q. what is directory information and can it be released to the media under hipaa?
under hipaa, hospitals may maintain a directory including a patient's name, location in the hospital, general condition and religious affiliation. if a hospital maintains such a directory, patients must be given the opportunity to object to or restrict the use or disclosure of this information. in no event may information concerning a patient's religious affiliation be released, except to the clergy. other directory information may be released only if the media or the public asks for the patient by name and only after the patient has been given the opportunity and consented to the release of directory information.
q. if a patient has opted not to restrict information, what kinds of condition information may be disclosed?
if hipaa privacy standards are met, information, such as general condition information (information that does not communicate specific information about the individual) may be released. the american hospital association recommends, and many hospitals are using, the following terms:
undetermined - patient awaiting physician and assessment.
good - vital signs are stable and within normal limits. patient is conscious and comfortable. indicators are excellent.
fair - vital signs are stable and within normal limits. patient is conscious but may be uncomfortable. indicators are favorable.
serious - vital signs may be unstable and not within normal limits. patient is acutely ill. indicators are questionable.
critical - vital signs are unstable and not within normal limits. patient may be unconscious. indicators are unfavorable.
treated and released - patient received treatment but was not admitted.
with written authorization from the patient, a more detailed statement regarding a patient's condition and injuries or illness can be released.
q. what about patients who are unconscious or otherwise unable to give advance consent for release of their information?
in situations where the opportunity to object to or restrict the use or disclosure of information cannot be provided because of an individual's incapacity, a covered entity may use or disclose protected health information if the use and disclosure is: (1) consistent with a prior expressed preference of the individual, if any, that is known to the covered entity; and (2) in the individual's best interest as determined by the covered entity, in the exercise of professional judgment. both conditions (1) and (2) must apply for a provider to release patient information under hipaa if the patient is incapacitated.
myth #7: a patient cannot be listed in a hospital's directory without the patient's consent and the hospital is prohibited from sharing a patient's directory information with the public
fact: the privacy rule permits hospitals to continue the practice of providing directory information to the public unless the patient has specifically chosen to opt out.
the regulation states that a health care provider, such as a hospital, may maintain a directory that includes the patient's name, location in the facility, and condition in general terms, and disclose such
information to people who ask for the patient by name. the patient must be informed in advance of the use and disclosure and have the opportunity to opt out of having his or her information included in the directory. emergency situations are specifically provided for in the regulation, so if the patient is comatose, or otherwise unable to opt out due to an emergency, the hospital is
permitted to disclose directory information if the disclosure is consistent with the patient's past known expressed preference and the provider determines disclosure is in the individual's best interest. the provider must provide the patient with an opportunity to object, “when it becomes practicable to do so.” any more restricted uses of directory information, such as requiring patients to ask to be listed in, or opt into, the directory, are either the hospital's own policy
or confusion about the privacy regulation. 164.510(a), http://www.hhs.gov/ocr/privacysummary.pdf
(page 6), http://www.hhs.gov/ocr/hipaa/
(faq section, page 2, question 37).
myth # 9: patients can sue health care providers for not complying with the hipaa privacy regulation.
fact: the hipaa privacy regulation does not give people the right to sue
. even if a person is the victim of an egregious violation of the hipaa privacy rule, the law does not give people the right to sue. instead, individuals must file a written complaint with the secretary of health and human services via the office for civil rights. it is then within the secretary's
discretion to investigate the complaint. hhs may impose civil penalties ranging from $100 to $25,000, and criminal sanctions ranging from $50,000 to $250,000, with corresponding prison terms, may be enforced by the department of justice. however, since the law went into effect, hhs has focused on a complaint-driven process that relies on voluntary compliance with the law. so far, not one civil monetary penalty has been issued. 160.306, 160.312 (a)(1), 160.304(b), 42 u.s.c 1320 et seq., http://www.hhs.gov./news/facts/privacy.html
sometimes it is hard to believe there is still so much misinformation and paranoia about hipaa 3 years after it going into effect.