
2/5/2020 CITI - Collaborative Institutional Training Initiative

Health Privacy Issues for Clinicians


Universidad de Antioquia - Researchers - IPS

Content Author

Reid Cushman, PhD


CITI Program

This module is for educational purposes only. It is not designed to provide legal advice or
legal guidance. You should consult with your organization's attorneys if you have
questions or concerns about the relevant laws and regulations discussed in this module.

Introduction

As discussed in the CITI Program’s Basics of Health Privacy module, protections for
health information are required by federal laws and their associated regulations,
principally those that derive from the Health Insurance Portability and
Accountability Act (HIPAA).

In addition, state and local laws as well as accrediting/certification organizations have
additional requirements. This module focuses on HIPAA privacy rules as they relate
to clinical activities.

Learning Objectives

By the end of this module, you should be able to:

Summarize HIPAA’s privacy requirements for health data that are used for clinical
purposes.
Describe situations where authorizations for information use and disclosure are
required and when they are not.
Explain the responsibilities of persons who engage in clinical activities for
appropriate use of health information.

HIPAA Rules for Clinical Contexts

HIPAA regulations at 45 CFR 164.506 (Security and Privacy 2013) recognize that
clinical care providers must have broad access to health information to carry out
their duties. Accordingly, “treatment,” along with “payment” and “health care
operations,” are categories for which no explicit authorization for use or disclosure is
typically required. Often this trio is referenced by the abbreviation “TPO” in HIPAA
contexts. Treatment is broadly defined, as:


Payment and health care operations are analogously broadly specified. These and
other HIPAA definitions can be found at 45 CFR 164.501.

At least as far as federal law is concerned, persons who wish to be seen at or
admitted to a healthcare facility must surrender almost all control over use or
disclosure of information for TPO purposes. This is in contrast to activities like
fundraising, marketing, and research, for which a HIPAA authorization requirement is
the default.

Note: Many healthcare facilities still ask for authorizations that cover TPO activities,
either out of an abundance of caution or because of state-level requirements that
must also be met (see next section).

State Treatment-Related Authorization

State health privacy requirements that are more stringent than HIPAA’s requirements
generally remain in force. In many states, a general consent (another word for
authorization) requirement for information access remains in force, even for things
that meet the federal definitions of TPO. It is critical that clinicians understand the
requirements that apply in their jurisdiction.

If required, a consent for information use and disclosure will typically be bundled
with the consent for treatment itself. Such consent forms are usually signed when
the patient registers for the first time -- and, depending on the interpretation of state
laws, perhaps at subsequent visits as well.

Because most states' statutes also accord extra protection to information categories
(like HIV, genetic, mental health, and substance abuse information), separate
specialized consents for use or disclosure may be required for these. HIPAA does
extend explicit "extra" protection to one category of clinical information: the use or
disclosure of psychotherapy notes requires a HIPAA authorization in most
circumstances.


For minors, it is common to have exceptions to the general rule of parental control
over information (for example, sexually transmitted infections [STIs] and pregnancy-
related information) depending on the level of emancipation. This is a particularly
complex area of health privacy, so consultation with local experts is strongly
recommended if one serves pediatric patients.

Treatment and "Minimum Necessary"

HIPAA’s minimum necessary standard generally requires that reasonable efforts be
made to limit uses and disclosures of identifiable health information (in HIPAA terms,
“protected health information” or PHI) to the smallest amount reasonably needed for
the circumstances.

Both HIPAA and states' statutes tend to give treatment providers a large amount of
latitude in their handling of information. Reflecting this, disclosures to other entities
for treatment purposes are exempt from HIPAA's minimum necessary standard, so
that clinicians can feel freer to exchange information amongst themselves without
constraint. Uses for treatment (within the covered entity) are still bound by minimum
necessary, but the requirement arguably gets a liberal application in treatment
contexts.

What does this mean in practice? Simply that clinicians’ longstanding professional
obligation to provide complete information to others participating in a patient's
treatment, in furtherance of the quality of that care, is not adversely affected by
HIPAA.

Treatment and "Incidental Uses and Disclosures"

Absolute privacy is rarely possible, and it is particularly challenging to achieve in a
busy clinical practice. Accidents happen -- or, to use the official HIPAA language,
incidental uses and disclosures inevitably happen.


It is not required that a state of zero-privacy-defects be achieved. It is required only
for those who work in clinical practices to take reasonable and appropriate
precautions to keep such incidentals to a minimum. Accepting incidentals does not
mean that negligence is excused, and the inadvertent result must in any case be
associated with what is otherwise a permissible activity.

Kinds of Safeguards in Clinical Settings

Safeguards include everything from locks on the doors (a "physical" safeguard) to
computer passwords (a "technical" one). They also include policies and procedures (in
other words, standard operating procedures [SOPs]), and training on how to follow
the SOPs (this last falls into the category of "administrative safeguards").

No set of safeguards works without individuals simply behaving safely every day.
That means something as basic as clinicians taking care not to be overheard when
conversing about a patient in a public area, or being careful about leaving a
computer workstation unlocked when unattended. It includes attention to how
information is exchanged via old-fashioned devices (such as telephones and fax
machines), as well as relatively new-fangled conveniences (like electronic mail and
instant messaging). For this reason, basic information security training is essential for
everyone who works in a clinical setting.

Clinicians' Leadership Role

Clinicians may wonder why it is necessary to spend time thinking about things like
information safeguard categories, especially when most of the handling of office
equipment and the minutiae of information systems may fall to others. There are
two reasons:


Is some clinical information special?

As noted, HIPAA currently extends special protections to only one kind of health
information: psychotherapy notes. States' laws, as also noted, usually extend special
protections to many categories. In addition to mental health data, information
related to HIV, sexually transmitted infections (STIs), genetic tests, and substance
abuse may also be protected. Disclosures in these categories generally require
separate authorization.


Beyond these, HIPAA permits patients to request special protections or confidential
communication mechanisms for information they consider especially sensitive (as a
part of their rights with respect to their health records). Patients can now also
request withholding of information for matters for which they have self-paid.

It is not the clinician's province to decide if the information in question really merits
designation as sensitive. That is the patient's call. It is the clinician's responsibility to
decide if the extra protections or communications security is practical in a given
clinical setting. "Practicality" is in part a technical matter (for example, dependent on
what the facility's information systems allow). It is also a clinical matter, because
extra restrictions might present risks to quality or continuity of care.

Control of Patients' Information

As noted, once individuals enter a U.S. healthcare facility, they have ceded control to
that organization and its workforce for a broad range of information uses and
disclosures. Clinicians are inevitably a part of controlling treatment-related uses and
disclosures. They may also have a role in information use related to payment or
healthcare operations.

In the circumstances where the patient does retain control, the general rule is a
simple one: If the person controls a decision about treatment, he/she controls
decisions about the information associated with it. Where the patient is too young or
mentally incapacitated, a designated personal representative can decide on his/her
behalf.

Clinicians may be involved in asking the patient about permission to discuss his/her
condition with family members, or about inclusion in a facility directory (to include
name and current condition). These are areas where patients get to choose and for
which HIPAA requires only oral assent or refusal (though many facilities will want this
choice verified in writing).


Clinicians may also be involved if a patient is being approached regarding "extra"
uses like research -- either as a conduit for the request, or as someone the patient
consults about the appropriateness of such participation. These uses beyond TPO
functions generally require an authorization.

Discussing Privacy with Patients

Patients must receive their HIPAA-mandated Privacy Notice the first time they appear
at a clinical facility; this often occurs immediately prior to an encounter with a direct
treatment provider (HIPAA’s term for clinicians). Most patients simply sign the
acknowledgment-of-receipt for the notice and move on. However, some are
prompted to read it and a few may even ask questions about it.

Like it or not, clinicians are at times put in the position of being a patient's privacy
advisor. Indeed, the HIPAA notice-and-acknowledgment process is explicitly intended
to create an "initial moment" during which patients can discuss their particular
privacy questions and concerns with care providers. Clinicians should know enough
about privacy protections to have an intelligent conversation about the basics.
Clinicians should also know where in their organization to send patients if questions
arise that they and their staff are unable to answer.

That knowledge includes the basic facts about the patient's rights, such as:


Clinicians must also understand the process for filing complaints (for example, who
the organization’s privacy official is, and how to reach him/her).

It is important for clinicians to have this knowledge because patients with problems
are likely to bring them to a clinician first -- someone with whom they already have a
trusting relationship. It is not expected that a clinician will “fix” a patient's privacy
concerns personally. Rather it is expected that the clinician will make sure the patient
is able to find someone who can, as well as provide basic information. HHS’s “HIPAA
for Individuals” is an excellent resource for that.

Who "owns" the information?


When treatment providers participate in creating the data in a patient's record, they
are creating an object that jointly "belongs" to many parties: the clinicians
themselves; but also the facility in which the clinicians practice, health oversight
organizations at various levels, and, most critically, the patient him or herself.

Clinicians own the information in the sense that they are authors of its content and
may have some control over who else may be a co-author of the particular records
set. Further, one or more copies of it may reside in physical or electronic records
repositories under the control of the clinician or organization. It also belongs to the
patient in the sense that he/she has certain rights with respect to it -- access,
amendment, and so on.

It is a mistake (both logical and legal) to regard a medical record as any one party's
"property." Rights and obligations with respect to it are shared among many parties.

Making the Best of Joint Ownership

Some practitioners can still remember a time when patients were the last ones who
would ever get to see the unredacted contents of their own medical records. The
federal rights granted by HIPAA mean those days are over. The new openness means
that the patient's record is no longer a place to put "private" comments not intended
for the patient's eyes. A clinician should expect that whatever is put in a record
(unless it is in the category of psychotherapy notes), the patient will sooner or later
see.


Instead of focusing on the "loss" of the practitioner's privacy in this regard, the
expansion in patients' access to their records can be seen as an opportunity for more
collaboration. There is no reason to make a patient file a formal request to see what
is in their health record. That opportunity should be provided as a matter of course.

Summary

Under HIPAA, treatment-related uses and disclosures do not require written
authorizations from patients. Neither do those associated with payment or
healthcare operations. However, state law may require it. Treatment uses and
disclosures are only lightly bound by the minimum necessary rule that covers other
types of information access, giving clinicians broad latitude. Absolute privacy is not
required, but clinicians must take reasonable steps to keep "incidental uses and
disclosures" to a minimum, and overall, set a good example. Clinicians should be
prepared to help patients find answers to questions about privacy issues.

Acknowledgements

Content for the CITI Program’s Information Privacy and Security (IPS) modules was
originally developed with support from the University of Miami Ethics Programs. It
has benefited greatly from the editorial input of numerous CITI Program staff, and
the feedback of CITI Program learners.

References

Security and Privacy, 45 CFR § 160, 162, and 164 (2013).


U.S. Department of Health and Human Services (HHS). 2017. "Incidental Uses and
Disclosures." Accessed February 2.


Additional Resources

U.S. Department of Health and Human Services (HHS). 2013a. "Modifications to
the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under
the Health Information Technology for Economic and Clinical Health Act and
the Genetic Information Nondiscrimination Act; Other Modifications to the
HIPAA Rules; Final Rule." Federal Register 78(17):5566-702.

U.S. Department of Health and Human Services (HHS). 2013b. "Combined
Regulation Text of All Rules." Accessed February 2, 2017.

U.S. Department of Health and Human Services (HHS). 2017. “FAQ: Treatment,
Payment, and Health Care Operations Disclosures.” Accessed January 27.

Original Release: May 2006


Last Updated: December 2017
