Bradley Crotty, the director of patient portals at Beth Israel Deaconess Medical Center in Boston and the study’s lead author. “And the family is saying, ‘I’m already worried. Not knowing is the burden.’ ”
The older group wanted help but not second-guessing or “spying,” Dr. Crotty added. They might agree to disclose the medications they take — just not all of them.
Moreover, the dynamic often changes with increasing disability or a health crisis.
“Say a senior has a serious medical condition — a stroke, for instance — and requires a lot of help and support,” Dr. Crotty said. “He could recover enough to want to take back control of his health information. It may go back and forth.”
Such negotiations require continuing discussions of what patients want to divulge and what families need to know. Personal relationships are tricky terrain.
In many cases, people want disclosure. According to an article in Hospitals & Health Networks notes that “most patients want — and need — the support and understanding of the key people in their lives. Almost four in five respondents in a recent study of more than 18,000 veterans were willing to share access to their electronic health records with family members and other nonprofessionals.”
At the end of the day, it comes down to good judgment. Beyond that, a very important dimension left out of HIPAA is that individuals need to have a way to challenge decisions when they don’t agree. HIPAA sees family member access as a permissible not a required disclosure, even when the patient wants it and even when in the best interest of the patient.
Healthcare providers should go beyond HIPAA and view such disclosure as more than just optional. As the story in the New York Times article illustrated, family member involvement can be critical to the care of the patient. Shutting out a family member or a close friend involved in the patient’s care can be tremendously damaging to the family member and friend as well as to the patient. It is important not to err on either side – overprotecting confidentiality and not speaking with friends and family can be bad as well as being too loose with information and providing it to any friend or family member who asks.
Providers shouldn’t be afraid of exercising judgment. HIPAA calls for good judgment in these situations; that’s why it doesn’t supply a set of rigid rules. And HIPAA was wise not to have a set of rigid rules in this area.
But HIPAA could do more to require covered entities to develop procedures for when there are questions, doubts, or disagreements with the judgments being made.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.