Bad Blood: Can a Family Member Violate HIPAA?

60% of people say that their family is the most important aspect of their life.

From a personal standpoint, I think that that statistic makes sense. I imagine that you’ve met someone who talks about how important their family is to them.

From a statistical point of view, children who live with their biological parents are 20% to 35% more physically healthy, while 85% of parents who adopted report their children being in excellent health.

In other words, our family structure has a direct impact on how healthy we are as individuals.

Our families play an important role throughout our lives. Our experiences with them throughout our childhood help shape who we are as an adult.

We don’t get to choose who our family is, yet we’re bonded to them forever.

Of course, not everything is sunshine and rainbows when it comes to families. More than 30% of children experience a major change in their household structure before the age of 6.

Further, the United States divorce rate lands somewhere between 40% and 50%, while around 17% of people report experiencing estrangement from an immediate family member by the time they reach college.

The point I’m trying to make is that families aren’t perfect and achieving a winning dynamic isn’t possible.

As a result, certain laws that deal with privacy don’t even allow organizations to share personal information without the consent of the source individual, even if they’re a spouse.

One of the best examples of a law that exists with strict privacy stipulations is the Health Insurance Portability and Accountability Act (HIPAA).

Within the HIPAA Privacy Rule is a section known as Uses and Disclosures. That section of the law states that a covered entity may not use or disclose protected health information (PHI) without valid authorization.

Since PHI is some of the most sensitive data on the planet, it makes sense that the law goes the extra mile in protecting patient privacy. But the law and its safeguards are open to many interpretations.

As a result, we’re left with asking questions that may seem to have an obvious answer but require deep explanation. One of those common questions is, “Can a family member violate HIPAA?”

What's Shareable?

Before diving into whether or not a family member can violate HIPAA, we have to understand what’s allowed by the physician.

The HIPAA Privacy Rule (§ 164.510) states, “a covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure.”

In other words, medical professionals can share certain aspects related to their patient’s PHI with their spouse, family members, friends or other identified persons.

According to the Department of Health and Human Services, the HIPAA Privacy Rule permits healthcare professionals to share their patients’:

  • Health status

  • Treatment

  • Payment arrangements

But let’s say that the patient isn’t present. That changes things a little bit.

Let’s say you’re a specialty doctor who’s calling on one of your patients to remind them of their upcoming appointment. You call their house and they don’t answer. Can you leave a voicemail?

Yes. You’re allowed to leave a voicemail for your patient regarding their upcoming appointment. However, you’ll have to be selective in the information that you provide.

Since you don’t know who will hear the voicemail once it’s recorded and sent, you have to safeguard the individual’s privacy as much as possible. So, instead of saying what the appointment is for and giving details about what will happen, maybe you only say who you are and ask them to call you back.

It's All About Professional Judgment

Let’s say you go to the HHS website and read all of the different scenarios they give. You’ll soon realize a pattern. They use the verbiage “professional judgment” often.

What exactly does this mean and why do they use it so much?

One of the best examples they explain happens frequently. In fact, I’d wager that you’ve done it for someone before, or vice versa: getting someone else’s prescription for them.

Maybe you’re at the grocery store and your roommate needs to pick up their prescription at the attached pharmacy but is at work. Since you’re already going to the store anyway, they ask you if you can pick up their medication.

Even if you don’t know about HIPAA, you’ve probably asked yourself whether or not this scenario is legal. Yet, once you got to the pharmacy and answered the pharmacist’s questions you received your roommate’s medication before you knew it.

Isn’t the medication someone takes private?

Yes, a prescription is technically protected health information.

However, when you went to the front desk, the pharmacist asked you a series of questions to help them identify your intentions. They asked you what prescription you were picking up, the patient’s date of birth, and whether or not you’re that person. Those three questions don’t seem that important, but they allow the pharmacist to understand the scenario they’re dealing with.

In other words, it’s obvious that you have the patient’s intentions in mind by identifying yourself, providing the patient’s birthday and telling the pharmacist that you’re not the person that the prescription is for.

At that point, the pharmacist used his or her professional judgment to determine whether or not you have the patient’s best intentions in mind. I do want to point out that this also probably wasn’t their first rodeo and what you’re doing is common. Thus, you were able to run an errand for your roommate and get on with your grocery shopping seamlessly while the pharmacist didn’t have to worry about committing a HIPAA violation.

What Does Your Policy Say?

If you’ve read any of the other blog posts I’ve written about HIPAA, you know that the law leaves a lot of room for interpretation.

For example, it’s a requirement that your organization establish a training program on the law for your employees, but it doesn’t tell you when or how often you should hold your sessions.

Unfortunately, getting permission to share protected health information also finds itself in a similar situation.

Let’s say that you’re a doctor at a hospital and were talking to a patient’s spouse about their condition. Are you allowed to hold a conversation about the patient?

This scenario goes back to professional judgment. However, you’re required to get permission from the patient before sharing any of their information. What you do to attain their permission ultimately depends on your organization’s policy.

From HIPAA’s standpoint, you don’t have to get written permission to share information about a patient, only verbal. The belief that written permission is required is a common misconception.

However, many healthcare facilities will make it their policy to have a patient sign a release form before allowing their information to be shared. It’s a best practice to document permission granted by your patients for filing purposes. That way you’re protected if there are any miscommunications down the road and you have proof of the permission granted.

I do want to point out that if your organization has an established policy, you need to follow through with it. Although the law doesn’t require permission granted in writing, it does require continuity. If your organization requires a signed consent form, you have to adhere to that policy.

If you don’t, you’ll risk termination because it puts your organization at risk of getting fined if a HIPAA audit occurs.

In Case of Emergency (Situations)

There are always exceptions to every rule, especially within healthcare.

What happens when an illness or injury incapacitates a patient? You might not have time as a medical professional to ask for permission to share information about an emergency situation.

This (as with everything else in this post it seems) goes back to professional judgment.

Let’s say the patient falls victim to a car accident and requires emergency surgery. In this scenario, the surgeon may use their professional judgment to determine that it is appropriate to call the “In Case of Emergency” contact in their phone and discuss the patient’s condition with the individual on the line.

Regardless of the type of situation, the most important factor to keep in mind when determining whether or not sharing information with a family member or friend is a HIPAA violation is if doing so would be in the best interest of the patient.

Circumstances of Snooping

Even after all of the permission granted to healthcare providers allowing them to share sensitive information with the family members of their patients, there are still instances where a violation occurs.

ClinicalAdvisor documented a unique scenario where a healthcare professional faced a HIPAA violation involving their own family member.

A nurse working in the cardiology department, referenced in the article as Ms. P, worked with protected health information on a daily basis. She received many lectures from the HR department on patient confidentiality.

In fact, she even signed an agreement stating that she would protect her patients’ sensitive information, including a clause about maintaining family confidentiality.

Yet, she found herself out of a job when she began snooping in the records of two of her family members after they visited another department.

Both of them had chronic conditions that required revisits to the facility that Ms. P worked at. As a result, Ms. P would check in on her family after each of their visits by taking a peek into their medical files.

One of her coworkers noticed the correlation between her family visiting and Ms. P looking through their medical records and anonymously reported her actions to the facility’s compliance officer.

The officer launched an investigation into Ms. P and determined that she snooped into the files of her family members on 72 different occasions.

Her scenario isn’t common among healthcare organizations. Yet, I retold her story to show you that, although rare, family members can violate HIPAA.

Conclusion

Although HIPAA violations happen often, they don’t usually involve family members.

I’m not trying to say that this type of violation never happens; I’ve explained a few real-world scenarios throughout this blog. Yet, it’s very rare.

When this kind of HIPAA violation occurs, it’s usually the result of a medical professional being a little too curious or making a mistake in their professional judgment. Ultimately, the patient is in the power seat. It’s their personal, protected health information, so they can share as much or as little of it as they want. The organizations and medical professionals, on the other hand, need to keep in mind their patient’s best interests and receive permission.

Think of it this way: patients give their doctors the opportunity to reference their PHI, not own it.