CDT Testifies, Says HIPAA Sharing Rules Need Clarity

On Friday, Deven McGraw, Director of the Health Privacy Project at CDT, testified before the U.S. House Committee on Energy and Commerce Subcommittee on Oversight and Investigations at a hearing entitled “Does HIPAA Help or Hinder Patient Care and Public Safety?” The Subcommittee sought to explore whether the Health Insurance Portability and Accountability Act (HIPAA) of 1996 prevents hospitals and physicians from sharing mental health information with a patient’s family members. The Subcommittee also wanted to know if HIPAA permitted the disclosure of mental health information in order to prevent serious harm.

HIPAA establishes a national floor of protections for identifiable health information held by health care providers, health plans and health care clearinghouses and their contractors (known as business associates). States may enact health privacy laws that provide greater protection than HIPAA, and nearly all states have enacted greater protections for some mental health data. As noted in CDT’s testimony, the overarching purpose of HIPAA’s protections is to address medical privacy concerns and help ensure these concerns do not themselves pose barriers to treatment. The HIPAA Privacy Rule requires patient authorization before health information can be accessed, used or disclosed – but the Rule also recognizes a number of public policy exceptions. For example, as CDT noted in its testimony, the Privacy Rule allows information to be shared for treatment purposes without the need to first obtain patient authorization.

Of particular interest to the Subcommittee, the Privacy Rule also expressly permits an entity covered by HIPAA to “use or disclose protected health information if [it], in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public […]”. 45 C.F.R. 512(j). The Privacy Rule also allows such entities to disclose even routine health information (not necessarily indicating a threat) to family members involved in a patient’s care, unless the patient has objected. If the patient is not in a position to be asked whether or not she objects—due to absence or incapacity—a health care provider can still share relevant information about the patient’s care if the provider thinks it would be in the patient’s best interest to do so. 45 C.F.R. 510(b).

Among those testifying at the hearing were the families of individuals with very serious mental health conditions who had been told over and over again by their children’s health care providers that HIPAA prevented them from discussing their child’s condition, even with family members. HIPAA includes express provisions to enable sharing with family members – but these provisions are widely misinterpreted, with significant consequences for these families.

However, as CDT pointed out in its oral remarks, failing to share information with family members to assist in patient care or to avert a serious threat is not itself a violation of HIPAA. The Privacy Rule permits but does not require information to be shared in these circumstances. Nevertheless, fear of liability for violating HIPAA, coupled with misunderstanding of its provisions, can be a recipe for not sharing, even in circumstances where such sharing is expressly permitted and arguably important for patient care and/or public safety.

In both its written and oral remarks at the hearing, CDT urged the Office for Civil Rights (which enforces HIPAA) to provide further detailed guidance and clarification regarding permitted uses and disclosures under HIPAA. Additionally, OCR should work with relevant professional societies to ensure that this guidance is widely disseminated and written in terminology that is likely to be understood.

Video of hearing