- Home
- » e-Newsletters
Focus on authorization, documentation before sharing PHI with friends/family
HIPAA Training Advisor, June 15, 2006
When it comes to HIPAA, there are grey areas in which it's not always clear whether a use or disclosure is permitted. One of those areas is disclosing PHI to friends and family members.
Making the right decision for the patient and your organization requires staff to communicate with the patient and exercise professional judgment. HIPAA allows disclosure of a patient's PHI that is directly relevant to a family member's or friend's involvement in the patient's care.
A patient's agreement to such a disclosure may or may not be required, depending on whether the patient is present and competent. This provision is intended to allow disclosures directly related to a patient's current condition and should not be construed to allow sharing of extensive information, says Martha P. Baxter, partner at Bricker and Eckler, LLP, in Columbus, OH.
When the patient is available prior to or during a use or disclosure and is capable of making decisions, the organization must do one of the following:
- Obtain the patient's agreement (this can be oral)
- Provide the patient with the opportunity to object to the disclosure
- Reasonably infer from the circumstances that the patient does not object to the disclosure
Get it in writing
Ask patients what they consider acceptable disclosures and document these discussions, says Baxter. Then make that documentation part of the patient's record, says Judy Thompson, PhD, CPHRM, director of quality assurance, risk management, and human resources at Cedar River Clinics in Seattle.
Make sure that after-hours staff who answer the phone know about restrictions on disclosures, says Thompson. "They may have to speak in hypotheticals. For example, staff may want to say, 'I can't give you any information, but if a woman had that condition, she would likely receive this treatment.' "
Sometimes, staff will simply have to use their best judgment. "Prudent patient care always comes first," she says. "But always document the reasons behind your decisions."
Make the right judgment
Professional judgment and experience come into play most when the patient isn't capable of deciding, says Baxter. "You have to determine what information the friend or family member needs to know."
According to the privacy rule, when the patient is not present for a disclosure or is unable to agree or object because of incapacity or emergency, the organization may determine whether the disclosure is in the patient's best interests.
If a disclosure is in the patient's best interest, the organization may reveal only the information that is directly relevant to the person's involvement in the patient's care. HHS commentary offers the following examples of acceptable disclosures when the patient is not present or capable of agreeing to the disclosures:
- Informing relatives or others involved in a patient's care (e.g., the person who accompanied the patient to the emergency room) that a patient has suffered a heart attack
- Providing updates on the patient's progress and prognosis when the patient is incapacitated and unable to make decisions about such disclosures
In addition, the privacy rule allows organizations to give functional information to individuals assisting in a patient's care (e.g., providing information about a person's mobility limitations to a friend driving the patient home from the hospital).
It also allows covered entities to use professional judgment to decide whether to allow a friend or family member to pick up prescriptions, medical supplies, x-rays, or other similar forms of PHI.
Refer to state law
"Many providers are forgetting that much of HIPAA is discretionary," says Baxter. "In most cases, state law will determine what they [should] do." Some providers believe that federal law prevails, but state law that is more stringent supersedes HIPAA, she says.
The privacy rule's provisions regarding disclosure of PHI to family or friends are permissive only, enabling covered entities to abide by more stringent state laws without violating these rules. Further, if state law creates an affirmative and binding legal obligation on the organization to make disclosures to family or other persons under specific circumstances, the regulations allow the organization to comply with these agreements.
Editor's note: Adapted from "Focus on authorization, documentation before sharing PHI with friends/family," Briefings on HIPAA, May 2006.
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- What does case-mix index mean to you?
- QA:Coding multiple initial infusions
- News and briefs: Oklahoma Osteopathic Association against residency bill change
- HIPAA Q&A: Level of encryption needed for email
- OB services: Coding inside and outside of the package
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- ED-to-inpatient transfers are flawed with safety gaps
- Joint Commission Center announces handoff communication solutions
- Inside best practice: Reduce patient falls with a stoplight
- Identify modifiable risk factors to prevent patient falls
- Searched