February 8, 2023

Volume XIII, Number 39

Advertisement

February 08, 2023

Subscribe to Latest Legal News and Analysis

February 07, 2023

Subscribe to Latest Legal News and Analysis

February 06, 2023

Subscribe to Latest Legal News and Analysis
Advertisement

HIPAA: Privacy Required, Even When Information Goes Public

A celebrity collapses on stage and is rushed to the hospital. Rumors race through social media faster than the ambulance can navigate city streets. Was it exhaustion? Was it her heart? Was there a gunshot? The press broadcasts through the night outside the ER. You are a hospital administrator who has access to information about the celebrity’s medical condition and treatment. You stay past your shift until the patient’s condition is stable and the 11 p.m. news reports have finished. You exit through a side door to avoid attention, but a man comes up alongside you. You know him from some prior incidents. He is an insurance investigator for the arena where the celebrity was performing. He asks you questions, seeking to confirm facts for a preliminary report he is filing.  All of the facts that he recites about the celebrity’s condition are true. All of them have been widely reported already. You keep quiet.

You have been well trained. That is what you should do.

HIPAA’s restrictions are not like the confidentiality provisions that you will find in many contracts. Often those contracts contain exceptions for:

  • information in the public domain,
  • information that the receiving party already knows when entering into an agreement,
  • information that the receiving party obtains without reference to any other confidential information, or
  • information that the receiving party obtains from a third party who has no obligation to keep it secret.

But these exceptions do not apply under HIPAA’s privacy rules. A health plan or health care provider that is subject to HIPAA is not permitted to disclose protected health information (PHI) other than to appropriate persons for permitted purposes, even if the person asking – even if virtually everyone in the country – already knows the information.

To be sure, there are times you may reveal PHI to third parties. Subject to various rules, HIPAA allows you to disclose PHI for the broad purposes of treatment, payment, and health care operations and for more specific reasons, such as compliance with laws other than HIPAA, public health activities, law enforcement, judicial and administrative proceedings, and research. In our example, assuming the celebrity is unconscious or unable to provide consent, you could still disclose PHI to the celebrity’s family and friends; provided the information is relevant to their involvement in her care and you, in your professional judgment, determine that the disclosure is in her best interests. You may also make disclosures with appropriate authorization.

But a disclosure like the one sought in the hospital parking lot? Without patient authorization? HIPAA doesn’t allow that, even if it’s all common knowledge.

Copyright © by Ballard Spahr LLPNational Law Review, Volume VIII, Number 138
Advertisement
Advertisement
Advertisement

About this Author

Edward I. Leeds, Philadelphia attorney, Ballard Spahr Law firm, Employee Benefits and Executive Compensationattorney
Counsel

Edward I. Leeds concentrates on issues relating to the design, administration, and taxation of health and other welfare benefit plans. His practice has evolved with the laws and market forces that shape those plans. Mr. Leeds advises clients about compliance with the Affordable Care Act, HIPAA, HITECH, COBRA, cafeteria plan rules, and other legal requirements. He prepares clients for audits of their privacy and security measures under HIPAA and advises them about the rules governing wellness initiatives.

Mr. Leeds represents employers in the negotiation and drafting of contracts...

215.864.8419
Corinne A. Militello, Ballard Spahr, Intellectual property lawyer
Counsel

Corinne Militello advises on trademarks and copyrights, advertising, and internet issues, as well as on privacy and data security matters relating to the collection, use, sharing, and safeguarding of data, including information of consumers, patients, and employees.

Corinne advises on all aspects of brand protection—from trademark clearance through registration and enforcement, domain name strategy and protection, and license and settlement agreements. She advises both creators and users of copyrightable works on copyright ownership, registration, enforcement, licensing, and related...

215 864 8155
Advertisement
Advertisement
Advertisement