Domestic abuse complicates PHI disclosure rules
HIPAA Training Advisor, August 23, 2007
Domestic abuse is a difficult matter with which health-care providers must occasionally contend. HIPAA, with its complicated requirements for PHI disclosure, can easily add further trouble to an already tough situation.
"It's a very complicated and dangerous area for hospitals because of all the emotions involved, which tend to cloud judgment," says Bill Roach, a healthcare attorney with McDermott Will & Emery, LLP, in Chicago. Roach previously served on a hospital abuse team.
According to Roach, there are two different sections of HIPAA regulations that deal with domestic abuse: one section for child abuse and one for the abuse of adults, elders, or disabled persons.
HIPAA gives covered entities broader authority to disclose PHI in cases of child abuse than it does for abuse of adults. The regulation does not provide limits as to what the covered entity can disclose in cases of child abuse. However, it does set strict requirements for PHI disclosure for cases involving the abuse of adults. HIPAA states that you need to limit these disclosures to what the law requires and mandates that the hospital inform the patient of the disclosure. "It's important to understand that it's a much more restrictive disclosure," says Roach. "It's not as wide open as child abuse."
In order for your facility to come up with an effective policy on domestic abuse, you will have to write a policy that takes into account all of the nuances of your state reporting laws. You will need to know which agencies you must report domestic abuse to, along with who is required to report cases of abuse. In some states, it is only licensed practitioners who must disclose cases; in other states, additional types of healthcare staff members are required to report abuse.
You will also need to know your state's definition of a child. When dealing with cases of abuse, your state may not always define a child in the same way it defines a minor, Roach says.
Similarly, you'll need to examine the way your state defines abuse. For example, check how your state differentiates between abuse, which is often defined as doing actual physical harm to a child, and neglect, which is usually failure to provide for the welfare of the child (e.g., not feeding the child). Some states require you to report neglect cases, as well as abuse.
"You need to understand what your state laws really say," Roach says. "You need to understand the scope of the mandatory reporting."
Know what you can disclose in child abuse cases
Set up a trained abuse team that can respond to incidents of suspected child abuse. Remember that in cases of child abuse, the injuries can be subtle, and untrained personnel may miss the signs.
The team should know how to fully document any relevant injuries. Many state laws about child abuse do give covered entities significant leeway in how they document the injury. Depending on your state law, you may need to take pictures or x-rays or perform other tests. Your team should also have training in interviewing parents or others who are possible abusers. In addition, you should be sure to record statements from parents or guardians about the details surrounding the injuries of a suspected abuse victim. This can be challenging if a story doesn't fit with an injury.
"The documentation has to be both detailed and objective," explains Roach. "You don't want emotional outbursts in the record or supposition and opinion, because it's likely to end up in court. Derogatory statements in the chart undermine the credibility of what's in the chart, and defense counsel can use this against you."
Note that the minimum necessary provisions of HIPAA still apply in domestic abuse cases, so you should not disclose more than is necessary, Roach says. However, in most places, state law gives covered entities permission to disclose whatever information they think is relevant to the case, especially when a child is involved.
Roach suggests that, when deciding what information to disclose in a case of suspected child abuse, a hospital should "act to protect the child first and sort out the legal issues later."
Restrict your disclosures for abused adults
You will have to be far more restrictive in your disclosures when dealing with cases of suspected abuse of adults, elderly, or disabled persons. In these types of domestic abuse cases, HIPAA defers to state law. HIPAA permits you to disclose the information that your state allows, but nothing more. Whereas HIPAA allows professionals to use their discretion when releasing PHI in cases of child abuse, there is no such leeway when it's a case of abuse against an adult, Roach said. Some state laws do give professionals a bit of flexibility with this rule, but many do not.
Some states allow for reporting of suspected cases of adult, elderly, or disabled person abuse but don't require it. In these states, HIPAA imposes additional requirements before you can make such a disclosure. For example, you can make a disclosure only if the abuse victim agrees to it or if a covered entity believes the disclosure is necessary to prevent serious harm to the victim or other victims. If the victim is incapacitated, you can only make a disclosure if the agency investigating the allegation agrees that they won't use the information against the patient and that waiting until the patient can agree to the disclosure would seriously harm their investigation.
"If you've got a mandatory reporting statute, then you're fine, you can just report," says Roach. "But, if you've got a statute that doesn't require you to report but permits you to report, then you've got to put together an algorithm that allows you through all these conditions."
Once you've reported the case, you also need to inform the patient that you did so, unless you believe that it would harm the patient or unless you are dealing with a patient's representative who is also the suspected abuser.
Train your administrative staff to watch for signs
It's important to note that in many states, abuse laws apply only to frontline patient care personnel. However, your health information management department, which may handle some requests for disclosure, may also have to get involved.
"There are different rules for a caregiver and for administrative workers," says Lisa McCusker, corporate compliance and privacy officer for Sisters of Providence Health System in Springfield, MA. "If anybody comes looking for records in our office, we ask for a release. That covers [our administrative staff members]."
Most law enforcement agencies will come armed with a court order or subpoena to get copies of the records, McCusker says. When a patient's representatives or others who may be involved in the abuse case ask for records, decisions become more difficult. Those requesting the records may not be entitled to see them. However, because the medical records personnel may not be aware there is an abuse allegation, they may inadvertently but inappropriately disclose the requested information.
Staff members should read all medical records before releasing them anyway, so it's usually just a matter of training the staff to look for notations in the file that might indicate suspected abuse.
"You have to take every case on a case-by-case basis because you can't decide based on a medical record that someone is a victim of abuse," McCusker said. "We're on the tail end of everything. It's very difficult for a medical records department to decide, because we come in very much after the fact."