• E-mail
• Print
• RSS

Protecting reporters of abuse from retaliation

HIPAA Weekly Advisor, June 14, 2004

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

Q: I'm the privacy officer for a health department in rural NC, where we are required by law to report abuse/neglect issues and can do so without the client's or verified personal representative's authorization. The individual reporting the suspected abuse or neglect is supposed to remain anonymous.

If the parent or guardian of an abused minor angrily requests access to the minor's PHI to discover who reported the abuse, we can withhold the PHI to prevent retribution. We disclose the case to the Department of Social Services, and list it in the accounting of disclosures because the PHI is not given for treatment, payment, or healthcare operations (TPO). Are we required to grant the guardian's request for an accounting of PHI not for TPO? How can we avoid disclosure of the reporter's identity?

A: In your case, the personal representative would be requesting the name of the person reporting abuse or neglect. This person's identity is not PHI (not individually identifiable health information). However, the facts pertaining to the abuse probably are PHI, which means that you are required to provide an accounting of the place to which you disclosed the PHI, but not from which you received the information (i.e., the reporting person). In other words, the person reporting the abuse did not receive the information from you, and as a result, you are not required to include the reporting person in your accounting.

In general, the privacy rule treats an adult or emancipated minor's personal representative as the individual for purposes of HIPAA compliance. HIPAA provides an individual, or the personal representative/guardian the right to receive an accounting of PHI disclosures made by a covered entity. However, a covered entity does not have to provide an accounting of disclosures for treatment, payment, healthcare operations or disclosures made pursuant to an authorization. The accounting must provide the individual or personal representative with a written statement containing the following:

• Disclosures that occurred in the six years prior to the date of the request for an accounting
• Date of disclosure
• Brief description of the disclosed PHI
• Purpose of the disclosure 

The requirement of a written statement pertains to the covered entity responsible for an accounting of the PHI in its possession and to which entity you disclosed information. PHI includes individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. 

This question answered by Cheryl S. Camin, JD, MPH, an associate in the Corporate/Health Law Practice Group of Gardere Wynne Sewell LLP in Dallas, Texas.

Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!

• E-mail to a Colleague
• Print
• RSS
• Archive