Rules and limitations on sharing patient data
In the SecurityMetrics HIPAA Security Rule Report, 84% of organizations believe that they are 80-100% compliant with the HIPAA Privacy Rule. While most healthcare organizations think they are completely compliant with the HIPAA Privacy Rule, organizations don’t always know or follow permitted usage and disclosure practices.
If protected health information (PHI) is used or disclosed improperly, your organization faces severe financial and possible legal consequences. To avoid these consequences, you must understand and establish adequate organizational policies for proper use and disclosure of patient data.
In this white paper, you will learn the basics of acceptable uses and disclosures of patient data, what policies you need to have in place for unique situations, and best practices when using or disclosing PHI.
Before using or disclosing patient data, make sure you understand what information you are allowed to use or disclose as part of normal business practices. You’ll want to first identify what type of healthcare entity you are, then know the difference between various healthcare record sets.
Business Associates Vs. Covered Entities
To know how patient information can be used or disclosed, first understand where your organization fits in with HIPAA requirements.
A covered entity (CE) is a health plan, healthcare clearinghouse, or healthcare provider that electronically transmits health information (e.g., physicians, dentists, pharmacies, health insurance companies, company health plans).
A business associate (BA) is a person or entity that performs certain functions that involve the use or disclosure of PHI (e.g., CPA, IT provider, billing services, coding services, laboratories). Business associates can be from legal, actuarial, consulting, data aggregation, management, administrative, accreditation, and/or financial organizations.
Healthcare Record Sets
There are two basic types of patient records: designated records and legal health records. While these two record sets are fairly similar and are often comprised of identical data, there are slight differences you need to know.
Designated Record Sets
Designated records are medical and/or billing records that are maintained by or for a covered entity. These records are often used in part or whole to make patient care decisions. Designated record sets:
- Support an individual’s right of access
- Contain stored PHI
- Are directly used in documenting healthcare status
- Are often housed in multiple systems and/or
Designated record sets also include information about amendments, restrictions, and authorized access to patient data.
Legal Health Records
Legal health records act as an organization’s official business and legal record, and they contain information about services provided by a healthcare provider to a patient.
While legal health records often contain PHI similar to designated record sets, legal health records are used for different purposes. Specifically, legal health records are used to document and defend an organization’s care decisions.
Legal health records are often used for the following additional purposes:
- Assist and inform an organization’s internal business decisions (e.g., administrative decisions)
- Support decisions that were made in a patient’s care
- Support revenue sought by third-parties
- Legally document the services and treatment provided to patients (e.g., caregiver’s decisions)
Legal health records typically contain less patient information than designated record sets.
Uses and Disclosures Of PHI
Before using or sharing patient data, you need to learn exactly how you are allowed do so, and then you should establish detailed policies and procedures surrounding acceptable use and disclosure.
For example, you are required to disclose PHI in the following instances: if individuals (or their representatives) request this information or if the Department of Health and Human Services (HHS) undertakes a compliance investigation or review.
You are allowed (though not required) to use and disclose PHI without an individual’s authorization under the following situations:
- PHI is disclosed directly to a patient
- PHI is used for treatment, payment, or healthcare operations
- PHI is incidentally used and disclosed (e.g., lobby communication with patients during emergency situations)
- PHI is used or disclosed for any of the 12 national priority purposes, including:
  - Required by law
  - Public health activities
  - Victims of abuse, neglect, or domestic violence
  - Health oversight activities
  - Judicial and administrative proceedings
  - Law enforcement purposes
  - Cadaveric organ, eye, or tissue donation
  - Serious threat to health or safety
  - Essential government functions
  - Workers’ compensation
However, there are several exceptions to this rule. For example, organizations can use or disclose patient data for research purposes without patient authorization if they follow approved research procedures. Also, you typically must receive patient authorization to use and disclose PHI for marketing purposes, unless it fits within HIPAA-allowed use and disclosure exceptions.
There are also likely other exceptions based upon what type of organization you are, specifically for business associates and subcontractors.
Authorization for Release of PHI
Types of disclosures that require patient authorization are:
- Psychotherapy notes (unless for treatment, payment, or healthcare operations)
- Marketing (except for face-to-face communications)
- Sale of PHI
- Any other type of disclosure that is not incidental, for treatment, payment, or healthcare operations, for public health activities, to the Secretary of HHS, or required by law
Although an individual can authorize release of PHI for any reason, organizations should not establish normal business practices that require an individual’s authorization. Organizations may not require a patient to sign authorizations as a condition of:
- Treatment (unless the treatment is creating PHI required by an authorized third party, such as court requests)
- Enrollment in a health plan (unless the request is made prior to enrollment and is for underwriting or risk determination, not use of psychotherapy notes)
- Eligibility of benefits
Individuals can revoke authorizations in writing at any time. However, if a covered entity has already released information based on the original authorization, the revocation wouldn’t apply. Also, if the original authorization was obtained as a condition of gaining insurance, revocation wouldn’t be possible because the insurer has a right to use this information to contest a claim or the policy.
An authorization to release PHI must contain the following information:
- A description identifying the specific information to be used
- Employees’ names (or job roles) authorized to make the disclosure
- Individual’s name or organization to whom the disclosure is being made
- A description of each purpose for the disclosure
- An expiration date relating to the individual or disclosure’s purpose
- An individual’s signature and signature date
Use and Disclosure Restrictions
Organizations aren’t allowed to use or disclose patient data outside of what is permitted or required. However, there are also specific instances where you are not allowed to use or disclose patient data.
First, you aren’t allowed to sell patient data, unless complying with requirement §164.508(a)(4). Sale of patient data means PHI disclosure by a covered entity or business associate, where they directly or indirectly receive compensation from or on behalf of whoever received the PHI.
Selling PHI does not include disclosure when used under the following example circumstances:
- For public health purposes
- For research purposes (where compensation is a reasonable fee that covers the cost of PHI preparation and transmission)
- For treatment and payment purposes
- For the sale, transfer, merger, or consolidation of all or part of a covered entity
- To or by a business associate for services undertaken on behalf of a covered entity
- To an individual
- When required by law
Next, you aren’t allowed to use or disclose genetic information for underwriting purposes (regarding a health plan). Exceptions to this restriction are if this information will help determine:
- Benefits, coverage, or deductible changes (e.g., deductible changes by completing a health risk assessment)
- Premium or contribution amounts (e.g., discounts for activities participating in a wellness program)
- Application of pre-existing condition exclusion
- Other activities related to the creation, renewal, or replacement of health insurance or benefits
Special Uses and Disclosures Situations
In this section, we’ll discuss several common situations with specific use and disclosure requirements. However, there are many more exceptions and situations that can affect how your organization uses and discloses patient data. Make sure to receive professional assistance to help you with your specific environment.
Research
Unlike other purposes for patient data usage, patient data can be used or disclosed without patient authorization if it’s for research purposes.
However, if you do disclose patient data without authorization, you must follow the Institutional Review Board (IRB) or Privacy Board Waiver conditions, which dictate research committees and how research can be performed.
With 16 different regulatory codes defining proper IRB establishment, compliance with the IRB standards can be tricky. But if you follow research basics, you should be fine.
First, make sure that your IRB has at least 5 research members from a variety of professional backgrounds, which allows for adequate review of the research activities. Specifically, one member’s primary concern should be in scientific areas, another in non-scientific areas, and another should not be affiliated with the organization, nor a family member of a person connected with the organization.
Board members should be knowledgeable with:
- Institutional commitments
- Applicable law
- Standards of professional conduct and practice
To meet the waiver requirements for authorization, follow all IRB requirements. For example, you need to document the IRB and the date when the waiver was approved. Include a brief description of the PHI that is necessary. You also need a statement that the waiver meets the following requirements:
- The use or disclosure of PHI involves no more than minimal risk to an individual, including:
  - A plan to protect identifiers from improper use or disclosure
  - A plan to destroy identifiers (unless there’s a health, research, or legal justification for data retention)
  - Written assurances that PHI will not be re-used or disclosed, unless required by law
- The research couldn’t be feasibly conducted without the waiver
- The research couldn’t be feasibly conducted without access to and use of PHI
Your waiver should also include a statement that the waiver has been approved under normal or expedited procedures, including the signature of the IRB chair (or chair-designated member).
Before starting research, the researcher must state, orally or in writing, that PHI is sought only to establish a research protocol and that no PHI will be removed from the covered entity.
If the research involves deceased individuals, the researcher must explain orally or in writing that PHI is sought only for research on deceased individuals and is necessary for that research. As a covered entity, you can ask the researcher to provide information about the individual whose information is being sought and how they died.
PHI should be part of a limited data set with a proper data use agreement set in place. However, PHI can also be disclosed for research purposes with patient authorization.
Directory Information
Patients must be notified of your intent to use PHI in directory information and they must be given an opportunity to object to being part of the directory. Notification happens at first encounter and inside your Notice of Privacy Practices (NPP), and includes what information will be kept and to whom it can be disclosed.
In emergency circumstances, the opportunity for patients to object can be bypassed, but only if it follows (i.e., is consistent with) a previously expressed permission or is in the patient’s best interest (which is determined by their healthcare provider).
Example directory information:
- Location within the facility
- Condition in general terms that doesn’t relay specific medical information
- Religious affiliation
Directory information can be disclosed to clergy members or other individuals who ask for the patient by name.
Marketing
If you use or disclose patient data for marketing purposes, you need to gain patient authorization. HIPAA defines marketing as “communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”
There are a few exceptions to this rule:
- Refill reminders or information about a prescribed drug
- Treatment by healthcare providers (e.g., alternative treatments, therapies, providers, settings of care)
- Health-related product or service provided by or part of a benefits plan (e.g., participating in a health plan or network, enhancing current health plan or network)
- Case management or care coordination
If financial payment is received from a third party for making the communication, then patients need to give authorization to contact or market to them (with the exception of refill reminders and if payment covers only the communication cost). If a third party is involved with financial payment, your authorization must say so.
Fundraising
Using or disclosing patient data for fundraising purposes requires patient notification and allowing them an opportunity to object. Your notification must be included in your NPP.
All communication must provide individuals with an opportunity to object, and objecting must not cause individuals undue burden or cost. Covered entities may not condition treatment or payment on the decision to agree or object to the communications. An individual’s decision to object must be honored, though you are allowed to let individuals opt back in to fundraising.
A covered entity can use or disclose the following information to a business associate (or similar organization) to raise funds for its own benefit:
- Patient demographic information (e.g., name, address, contact info, age, gender, birth date)
- Dates of healthcare provided
- Department of service
- Treating physician
- Outcome information
- Health insurance status
When using or disclosing PHI for fundraising purposes, individuals must be allowed an opportunity to object.
Uses and Disclosures Best Practices
When covered entities or business associates use, disclose, or request PHI to or from one another, they should follow the minimum necessary requirement. Minimum necessary is the principle to limit PHI access to only those who need to see that specific PHI to do their jobs.
For example, a receptionist (or someone who doesn’t provide direct patient care) probably doesn’t need to see the X-rays of a patient to do their job.
Start your minimum necessary policy by identifying people or job roles that require PHI access to perform their jobs. Next, identify and document what type(s) of PHI each group needs access to and what are appropriate access conditions. Establish policies to limit employee PHI access to their identified and approved types of PHI.
The easiest way to take charge of the data is by creating individual user accounts on a network. In the ideal scenario, each user account in a network, EHR/EMR, or computer system, would be given specific privileges based on their job title or a user’s role.
For example, a doctor’s privilege would get access to all PHI in their patient database because they need access to do their job, while an IT administrator would have restricted access to PHI because they’re not involved with patient care.
The minimum necessary also applies to PHI disclosed externally with business associates and subcontractors. Organizations are required to limit how much PHI is disclosed based on job responsibilities and nature of the third party’s business.
Both covered entities and business associates need to be careful about how much data they send, receive, and request.
To avoid these issues, covered entities and business associates should assess their responsibilities concerning minimum necessary data accordingly:
- Covered entity responsibility: determine what data is the minimum necessary to send, and then only send that data and nothing else.
- Business associate responsibility: only request, accept, and use the minimum necessary data.
On the other hand, minimum necessary does not apply in the following circumstances:
- Disclosure to or request made by a healthcare provider for treatment
- Uses or disclosures made to the patient
- Uses or disclosures that a patient has authorized
- Disclosures made to the Secretary of HHS
- Uses or disclosures required by law
- Uses or disclosures required by other HIPAA regulations
By limiting PHI access to the smallest number of people possible, the likelihood of a breach or HIPAA violation decreases significantly.
Using and Disclosing De-Identified PHI
If you need to use patient data for research, public health, or healthcare operations, you need to properly de-identify PHI. De-identifying PHI means that you need to remove all information that could identify an individual, such as the 18 PHI identifiers, which are:
- Geographic information (e.g., address, city, county, zip code, precinct)
- Dates related to an individual (e.g., birth date, admission date, discharge date, death date, all ages over 89)
- Phone number
- Fax number
- Social security number (SSN)
- Medical record number
- Health plan beneficiary number
- Account numbers
- Certificate/license numbers
- VIN and license plate numbers
- Device IDs and serial numbers
- IP address
- Biometric identifiers (e.g., fingerprints, voiceprints)
- Full face photos and comparable images
- Any other unique number, characteristic, or code
Once PHI has been adequately de-identified, it is no longer protected by the HIPAA Privacy Rule. This means that you can disclose this information to anyone without authorization.
However, codes and other information used to re-identify de-identified PHI are themselves considered PHI if disclosed. Such codes are not considered PHI only if they are not derived from, and cannot be used to identify, individuals without the re-identification mechanism, and that mechanism is not disclosed.
You can also use a limited data set without patient authorization for the following purposes: healthcare operations, research, or public health. A limited data set is similar to de-identified data, except the limited data set can include the following information:
- Geographic subdivisions smaller than a state
- Elements of date except for year (e.g., birth date, admission date, death date, discharge date)
- Ages over 89 and dates indicative of such age
- Other unique identifying numbers, characteristics, or codes
But if you disclose limited data sets outside of your organization, your organization needs to have a data use agreement in place with the entity receiving this data. Your data use agreement must include:
- Permissible uses and disclosures
- Authorized parties/organizations
- Duty to safeguard PHI
- Duty to report security incidents/impermissible disclosures
- Agreement to not identify or contact the individuals referred to in the data
If this outside organization is one of your business associates, then your business associate agreement (BAA) can be used as a data use agreement.
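The following script, added here as an illustration and not taken from the white paper or from SecurityMetrics, scrubs a constructed patient record two ways: into a Safe Harbor de-identified record per the identifier list above, and into a limited data set that keeps the extra elements the text allows. Field names, the reference date and the sample values are assumptions.

```python
"""Scrub constructed patient records into (a) a Safe Harbor de-identified
record and (b) a limited data set, following the identifier lists above.
Added example, not SecurityMetrics code; field names are assumptions."""
import re
from datetime import date

# Fields holding identifiers the paper lists; both outputs drop them outright.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "ssn", "mrn", "health_plan_id", "account_no",
    "license_no", "vin", "device_serial", "ip_address", "biometric", "photo",
}
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")
# Free-text fields can embed identifiers; these patterns catch the obvious ones.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]
AS_OF = date(2024, 1, 1)  # constructed reference date for age calculation


def age_on(birth, as_of):
    """Whole years between birth and as_of."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def scrub_text(text):
    """Replace identifier-looking substrings in free text with a tag."""
    for pattern, tag in TEXT_PATTERNS:
        text = pattern.sub(tag, text)
    return text


def de_identify(rec, as_of=AS_OF):
    """Safe Harbor form: direct identifiers, geography below the state and every
    date element except the year are removed; ages over 89 collapse to '90+'
    and the birth year goes with them, since it would reveal the age."""
    out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
    for geo in ("street", "city", "county", "zip"):
        out.pop(geo, None)
    for f in DATE_FIELDS:
        d = out.pop(f, None)
        if d is not None:
            out[f.replace("_date", "_year")] = d.year
    age = age_on(rec["birth_date"], as_of)
    if age > 89:
        out.pop("birth_year", None)
        out["age"] = "90+"
    else:
        out["age"] = age
    if "notes" in out:
        out["notes"] = scrub_text(out["notes"])
    return out


def limited_data_set(rec):
    """Limited data set: city/state/zip, full dates and exact ages may stay, but
    direct identifiers and the street address still go. Release it only under
    a data use agreement, as the text requires."""
    out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
    out.pop("street", None)
    if "notes" in out:
        out["notes"] = scrub_text(out["notes"])
    return out


# Constructed sample record; every value is fictional.
SAMPLE = {
    "name": "Pat Example", "ssn": "123-45-6789", "mrn": "MRN-000777",
    "phone": "555-010-0123", "street": "1 Main St", "city": "Springfield",
    "county": "Clark", "state": "OH", "zip": "45501",
    "birth_date": date(1931, 6, 15), "admission_date": date(2023, 3, 2),
    "discharge_date": date(2023, 3, 9), "diagnosis": "pneumonia",
    "notes": "Family contact 555-010-0124; prior SSN 123-45-6789 on file.",
}
```

The regex pass over free text is a safety net, not a substitute for reviewing notes fields, which can carry names and other identifiers no pattern will catch.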
Accounting of Disclosures
Individuals can request an accounting of your disclosures of their PHI made in the last 6 years. They are allowed to receive one free accounting per year, but after this request, organizations can charge individuals a fee based on the cost of time and material used to provide this accounting.
You need to provide this accounting within 60 days of the request, unless you receive a 30-day extension by providing the individual a written statement explaining your reasons for the delay and when to expect your disclosure information.
Your accounting of disclosures must include:
- Date of disclosure
- Frequency or number of disclosures made
- Name and address of entity or person who received the PHI
- Description of the PHI disclosed
- Statement describing the purpose of the disclosure
If PHI disclosures were made for research purposes and involved data from more than 50 individuals, make sure to include:
- Name of research activity
- Description of the research’s purpose and criteria used for selecting records
- Description of the PHI disclosed
- Date of disclosure period
- Name, address, and phone number of organization that sponsored the research
- Statement that an individual’s PHI may or may not have been disclosed for a particular protocol or other research activity
However, covered entities don’t have to provide an accounting of disclosures when healthcare practice and/or information:
- Did not require specific notification, authorization, or an opportunity to object (e.g., treatment, payment, healthcare operations)
- Was sent to the patient
- Was sent to business associates
- Received formal authorization from the patient
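The gate below, an added example that is not from the white paper or from SecurityMetrics, ties the minimum necessary section and this accounting section together: it limits what each role may receive by purpose, skips the limit for the purposes the text exempts, and records the fields an accounting of disclosures must contain for external disclosures that are not exempt. The roles, field groups and purpose names are assumptions.

```python
"""A disclosure gate that applies the minimum necessary rule by role and purpose,
and records the fields an accounting of disclosures must contain. Added example,
not SecurityMetrics code; roles, field groups and purposes are assumptions."""
from dataclasses import dataclass, field
from datetime import date

# Field groups each role needs for its job (an assumed minimum necessary policy).
ROLE_FIELDS = {
    "physician": {"demographics", "clinical", "imaging", "billing"},
    "receptionist": {"demographics", "scheduling"},
    "billing_clerk": {"demographics", "billing"},
    "it_admin": set(),  # maintains systems, is not involved in patient care
    "ba_coding_vendor": {"clinical", "billing"},
    "public_health_authority": {"demographics", "clinical"},
}
# Purposes for which the text says minimum necessary does not apply.
MIN_NECESSARY_EXEMPT = {
    "treatment", "to_patient", "patient_authorized", "to_hhs_secretary", "required_by_law",
}
# Disclosures the text says need not appear in an accounting of disclosures.
ACCOUNTING_EXEMPT = {
    "treatment", "payment", "operations", "to_patient", "to_business_associate",
    "patient_authorized",
}
TODAY = date(2024, 1, 1)  # constructed date for the sample calls


@dataclass
class AccountingEntry:
    """One line of the accounting an individual may request for the last 6 years."""
    disclosed_on: date
    recipient: str      # name and address would both be recorded in practice
    description: str    # which PHI was disclosed
    purpose: str


@dataclass
class DisclosureGate:
    accounting: list = field(default_factory=list)

    def release(self, role, purpose, requested, recipient, on=TODAY, external=False):
        """Return the field groups that may be released; an empty set is a denial.
        External disclosures that are not exempt are appended to the accounting."""
        if purpose in MIN_NECESSARY_EXEMPT:
            granted = frozenset(requested)  # the text: minimum necessary does not apply
        elif role not in ROLE_FIELDS:
            return frozenset()              # unknown requester: deny by default
        else:
            granted = frozenset(requested) & frozenset(ROLE_FIELDS[role])
        if granted and external and purpose not in ACCOUNTING_EXEMPT:
            self.accounting.append(
                AccountingEntry(on, recipient, ", ".join(sorted(granted)), purpose))
        return granted
```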
Business Associate Agreement
The 2013 HIPAA Final Omnibus Rule requires covered entities to implement or update a business associate agreement (BAA) for all relationships wherein the business associate creates, receives, maintains, and/or transmits electronic patient information.
In these new or revised BAAs, covered entities, business associates, and subcontractors agree to share responsibility for patient data protection and breach notification. Here are a few examples of what should be included in your business associate agreement:
- A minimum necessary policy: Business associates should not use more patient data than necessary
- Business associate’s permitted use of PHI: PHI only used to perform service for covered entity, unless assurances of confidentiality are obtained or required by law
- Prohibited use of PHI: Anything not expressly permitted or that is expressly prohibited cannot be used or disclosed by the business associate or subcontractor
- Termination provisions: Conditions for termination and policies on how PHI should be protected, returned, or destroyed upon termination of contract
Whether compromised from within your system or a business associate’s system, your organization can be liable for up to $50,000 per violation per day as a result of any breach of your patient data. This is just HHS penalties. This doesn’t include civil action, cost of mitigation, and loss of patient trust that may come after a breach.
With these consequences in mind, remember that you should only share minimal need-to-know data with your business associates, and regularly validate that they are following HIPAA requirements to properly handle PHI.
If a covered entity terminates a business associate contract, the business associate needs to follow the termination clause. Basically, a business associate needs to make sure that any PHI it has received, created, or maintained is:
- Returned to the covered entity
- Protected by adequate safeguards and security
- Not used or disclosed
- Permanently deleted
Remember that HIPAA regulations require you to take action if you know or believe a business associate is not HIPAA compliant.
Patient data usage and disclosure can be complex, with numerous exceptions to regulation on acceptable and restricted usage or disclosure of PHI. You’ll want to regularly review, analyze, and alter how your organization uses or discloses patient information.
Remember, your overall goal should be to limit the amount of PHI that your organization uses, discloses, or requests to the absolute minimum necessary to accomplish an intended purpose. Extend this philosophy to how much and what types of PHI your organization creates as well.
We help customers close security and compliance gaps to avoid data breaches. Our forensic, penetration testing, and audit teams identify best security practices and simplify compliance mandates (PCI DSS, HIPAA, HITRUST, GDPR). As an Approved Scanning Vendor, Qualified Security Assessor, Certified Forensic Investigator, we have tested over 1 million systems for security.