Your Health Information in Government Hands- the HIPAA Rule

In October Congress passed the Patients and Communities Act; bipartisan legislation to confront our nation’s opioid crisis on a Federal level. One of the key issues in drafting the law was how a physician or other provider could share information about a patient’s opioid use.

Those advocating greater privacy protections won (on sharing records between providers) but at the same time the new law enhances reporting to state government entities called Prescription Drug Monitoring Programs (PDMPs).

Watching that debate- and reading posts from people concerned about their privacy- left me with a more basic question: Do people know how often their medical information is already shared with the government- federal, state and local- without their notice or consent?

Disclosures Permitted Under the HIPAA Privacy Rule

I am sure all of you readers are aware of HIPAA and know that it protects your health information. But do you know that it doesn’t protect all your information all the time?

There are three kinds of disclosures under HIPAA:

Permissive Disclosures are the most frequent and usually involve sharing your medical records for treatment- such as when one of your doctors sends your information to another doctor taking care of you (ex: your Family Physician sends your chart to the cardiologist she referred you to.) Permissive disclosures also include sharing your information to get your provider paid for caring for you (ex: sending your records for an office check-up to your insurance company), as well as sharing your information in operating their office or facility (ex: your chart is on the frozen computer screen seen by the IT support person who is fixing the system.) Permissive disclosures do not require your permission– these are all disclosures you already permitted (hence the name) when you signed the acknowledgment of the office Privacy Practices.

Authorized Disclosures, on the other hand, can only occur with your specific, written permission. The Authorization form must include multiple components required under HIPAA. An authorization is required any time your information is shared for a reason other than treatment, payment or operations– but the two most common times Authorization is required are to release mental health records (records created by your Psychiatrist, Psychologist, or Licensed Counselor) or for marketing purposes (ex: the hospital wants to include you in their marketing materials).

Mandatory Disclosures are the third type of disclosure under HIPAA, and the focus of this Fontenotes. These disclosures occur when a provider (such as your doctor or your hospital) sends your health information to a government entity.

Mandatory Disclosures of Your Health Information

There are 12 “national priority purposes” that may result in a government entity obtaining your health information from one of your providers (depending on the purpose the entity may be a local authority, part of your state administration, or the federal government). Every one of these disclosures will happen without a requirement to notify you or your consent. You could not stop these disclosures if you wanted to.

The categories of Mandatory Disclosures are as follows:

  1. Disclosures Required by Law: these are disclosures of your records by your provider because they are required to do so by law- a catchall provision in addition to the many listed here;

  2. Public Health Activities: all states have reporting statutes for infectious diseases for public health reasons, many states also have reporting laws for types of injuries (such as those involving firearms); there are reports required for FDA regulated products (such as a defective drug), as well as OSHA reporting requirements for work-related injuries;

  3. Victims of Abuse, Neglect or Domestic Violence: health care providers are required to report their suspicion of any of these causes under state law- the standard applied is not that they are correct in their concern, but that they are notifying authorities in good faith;

  4. Health Oversight Activities: your records could be audited as part of the constant surveillance to assure proper use of government funds
    in health care (i.e., searching for potential Fraud) or other oversite activities;

  5. Judicial Administrative Proceedings: your provider must release your records to answer a subpoena, a court order, or as required as part of a lawsuit or other judicial process;

  6. Law Enforcement: This category incorporates many situations, including sharing information in your record to identify or locate a suspect or fugitive, to alert authorities of a suspicious death, or when your chart constitutes evidence of a crime;

  7. Decedents: your information may be given to a coroner, medical examiner, or a funeral home;

  8. Cadaveric Organ, Eye, or Tissue Donation: your information may be shared to facilitate the donation and transplantation of your organs, eyes, and tissue (all which does require your prior consent or that of your loved ones);

  9. Research: another broad category- in sum HIPAA does allow sharing your information for purposes of research, but it happens- in most cases- in a de-identified manner. No one should be able to trace any data back to you;

  10. Serious Threat to Health or Safely: sharing your health information is necessary to prevent or lessen a serious and imminent threat to a person or the public, or it is needed to identify or apprehend an escapee or violent criminal;

  11. Essential Government Functions: another big category but highlights include sharing your information to prevent or lessen a serious and imminent threat to a person or the public; conducting intelligence and national security activities that are authorized by law, and providing protective services to the President (my personal favorite);

  12. Workers’ Compensation: your provider can share your medical records to help your employer comply with Workers’ Compensation requirements and other work-related-injury benefit programs.

These disclosures are not bad per se– I expect they will make sense to most of you.

My purpose here is not to protest- just inform.

Putting Opioid Reporting in Context

Drug addiction and addiction treatment are particularly confidential matters. The higher protections offered for medical records related to substance abuse treatment under both HIPAA and the new Patients and Communities Act reflect the sensitivity of this information.

I know there are some affected by the opioid crisis who do not want their information in any government entity’s hands. If nothing else, perhaps I can convince those of you who might agree with that concern that it is a futile fight.

In an odd way I hope that is helpful news.

Want to Know More?

The tracking of opioid prescription and use is essential to control opioids in our communities. Prescription Drug Monitoring Programs (PDMPs) are programs which allow states to do just that (and date back to 1918!). PDMPs should not conflict with appropriate medical use, but are “one of the most promising tools available to address prescription drug misuse, abuse, and diversion” [quote] Frequently Asked Questions about PDMPs are available here.

HIPAA is a law that continues to cause confusion 14 years after it came into effect. Many people in the general public have been led to believe that the law prevents them from sharing medical information about others, even it is well-intended. If you would like to know whether HIPAA protections extend to casual friends and office-mates, please take a look at Fontenotes #36: “Can You Sign that Get Well Card?” (Spoiler Alert! Sign the Card!).