Tag Archives: patient privacy

Why – You Look Like You Need an Authorization!

Nothing personal, but you really do need an authorization. An authorization signed by you, that can be used by your family members, significant others, and close friends in the event that something happens to you and you are either unconscious, or a physician has declared you to be not competent to make decisions about your care, can be a very handy little item to have.

And not just any old authorization, either. You need one that has all the elements required by the HIPAA Privacy Rules.

Just like me, you probably are relatively healthy, maybe a little high cholesterol and a little too much padding, but really, you’re okay. So you’re thinking no, you really don’t need to carry around an authorization. Umm, yes, you do. And here’s why.

What if you get hit by a bus on the way home tonight? Highly unlikely, and certainly we don’t want this to happen, but stay with me on this. You get hit by a bus, you’re taken to the best Emergency Department in the area, and your husband is called. He comes to the ED, and starts to ask questions about you: how are you, can he see you, what is happening or going to happen to you, etc.

Now, let’s say at this hospital the staff have been trained with respect to the HIPAA Privacy Rules. But, they’ve been badly trained. They think that they can’t talk to your husband about you, because that would be “against HIPAA.”

Or, worse, the staff have been well-trained in the HIPAA Privacy Rules but they just don’t feel like dealing with your husband, so they tell him that they can’t talk to him about you, once again because that would be “against HIPAA” and a violation of your privacy.

Think it can’t happen to you? I sincerely hope it doesn’t. But, it’s in your best interest, and that of your family, too, for you and all adult members of your family to have an authorization on hand that can be used in the event that you are unable to make a decision about your healthcare.

The HIPAA Privacy Rules have some very specific requirements regarding what needs to be included in a valid authorization – one that will be honored by that hospital or any of your healthcare providers, insurance companies, etc. Let’s go through them.

Per the HIPAA Privacy Rules (see 45 CFR 164.508[c][1]-[3]), the authorization must include all of the following items:

1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion: what stuff can your healthcare provider disclose to whoever you’ve named in the authorization?

2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure: that would be you.

3. The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure: that would be your family members, next of kin, significant other(s), close friends, etc. – who can the hospital or healthcare provider disclose your healthcare information to? (Be sure to include your name here. Trust me.)

4. A description of each purpose of the requested use or disclosure: the statement “at my request” is a sufficient description of the purpose when you initiate the authorization and do not, or elect not to, provide an additional statement of the purpose: either state “at my request” (or similar verbiage), or spell out in plain language the reason why you are authorizing healthcare information about you to be disclosed.

5. An expiration date or an expiration event that relates to (you) or the purpose of the use or disclosure: the statement “end of the research study,” “none,” “December 31, 2010” or all similar language is okay.

6. Your signature and the date. (Note: If the authorization is signed by a personal representative of the individual [for example, by a parent or guardian of a minor], include a description of the representative’s authority to act for the individual.)

7. A statement regarding your right to revoke the authorization in writing.

8. The exceptions to the right to revoke and a description of how you may revoke the authorization.

9. A statement that the covered entity (healthcare provider, hospital, etc.) may not condition treatment, payment, enrollment or eligibility for benefits on whether you sign the authorization: this means they cannot refuse to treat you just because you didn’t sign an authorization (not useful for you in most situations, but nonetheless a requirement).

10. The potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer be protected by this subpart: this means that you agree that if the hospital, for example, discloses information about you to your significant other – then the hospital is not responsible if your significant other subsequently discloses your information (gossips) to someone else.

11. The authorization must be written in plain language. Yeah.

Here are my recommendations: all adult members of your family, your significant others, and/or close friends, attorney, etc., should have a copy of your authorization for them to obtain healthcare information about you in the event that you are incapacitated, or incompetent, or even just to pick up your latest prescription. And, just as important, you should encourage them to have authorizations, too, with the names of all the individuals they would like to be able to obtain healthcare information about them in the event that they become incapacitated or incompetent, etc.

An authorization DOES NOT replace a medical power of attorney – you should ensure that all adult members of your family have a signed medical power of attorney prepared by a competent attorney in your state.

But, for situations in which a person may be unconscious or otherwise temporarily unable to authorize a disclosure of their current health situation to another family member or friend, having an authorization in your pocket of purse can save everyone a lot of stress and upset.

If you would like a copy of a HIPAA-proof blank authorization that you can use, email me at hipaadiva@yahoo.com, and I’ll send you one, for free. This offer is only valid until I get my website online; when it’s ready to go then I’ll be offering these authorizations for a fee.

I blog here fairly regularly on all subjects related to patient privacy, the HIPAA Privacy & Security Rules, patient advocacy, etc. I invite you to send me any questions you may have about your medical records, healthcare privacy rights, etc., to hipaadiva@yahoo.com.

If you happen to be a nurse or nursing student, check out cathylwhite.wordpress.com for information about legal issues affecting nurses.


You Took Your Injured Friend to the ED. He’s Unconscious. He Has No Relatives. His Doctors Won’t Tell You Anything. What Can You Do?

This is one of the most heart-wrenching situations that I hear about: a person brings their friend to the ED, because the friend is very sick or injured.  The ED is treating the friend, but for a period of time the friend is unconscious.  You inquire about your friend’s status.  The staff says, “We can’t tell you anything because of HIPAA.”  Or, “We can’t tell you anything because of privacy.”  Or some variation on the theme.

Frustrating and very upsetting, no?

Even more frustrating is that it’s NOT TRUE.

That’s right.   The HIPAA Privacy Rules specifically allow healthcare providers to give limited information about a person to the person’s friend or family members if, in the best judgment of the providers, such a disclosure would be in the best interest of the patient.

Well, geez, I’m thinking that it’s definitely in the best interest of your unconscious friend for the doc to let you know what’s going on, or at least what to expect.  What do they think — that you’re going to use the fact that your friend is suffering from, say, a bad concussion, to steal the friend’s identity and go on a spending spree with his credit cards?  Come on, get REAL.

Here’s what Health & Human Services — remember, they’re the ones that administer and are responsible for the HIPAA Privacy Rules — says about the subject — and I’m copying this straight from their website (http://www.hhs.gov/hipaafaq/notice/488.html)!

Here ya go —

Does the HIPAA Privacy Rule permit a doctor to discuss a patient’s health status, treatment, or payment arrangements with the patient’s family and friends?

Yes. The HIPAA Privacy Rule at 45 CFR 164.510(b) specifically permits covered entities to share information that is directly relevant to the involvement of a spouse, family members, friends, or other persons identified by a patient, in the patient’s care or payment for health care.

“If the patient is present, or is otherwise available prior to the disclosure, and has the capacity to make health care decisions, the covered entity may discuss this information with the family and these other persons if the patient agrees or, when given the opportunity, does not object.

“The covered entity may also share relevant information with the family and these other persons if it can reasonably infer, based on professional judgment, that the patient does not object. Under these circumstances, for example:

“A doctor may give information about a patient’s mobility limitations to a friend driving the patient home from the hospital.

“A hospital may discuss a patient’s payment options with her adult daughter.

“A doctor may instruct a patient’s roommate about proper medicine dosage when she comes to pick up her friend from the hospital.

“A physician may discuss a patient’s treatment with the patient in the presence of a friend when the patient brings the friend to a medical appointment and asks if the friend can come into the treatment room.

“Even when the patient is not present or it is impracticable because of emergency circumstances or the patient’s incapacity for the covered entity to ask the patient about discussing her care or payment with a family member or other person, a covered entity may share this information with the person when, in exercising professional judgment, it determines that doing so would be in the best interest of the patient. See 45 CFR 164.510(b). Thus, for example:

“A surgeon may, if consistent with such professional judgment, inform a patient’s spouse, who accompanied her husband to the emergency room, that the patient has suffered a heart attack and provide periodic updates on the patient’s progress and prognosis.

“A doctor may, if consistent with such professional judgment, discuss an incapacitated patient’s condition with a family member over the phone. 

“In addition, the Privacy Rule expressly permits a covered entity to use professional judgment and experience with common practice to make reasonable inferences about the patient’s best interests in allowing another person to act on behalf of the patient to pick up a filled prescription, medical supplies, X-rays, or other similar forms of protected health information. For example, when a person comes to a pharmacy requesting to pick up a prescription on behalf of an individual he identifies by name, a pharmacist, based on professional judgment and experience with common practice, may allow the person to do so.”

How about THAT! 

Sometimes I think that the excuse “We can’t do X-Y-Z because of HIPAA” is just that — an excuse that a lazy healthcare provider or administrative staff uses to get them out of doing their job.  Sounds official, though, doesn’t it?  “Can’t do it because of the HIPAA LAW.”  Well, uh, that isn’t what the HIPAA rules say.

There you have it — use this information next time you need it.

Next time on this blog — how to protect yourself and your family members and friends from having to deal with the “I can’t do it because of the HIPAA law” excuse.

I blog regularly about the HIPAA Privacy & Security Rules.  If you’re having a problem related to healthcare/patient privacy, getting a copy of your medical records (or those of your family), and other health privacy related questions — I’d be honored to help, so please email me directly at hipaadiva@yahoo.com.  And yes, I’m working on the website!  And yes, please tell your friends about this blog!