HHS Attempts to Clear Up HIPAA Confusion on PHI Release
Online Resources Clarify When Patient Info Can Be Shared With Families, Caregivers
Federal regulators have set up online resources - one for healthcare providers and another for consumers - to help them navigate circumstances under which HIPAA permits a covered entity to disclose mental health and substance abuse information to a patient's family members and caregivers.
Security experts welcome the move as a way to help clear up confusion about HIPAA compliance.
The Department of Health and Human Services' Office for Civil Rights says the new resources were launched in response to the national opioid crisis while also implementing the 21st Century Cures Act.
"OCR continues its work to ensure that patients and their family members can get the information they need to prevent and address emergency situations, such as an opioid overdose or mental health crisis," HHS says in a statement.
"At the same time, these tools and initiatives also fulfill requirements of the 21st Century Cures Act to ensure that the healthcare sector, researchers, patients and their families understand how HIPAA protects privacy and helps improve health and healthcare nationwide."
Among the new materials for consumers and healthcare providers are guidance documents pertaining to releasing information to families of a child or adult patient with a mental health condition, substance abuse disorder or opioid addiction.
"Given the sensitive nature of mental health and substance use disorder treatment information, OCR is providing this guidance addressing HIPAA protections, the obligations of covered healthcare providers, and the circumstances in which covered providers can share information - as applied to this context," HHS says.
Some experts say the new resources and guidance address important information sharing and disclosure issues that are often confusing to covered entities, as well as patients.
"It is very challenging for providers - that means every front-line person with family contact - to know when, and when not, to share sensitive patient information with family members," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"In most cases, patients are probably fine with it. However, if a provider slips up and discloses protected health information to a hostile or manipulative relative, it could mean a setback for a distraught patient, and possibly a HIPAA breach."
The new HHS resources come at a time when privacy and security issues related to sensitive data are increasingly in the spotlight - not only due to emerging threats and potential data breaches, but also in terms of navigating a complex regulatory climate, some experts note.
"OCR is trying really hard to clear up confusion in a really tricky area," says privacy attorney Kirk Nahra of the law firm Wiley Rein LLP. "They are working at the intersection of a variety of laws, including HIPAA, 42 CFR Part 2 [regulations] dealing with substance abuse information and a variety of other laws, primarily at the state level.
"They are trying to emphasize the areas where HIPAA provides relevant flexibility to [offer] useful information to family members and others. This is an area where the overlaps in these laws - and the potential consequences for getting it wrong - are at their highest and most complicated."
Providers will still make their own individual decisions in context, Nahra stresses. "This is telling them that they can be more open to sharing, but it generally doesn't 'force' any particular disclosures," he says. "Providers should mainly recognize that they need to be thoughtful and helpful without being in violation of the HIPAA rules."
New Working Group
As called for under the 21st Century Cures Act, HHS is launching a working group to study and report on the uses and disclosures of PHI for research purposes.
The group will include representatives from federal agencies as well as researchers, patients, healthcare providers and experts in healthcare privacy, security and technology. It will release a report addressing whether uses and disclosures of PHI for research purposes should be modified to facilitate research while protecting individuals' privacy rights in compliance with HIPAA.
The 21st Century Cures Act, which was signed into law in December 2016, aims to accelerate the advancement of medical innovation as well as reform the nation's mental health system and address the opioid and heroin addiction crisis.