HIPAA/LAW:
Legal Q/A
January 2003
"Incidental or Prohibited Use/Disclosure under HIPAA?"
by Steve Fox & Rachel Wilson, Esqs., Pepper
Hamilton LLP
With the April 14, 2003 compliance date looming larger by the minute,
we thought it would be helpful to provide some concrete examples
of how to apply the HIPAA Privacy Rule (the "Rule") in
real-world situations. This month, we focus on incidental uses and
disclosures of protected health information ("PHI").
Incidental Use and Disclosure
Incidental uses and disclosures of PHI are secondary uses or disclosures
that occur as a by-product of a use or disclosure permitted under
the Rule. Such uses and disclosures are permitted under the Rule
so long as reasonable efforts have been undertaken, where applicable,
to limit the PHI used or disclosed to the minimum amount necessary.
The following scenarios, all of which are based on actual events
experienced by one of the authors during the preceding week, highlight
the importance of training and scrutinizing routine practices.
Scenario 1:
When patients are sent to the medical office laboratory for tests,
the physician gives them a form indicating which lab tests have
been ordered, and the patients are instructed to take the form to
the lab. Upon arrival at the lab, the patient sees a table set up
in front of a small sliding glass window, which is generally unattended.
On the table is a sign-in sheet and a notice advising the patient
to deposit the form into an open basket that sits adjacent to the
sign-in sheet in the waiting room. The forms lie face-up in the
basket, and include the patient's name, address, birth date, social
security number and other demographic information.
Permissible Use or Disclosure?
This practice is not HIPAA-compliant. Reasonable precautions have
not been taken to minimize the chance of incidental disclosures
and to limit the information disclosed to the minimum amount necessary.
Although the disclosure described above is the incidental by-product
of an otherwise permissible disclosure, precautions have not been
taken to minimize the risk that PHI will be disclosed to other patients
nor have there been any reasonable limitations placed on the amount
of information disclosed. For example, if the purpose of the current
procedure is simply for patients to sign in to the lab area, that
may be accomplished with the sign-in sheet alone, which requires
only the patient's name. Eliminating the open basket would prevent
disclosure of more sensitive PHI, including the specific tests that
the doctor requested and all of the other patient demographic information.
Moreover, the risk of incidental disclosure could be minimized by
any number of reasonable alternatives, such as:
- relocating the basket inside the window, so that the forms
would be in a location less visible and/or accessible to other
patients;
- instructing patients to hand the form directly to a lab employee;
- placing the form in a folder or envelope before providing it
to the patient; or
- asking patients to deposit the form in a mail slot in the wall,
leading to a private area off limits to patients.
Scenario 2:
A psychiatrist is dining out with friends when she is paged by
her answering service, with an urgent message to call one of her
patients. Having left her own cell phone in her car, the doctor
uses her dinner companion's phone to return the patient's call.
The borrowed phone automatically maintains a log of the outgoing
telephone number.
Permissible Use or Disclosure?
Without question, the preceding scenario involves the (inadvertent)
disclosure of PHI. Under the Rule, a disclosure occurs whenever
information is transferred, or access to the information is made
available or divulged in any manner, to a third-party individual
or entity outside of the covered entity. The patient's phone number
constitutes PHI because it may easily be used to identify or contact
the patient.
Although the disclosure described above may not be technically
prohibited under the Rule, since it is not a disclosure to, or request
by, a provider for treatment purposes, the minimum necessary rule
is applicable. So, if there is a pay phone available to the psychiatrist
or if it is possible or appropriate for the psychiatrist to wait
and contact the patient from her home or office, she has an obligation
to avail herself of such an option. Similarly, she could have used
the borrowed phone to call her answering service and ask them to
transfer her directly to the patient. In that case, only the answering
service's telephone number would have been left on the phone's log,
and no PHI would have been disclosed. (The appropriateness of calling
the patient from a booth in a crowded restaurant will have to await
a future column.)
Scenario 3:
During a routine blood test, a patient chats with the lab technician
about a recent sporting event. The lab technician responds by telling
an amusing anecdote concerning a well-known sports figure who happened
to have his blood test on the previous day.
Permissible Use or Disclosure?
There is no justification under these circumstances for a staff
member to discuss any aspect of one patient's care or treatment
with another patient. This is not an inadvertent or incidental disclosure,
but is purely the result of a lack of education and training on
the part of the covered entity.
Conclusion
There is no expectation that covered entities will be able to protect
PHI from any and all potential risk of inadvertent use or disclosure.
Nor is the Rule intended to impede customary and necessary practices,
such as using sign-in sheets, keeping patient folders outside of
examining rooms or calling patients by name from the waiting room.
Rather, HIPAA's goal is to ensure that covered entities utilize
reasonable safeguards, policies and procedures to ensure that PHI
will be protected, utilizing not less than a reasonable standard
of care as defined by the Rule.
Steve Fox, Esq., is a partner at the Washington, DC office of Pepper
Hamilton LLP. This article was co-authored by Rachel H. Wilson,
Esq., an associate of Pepper Hamilton LLP. www.pepperlaw.com
Disclaimer: This information is general in nature and should
not be relied upon as legal advice.