June 25, 2015

Our hospital would like to develop a “VIP” program by which certain individuals would receive special recognition when they are hospitalized. For example, current or past members of the Board of Directors or other individuals who have served the community might receive a card, flowers or a personal visit. Is such a program acceptable under HIPAA?

ANSWER:          HHS has issued no guidance on this topic. However, we believe a VIP program poses little risk under the HIPAA Privacy Rule.

The Privacy Rule permits hospitals to use or disclose protected health information for its own “health care operations.” “Health care operations” is defined broadly to include “general administrative activities,” which could reasonably be interpreted to include efforts to build and maintain relationships with individuals who are involved in the affairs of the community.

Of course, some hospitalized individuals who are particularly concerned with privacy may complain that the VIP program does not actually involve health care operations. One way to limit the possibility of such complaints is to ensure that any individual who has opted out of the facility directory, as permitted by the Privacy Rule, does not receive special recognition. More broadly, any dissemination of information within the hospital should be limited to those with a “need to know” for purposes of the VIP program.

Another way to limit complaints is to ensure that the health information of a patient is not disclosed outside of the hospital. For example, if flowers or other small gifts are ordered, they should be sent to an administrator’s office and then re-directed to the patient. Patients may expect hospital personnel to know they are hospitalized, but they may object to that information being shared with the local florist or other merchants.

We are unaware of any enforcement actions involving VIP programs, which might suggest that they are not viewed as a HIPAA violation by HHS. However, hospitals that choose to implement them should do so in a way that protects patient privacy and limits the disclosure of patient information.