Healthcare providers often limit unnecessarily their ability to use or disclose protected health information without the patient’s consent, thereby increasing their potential liability for unauthorized disclosures. For example, providers often:
- Tell the patient that the provider will only disclose the patient’s information to those persons identified by the patient, thereby precluding disclosures to others who are not identified.
- Ask the patient to list those to whom the provider may disclose information, thereby expressly or impliedly suggesting that they will not disclose information to others.
- Ask that the patient authorize disclosures to payers and/or other providers, thereby expressly or impliedly agreeing that they will not disclose information to payers or providers if not authorized by the patient.
They do so under the mistaken belief that HIPAA requires such. In reality, such practices may actually increase potential HIPAA liability.
Agreement to Limit Uses or Disclosures. Under HIPAA, providers may use or disclose the patient’s information for certain purposes without the patient’s written authorization. For example, HIPAA allows disclosures for purposes of treatment, payment or healthcare operations whether or not the patient consents (45 CFR §§ 164.502(a)(1)(ii) and 164.506); consequently, providers are generally not required to obtain the patient’s permission to disclose information to other providers or payers. Although not required, if a provider agrees with the patient to limit its uses or disclosures of patient information for purposes of treatment, payment or healthcare operations, the provider must comply with the agreement; the failure to do so violates HIPAA. (45 CFR §§ 164.502(c) and 164.522(a)(1)). By voluntarily agreeing to limit its uses or disclosures, the provider increases the risk of a HIPAA violation. The risk corresponds to the scope of the limitations to which the provider agrees: if the provider agrees that he or she will not disclose information except to those entities whom the patient has identified or approved, disclosures to other entities (including other providers, payers, business associates, family members, collection agencies, or others to whom the provider routinely makes disclosures) would violate HIPAA. The risk is compounded when others in their organization do not realize that such routine disclosures have been restricted. They may not check the particular patient’s file to confirm whether such restrictions exist, or they may mistakenly assume that such restrictions do not apply to common or routine disclosures. Consequently, a provider’s well-intentioned but unnecessary representation or agreement to restrict disclosures exposes the provider to HIPAA penalties when the agreement is breached. It is safer not to agree to limit uses or disclosures otherwise permitted under HIPAA.1
Lists of Persons To Whom Disclosures May Be Made. Similarly, upon registration, many providers ask the patient to identify those persons to whom the provider may disclose the patient’s information, e.g., family members, other providers, etc. By doing so, the provider may expressly or impliedly represent that it will not disclose information to persons and entities who are not identified. Again, the patient’s list likely will not include many entities to whom the provider routinely discloses information for purposes of treatment, payment or healthcare operations, including payers, other providers, or business associates—entities to whom disclosures may be made without the patient’s consent but for the contrary representation or agreement of the provider. (45 CFR § 164.506).
Asking the patient for such a list is generally unnecessary under HIPAA. HIPAA already allows healthcare providers to disclose information to family members and others involved in the patient’s care or payment for care without written permission so long as (1) the patient was given the opportunity to object to such disclosures and the patient did not object, or the provider reasonably infers from the circumstances that the individual does not object to such disclosures, (2) the information disclosed is limited to that which is directly relevant to such person’s involvement with the patient’s healthcare or payment, and (3) disclosure is reasonable under the circumstances. (See 45 CFR § 164.510(b)). A well-crafted notice of privacy practices informs the patient that the provider may disclose information to family members or others involved in the patient’s care unless the patient objects. (See 45 CFR § 164.520(b)(ii)). Arguably, such notice provides the patient with the opportunity to object so as to satisfy § 164.510(b), thereby allowing disclosures to family members and others involved in the patient’s care or payment for care so long as the patient does not object and it is reasonable under the circumstances. Accordingly, asking a patient for a specific list of persons to whom disclosure may be made is unnecessary, may invite objections that would not otherwise be made, and limit otherwise permissible disclosures, thereby increasing HIPAA risks.
Asking the patient to identify persons to whom disclosures may be made is not necessarily a bad practice so long as the provider makes it clear that the list is not exclusive, i.e., the provider expressly reserves the right to disclose information to others who may not be on the list if and to the extent allowed by HIPAA, including but not limited to disclosures for treatment, payment or healthcare operations. By doing so, the provider may avoid the situation in which the patient, rightly or wrongly, assumes that the list of permissible disclosures is exclusive. However, asking for such a list still invites the patient to object to disclosures to family members or others who are not on the list, thereby restricting permissible disclosures. Consequently, if the provider is going to obtain such a list, it should train its personnel to regularly review the list to ensure that they do not disclose information to family members or friends who are not on the list. From a HIPAA perspective, it is likely safer to avoid creating the list altogether.
Consent to Disclose in Registration Forms. Providers usually include on their patient registration forms a section in which the patient consents to disclosures to payers and/or other providers. Again, such a consent is unnecessary because HIPAA already allows such disclosures without the patient’s consent for purposes of treatment or payment.2 (45 CFR § 164.506). By asking for the patient’s consent, the provider may expressly or impliedly represent that such disclosures will not be made unless the patient consents. What happens if the patient fails or refuses to sign the consent? Or the statement may suggest that other disclosures require consent. Again, to resolve any doubt and minimize liability, providers should consider removing such unnecessary consents.
Reserve Right to Disclose. If a provider wants to document specific permission from the patient to disclose information, the provider should, at the very least, make it clear to the patient that the provider is not waiving its right to make additional disclosures without the patient’s consent if and to the extent allowed by applicable law. Doing so may help avoid misunderstanding or unintentional agreements to restrict otherwise permissible disclosures. Language such as the following may help:
“This consent is not intended to limit PROVIDER’s authority to use or disclose protected health information to such other persons or entities to the extent allowed by applicable law, including but not limited to 45 CFR §§ 164.506, 164.510, and 164.512, and PROVIDER does not agree to such restriction. PROVIDER reserves the right to use or disclose patient’s protected health information without patient’s consent to the extent allowed by applicable law, including but not limited to uses or disclosures identified in PROVIDER’s Notice of Privacy Practices.”
Beware Your Notice of Privacy Practices. Providers should also ensure that their notice of privacy practices does not restrict their right to make otherwise permissible uses or disclosures of information. HIPAA requires providers to create and give to patients a notice of privacy practices explaining the provider’s permissible uses and disclosures of patient information. (45 CFR § 164.520). Among other things, the notice must describe the uses and disclosures that the provider may make without that patient’s authorization. (Id. at § 164.520(b)(ii)). The notice must include “a statement that other uses and disclosures not described in the notice will be made only with the individual’s written authorization…” (Id. at § 164.520(b)(ii)(E)). Although not required, the provider may choose to make its privacy practices more restrictive than HIPAA; however, if it does so, it must comply with its more restrictive practices as stated in the notice. (Id. at § 164.520(b)(viii)). The notice must contain a statement that the provider “is required to abide by the terms of [its] notice….” (Id. at § 164.520(b)(ii)(E) and (v)(B)). Thus, the notice functions like a contract between the provider and the patient: the provider’s failure to abide by its terms may subject the provider to HIPAA penalties. If they have not done so recently, providers should review their notice of privacy practices to ensure that (1) the notice adequately identifies the situations in which disclosures may be made without the patient’s consent or written authorization (presumably all of those situations identified in 45 CFR §§ 164.506, -.510, and -.512), and (2) the notice does not impose greater limitations than required by HIPAA or other applicable law.
Beware Business Associate Agreements. Agreeing to unnecessary restrictions also affects business associate agreements (“BAA”) because the business associate may not use or disclose protected health information in a manner that would violate HIPAA if done by the provider. (45 CFR §§164.502(a)(3) and 164.504(e)(2)(ii)). Any restriction that the provider agrees to or undertakes must be passed through to the business associate. That creates logistical problems in communicating with and getting the business associate to implement such restrictions, especially if it would cause the business associate to change its normal operations. BAAs often require the provider to disclose such restrictions to the business associate, and may obligate the provider to forego such restrictions to the extent they adversely affect the business associate. The net effect is that any restrictions undertaken by the provider also creates risks for and potential liability to the business associate.
Remember More Restrictive Laws. The foregoing analysis applies to HIPAA. To the extent that there is another law that is more restrictive than HIPAA, including state laws or regulations, the provider must comply with the more restrictive law. It may be that a particular state or other agency requires specific patient consent even though HIPAA does not. If that is the case, then the provider must comply with the more restrictive law.
Conclusion. For the foregoing reasons, voluntarily agreeing to restrictions that are not otherwise required by HIPAA increases the burden and potential liability of healthcare providers and business associates. Providers should review their forms, processes, and notice of privacy practices to ensure that they do not impose more restrictions than necessary or required by HIPAA.