Did you see that the Department of Health and Human Services (HHS) released some new guidance documents for the Healthcare Portability and Accountability Act (HIPAA) Privacy Rule compliance activities on September 17?
I need to go through them more thoroughly, but upon a quick scan they look like they contain some pretty good, and interesting, guidance information for both patients and healthcare providers…
The new “Patient Guide: When Health Care Providers May Communicate About You with Your Family, Friends, or Others Involved in Your Care” and “Provider Guide: Communicating with a Patient’s Family, Friends, or Others Involved in a Patient’s Care” outline scenarios for which healthcare providers can disclose protected health information (PHI), but also note that providers are NOT REQUIRED to do so even if a patient is incapacitated or not present.
The guides also include some information on interpreter services, documentation requirements for when PHI is shared, and the rules for picking up someone else’s prescription, medical supplies, or PHI.
As a review, the Privacy Rule generally requires that if a patient is present, and able to make health care decisions, a provider must do one of three things before sharing information with a family member or friend: 1) obtain the patient’s permission, 2) give the patient an opportunity to object and receive no objection, or 3) decide based on professional judgment and the circumstances that the patient does not object.
However, this new guidance indicates that if a patient is incapacitated or not present, a provider can share PHI if he/she believes “based on professional judgment” that disclosure is in the patient’s best interest.
Tags: awareness and training, HHS, HIPAA, Information Security, IT compliance, IT training, patient privacy, PHI, policies and procedures, privacy training, risk management, security training