HIPAA Privacy Rule Changes
Question: Did the HIPAA Privacy Rule recently change?
Answer: Yes. This year’s modifications aim to protect the right to access reproductive health care. According to the U.S. Department of Health and Human Services (HHS), the Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization prompted more than 20 states to enact laws banning abortion and imposing other reproductive health restrictions. In response, HHS modified the HIPAA Privacy Rule on April 26, 2024, specifically designed to safeguard access to and the privacy of reproductive health care information. The compliance date for these modifications is December 23, 2024.
These updates address state laws concerning abortion and reproductive health by regulating how Covered Entities and Business Associates can use and disclose protected health information (PHI) related to individuals seeking, obtaining, providing, or facilitating reproductive health care. This regulation aims to prevent investigations or legal actions that might arise solely from these actions.
It’s important to note that HHS, under the Trump administration, may choose not to enforce these modifications. While changing the law is a lengthy process, regulators can exercise “enforcement discretion” in the meantime.
Remember, too, that states have the authority to enforce HIPAA. Class action lawsuits for privacy breaches often use HIPAA compliance as a standard for determining whether a healthcare organization has been negligent in protecting privacy. If you have questions about how to follow HIPAA and state law, be sure to consult with your legal counsel.
Social Media and HIPAA
Negative Online Reviews
Question: May we respond to a negative online review from one of our patients? One of our Clinical Directors attended a conference and heard from a presenter that providers may respond to negative reviews by saying “to retain you as a patient…” in a public response. The presenter said that as soon as a patient publicly provides information about their experience, the patient waives their privacy rights, and it is no longer a HIPAA violation to acknowledge or confirm that they are a patient.
Answer: This is not permitted. Patients may disclose their own protected health information (PHI) by posting an online review, but healthcare providers may NOT disclose PHI by responding. The simple act of confirming they are a patient is not permitted. There is no “waiver” of the provider’s responsibility to maintain privacy, even when the patient first went public. In 2023, a New Jersey healthcare provider was fined $30,000 under HIPAA for responding to an online review. If you want to respond to a negative review, use a general, neutral statement that does not confirm the reviewer is a patient, such as “Our practice is committed to providing quality health care.”
Protected Health Information Defined
What Qualifies as PHI?
Question: A written appointment reminder has no medical information, just the patient’s name and the date of their next appointment. That isn’t considered to be protected health information, is it?
Answer: An appointment reminder with a patient’s name on it (or any other piece of individually identifiable information), when connected to health care, like an appointment, is protected health information.
Question: Are medical record numbers (MRN) considered protected health information?
Answer: Yes. Medical record numbers are among the 18 named “identifiers,” when connected to the provision of past, present, or future health care, they are protected health information (PHI).
Using and Disclosing Protected Health Information
Talking with Family Members
Question: I’m talking with a patient in her hospital room when her daughter walks in. May I continue our conversation?
Answer: The key is understanding your patient’s preference. If you don’t know whether the patient has named her daughter as someone authorized to receive PHI, ask the patient. You do not need to get written permission. If the patient agrees verbally, go ahead. Best practices require that you document the patient’s agreement in her medical record.
Question: I’m treating a patient who is unconscious and unable to tell me – may I talk with his family?
Answer: If a patient cannot tell you, use your professional judgment to decide if it’s in the patient’s best interest. Be sure to follow the “minimum necessary” rule – only discuss information relevant to that person’s involvement with the patient’s care. Later, you should document this in the patient’s record.
Sending Statements Through the Mail
Question: We mail statements to patients if they have a balance on their account, but sometimes the mail is addressed to the “responsible party,” not the patient. For example, Susan has a balance, but her spouse, Tom, is listed as the party responsible for her account since he carries their insurance. The statement is addressed to Tom, but the information in the letter is about Susan. Is this OK, or would this be a violation of HIPAA?
Answer: It is not a HIPAA violation. The general rule is that providers do not need a patient’s authorization to use or disclose PHI when the use or disclosure is for “treatment, payment or health care operations.” The purpose here is for payment.
