This module is for educational purposes only. It is not designed to provide legal advice or
legal guidance. You should consult with your organization's attorneys if you have
questions or concerns about the relevant laws and regulations discussed in this module.
Introduction
As discussed in the CITI Program’s Basics of Health Privacy module, protections for
health information are required by federal laws and their associated regulations,
principally those that derive from the Health Insurance Portability and
Accountability Act (HIPAA).
In addition, state and local laws as well as accrediting/certification organizations have
additional requirements. This module focuses on HIPAA privacy rules as they relate
to clinical activities.
https://www.citiprogram.org/members/index.cfm?pageID=125#view 1/12
2/5/2020 CITI - Collaborative Institutional Training Initiative
Learning Objectives
Summarize HIPAA’s privacy requirements for health data that are used for clinical
purposes.
Describe situations where authorizations for information use and disclosure are
required and when they are not.
Explain the responsibilities of persons who engage in clinical activities for
appropriate use of health information.
HIPAA regulations at 45 CFR 164.506 (Security and Privacy 2013) recognize that
clinical care providers must have broad access to health information to carry out
their duties. Accordingly, “treatment,” along with “payment” and “health care
operations,” are categories for which no explicit authorization for use or disclosure is
typically required. Often this trio is referenced by the abbreviation “TPO” in HIPAA
contexts. Treatment is broadly defined as:
Payment and health care operations are analogously broadly specified. These and
other HIPAA definitions can be found at 45 CFR 164.501.
Note: Many healthcare facilities still ask for authorizations that cover TPO activities,
either out of an abundance of caution or because of state-level requirements that
must also be met (see next section).
State health privacy requirements that are more stringent than HIPAA’s requirements
generally remain in force. In many states, a general consent (another word for
authorization) requirement for information access remains in force, even for things
that meet the federal definitions of TPO. It is critical that clinicians understand the
requirements that apply in their jurisdiction.
If required, a consent for information use and disclosure will typically be bundled
with the consent for treatment itself. Such consent forms are usually signed when
the patient registers for the first time -- and, depending on the interpretation of state
laws, perhaps at subsequent visits as well.
Because most states' statutes also accord extra protection to information categories
(like HIV, genetic, mental health, and substance abuse information), separate
specialized consents for use or disclosure may be required for these. HIPAA does
extend explicit "extra" protection to one category of clinical information: the use or
disclosure of psychotherapy notes requires a HIPAA authorization in most
circumstances.
For minors, it is common to have exceptions to the general rule of parental control
over information (for example, sexually transmitted infections [STIs] and pregnancy-
related information) depending on the level of emancipation. This is a particularly
complex area of health privacy, so consultation with local experts is strongly
recommended if one serves pediatric patients.
Both HIPAA and states' statutes tend to give treatment providers a large amount of
latitude in their handling of information. Reflecting this, disclosures to other entities
for treatment purposes are exempt from HIPAA's minimum necessary standard, so
that clinicians can feel freer to exchange information amongst themselves without
constraint. Uses for treatment (within the covered entity) are still bound by minimum
necessary, but the requirement arguably gets a liberal application in treatment
contexts.
What does this mean in practice? Simply that clinicians’ longstanding professional
obligation to provide complete information to others participating in a patient's
treatment, in furtherance of the quality of that care, is not adversely affected by
HIPAA.
No set of safeguards works without individuals simply behaving safely every day.
That means something as basic as clinicians taking care not to be overheard when
conversing about a patient in a public area, or being careful about leaving a
computer workstation unlocked when unattended. It includes attention to how
information is exchanged via old-fashioned devices (such as telephones and fax
machines), as well as relatively new-fangled conveniences (like electronic mail and
instant messaging). For this reason, basic information security training is essential for
everyone who works in a clinical setting.
Clinicians may wonder why it is necessary to spend time thinking about things like
information safeguard categories, especially when most of the handling of office
equipment and the minutiae of information systems may fall to others. There are
two reasons:
As noted, HIPAA currently extends special protections to only one kind of health
information: psychotherapy notes. States' laws, as also noted, usually extend special
protections to many categories. In addition to mental health data, information
related to HIV, sexually transmitted infections (STIs), genetic tests, and substance
abuse may also be protected. Disclosures in these categories generally require
separate authorization.
Beyond these, HIPAA permits patients to request special protections or confidential
communication mechanisms for information they consider especially sensitive (as a
part of their rights with respect to their health records). Patients can now also
request withholding of information for matters for which they have self-paid.
It is not the clinician's province to decide if the information in question really merits
designation as sensitive. That is the patient's call. It is the clinician's responsibility to
decide if the extra protections or communications security is practical in a given
clinical setting. "Practicality" is in part a technical matter (for example, dependent on
what the facility's information systems allow). It is also a clinical matter, because
extra restrictions might present risks to quality or continuity of care.
As noted, once individuals enter a U.S. healthcare facility, they have ceded control to
that organization and its workforce for a broad range of information uses and
disclosures. Clinicians are inevitably a part of controlling treatment-related uses and
disclosures. They may also have a role in information use related to payment or
healthcare operations.
In the circumstances where the patient does retain control, the general rule is a
simple one: If the person controls a decision about treatment, he/she controls
decisions about the information associated with it. Where the patient is too young or
mentally incapacitated, a designated personal representative can decide on his/her
behalf.
Clinicians may be involved in asking the patient about permission to discuss his/her
condition with family members, or about inclusion in a facility directory (to include
name and current condition). These are areas where patients get to choose and for
which HIPAA requires only oral assent or refusal (though many facilities will want this
choice verified in writing).
Patients must receive their HIPAA-mandated Privacy Notice the first time they appear
at a clinical facility; this often occurs immediately prior to an encounter with a direct
treatment provider (HIPAA’s term for clinicians). Most patients simply sign the
acknowledgment-of-receipt for the notice and move on. However, some are
prompted to read it and a few may even ask questions about it.
Like it or not, clinicians are at times put in the position of being a patient's privacy
advisor. Indeed, the HIPAA notice-and-acknowledgment process is explicitly intended
to create an "initial moment" during which patients can discuss their particular
privacy questions and concerns with care providers. Clinicians should know enough
about privacy protections to have an intelligent conversation about the basics.
Clinicians should also know where in their organization to send patients if questions
arise that they and their staff are unable to answer.
That knowledge includes the basic facts about the patient's rights, such as:
Clinicians must also understand the process for filing complaints (for example, who
the organization’s privacy official is, and how to reach him/her).
It is important for clinicians to have this knowledge because patients with problems
are likely to bring them to a clinician first -- someone with whom they already have a
trusting relationship. It is not expected that a clinician will “fix” a patient's privacy
concerns personally. Rather it is expected that the clinician will make sure the patient
is able to find someone who can, as well as provide basic information. HHS’s “HIPAA
for Individuals” is an excellent resource for that.
When treatment providers participate in creating the data in a patient's record, they
are creating an object that jointly "belongs" to many parties: the clinicians
themselves; but also the facility in which the clinicians practice, health oversight
organizations at various levels, and, most critically, the patient him or herself.
Clinicians own the information in the sense that they are authors of its content and
may have some control over who else may be a co-author of the particular records
set. Further, one or more copies of it may reside in physical or electronic records
repositories under the control of the clinician or organization. It also belongs to the
patient in the sense that he/she has certain rights with respect to it -- access,
amendment, and so on.
It is a mistake (both logical and legal) to regard a medical record as any one party's
"property." Rights and obligations with respect to it are shared among many parties.
Some practitioners can still remember a time when patients were the last ones who
would ever get to see the unredacted contents of their own medical records. The
federal rights granted by HIPAA mean those days are over. The new openness means
that the patient's record is no longer a place to put "private" comments not intended
for the patient's eyes. A clinician should expect that whatever is put in a record
(unless it is in the category of psychotherapy notes), the patient will sooner or later
see.
Instead of focusing on the "loss" of the practitioner's privacy in this regard, the
expansion in patients' access to their records can be seen as an opportunity for more
collaboration. There is no reason to make a patient file a formal request to see what
is in their health record. That opportunity should be provided as a matter of course.
Summary
Acknowledgements
Content for the CITI Program’s Information Privacy and Security (IPS) modules was
originally developed with support from the University of Miami Ethics Programs. It
has benefited greatly from the editorial input of numerous CITI Program staff, and
the feedback of CITI Program learners.
References
Additional Resources