Guest kbs Posted October 29, 2004
Assume that a health provider subject to HIPAA receives PHI regarding an individual who is not a patient. Even if the individual is not a patient, doesn't the health care provider still have the responsibility to protect the information under federal law? I have the same question concerning a health plan subject to HIPAA. If a health plan receives PHI regarding an individual who is not a participant in the plan, isn't the health plan required to protect this information under federal law? Thanks.
Steve72 Posted November 1, 2004
Interesting question. PHI is information held by a covered entity about an individual's treatment, medical condition or payment for treatment. An individual is defined in HIPAA as the person who is the subject of the PHI. If the covered entity receives medical information about a non-patient (or non-participant), then I would say you are right, that the covered entity must extend HIPAA protections to the information. However, it's important to point out that the covered entity must receive this information in its role as a covered entity in order for HIPAA to apply. For example, if a hospital receives information about an employee for absence management purposes, then it has received the information as an employer, not as a hospital. This information is not protected by HIPAA.
GBurns Posted November 1, 2004
A provider who receives PHI on a non-patient would be prudent to protect this info in the same manner as if protected by HIPAA even if it turns out that it is not covered by HIPAA. There are not only many other privacy laws such as the Public Health laws but privacy rights under state laws. For example, when an individual contracts any of the major communicable diseases, such as an STD, under public health laws a disclosure of other contacted individuals is made. What do you think the consequences would be if any provider who is treating any of the disclosed individuals releases info on the others who are not patients? The same applies when a provider collects family history in order to assist in diagnosing such things as diabetes, hypertension etc. If family history, as a general issue, is not protected, what do you think would be the result? A health plan, whether as employer or provider, is no different. The fact that an employer finds out, as an employer, that an employee has contracted a disease does not allow that employer to release or use the information about any others who might be involved in the transmitting of that disease to their employee. In fact, an employer getting employee information in the manner that Steve72 describes is not free to use the information as he pleases; there are still restrictions on its use. Even if HIPAA did not exist, such information is protected otherwise.
George D. Burns
Cost Reduction Strategies
Burns and Associates, Inc
www.costreductionstrategies.com (under construction)
www.employeebenefitsstrategies.com (under construction)
jeanine Posted November 1, 2004
Perhaps I'm wrong but I thought the poster was asking about information received in error, either by fax or mail. We get accidental information fairly infrequently but when we do we contact the sender. We give them the option of us sending it back to them or we shred it. If we return or shred I don't think we have any further responsibility for it.
GBurns Posted November 1, 2004
Receiving in error does not change the fact that it was received. Returning or shredding does not change the fact that it was received. After you return or shred the original, what happens with what remains in the minds of those who saw the info? What happens to copies made, whether known or not? What happens if you return to an unauthorized person, considering that something sent to XYZ Company will not be delivered to the company itself but to an individual at that company?
George D. Burns
Cost Reduction Strategies
Burns and Associates, Inc
www.costreductionstrategies.com (under construction)
www.employeebenefitsstrategies.com (under construction)
jeanine Posted November 1, 2004
We only return something to the sender or offer to forward to the appropriate party once we have contacted that party in person by phone. I can't erase what is in someone's mind, but if something is sent to us in error it means that the responsible Covered Entity disclosed something inappropriately. I stand by my statement that we do not keep copies or assume any responsibilities other than destroying or forwarding/returning. If they are not our enrollee or our patient, how do we have an obligation towards them?
Steve72 Posted November 2, 2004
My answer below is limited to HIPAA issues, since I believe that was what the question was geared towards. There are two issues you've raised, Jeanine. First is whether there is a HIPAA obligation. Second is whether you have met that obligation. If, in your role as a covered entity, you erroneously receive health information about a non-patient (e.g., a file mistakenly sent to the wrong hospital), I think that information is still PHI. It is individually identifiable health information received by a covered entity. However, the obligation created here is to not use or disclose information in a manner inconsistent with HIPAA. Destruction and returning to sender (once you have used appropriate methods to ensure that the sender is the correct party) are not inconsistent with HIPAA. Ironically, the real concern here is the six-year maintenance requirement and individual rights. I would argue that those requirements apply to PHI in a designated record set. There is no designated record set here, as the PHI is never "used" other than returning to sender. As far as erasing someone's mind, I believe if you ensure that individuals treat the PHI received erroneously with the same care they treat PHI received in the course of their duties, then you have met your obligation.