Potential HIPAA Changes That Would Allow Healthcare Providers to Disclose Phi and Better Protect Patients

by Lindsey Phillips, Burr & Forman

On December 10, 2020, the Office for Civil Rights (“OCR”) at the United States Department of Health and Human Services (“HHS”) announced proposed changes to the regulations implementing the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The proposed changes, which are set out in the Notice of Proposed Rulemaking (“NPRM”), are a part of the broader initiative to promote value-based care, enable better coordination among healthcare providers, and facilitate patient autonomy and engagement. 

One key theme found in the NPRM that will likely enable better coordination among healthcare providers and potentially increase patient safety is expanded permission to disclose protected health information (“PHI”) to third parties in emergency situations. For example, under the proposed changes, covered entities would be allowed more flexibility to disclose PHI in emergencies like a mental illness and substance abuse crisis. The current standard for disclosure of PHI in an emergency or health crisis is based on the covered entity’s “professional judgment.” This standard has often left covered entities unsure as to when a disclosure is permitted. The proposed modification relaxes this standard slightly in that it would allow a covered entity to disclose PHI in an emergency situation or health crisis when the covered entity has a good faith belief that the disclosure is in the best interest of the individual. A good faith belief could be based either on direct knowledge of relevant facts or representations by a person who can reasonably be expected to know relevant facts. For example, OCR has provided the following scenarios:

Good faith would permit a licensed health care professional to draw on experience to make a determination that it is in the best interests of a young adult patient, who has overdosed on opioids, to disclose relevant information to a parent who is involved in the patient’s treatment and who the young adult would expect, based on their relationship, to participate in or be involved with the patient’s recovery from the overdose. Likewise, front desk staff at a physician’s office who have regularly seen a family member or other caregiver accompany an adult patient to appointments could disclose relevant information to the family member or caregiver as a way of checking on the welfare of the patient, when a patient misses an appointment, based on the staff’s knowledge of the person’s involvement and a good faith belief about the patient’s best interest.

But not only would covered entities be allowed more flexibility to disclose PHI when individuals are experiencing emergencies or health crises, they would also be allowed more leniency to disclose PHI to avert a threat to safety. While covered entities are currently allowed to disclose PHI to prevent threats to health and safety, the current standard is considerably more stringent in that it allows the disclosure of PHI to avert a threat to health or safety only when the threat is “serious and imminent.” Under the changes proposed in the NPRM, covered entities could make a disclosure when the threat is “serious and reasonably foreseeable.” OCR has stated that “[a]dopting a ‘serious and reasonably foreseeable’ standard can enable a health care provider to timely notify a family member that an individual is at risk of suicide, even if the provider cannot predict that a suicide attempt is ‘imminent.'” In addition, “[a]n emergency room doctor who sees an elderly patient with COVID-19 could contact the patient’s nursing home to alert them of the potential exposure of other residents and staff based on the serious and reasonably foreseeable threat of infection with COVID-19 without delay caused by the need to assess whether the threat is sufficiently ‘imminent’ to permit the disclosure.” 

These proposed modifications provide additional clarity regarding PHI disclosures that would assist in the Department’s initiatives to increase coordination among healthcare providers and ultimately improve patient safety. Both of these proposed changes would hopefully empower covered entities to disclose PHI in situations where there is a genuine belief that harm is likely without being fearful of HIPAA penalties because the harm was not imminent.

Lindsey Phillips is an associate at Burr & Forman LLP practicing exclusively in the firm’s Healthcare Industry Group.