THE HIPAA PRIVACY RULE
AND DISCLOSURES UNDER STATE LAW
Introduction
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a broad federal law that is in part designed to provide national standards for protection of certain health information. As required by HIPAA, the federal Department of Health and Human Services (DHHS) promulgated complex regulations known as the Privacy Rule, which implement the federal law.
In general, the Privacy Rule prohibits health care providers from using or disclosing a patient's protected health information (PHI) without written authorization from the patient except for treatment, payment and health care operations. However, the Privacy Rule provides exceptions to this prohibition for a number of public policy reasons. Such exceptions include, but are not limited to, reporting certain injuries to law enforcement officials, reporting child abuse or vulnerable adult abuse, reporting the occurrence of certain diseases to public health officials, and complying with court orders and subpoenas.
When determining whether a health care provider may use or disclose PHI without the patient's authorization, both state and federal law must be considered. The Privacy Rule provides an extensive list of permitted disclosures; however, where state laws provide greater privacy protections or privacy rights with respect to PHI, state laws will apply.
Required Disclosures
A. Mandatory Reporting
- Gunshot Wounds and Life-Threatening Injuries
- Suspected Child Abuse
- Suspected Vulnerable Adult Abuse
- Sexual Battery
- Deaths
- Public Health Surveillance
- Worker's Compensation
Under the Privacy Rule, a health care provider may disclose PHI as required by law, including laws that require reporting of certain types of wounds or physical injuries. (45 CFR 164.512(f)(1)(i)).
In Florida, any physician, nurse, or employee of a hospital, sanitarium, clinic, or nursing home treating or receiving a request for treatment must report immediately to local law enforcement officials any gunshot wound or life-threatening injury indicating an act of violence. (Fla. Stat. 790.24).
The Privacy Rule permits the disclosure of PHI to a public authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect. (45 CFR 164.512(b)(1)(ii)).
Florida requires any person, including a health care provider, who knows or has reasonable cause to suspect child abuse, abandonment or neglect by a parent, legal custodian, caregiver, or other person responsible for the child's welfare, to report such knowledge or suspicion to the Department of Children and Families (DCF) Central Abuse Hotline. (Fla. Stat. 39.201(1)).
The Privacy Rule permits disclosure of PHI about an individual whom the health care provider reasonably believes to be a victim of abuse or neglect to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse or neglect to the extent that the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law. (45 CFR 164.512(c)(1)(i)).
Florida law requires any person who knows or has reasonable cause to suspect the abuse, neglect or exploitation of vulnerable adults to immediately report such knowledge to the DCF Central Abuse Hotline. (Fla. Stat. 415.1034(2)).
Under the Privacy Rule, health care providers may disclose to a law enforcement official PHI that the health care provider believes in good faith constitutes evidence of criminal conduct on the premises. (45 CFR 164.512(f)(5)).
There are two (2) statutes in Florida that require reporting of a crime of sexual battery. The first requires any person who observed the commission of a crime of sexual battery to immediately report such offense to a law enforcement official. (Fla. Stat. 794.027).
The second, contained in Florida's School Code, requires instructional personnel or administrative personnel having knowledge that a sexual battery has been committed by a student upon another student to report the offense to a law enforcement agency having jurisdiction over the school or over the place where the sexual battery occurred, if not on the grounds of the school. (Fla. Stat. 1012.799). This statute would not supersede a health care provider's duty to maintain the patient's confidentiality. Thus, this disclosure would only be required if the individual learned of the sexual battery in his or her capacity as an instructor or administrator, rather than as a health care provider.
The Privacy Rule contains three (3) provisions for the reporting of deaths. First, a health care provider may disclose PHI to a law enforcement official for the purpose of alerting law enforcement of the death of an individual if the health care provider has a suspicion that the death may have resulted from criminal conduct. (45 CFR 164.512(f)(4)). Second, a health care provider may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. (45 CFR 164.512(g)(1)). Third, a health care provider may disclose PHI to funeral directors as necessary to carry out their duties with respect to the decedent; this includes disclosure prior to, and in reasonable anticipation of, the individual's death. (45 CFR 164.512(g)(2)).
Florida law requires any person who is required to report cases of suspected abuse, abandonment, or neglect, and who has reasonable cause to suspect that a child died as a result of child abuse, abandonment, or neglect, to report his or her suspicion to the appropriate medical examiner. (Fla. Stat. 39.201(3)).
Additionally, it is the duty of any person in the district where a death occurs who becomes aware of the death of any person in the State occurring under the following circumstances to report such death and circumstances to the district medical examiner (Fla. Stat. 406.12):
• as a result of criminal violence
• by accident
• by suicide
• suddenly, when in apparent good health
• unattended by a practicing physician or other recognized practitioner
• in any prison or penal institution
• in police custody
• in any suspicious or unusual circumstance
• by criminal abortion
• by poison
• by disease constituting a threat to public health
• by disease, injury or toxic agent resulting from employment
The Privacy Rule permits health care providers to disclose PHI to public health authorities that are authorized by law to collect and receive health information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth and death, and the conduct of public health investigations and interventions. (45 CFR 164.512(b)(1)(i)).
Florida law provides for reporting the following diseases and injuries to the Florida Department of Health:
• Sexually transmissible diseases (Fla. Stat. 384.25)
• Tuberculosis (Fla. Stat. 392.53)
• Cancer (Fla. Stat. 385.202)
• Adverse incidents involving medical treatment (Fla. Stat. 459.026)
Under the Privacy Rule, a health care provider may disclose PHI to the extent such disclosure is required by law. (45 CFR 164.512(a)(1)).
Upon the request of the employer, the carrier, an authorized, qualified rehabilitation provider, or the attorney for the employer or carrier, Florida law requires that the medical records of an injured employee be furnished to those persons and the medical condition of the injured employee be discussed with those persons, if the records and the discussions are restricted to conditions relating to the workplace injury. (Fla. Stat. 440.13(4)(c)).
The Privacy Rule permits health care providers to comply with certain requests for PHI. These include court orders or court-ordered warrants, subpoenas or summons, grand jury subpoenas, and administrative summons or civil investigative demands. (45 CFR 164.512(f)(1)(ii)). In the case of administrative summons or civil investigative demands, if de-identified information cannot reasonably be used, the information sought must be relevant and material to a legitimate law enforcement inquiry, and the request must be specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought.
In the case of a subpoena issued in the course of any judicial or administrative proceeding, there are additional requirements. Before disclosing PHI pursuant to a subpoena, a health care provider must obtain satisfactory assurance that the federal privacy requirements have been met. A satisfactory assurance includes one of the following: 1) a valid Authorization to Use and Disclose Protected Health Information signed by the patient or the patient's personal representative, 2) a Certificate of Compliance signed by the requesting attorney and accompanied by appropriate documentation, or 3) a court order. (45 CFR 164.512(e)).
Under Florida law, medical records may be furnished in any case or criminal action, unless otherwise prohibited by law, upon the issuance of a subpoena from a court of competent jurisdiction, provided proper notice is given to the patient or the patient's legal representative by the party seeking such records. (Fla. Stat. 456.057(7)(a)(3)).
Permitted Disclosures
The Privacy Rule permits health care providers to disclose PHI if the health care provider believes in good faith the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and the disclosure is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat. (45 CFR 164.512(j)(1)(i)). There are three (3) laws in Florida which permit these types of disclosures.
A. Disabled Drivers
A physician, person or agency having knowledge of any licensed driver's or applicant's mental or physical disability to drive or need to obtain or to wear a medical ID bracelet is authorized to report such knowledge to the Department of Highway Safety and Motor Vehicles. The report should be in writing and limited to full name, DOB, address and description of the alleged disability of any person over 15 years of age having mental or physical disorders that could affect his or her driving ability. (Fla. Stat. 322.126(2)).
If a health care provider who is providing medical care in a health care facility to a person injured in a motor vehicle crash becomes aware, as a result of any blood test performed in the course of medical treatment, that the person's blood-alcohol level meets or exceeds 0.08 grams of alcohol per 100 ml of blood, the health care provider may notify any law enforcement officer or law enforcement agency. The notice must be given within a reasonable time after the health care provider receives the test result. The notice is limited to the name of the person being treated, the name of the person who drew the blood, the blood-alcohol level indicated by the test and the date and time of the administration of the test. (Fla. Stat. 316.1933(2)(a)).
The confidentiality between a clinical social worker, mental health counselor, or psychotherapist and the patient or client may be waived when there is a clear and immediate probability of physical harm to the patient or client, to other individuals, or to society and the clinical social worker, mental health counselor, or psychotherapist communicates the information only to the potential victim, appropriate family members, or law enforcement or other appropriate authorities. (Fla. Stat. 491.0147(3)).
Additionally, a psychiatrist may disclose patient communications to the extent necessary to warn any potential victim or communicate a threat to a law enforcement agency where:
(1) The patient is engaged in a treatment relationship with the psychiatrist;
(2) The patient has made an actual threat to physically harm an identifiable victim or victims; and
(3) The treating psychiatrist makes a clinical judgment that the patient has the apparent capability to commit such an act and that it is more likely than not that in the near future the patient will carry out the threat. (Fla. Stat. 456.059).
Prohibited Disclosures
Although the Privacy Rule may permit the disclosure of PHI without the patient's authorization for purposes of payment, Florida law does not. "Medical records may not be furnished to, and the medical condition of a patient may not be discussed with, any person other than the patient or the patient's legal representative or other health care practitioners and providers involved in the care or treatment of the patient, except upon written authorization of the patient." No exception is provided for disclosure of PHI to insurance companies for purposes of payment. (Fla. Stat. 456.057(7)(a)).
