
PHI disclosure legal issues, part 3: Adopting ROI policies that are stricter than HIPAA and state laws

By Sara Goldstein

It comes as a surprise to many requesters of medical records that healthcare providers can implement policies that are stricter than both HIPAA and state law. This is because HIPAA was designed to permit the adoption of more stringent federal and state laws, as well as healthcare provider policies, to further safeguard Protected Health Information (PHI).

As Health Information Management (HIM) professionals are aware, the HIPAA privacy rule serves as a “federal floor” of privacy protections for patients’ PHI, meaning that it sets the minimum standards that healthcare providers must follow for disclosure.

States can enact laws that provide additional protections for PHI as long as they are not contrary to HIPAA, meaning that it should not be impossible for a healthcare provider to comply with both HIPAA and the state law; state law should not be an obstacle to accomplishing the purposes and objectives of HIPAA. Most states have adopted laws to further protect certain types of PHI from disclosure that are not specifically addressed by HIPAA or other federal laws, such as mental health records and PHI related to a patient’s treatment for AIDS/HIV.

Additionally, many healthcare providers have implemented their own disclosure policies that are more restrictive than both HIPAA and applicable state laws. For example, HIPAA and some states permit the disclosure of PHI in response to a subpoena as long as it is accompanied by “satisfactory assurance” – documentation that the patient who is the subject of the subpoena was notified and was given an opportunity to object to the disclosure. A healthcare provider, however, can choose to adopt a more restrictive policy in the interest of protecting patient privacy, such as requiring that subpoenas be accompanied by a HIPAA-compliant authorization or a court order signed by a judge.

Facilities, however, should be cautious before adopting policies that are more stringent than HIPAA and state law, because such policies may be seen as restricting a patient’s access to PHI. For example, it may seem more secure to process requests for copies of PHI only with a healthcare provider’s authorization. However, if such a policy were adopted and a HIPAA-compliant authorization were rejected, the facility could be subject to a complaint with the Office for Civil Rights (OCR) for restricting a patient’s access to their PHI. Thus, healthcare providers need to make sure that their policies do not run contrary to the objectives of HIPAA and the applicable state laws.

Given the myriad of federal and state laws related to disclosure of PHI, it is important that healthcare providers and their HIM staff adopt Release of Information (ROI) policies that do not contradict the applicable federal and state laws. MRO’s ROI specialists who work at our clients’ facilities are trained on how to disclose PHI according to the applicable federal and state laws and facility policies to ensure they remain compliant with all relevant rules and regulations.

This is the third post of a five-part blog series discussing different legal issues surrounding Release of Information and PHI disclosure management. This blog post is made available by MRO’s privacy and compliance counsel for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.


Reputational damage of data breach the most lingering consequence

Data Breach | Steve’s Blog

Few other industries emphasize and value reputation more than healthcare, especially when it concerns patient care quality and experience. When a provider organization discloses Protected Health Information (PHI) to an unauthorized party, that organization’s reputation can suffer significant damage. Reputational damage is just one of the elements that I described in my last post about the financial risks of a PHI breach, but I wanted to focus on it exclusively in this post because the consequences are so far reaching beyond financial penalties.

I also want to emphasize that healthcare organizations can help prevent the lingering reputational damage associated with a breach by partnering with a PHI disclosure management vendor that offers state-of-the-art technology and a highly trained and knowledgeable staff who are experts in HIPAA compliance and avoiding breaches.

Patients key stakeholders for reputational risk

A “negative reputation event,” such as a data breach, can cause a “loss of brand value” for healthcare providers, according to a group of healthcare and life sciences executives who were surveyed recently by consulting firm Deloitte.

The survey also found that customers (patients for healthcare organizations) were the “most important stakeholders for managing reputational risk.” Although patients can easily find out about a PHI breach in the news, smaller breaches, which are much more common, can also be damaging to hospitals’ reputations. Word of a breach can spread online through social media, such as Facebook and Twitter, through consumer rating sites, such as Yelp, and even through Google results when someone searches for the hospital. These online assessments are increasingly influencing patients’ expectations, Deloitte reported.

Patients sharing their experiences with hospitals and providers online is another reflection of how patients are increasingly becoming healthcare consumers, with far more mobility and choice over where they seek their care. If patients don’t trust providers with their PHI, they are more likely than ever before to move their healthcare dollars elsewhere.

Establishing a culture of compliance

Decreased patient volume due to reputational damage is just one of the financial impacts of a PHI breach. But the lingering effects of reputational damage, I believe, are more long lasting and difficult to quantify in terms of dollars and cents. Apart from the loss of patient trust, breaches can impact employee morale, providers’ confidence, and degrade the overall culture of the organization to one of instability and confusion.

By instilling a culture of adherence to HIPAA-compliant PHI disclosure policies and procedures, and offering employees the support and tools they need to comply, organizations can avoid these breach-caused negative reputation events and their impacts.

A trusted PHI disclosure management partner that has already established a culture of HIPAA compliance and knowledge, supported by technology to prevent improper disclosures, can be a significant advantage to an organization in protecting its reputation and its bottom line.

To learn more about the financial and reputational impacts of a PHI breach, please download our white paper: “Mitigating breach risk in an era of expanding PHI disclosure points and requests for health information.”
