Patient Privacy and HIPAA

Patient Privacy and Health Insurance Portability and Accountability Act

This guideline was created by the Michigan Health and Hospital Association and was adapted and approved by the University of Michigan Health System. For details about the University of Michigan Health System’s specific privacy practices, go to the official UMHS Notice of Privacy Practices.

Releasing Patient Information

The Health Insurance Portability and Accountability Act's medical privacy regulations govern the use and release of a patient's personal health information, also known as "protected health information" (PHI). In the event state law or hospital policy is more restrictive than the HIPAA privacy regulations, the more restrictive law or policy will apply.

Under the HIPAA privacy regulations, patients must be informed about how their PHI will be used and given the opportunity to object to or restrict the use or release of their information. Hospitals may use and disclose PHI without a patient's consent for purposes of treatment, payment and health care operations.

In addition, the HIPAA privacy regulations have specific provisions for the release of limited information about the patient without the patient's authorization when someone specifically asks about the patient by name.

Unless a patient objects, the following information may be placed in a hospital directory:

  • the patient's name
  • the patient's location in the health care provider's facility
  • the patient's condition, described in general terms that do not communicate specific information about the individual
  • the patient's religious affiliation (may only be released to clergy - clergy do not have to inquire about a patient by name)

Disclosure of this information for directory purposes may be made to members of the clergy or, except for religious affiliation, to other persons who ask for the individual by name.

The HIPAA privacy regulations establish a minimum acceptable threshold for the use and release of a patient's health information. State and federal law and hospital policies may establish stricter standards.

Minor Children

HIPAA guidelines are meant to preserve current state laws regarding minors. Generally, minor children (under the age of 18) may have information released with the consent of a parent or legal guardian, in accordance with the preceding guidelines.

Emergency Circumstances

The covered health care provider must provide patients with the opportunity to object to the use and disclosure of directory information, when feasible. The privacy regulations address situations where the opportunity to object to or restrict the use or disclosure of a patient's health information in the hospital's directory cannot be practicably provided because of an individual's incapacity or emergency treatment circumstance. In such cases, a covered health care provider may use or disclose an individual's information in the hospital's directory if the use or disclosure is:

  1. consistent with a prior expressed preference of the individual, if any, that is known to the covered health care provider; and
  2. in the individual's best interest as determined by the covered health care provider, in the exercise of professional judgment.

Both conditions must be true for a provider to release patient information contained in the hospital's directory under HIPAA.

Confidential Information

In addition to the limitations on release of a patient's health information imposed by the HIPAA privacy standards, state and federal law also may impose specific limitations. For example, some states have restrictions in place that do not allow the release of any information concerning the HIV/AIDS status of a patient. State laws may also specify that, for example, patients who are involved in an alcohol or drug-treatment program are entitled to complete confidentiality, including whether they are in fact participating in the program or not.

Media Access to Patients

When the media want to interview or photograph a patient, a member of the U-M Health System within the Department of Public Relations and Marketing Communications will check with the appropriate hospital staff to ensure the patient is physically and emotionally capable. The Public Relations representative must obtain the patient's permission. If the patient is a minor, permission must be obtained from the parent or legal guardian.

If the patient is under arrest, permission also must be obtained from the law enforcement officer in charge of the patient's custody.

Media representatives will be accompanied by a PR representative at all times while in the hospital.

Disasters

Hospitals or other covered entities, pursuant to the HIPAA privacy regulations, may disclose information regarding a patient's health to a public or private entity authorized by law to assist in disaster relief efforts. Information may also be released to these types of organizations for the purpose of coordinating with such entities in contacting a family member, personal representative, or person directly responsible for a patient's care.

Deaths

The hospital should report the death of a patient to the authorities as required by law. Typically, public information about a death will be disclosed after efforts have been made to notify the next-of-kin. Information about the cause of death must come from the patient's physician, and a legal representative of the deceased must approve its release. This means that hospitals cannot share information with the media on the specifics about sudden, violent or accidental deaths, or deaths from natural causes, without the permission of the decedent's next-of-kin or other legal representative.

Public Information

Police reports and other information about hospital patients are often obtained by members of the media. Health care providers are required to observe the general prohibitions against releasing health information about patients that are found in the HIPAA privacy standards, state statutes or regulations, and the common law, regardless of what information is in the hands of public agencies or the public in general.

Emergency Medical Services

EMS units or ambulance services that provide health care services to patients and bill for those services electronically are considered covered entities under HIPAA and are subject to the same restrictions on use and disclosure of a patient's information.

Clergy

Members of the clergy frequently request access to names and locations of patients in a hospital to determine if members of their congregations have been admitted. Patient names, location, general condition and religious affiliation may be released to members of the clergy if a patient has not opted out of the hospital's directory. A patient may ask that the hospital not include his or her name and information in a hospital directory. A patient also may request that religious affiliation not be included in the directory. If the patient objects to inclusion of his or her name, clergy may not be told that person is in the hospital. If the patient does not object, clergy may receive the directory information without asking for the patient by name.

Additional Resources

For more information on HIPAA, go to the official UMHS Notice of Privacy Practices or the Department of Health and Human Services, Office for Civil Rights website.