Special Topics in Health Information Privacy
Does your organization collect and share consumer health information? When it comes to privacy, you’ve probably thought about the Health Insurance Portability and Accountability Act (HIPAA). But did you know that you also need to comply with the Federal Trade Commission (FTC) Act? This means if you share health information, it’s not enough to simply consider the HIPAA Privacy Rule. You also must make sure your disclosure statements are not deceptive under the FTC Act.
Protecting public health, including through public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, and other public health activities, often requires access to or the reporting of the protected health information of individuals. This information is used to identify, monitor, and respond to disease, death, and disability among populations.
The Privacy Rule recognizes the legitimate need for public health authorities and certain others to have access to protected health information for public health purposes and the importance of public health reporting by covered entities to identify threats to the public and individuals. Thus, the Privacy Rule permits covered entities to disclose protected health information without authorization for specified public health purposes.
Researchers in medical and health-related disciplines rely on access to many sources of health information, from medical records and epidemiological databases to disease registries, hospital discharge records, and government compilations of vital and health statistics.
The Privacy Rule recognizes that the research community has legitimate needs to use, access, and disclose individually identifiable health information to carry out a wide range of health research protocols and projects. The Privacy Rule protects the privacy of such information when held by a covered entity but also provides ways in which researchers can access and use the information for research, subject to various conditions.
The Privacy Rule is carefully designed to protect the privacy of health information, while allowing important communications to occur. For example, the Rule permits the sharing of protected health information for emergency preparedness planning and response under a number of circumstances.
HHS has developed guidance materials addressing appropriate uses and disclosures of protected health information in emergency situations.
Health information technology (health IT) involves the exchange of health information in an electronic environment. Widespread use of health IT will improve the quality of health care, prevent medical errors, reduce health care costs, increase administrative efficiencies, decrease paperwork, and expand access to affordable health care. It is imperative that the privacy and security of health information be ensured as this information is maintained and transmitted electronically.
The Privacy Rule's established baseline of privacy protections and individual rights with respect to individually identifiable health information support the use of health IT and provide important protections in this area. The Security Rule supports the adoption of new health information technologies while setting standards to ensure appropriate protection of electronic protected health information.
Genetic Information Nondiscrimination Act (GINA) was signed into law on May 21, 2008. GINA prohibits discrimination in health coverage and employment based on genetic information.
GINA requires modifications to the Privacy Rule to clarify that genetic information is a type of health information and to prohibit most health plans from using or disclosing genetic information for underwriting purposes.
Living with HIV requires being active in your medical care – making decisions with your doctor, tracking your progress, and doing everything you can to be healthy. With HIV, you also may have concerns about keeping your status private.
Whether your health information is stored on paper or electronically, you’ve got the right to keep it private. Those rights are protected by HIPAA. HIPAA also gives you other important rights, including the right to a copy of your medical record.
On January 16, 2013, President Barack Obama announced a series of Executive Actions to reduce gun violence in the United States, including efforts to improve the Federal government's background check system for the sale or transfer of firearms by licensed dealers, called the National Instant Criminal Background Check System (NICS). Among those persons disqualified from possessing or receiving firearms are individuals who are subject to a Federal “mental health prohibitor” because they have been involuntarily committed to a mental institution; found incompetent to stand trial or not guilty by reason of insanity; or otherwise have been determined, through a formal adjudication process, to have a severe mental condition that results in the individuals presenting a danger to themselves or others or being incapable of managing their own affairs.
Concerns have been raised that, in certain states, the HIPAA Privacy Rule may be a barrier to reporting the identities of individuals subject to the mental health prohibitor to the NICS.
To address these concerns, HHS has issued a Notice of Proposed Rulemaking (NPRM) indicating its intent to modify the HIPAA Privacy Rule to permit certain HIPAA covered entities to disclose to the NICS the identities of persons prohibited by Federal law from possessing or receiving a firearm for reasons related to mental health, and soliciting public input on various issues. The proposed change would not permit the disclosure of individuals’ mental health records or any other clinical or diagnostic information.
The Department of Health and Human Services (HHS) has taken action to give patients or a person designated by the patient a means of direct access to the patient’s completed laboratory test reports. The final rule amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to allow laboratories to give a patient, or a person designated by the patient, his or her “personal representative,” access to the patient’s completed test reports on the patient’s or patient’s personal representative’s request. At the same time, the final rule eliminates the exception under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to an individual’s right to access his or her protected health information when it is held by a CLIA-certified or CLIA-exempt laboratory. While patients can continue to get access to their laboratory test reports from their doctors, these changes give patients a new option to obtain their test reports directly from the laboratory while maintaining strong protections for patients’ privacy.
The HIPAA Privacy Rule recognizes the integral role that a spouse often plays in a patient’s health and health care. Consistent with the Supreme Court decision in Obergefell v. Hodges, OCR has issued guidance that makes clear that the terms marriage, spouse, and family member include, respectively, all lawful marriages (whether same-sex or opposite-sex), lawfully married spouses and the dependents of all lawful marriages, and clarifies certain rights of individuals under the Privacy Rule.
With the proliferation and widespread adoption of cloud computing solutions, HIPAA covered entities and business associates are questioning whether and how they can take advantage of cloud computing while complying with regulations protecting the privacy and security of electronic protected health information (ePHI). HHS has developed guidance to assist such entities, including cloud services providers (CSPs), in understanding their HIPAA obligations.
HIPAA and the Opioid Crisis
Current HIPAA regulations allow healthcare providers to share information with a patient’s loved ones in certain emergency or dangerous situations. This includes informing persons in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety. Misunderstandings about HIPAA can create obstacles to the family support that is crucial to the proper care and treatment of people experiencing a crisis situation, such as an opioid overdose. It is critical for healthcare providers to understand when and how they can share information with patients’ family members and friends without violating the HIPAA Privacy Rule.
At times, health care providers need to share mental and behavioral health information to enhance patient treatment and to ensure the health and safety of the patient or others. Parents, friends, and other caregivers of individuals with a mental health condition or substance use disorder play an important role in supporting the patient’s treatment, care coordination, and recovery. The HIPAA Rules are designed to protect the privacy of all of an individuals’ identifiable health information and to ensure that health information is available when needed for treatment and other appropriate purposes. Given the sensitive nature of mental health and substance use disorder treatment information, OCR provides guidance addressing HIPAA protections, the obligations of covered health care providers, and the circumstances in which covered providers can share information—as applied to this context.