HIPAA: Privacy Required, Even When Information Goes Public
A celebrity collapses on stage and is rushed to the hospital. Rumors race through social media faster than the ambulance can navigate city streets. Was it exhaustion? Was it her heart? Was there a gunshot? The press broadcasts through the night outside the ER. You are a hospital administrator who has access to information about the celebrity’s medical condition and treatment. You stay past your shift until the patient’s condition is stable and the 11 p.m. news reports have finished. You exit through a side door to avoid attention, but a man comes up alongside you. You know him from some prior incidents. He is an insurance investigator for the arena where the celebrity was performing. He asks you questions, seeking to confirm facts for a preliminary report he is filing. All of the facts that he recites about the celebrity’s condition are true. All of them have been widely reported already. You keep quiet.
You have been well trained. That is what you should do.
HIPAA’s restrictions are not like the confidentiality provisions that you will find in many contracts. Often those contracts contain exceptions for:
- information in the public domain,
- information that the receiving party already knows when entering into an agreement,
- information that the receiving party obtains without reference to any other confidential information, or
- information that the receiving party obtains from a third party who has no obligation to keep it secret.
But these exceptions do not apply under HIPAA’s privacy rules. A health plan or health care provider that is subject to HIPAA is not permitted to disclose protected health information (PHI) other than to appropriate persons for permitted purposes, even if the person asking – even if virtually everyone in the country – already knows the information.
To be sure, there are times you may reveal PHI to third parties. Subject to various rules, HIPAA allows you to disclose PHI for the broad purposes of treatment, payment, and health care operations and for more specific reasons, such as compliance with laws other than HIPAA, public health activities, law enforcement, judicial and administrative proceedings, and research. In our example, assuming the celebrity is unconscious or unable to provide consent, you could still disclose PHI to the celebrity’s family and friends, provided the information is relevant to their involvement in her care and you, in your professional judgment, determine that the disclosure is in her best interests. You may also make disclosures with appropriate authorization.
But a disclosure like the one sought in the hospital parking lot? Without patient authorization? HIPAA doesn’t allow that, even if it’s all common knowledge.