Although the federal government is transitioning with a new administration and some policy shifts, HIPAA stands strong. Remember that states also enforce HIPAA and state privacy laws. Moreover, lawsuits for breach of privacy use HIPAA as a standard for healthcare organizations’ responsibility. Compliance is essential to protecting patient privacy and avoiding liability.
Today, we will review some recent common HIPAA questions and their answers.
HIPAA and ICE Deportation Actions
Question: If we are asked about a patient’s location or other information concerning a deportation process, does it violate HIPAA to provide the information?
Answer: It is not a violation of HIPAA to provide an individual’s information to a law enforcement official in connection with an investigation or administrative procedure. If an official from the U.S. Immigration and Customs Enforcement (ICE) asks for help identifying or locating a patient or individual in your system, the following information may be disclosed:
a. Name and address,
b. Date and place of birth,
c. Social Security number,
d. ABO blood type and Rh factor,
e. Type of injury,
f. Date and time of treatment or death, if applicable, and
g. Physical characteristics such as height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or mustache), scars, and tattoos.
However, this blog does not provide legal advice. Always consult with counsel if you are asked to respond to a law enforcement investigation or receive a subpoena or warrant.
Privacy Protections for Reproductive Health Care
Question: Should we continue to follow the 2024 Privacy Rule Update requirements concerning reproductive health care? We heard that the Trump administration will overturn those changes.
Answer: The most likely scenario is that the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) will not enforce the new reproductive health care protection requirements that became enforceable in December 2024. Today, HHS turned off its website, reproductiverights.g*v, which was designed to help patients and healthcare providers comply with the law.
The regulations cannot be overturned or eliminated overnight, so they remain on the books, but OCR can elect not to enforce them.
However, states also enforce HIPAA and state privacy laws, and some will continue to enforce the Privacy Law update. For example, last week, North Carolina Governor Josh Stein issued an executive order reaffirming the protection of reproductive health care. Other states likely to enforce the Privacy Rule update include California, Oregon, Washington, Illinois, Vermont, Maryland, New Jersey, New York, and Hawaii. Note that this is not a complete or definitive list. You should consult with counsel and review your own state’s policies.
Communicating with a Deceased Patient’s Family
Question: A patient’s son wants to discuss his late father’s record, specifically his outstanding account balance. We do not have authorization or consent from the deceased patient to allow the son access to his file. May we communicate with the son about his father’s account?
Answer: You may talk to the deceased patient’s son about the account without authorization or consent. HIPAA privacy rights extend beyond death for 50 years. However, in this situation, you are communicating with a family member about payment for care, and HIPAA permits uses and disclosures without authorization “for purposes of treatment, payment or healthcare operations.”
Online Reviews
Question: Should we respond to online reviews? One of our Clinical Directors attended a conference where a presenter discussed how to respond to negative reviews. The presenter said that when patients publicly share information about their experience in a review, acknowledging/confirming that they are patients is no longer a HIPAA violation.
Answer: Do not respond to online reviews. Patients may disclose their own protected health information (PHI) by posting an online review, but healthcare providers may NOT disclose PHI by responding. The simple act of confirming they are a patient is not permitted. There is no such “waiver” of the provider’s responsibility to maintain privacy under HIPAA, even when the patient went public first.
Internal Use of Patient Photos
Question: We are a long-term care skilled nursing facility. When residents are admitted, we ask permission to use their image in online publishing, e.g., the facility newsletter or our website. If the resident says “no,” we do not use the image in any publications. However, our nursing staff has asked whether they may put a picture of each resident in our internal electronic health record (EHR) system as a backup ID system. Residents do not wear identification bracelets since it is a nursing home and not a hospital. The nursing staff wants a picture in the EHR to confirm residents’ identity for treatment and medication. Does the use of the resident’s picture in our EHR violate HIPAA?
Answer: You do not need a resident’s authorization to use or disclose protected health information, like their photograph, internally “for healthcare operations.” You may also use or disclose PHI without authorization for treatment or payment purposes. If you can obtain their photograph, you may use it internally in the EHR to help identify them to staff, and HIPAA does not require you to get their authorization or consent.
HIPAA Security Rule Changes are Ahead
Cybersecurity risks in healthcare are not going away. Proposed Security Rule updates are pending review by the new administration. While the proposal may change in some fashion, cybersecurity has always been a bipartisan issue.
Review your HIPAA Risk Analysis and Risk Management procedure. Learn more about the voluntary Cybersecurity Performance Goals (CPG) and reinforce workforce training.
The HIPAA E-Tool® Stays Up-to-Date
If you have questions about compliance or enforcement, let us know.