The fundamentals of HIPAA’s privacy rule may seem basic on the surface: you share medical information with your doctor and he or she, along with the hospital, keeps it all confidential.
But when you dig deeper and consider how complex healthcare truly is and how one’s healthcare records move from one party to another to be processed and paid, you realize that HIPAA encompasses a broad spectrum of issues and players. It also comes with exceptions where healthcare information can be released and exchanged, all without the patient’s consent for each exchange – for good reasons.
With the complexity of healthcare, even with HIPAA, one solution does not fit all. If an organization chooses to get permission for the release of information, how they go about it varies greatly as well. HIPAA makes no specific provisions for what must be included in a consent form and what a process should look like. Both are “at the discretion of the covered entity electing to seek consent,” according to the law.
In today’s healthcare world, an individual’s medical information can change hands through several players, all at different times. HIPAA allows a patient’s information to be transferred from one entity to another without the patient’s permission.
Healthcare providers can transfer medical information to other providers to consult with and refer patients. For example, a primary care doctor can send a copy of an individual’s medical record to a specialist who needs the information to treat the individual. The same thing routinely happens when a patient is transferred from one facility to another, like from a hospital to a nursing home.
When it comes to paying for that treatment, the pool of players sharing patient medical information widens considerably. HIPAA allows for medical records to travel across industries to every business in the chain of getting a patient’s healthcare paid. This includes insurance companies, consultants, and any business that a healthcare provider might contract with to deliver treatment. That pool of potential contractors broadens the disclosure provision even more, as the record is needed for each contractor to be paid for the part played in a patient’s treatment.
For example, under HIPAA, a healthcare provider can transfer records to an ambulance company used to transport a patient. Records can be sent to a private lab that did the testing for that patient’s case, so the lab can be paid.
Beyond the continuum of care and payment, HIPAA also allows for disclosure under the umbrella of “healthcare operations.” What does that include? A vast array of provider and payer activities, even at times when they do not relate directly to providing or paying for a person’s treatment. For example, according to HIPAA rules, a healthcare provider can give private medical information to an insurance company for its own internal data and information set to assess outcomes if the company has had a relationship with the patient.
“Healthcare operations” where HIPAA-protected medical information is allowed to be transferred and disclosed also include these activities:
- conducting or planning medical reviews, audits, and compliance programs
- fundraising for the benefit of the HIPAA-covered organization
- underwriting, risk rating and reinsuring risk
- planning, development and administration of the business
The U.S. Department of Health and Human Services requires that organizations that transfer and disclose medical information develop standards and policies that “reasonably limit” disclosures and requests for HIPAA-protected information. Organizations are not required to follow those standards and policies, though, when requests for information are made by government regulators or healthcare providers for treatment purposes.
The federal government also outlines 12 public benefit priorities under which the use and disclosure of medical information is allowed. Disclosures for these public interest issues are not mandatory, only allowed. Each issue comes with its own rules and limitations with the aim of protecting a person’s privacy, but consent is not required each time an individual’s medical information is shared, according to the law.
With public benefit priorities spanning from research activities to judicial and administrative proceedings, the use and disclosure of medical information vary widely. These issues are complex, each attached to a variety of scenarios with other entities that could allow for medical records to be legally released.
The considerations are many for patients, health systems, and health plans when it comes to the release of information throughout the delivery of healthcare. We will delve deeper in the weeks to come.