How to Use the Privacy Exception to Deny an Abuser Access to EHI

by | Mar 5, 2021 | HIPAA Privacy, Information Blocking

  • The Privacy Exception allows an Actor to deny a request for EHI if a precondition under applicable law has not been met.
  • A patient must, at a minimum, be afforded the opportunity to object to any disclosure of EHI to a family member or friend involved in the patient’s care.
  • A covered entity may deny a patient’s personal representative access to EHI in certain cases where abuse and neglect are suspected.

Subscribe HERE to Legal HIE’s compliance library to gain access to sample policies, documents and tools for compliance with the Info Blocking Rule.

When an Actor wants to potentially deny access to EHI to a person who is suspected of some type of abuse of the patient whose EHI is being sought (the “Abuser”), the natural inclination is to look to the Information Blocking (IB) Rule’s Preventing Harm Exception to justify such denial.  However, the IB Rule’s Privacy Exception offers an additional option and, in some ways, more flexibility for the Actor to deny a suspected Abuser’s request for EHI.

Under the IB Rule’s Privacy Exception, an Actor may deny a request for EHI if a “precondition” is not satisfied.  This means that a State or Federal law requires one or more preconditions for providing access, exchange, or use of EHI, but one or more of those preconditions has not been satisfied.  (see 45 C.F.R. 171.202)

Under the HIPAA Privacy Rule, unless a signed authorization is obtained from the patient, a covered entity provider is permitted to disclose a patient’s electronic protected health information (for purposes of Info Blocking, “EHI”) to a person associated with the patient only under a few circumstances.  One such circumstance is where the person is a family member, relative, or close personal friend who is “directly involved with” the patient’s health care or payment related to such health care. I’ll refer to such persons as an “Involved Family Member or Friend.”  In these cases, HIPAA requires that, at a minimum, the patient must be given an opportunity to object to a disclosure of his/her EHI to such Involved Family Member or Friend, and not object to the disclosure.  Therefore, if an Involved Family Member or Friend is an Abuser and the patient objects to the disclosure of his/her EHI to such person, this precondition under the HIPAA Privacy Rule has not been met and the provider-Actor may withhold the requested EHI from the Abuser under the IB Rule’s Privacy Exception.  Easy-peasy — done.  (Note: if the patient does not object to the disclosure of his/her EHI to the Involved Family Member or Friend/Abuser, but a licensed health care professional with a clinician-patient relationship with the patient determines, in her professional judgement, that disclosing the EHI to the Abuser could result in “substantial harm” to the patient, then the Actor can still deny the Abuser access to the patient’s EHI based on the Preventing Harm Exception).

A second scenario where HIPAA would permit a covered entity provider to disclose the patient’s EHI to a person associated with the patient is if that person qualifies under law to act as the patient’s “Personal Representative.”  This is a legal term which requires that the person have actual legal authority under applicable law (usually arising from State law) to act on behalf of the patient.  Examples of individuals who might qualify as a Personal Representative include guardians (including parents of minors), and individuals with a Power of Attorney duly-executed by the patient.  State laws could provide other specific authority for a person to “act on behalf” of a patient for health care-related decisions.  In any case, if a person has such legal authority under state law, that person must be treated as a Personal Representative of the patient and be permitted to essentially “step into the shoes” of the patient and act as if he/she is the patient, including being allowed to make a request for access to the EHI.  However, the HIPAA Privacy Rule does allow for an exception for cases involving abuse, neglect and endangerment situations.  The relevant provision essentially says:

Notwithstanding a State law or any requirement [pertaining to Personal Representatives] to the contrary, a covered entity may elect not to treat a person as the Personal Representative of a patient if:

The covered entity has a reasonable belief that:

— The patient has been or may be subjected to domestic violence, abuse, or neglect by such person;

or

— Treating such person as the Personal Representative could “endanger the individual.”

In such a case, the covered entity, in the exercise of professional judgment, may decide that it is not in the best interest of the patient to treat the person as the individual’s personal representative.  See 45 C.F.R. 164.502(g)(5) et seq.

Therefore, if a Personal Representative is an Abuser and the covered entity has a reasonable belief that the patient has been or may become subjected to abuse or neglect, or is otherwise in potential danger, the provider-Actor can deny the Personal Representative/Abuser access to the patient’s EHI based on the IB Rule’s Privacy Exception.

I know, I know.  You just got the Preventing Harm Exception figured out with the help of my last wonderful blog post (😉) explaining how to use that exception, and now I have just gone and muddied the entire situation for you, right?  You might be asking “can’t I just stick with the Preventing Harm Exception and get to the same place?”  Yes, probably in most cases. However, remember that in order to deny a Personal Representative access to EHI under the Preventing Harm Exception, a determination must be made by a “licensed health care professional with a clinician-patient relationship with the patient” who determines, in her “professional judgement,” that disclosing the EHI to the Personal Representative/Abuser could result in “substantial harm” to the patient. Certainly doable, and practically speaking it would get you to the same place if such requirement can be met.  However, the Privacy Exception offers a covered entity provider an additional option to allow it to deny such access even more easily, so long as someone in his/her exercise of professional judgement makes the determination that disclosure of the EHI to the Personal Representative/Abuser is not in the best interest of the patient.

In the Final Rule, ONC recognized this overlap with the provision of the HIPAA Privacy Rule which allows a covered entity to decide not to treat a person as the Personal Representative.  Here is the relevant excerpt:

“The finalized [Preventing Harm Exception] does not cross-reference § 164.502(g)(5)(i), but it is constructed so that it does apply to practices interfering with a personal representative or other legal representative’s access to a patient’s EHI consistent with an actor declining to recognize such a representative on the same bases as a HIPAA covered entity could elect not to recognize a person as an individual’s personal representative consistent with § 164.502(g)(5)(i). In order to retain a clear, consistent set of harm standards throughout the § 171.201 type of harm condition, however, we note that where a HIPAA covered entity elects not to recognize an individual’s personal representative consistent with § 164.502(g)(5)(i), the Preventing Harm Exception would not apply.”

See 85 Fed Reg. 25642, 25839-25840 (May 1, 2020).

Bringing the Privacy Exception into the fold to consider for abuse scenarios might, at first glance, appear to make things unnecessarily confusing. However, I see it as just adding another option to allow an Actor to potentially deny a requestor’s access to EHI in appropriate situations — like where the requestor is suspected of some type of abuse or neglect.
