A byproduct of the ever-increasing hyper-regulation of the practice of medicine is that practitioners have become more attuned to their absolute obligations towards patients’ privacy. One such obligation relates to the use and disclosure of patients’ identifying information and health records — designated “Protected Health Information”-by “covered entities” including healthcare practitioners and health plans. In establishing a set of national standards, the Department of Health and Human Services issued the socalled Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
By now, surely all healthcare practitioners are aware of HIPAA as well as the general notion that significant measures are required to be undertaken in order to protect a patients’ Protected Health Information. They are also aware that, in many instances, the utilization and disclosure of Protected Health Information is necessary to promote quality healthcare and protect the well-being of the general public. Given the complexity and unpredictable nature of healthcare delivery today, the Privacy Rule seeks to protect the necessary utilization of Protected Health Information and disclosures while protecting a patient’s legitimate right to privacy.
Walking this line has become a daily challenge for healthcare practitioners. A common dilemma arises when one healthcare practitioner discloses (for whatever reason) a patient’s Protected Health Information to another. In making such disclosures, a practitioner must determine if it is permitted under the Privacy Rule and if the patient’s consent (whether written or verbal) must be obtained. As a hypothetical example, let’s assume two healthcare practices (one an ophthalmology practice and the other an optical specialty practice) are both owned by the same principal physicians. Both practices are run under distinct corporate entities, have separate tax identification numbers and submit claims for reimbursement for only the respective services it provides. Also suppose that the practices happen to be physically located in the same office space and participate in the same managed care plans.
Can these practices share/exchange Patient Health Information between them without the consent of the patient? According to the Privacy Rule, if such disclosure is intended to further the “treatment activity” of the other Covered Entity, it is permitted and the patients’ consent is not required.1 Specifically, § 164.506 of the Privacy Rule sets forth that:
” … [a] covered entity may use or disclose protected health information, for treatment, payment, or health care operations”, § 165.5 06 (a); and
“A covered entity may disclose protected health information for treatment activities of a health care provider.”, §165.506(c)(2).
Despite the Privacy Rule’s protections, healthcare practitioners are encouraged to include disclosures in their Notice of Privacy Practices (“NPP”), advising patients that Protected Health Information may be disclosed without consent in certain limited circumstances. As mandated by HIPAA, practitioners must develop a NPP and provide an opportunity for each new patient to review the same.2 If a new patient declines to view the NPP, it is advisable to have he/she sign a statement confirming their decision. Practitioners are also encouraged to consider possible Stark Law and Anti-Kickback issues that often arise in circumstances where practices share principals and financial interests.
1 Pursuant to New York State law, a patients’ consent in such a scenario is implied and, likewise, is not required to be obtained.
2 A model NPP is published in the “Legal Resources” section of the Kern Augustine, P.C. website at www.drlaw.com.