When Can Patient Information Be Shared With Loved Ones?HHS Issues New HIPAA Privacy Guidance, Plus Contest for 'Model Privacy Notice Generator'
The Department of Health and Human Services has issued new health data privacy guidance and announced a contest to create an online "model privacy notice generator." Plus, it's issued a reminder about the importance of reviewing and securing audit logs to help prevent and detect breaches.
The issuance on Jan. 10 of new privacy guidance by HHS' Office for Civil Rights is aimed at clarifying that the HIPAA Privacy Rule permits disclosures of health information to a patient's loved ones regardless of whether they are recognized as relatives under applicable law.
The new OCR privacy rule guidance, issued in a frequently asked questions format, was developed in large part to address confusion following the 2016 Orlando nightclub shooting about whether and when hospitals may share protected health information with patients' loved ones, OCR says in a statement. "In particular, the FAQ makes clear that the potential recipients of information under the relevant permissive disclosure provisions ... are not limited by the sex or gender identity of the person," OCR says.
On that same topic, OCR also issued updated guidance "that makes clear that the terms 'marriage, spouse and family member' include, respectively, all lawful marriages - whether same-sex or opposite-sex) - lawfully married spouses and the dependents of all lawful marriages, and clarifies certain rights of individuals under the Privacy Rule."
Confusion in Times of Crisis
Confusion over these privacy-related issues - and whether patient information can be disclosed to various loved ones - often arises in times of crisis, such as the Orlando nightclub shooting last year "where hospitals reportedly ... thought they couldn't disclose [patient information] to families," notes privacy attorney Kirk Nahra of the law firm Wiley Rein.
"OCR is trying hard to be helpful on giving people clear indications of how they can make these decisions, but they aren't forcing anyone to disclose - and it typically isn't a violation of HIPAA to not disclose," he says.
"The guidance mainly reflects one of the key principles of the overall HIPAA Privacy Rule - the flexibility for responsible professionals to make reasonable decisions in the best interests of the patient/individual," Nahra notes. "The [new] guidance is trying - again - to make this point clear. The problem with the guidance - or with the flexibility itself - is that the rule is permissive, not mandatory. Therefore, professionals are permitted to disclose, but do not have to."
Nahra says his means that some professionals "will carefully and thoughtfully exercise appropriate discretion in these contexts, and others may just say 'it's too hard or risky - or whatever else - and so I won't do it.'"
Model Privacy Notice Contest
ONC says its Model Privacy Notice is "similar to a nutrition facts label ... providing a snapshot of a product's existing privacy practices, encouraging transparency and helping consumers make informed choices when selecting products." The model does not mandate specific policies or substitute for more comprehensive or detailed privacy policies, ONC notes.
ONC first released its model in 2011, but updated it in December 2016 to reflect the surge in new consumer products that have been released into the marketplace over the last several years.
"As retail products that collect digital health data directly from consumers are used, such as exercise trackers, it is increasingly important for consumers to be aware of companies' privacy and security policies and information sharing practices," ONC says.
Health technology developers can use the model "to easily enter their information practices and produce a notice to allow consumers to quickly learn and understand privacy policies, compare company policies, and make informed decisions," ONC says. "Many consumer health technologies are offered by organizations that are not subject to the HIPAA privacy and security standards."
ONC says its challenge "is a call ... to create an online MPN generator that is easy for health technology developers to use in customizing a privacy notice that is compelling and understandable to consumers."
Submissions must provide the code for an open source, web-based tool that allows health technology developers who collect digital health data to generate a customized privacy notice, ONC says. The office will award a total of $35,000 in prizes through this challenge. The deadline for submission is April 10, with winners expected to be announced in mid-2017.
"ONC is trying to make notices useful to individuals," Nahra notes. "HIPAA - while trying to provide information to patients - requires so much information to be disclosed that it is not ultimately a useful document for most patients. So, there is a bit of a disconnect here."
Audit Log Reminder
Meanwhile, a new monthly cyberawareness alert OCR issued on Jan. 13 urges covered entities and business associates to protect audit log and audit trails.
"Protecting audit logs and audit trails prevents intruders from tampering with the audit records and protecting their integrity," OCR says. "Not safeguarding audit logs and audit trails can allow hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associate to not only recover from breaches, but to prevent them before they happen."
The HIPAA Security Rule does not identify what information should be collected from an audit log or trail or how often the audit reports should be reviewed, OCR notes. When determining reasonable and appropriate audit controls for information systems containing or using electronic protected health information, covered entities and business associates must consider their risk analysis results and organizational factors, such as their current technical infrastructure, hardware and software security capabilities, the office points out.
"It is imperative for covered entities and business associates to review their audit trails regularly, both ... after security incidents or breaches and during real-time operations," OCR says. "Regular review of information system activity should promote awareness of any information system activity that could suggest a security incident or breach. Access to audit trails should be strictly restricted and should be provided only to authorized personnel."