DISCLOSURES OF PHI UNDER HIPAA
AND FLORIDA STATE LAW
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a broad federal law that is in part designed to provide national standards for protection of certain health information. As required by HIPAA, the federal Department of Health and Human Services (HHS) established regulations, which implement the federal law. These regulations are known as the Privacy Rule.
In general, the Privacy Rule prohibits health care providers from using or disclosing a patient's protected health information (PHI) without written authorization from the patient except for treatment, payment and health care operations. However, the Privacy Rule provides exceptions to this prohibition for a number of public policy reasons. Such exceptions include, but are not limited to, reporting certain injuries to law enforcement officials, reporting child abuse or vulnerable adult abuse, reporting the occurrence of certain diseases to public health officials, and complying with court orders and subpoenas.
When determining whether a health care provider may use or disclose PHI without the patient's authorization, both state and federal law must be considered. The Privacy Rule provides an extensive list of permitted disclosures; however, where state laws provide greater privacy protections or privacy rights with respect to patients' PHI, state laws will apply, overriding HIPAA.
A. Mandatory Reporting
- Gunshot Wounds and Life-Threatening Injuries
- Suspected Child Abuse
- Suspected Vulnerable Adult Abuse
- Sexual Battery
The Privacy Rule permits a health care provider to disclose PHI as required by law, including laws that require reporting of certain types of wounds or physical injuries. (45 CFR 164.512(f)(1)(i)).
Florida law requires any physician, nurse, or employee of a hospital, sanitarium, clinic, or nursing home treating or receiving a request for treatment to report immediately to local law enforcement officials any gunshot wound or life-threatening injury indicating an act of violence. (Fla. Stat. 790.24).
The Privacy Rule permits the disclosure of PHI to a public authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect. (45 CFR 164.512(b)(1)(ii)).
Florida law requires any person, including a health care provider, who knows or has reasonable cause to suspect child abuse, abandonment or neglect by a parent, legal custodian, caregiver, or other person responsible for the child's welfare, to report such knowledge or suspicion to the Department of Children and Families (DCF) Central Abuse Hotline. (Fla. Stat. 39.201(1)).
The Privacy Rule permits disclosure of PHI about an individual whom the health care provider reasonably believes to be a victim of abuse or neglect to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse or neglect to the extent that the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law. (45 CFR 164.512(c)(1)(i)).
Florida law requires any person who knows or has reasonable cause to suspect the abuse, neglect or exploitation of vulnerable adults to immediately report such knowledge to the DCF Central Abuse Hotline. (Fla. Stat. 415.1034(2)).
The Privacy Rule permits health care providers to disclose to a law enforcement official PHI that the health care provider believes in good faith constitutes evidence of criminal conduct on the premises. (45 CFR 164.512(f)(5)).
Two Florida statutes require reporting of a crime of sexual battery:
The first requires any person who observed the commission of a crime of sexual battery to immediately report such offense to a law enforcement official. (Fla. Stat. 794.027).
The second, contained in Florida's School Code, requires instructional personnel or administrative personnel having knowledge that a sexual battery has been committed by a student upon another student to report the offense to a law enforcement agency having jurisdiction over the school or over the place where the sexual battery occurred, if not on the grounds of the school. (Fla. Stat. 1012.799). This statute would not supersede a health care provider's duty to maintain the patient's confidentiality. Thus, this disclosure would only be required if the individual learned of the sexual battery in his or her capacity as an instructor or administrator, rather than as a health care provider.
The Privacy Rule permits the reporting of deaths with three provisions.
First, a health care provider may disclose PHI to a law enforcement official for the purpose of alerting law enforcement of the death of an individual if the health care provider has a suspicion that the death may have resulted from criminal conduct. (45 CFR 164.512(f)(4)).
Second, a health care provider may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. (45 CFR 164.512(g)(1)).
Third, a health care provider may disclose PHI to funeral directors as necessary to carry out their duties with respect to the decedent; this includes disclosure prior to, and in reasonable anticipation of, the individual's death. (45 CFR 164.512(g)(2)).
Florida law requires any person who has reasonable cause to suspect that a child died as a result of child abuse, abandonment, or neglect to report his or her suspicion to the appropriate medical examiner. (Fla. Stat. 39.201(3)).
Additionally, it is the duty of any person in the district where a death occurs who becomes aware of the death of any person in the State occurring under the following circumstances to report such death and circumstances to the district medical examiner (Fla. Stat. 406.12):
- as a result of criminal violence
- by accident
- by suicide
- suddenly, when in apparent good health
- unattended by a practicing physician or other recognized practitioner
- in any prison or penal institution
- in police custody
- in any suspicious or unusual circumstance
- by criminal abortion
- by poison
- by disease constituting a threat to public health
- by disease, injury or toxic agent resulting from employment
The Privacy Rule permits health care providers to disclose PHI to public health authorities that are authorized by law to collect and receive health information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth and death, and the conduct of public health investigations and interventions. (45 CFR 164.512(b)(1)(i)).
Florida law requires reporting of the following diseases and injuries to the Florida Department of Health:
- Sexually transmissible diseases (Fla. Stat. 384.25)
- Tuberculosis (Fla. Stat. 392.53)
- Cancer (Fla. Stat. 385.202)
- Adverse incidents involving medical treatment (Fla. Stat. 459.026)
The Privacy Rule permits a health care provider to disclose PHI to the extent such disclosure is required by other laws. (45 CFR 164.512(a)(1)).
Florida law requires, upon the request of the employer, the carrier, an authorized, qualified rehabilitation provider, or the attorney for the employer or carrier, that the medical records of an injured employee be furnished to those persons and the medical condition of the injured employee be discussed with those persons, if the records and the discussions are restricted to conditions relating to the workplace injury. (Fla. Stat. 440.13(4)(c)).
B. Disclosures to Law Enforcement
The Privacy Rule permits health care providers to comply with court orders or court-ordered warrants, subpoenas or summons, grand jury subpoenas, and administrative summons or civil investigative demands. (45 CFR 164.512(f)(1)(ii)).
In the case of an administrative summons or civil investigative demand, if de-identified information cannot reasonably be used, the information sought must be relevant and material to a legitimate law enforcement inquiry, and the request must be specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought.
In the case of a legally issued subpoena, before disclosing PHI, a health care provider must obtain satisfactory assurance that the federal privacy requirements have been met. A satisfactory assurance includes one of the following: 1) a valid Authorization to Use and Disclose Protected Health Information signed by the patient or the patient's personal representative, 2) a Certificate of Compliance signed by the requesting attorney and accompanied by appropriate documentation, or 3) a court order. (45 CFR 164.512(e)).
Florida law allows medical records to be furnished in any case or criminal action, unless otherwise prohibited by law, upon the issuance of a subpoena from a court of competent jurisdiction, provided proper notice is given to the patient or the patient's legal representative by the party seeking such records. (Fla. Stat. 456.057(7)(a)(3)).
The Privacy Rule permits, but does not require, health care providers to disclose PHI if the health care provider believes in good faith the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and the disclosure is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat. (45 CFR 164.512(j)(1)(i)).
Three Florida laws also permit, but do not require, these types of disclosures.
A. Disabled Drivers
A physician, person or agency having knowledge of any licensed driver's or applicant's mental or physical disability to drive or need to obtain or to wear a medical ID bracelet is authorized to report such knowledge to the Department of Highway Safety and Motor Vehicles. The report should be in writing and limited to full name, DOB, address and description of the alleged disability of any person over 15 years of age having mental or physical disorders that could affect his or her driving ability. (Fla. Stat. 322.126(2)).
B. DUI and Motor Vehicle Accidents
If a health care provider who is providing medical care in a health care facility to a person injured in a motor vehicle crash becomes aware, as a result of any blood test performed in the course of medical treatment, that the person's blood-alcohol level meets or exceeds 0.08 grams of alcohol per 100 ml of blood, the health care provider may notify any law enforcement officer or law enforcement agency. The notice must be given within a reasonable time after the health care provider receives the test result. The notice is limited to the name of the person being treated, the name of the person who drew the blood, the blood-alcohol level indicated by the test and the date and time of the administration of the test. (Fla. Stat. 316.1933(2)(a)).
C. Clinical Social Worker, Mental Health Counselor, Psychotherapy / Psychiatry Communications
The confidentiality between a clinical social worker, mental health counselor, or psychotherapist may be waived when there is a clear and immediate probability of physical harm to the patient or client, to other individuals, or to society and the clinical social worker, mental health counselor, or psychotherapist communicates the information only to the potential victim, appropriate family members, or law enforcement or other appropriate authorities. (Fla. Stat. 491.0147(3)).
Additionally, a psychiatrist may disclose patient communications to the extent necessary to warn any potential victim or communicate a threat to a law enforcement agency where:
(1) The patient is engaged in a treatment relationship with the psychiatrist;
(2) The patient has made an actual threat to physically harm an identifiable victim or victims; and
(3) The treating psychiatrist makes a clinical judgment that the patient has the apparent capability to commit such an act and that it is more likely than not that in the near future the patient will carry out the threat. (Fla. Stat. 456.059).
The Privacy Rule may permit the disclosure of PHI without the patient's authorization for certain purposes, such as for payment for health care services, or to law enforcement officers investigating alleged crimes, but Florida law does not:
"Medical records may not be furnished to, and the medical condition of a patient may not be discussed with, any person other than the patient or the patient's legal representative or other health care practitioners and providers involved in the care or treatment of the patient, except upon written authorization of the patient." (Fla. Stat. 456.057(7)(a)).
No exception is provided for disclosure of PHI to insurance companies for purposes of payment, or to law enforcement officials investigating an alleged crime. In fact, in both cases, health care providers may not even acknowledge that a patient has or has not been seen or scheduled for an appointment.