Even if you mean no harm and believe the patient will never find out, it is still a violation of the person's privacy. Before discussing anything that might reveal a client's protected health information (PHI), you must obtain their express written authorization. Even if you're requesting a testimonial. Even if they pay you for it.
Furthermore, if a patient asks that their medical record be kept private, you cannot disclose its contents to anyone else without the patient's authorization. Even if they fail to pay you for your services or tell you they no longer need your help. Even if a third party asks you to. Even if that third party threatens legal action if you don't.
In addition, HIPAA permits disclosures that other laws require (45 CFR 164.512(a)), such as mandatory reporting of suspected child abuse or neglect and reporting of certain communicable diseases to public health authorities. Suspected drug or alcohol abuse is not such a case: there is no general duty to report it, and records of substance use disorder treatment receive additional protection under 42 CFR Part 2. Nor does HIPAA oblige a physician to ask about or record a patient's immigration status; if it is recorded, it is PHI and may be disclosed only on the same terms as any other PHI.
The bottom line is this: outside of treatment, payment and health care operations, saying that someone is your patient is acceptable only if they give you written authorization to do so. If they don't want others knowing about their condition or treatment, don't tell others. And if they ask you not to tell, then don't.
The HIPAA Privacy Rule, 45 CFR 164.510(b), expressly allows a covered entity to disclose to a spouse, family member, friend, or other person identified by the patient the PHI that is directly relevant to that person's involvement in the patient's care or payment for care, provided the patient has been given the opportunity to object and has not. When the patient is not present or is incapacitated, the provider may use professional judgment to decide whether the disclosure is in the patient's best interest.
A spouse has no automatic authority to release the other spouse's health information. A husband could release his wife's medical records only if he is her personal representative, for example under a health care power of attorney while she is unable to make her own decisions (45 CFR 164.502(g)); within the scope of that authority, the Privacy Rule then treats him as it would the patient herself.
When a record concerns two patients, for example a couple treated together, a provider must obtain authorization from each patient before releasing information about them. If one patient refuses, the provider may release nothing from which that patient's identity can be ascertained: either withhold the material entirely, or remove every detail that could identify the non-consenting patient before releasing the rest.
In addition to federal law, each state has its own privacy laws that may apply to spousal disclosures, and where a state law is more protective than HIPAA, the state law controls. In California, for example, the Confidentiality of Medical Information Act permits disclosure of medical information without the patient's authorization only for a purpose the statute allows, such as treatment, payment, and health care operations.
With few exceptions, HIPAA allows a health care provider to disclose PHI from an individual's medical record to another provider for treatment, case management, and coordination of care, and it treats most mental health information the same as other health information. The main exception is psychotherapy notes, which require the patient's written authorization for almost all disclosures (45 CFR 164.508(a)(2)). For purposes other than treatment, payment, health care operations and the specific permissions in the rule, a provider must obtain authorization from the patient or the patient's personal representative before disclosing PHI.
HIPAA regulates covered entities, not law enforcement agencies, but it does limit what a provider may hand over to them. Under 45 CFR 164.512(f), a provider may disclose PHI to law enforcement only in defined circumstances, such as in response to a court order or warrant, to identify or locate a suspect or missing person, or to report a crime on the premises. A provider may also share PHI about an individual in custody with a correctional institution when it is needed for that person's or others' health and safety (164.512(k)(5)). Disclosures in judicial proceedings need a court order, or a subpoena accompanied by satisfactory assurances that the patient has been notified or that a protective order has been sought (164.512(e)). Outside these cases the information stays protected.
Health care providers must also protect information they receive during meetings with patients' families to discuss treatment options or to inform them of important developments in their loved one's care. What the provider shares in such a meeting is governed by the rule on disclosures to family and friends (45 CFR 164.510(b)), and anything recorded from the conversation is part of the patient's PHI. Notes on these discussions belong in the patient's record and are retained for as long as state law requires for medical records; HIPAA's own six-year retention rule (164.530(j)) covers compliance documentation such as policies, authorizations and accountings of disclosures, not the medical record itself.
Finally, health care providers must protect information they use when conducting audits such as quality assurance reviews and program evaluations; these are health care operations and need no separate authorization. Research is different: PHI may be used for research only with the patient's authorization, with a waiver from an IRB or privacy board, or in de-identified form or as a limited data set under a data use agreement (45 CFR 164.512(i), 164.514).
HIPAA Privacy Rule Exceptions for Disclosure of PHI Without Patient Authorization
Does discussing a case without the patient's name still risk a violation? Some argue no, but in actuality, yes, because the remaining details may still be used to identify someone; the Privacy Rule's safe-harbor standard requires removing eighteen categories of identifiers, including dates and geographic detail, before data counts as de-identified (45 CFR 164.514(b)). Protect your patients' privacy and your reputation, even if it means upsetting colleagues for a few days.
Hospitals have a legal duty to protect the confidentiality of their patients, and may not release information about you or a family member except as the Privacy Rule permits or you authorize. You will be asked to sign an acknowledgement that you received the hospital's Notice of Privacy Practices (45 CFR 164.520); read the notice carefully, because it describes how your information may be used, and some of it may not be obvious until later. Uses the notice does not describe, such as using patient lists to send gifts or uploading records to outside services, are not authorized by that signature; unless the rule otherwise permits them, they need a separate written authorization (164.508).
The HIPAA Privacy Rule protects medical records from being shared with unauthorized parties. If a hospital discloses your information in ways the rule does not allow, for example selling your records, which requires your written authorization (45 CFR 164.502(a)(5)(ii)), or leaving them where anyone can read them, it has violated the rule and is subject to civil penalties. Confirming that someone is in the hospital is treated differently: the facility directory provision (164.510(a)) lets a hospital tell a person who asks for the patient by name the patient's location and general condition, unless the patient has opted out. Saying what treatment the patient had, such as surgery, goes beyond the directory and is a disclosure that needs its own permitted basis.
The Privacy Rule permits covered health care providers to communicate with their patients electronically, such as by e-mail, as long as they apply reasonable safeguards, for example confirming the address and limiting the detail in the message. A patient may ask to be contacted by a particular means or at a particular address (45 CFR 164.522(b)), and a provider must accommodate a reasonable request; if a patient asks not to receive health information by e-mail, the provider must honor that preference.
The Privacy Rule's requirements do not change with the medium: an electronic communication with a patient is subject to the same limits on content and recipients as a paper letter, and electronic PHI in transit must additionally be protected under the Security Rule's technical safeguards (45 CFR 164.312). All parties should understand their rights and responsibilities under HIPAA, including the patient's right to decline electronic communication altogether.
If you have any questions regarding HIPAA and its effect on your business, please do not hesitate to contact us.
HIPAA does not prohibit you from researching your patients online. Rather than submitting a patient's information, you are only reading what is already posted. Still, while searching the web for a patient's background is not unlawful, it should not be taken lightly. Information found online may be inaccurate or incomplete; if you have doubts about something you find, verify it before acting on it rather than treating the posting as authoritative.
Protected health information, including patient names and identifying numbers, is protected by law, but HIPAA's reach is limited to covered entities (health care providers that transmit health information electronically for standard transactions, health plans, and health care clearinghouses) and their business associates. Health insurers are health plans and are therefore covered. What HIPAA does not reach is health information held by organizations outside that set, such as an employer's own personnel records or a consumer app, or the security practices a business applies to data that is not PHI.
HIPAA's Security Rule also requires that electronic PHI be protected against loss, theft and improper access through administrative, physical and technical safeguards (45 CFR 164.308 through 164.312), which in practice means storing it where access is limited to those who need it for their job, in line with the minimum-necessary standard. HIPAA sets no fixed deadline for destroying PHI; it requires that PHI no longer needed be disposed of so that it cannot be read or reconstructed, and that whatever is kept remain secured for as long as it is kept.
Healthcare organizations that violate HIPAA face civil penalties of up to $50,000 per violation, adjusted annually for inflation, with an annual cap for identical violations. Individuals who believe their rights were violated may file a complaint with the HHS Office for Civil Rights, generally within 180 days of learning of the violation. HIPAA itself gives individuals no right to sue, but if someone accessed your medical record without permission, a lawyer can tell you what claims may be available under state law.