In enacting HIPAA, Congress mandated the establishment of Federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by state or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the federal privacy standards.
Applies to all members of the UW HCC.
The HIPAA Privacy Rule requires that patients be provided with an opportunity to agree or object to certain uses or disclosures of their protected health information and, if the patient objects, the use or disclosure may not be made. UW–Madison follows HIPAA regulations regarding when patients must be provided with an opportunity to agree or object to certain uses or disclosures of their protected health information.
Under HIPAA, several types of uses and/or disclosures require that the patient be given the opportunity to agree or to object in advance of the use or disclosure and, if the patient objects, the use or disclosure may not be made. UW staff may orally inform the patient of the intended use or disclosure and obtain the patient’s oral agreement or objection, as follows:
It is expected that in most circumstances, UW HCC staff will be able to disclose protected health information to those involved in the care of the patient and/or for notification purposes based on options ii or iii above. For example, if the patient allows a family member or friend to be present during treatment, it is reasonable to infer that the patient would not object to disclosures of most types of protected health information to the family member or friend.
However, if UW HCC staff are aware of circumstances (e.g., “sensitive” diagnoses, dysfunctional family dynamics) that might result in the patient objecting to such disclosure, staff should obtain the patient’s agreement and document such agreement in the medical record before proceeding with the disclosure.
UW HCC staff may use or disclose protected health information to a public or private organization authorized by law or its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities for the notification of, or to assist in the notification of (including identifying or locating), a family member, a personal representative of the patient, or another person responsible for the care of the patient of the patient’s location, general condition, or death, as follows:
It is expected that in most circumstances, when the patient is present, UW HCC staff will be able to disclose protected health information to disaster relief agencies for notification purposes, based on options B or C above.
However, if UW HCC staff are aware of circumstances that might result in the patient objecting to such disclosure, staff should obtain the patient’s agreement and document such agreement in the medical record before proceeding with the disclosure.
If the individual is deceased, UW HCC staff may disclose to a family member or another person as described in I.1.A above (who were involved in the individual’s care or payment for health care prior to death), protected health information that is relevant to such person’s involvement unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity.
The minimum necessary standard applies to disclosures made under this policy. See UW-109 Minimum Necessary Standard.
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.
Additional information may be found at www.compliance.wisc.edu/hipaa.
09-22-2014: Effective date of the revised policy: 09-22-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.