April 25, 2019

QUESTION: One of our medical staff members asked if, under the Health Insurance Portability and Accountability Act (“HIPAA”), he can inform a patient he is currently treating about the cancer history of a former, deceased patient who was a family member of the current patient. The physician believes that this information will assist the patient in making choices about the direction of her treatment. Can he do that?


ANSWER: The HIPAA Privacy Rule protects “individually identifiable health information,” a term defined to include information about an individual’s past physical health condition. A deceased patient’s cancer history therefore falls within that definition. Does the information remain protected after the patient’s death? Yes. The Privacy Rule continues to protect the individually identifiable health information of a deceased individual for 50 years following the date of death. Unless the former patient died more than 50 years ago, the information about that patient’s cancer history is still protected health information under the Privacy Rule.

That being said, it is important that a patient understand his or her family history, including inherited risks for certain diseases and disorders, so that those risks can be addressed proactively. The treating physician’s hands are not completely tied here; he has several options.

First, the physician can rely on the exception in the HIPAA Privacy Rule that permits the use and disclosure of protected health information for treatment. According to guidance issued by the United States Department of Health and Human Services, the treatment exception “allow[s] use and disclosure of protected health information about one individual for the treatment of another individual.”

If the physician is concerned that counseling a patient on a family member’s cancer history does not clearly fall within the definition of “treatment” under HIPAA, he has other options. Most obviously, he can simply ask the patient whether she is aware of any family history of cancer; if she already knows, nothing needs to be disclosed. If she does not, the physician can obtain a written HIPAA authorization from the deceased patient’s personal representative (e.g., the executor or administrator of the estate) before disclosing the information. If the physician cannot obtain a written authorization (for example, because the personal representative cannot be located) or considers that route too burdensome, he can still make treatment recommendations without disclosing the deceased patient’s protected health information. For example, the physician may recommend more frequent cancer screenings based on the family history known to him.

March 8, 2018

QUESTION: We received a subpoena from an attorney requesting the medical records of a patient. The attorney represents the plaintiff in the case, and the patient is the defendant. We are not a party to the litigation and want to comply with the subpoena, but we don’t want to violate the Health Insurance Portability and Accountability Act (“HIPAA”) either. Help!

ANSWER: The regulations implementing HIPAA (the “HIPAA Privacy Rule”) require that certain conditions be satisfied before a covered entity, in this case a hospital, may disclose medical records in response to a subpoena. In short, the hospital must receive “satisfactory assurances” that the patient has been given notice of the subpoena and that either the time for the patient to object has passed with no objection or any objections have been resolved (the Privacy Rule alternatively accepts satisfactory assurances that reasonable efforts have been made to secure a qualified protective order). Until the hospital receives these satisfactory assurances, federal law prohibits it from disclosing the medical records.

State law may also help here. For example, the Pennsylvania Rules of Civil Procedure require a party that intends to serve a subpoena on a non-party (here, the hospital) to serve a copy of the proposed subpoena on every other party to the lawsuit before issuing it, and to file a certificate showing that the other parties were notified. Because the patient is a party to the lawsuit, that certificate is useful evidence that the patient received notice of the subpoena.

So, as the HIPAA Privacy Rule requires, the hospital (or its attorney) should ask the attorney who issued the subpoena for documentation showing that the patient received notice of the subpoena, had an opportunity to object to it, and that either no objection was filed or all objections have been resolved. Once the hospital has that documentation, it may comply with the subpoena.

June 25, 2015

QUESTION: Our hospital would like to develop a “VIP” program by which certain individuals would receive special recognition when they are hospitalized. For example, current or past members of the Board of Directors or other individuals who have served the community might receive a card, flowers or a personal visit. Is such a program acceptable under HIPAA?

ANSWER: HHS has issued no guidance on this topic. However, we believe a VIP program poses little risk under the HIPAA Privacy Rule.

The Privacy Rule permits a hospital to use or disclose protected health information for its own “health care operations.” “Health care operations” is defined broadly to include “general administrative activities,” a phrase that could reasonably be read to include efforts to build and maintain relationships with individuals who are involved in the affairs of the community.

Of course, some hospitalized individuals who are particularly concerned about privacy may complain that the VIP program is not really a health care operation. One way to limit such complaints is to ensure that any patient who has opted out of the facility directory, as the Privacy Rule permits, receives no special recognition. More broadly, dissemination of a patient’s information within the hospital should be limited to those who need to know it for purposes of the VIP program.

Another way to limit complaints is to ensure that a patient’s health information is not disclosed outside the hospital. For example, if flowers or other small gifts are ordered, they should be delivered to an administrator’s office and then redirected to the patient. Patients may expect hospital personnel to know they are hospitalized, but they may object to that fact being shared with the local florist or other merchants.

We are unaware of any enforcement actions involving VIP programs, which may suggest that HHS does not view them as a HIPAA violation. Hospitals that choose to implement such a program should nevertheless do so in a way that protects patient privacy and limits the disclosure of patient information.