January 21, 2019

HIPAA: Privacy Required, Even When Information Goes Public

A celebrity collapses on stage and is rushed to the hospital. Rumors race through social media faster than the ambulance can navigate city streets. Was it exhaustion? Was it her heart? Was there a gunshot? The press broadcasts through the night outside the ER. You are a hospital administrator who has access to information about the celebrity’s medical condition and treatment. You stay past your shift until the patient’s condition is stable and the 11 p.m. news reports have finished. You exit through a side door to avoid attention, but a man comes up alongside you. You know him from some prior incidents. He is an insurance investigator for the arena where the celebrity was performing. He asks you questions, seeking to confirm facts for a preliminary report he is filing. All of the facts that he recites about the celebrity’s condition are true. All of them have been widely reported already. You keep quiet.

You have been well trained. That is what you should do.

HIPAA’s restrictions are not like the confidentiality provisions that you will find in many contracts. Often those contracts contain exceptions for:

  • information in the public domain,
  • information that the receiving party already knows when entering into an agreement,
  • information that the receiving party obtains without reference to any other confidential information, or
  • information that the receiving party obtains from a third party who has no obligation to keep it secret.

But these exceptions do not apply under HIPAA’s privacy rules. A health plan or health care provider that is subject to HIPAA is not permitted to disclose protected health information (PHI) other than to appropriate persons for permitted purposes, even if the person asking – even if virtually everyone in the country – already knows the information.

To be sure, there are times you may reveal PHI to third parties. Subject to various rules, HIPAA allows you to disclose PHI for the broad purposes of treatment, payment, and health care operations and for more specific reasons, such as compliance with laws other than HIPAA, public health activities, law enforcement, judicial and administrative proceedings, and research. In our example, assuming the celebrity is unconscious or unable to provide consent, you could still disclose PHI to the celebrity’s family and friends, provided the information is relevant to their involvement in her care and you, in your professional judgment, determine that the disclosure is in her best interests. You may also make disclosures with appropriate authorization.

But a disclosure like the one sought in the hospital parking lot? Without patient authorization? HIPAA doesn’t allow that, even if it’s all common knowledge.

Copyright © by Ballard Spahr LLP


About this Author

Edward I. Leeds, Philadelphia attorney, Ballard Spahr Law firm, Employee Benefits and Executive Compensation attorney

Edward I. Leeds concentrates on issues relating to the design, administration, and taxation of health and other welfare benefit plans. His practice has evolved with the laws and market forces that shape those plans. Mr. Leeds advises clients about compliance with the Affordable Care Act, HIPAA, HITECH, COBRA, cafeteria plan rules, and other legal requirements. He prepares clients for audits of their privacy and security measures under HIPAA and advises them about the rules governing wellness initiatives.

Mr. Leeds represents employers in the negotiation and drafting of contracts...

Corinne A. Militello, Ballard Spahr, Intellectual property lawyer

Corinne Militello advises on trademarks and copyrights, advertising, and internet issues, as well as on privacy and data security matters relating to the collection, use, sharing, and safeguarding of data, including information of consumers, patients, and employees.

Corinne advises on all aspects of brand protection—from trademark clearance through registration and enforcement, domain name strategy and protection, and license and settlement agreements. She advises both creators and users of copyrightable works on copyright ownership, registration, enforcement, licensing, and related contract negotiation and drafting. She also counsels clients on conducting IP audits and due diligence investigations, and has represented clients in copyright litigation matters.

Corinne's privacy and data security practice is focused on managing risks by developing privacy policies and procedures and establishing training and compliance programs. She advises on regulatory inquiries and investigations as well as breach investigations and response. Her work in this area spans a variety of industry sectors, with emphasis on the Health Insurance Portability and Accountability Act (HIPAA). She also counsels clients on preparing and implementing privacy policies and data-sharing agreements, and has assisted in internal investigations involving consumer privacy matters.
