If a patient in the emergency department can't communicate, is it a HIPAA violation to call a pharmacy to get medical information?
Response from Carolyn Buppert, MSN, JD
Healthcare attorney, Boulder, Colorado
Here is the full scenario provided by the emergency department nurse:
Patients sometimes present who are unable to give us their medical information (eg, a cardiac arrest), and no family members are available or the family does not know the medications or medical history of the patient. In the past, if I have found a pharmacy discount (or other) card that leads me to believe that a pharmacy may have information about a patient's health, I call the pharmacy, explain the situation, and ask whether they have any recent information. Many are eager to assist. My coworker brought up that this could be a violation of the Health Insurance Portability and Accountability Act (HIPAA) because I am disclosing that the patient is in the emergency department and is unable to give us information. I view it as continuity of care and believe that the information obtained could benefit the patient and help the medical team. What does the law say about inquiring about patient information when the patient is unable to give consent? Am I violating HIPAA when I call and ask for information?
HIPAA allows healthcare providers to communicate with other healthcare providers as necessary to treat the patient. If the patient is unable to communicate and it is necessary to obtain history from other providers, including pharmacists, then you are within the rules to ask a pharmacist for information needed to provide care, and it is within the rules for the pharmacist to provide you with the patient's medication list. Of course, the pharmacist should ascertain that he or she is talking to an emergency department nurse when giving out the information.
The US Office for Civil Rights (OCR) enforces the HIPAA rules. On that agency's Website, the OCR says, with respect to HIPAA:
A covered entity may, without the individual's authorization: use or disclose protected health information for its own treatment, payment, and healthcare operations activities. For example:
• A hospital may use protected health information about an individual to provide healthcare to the individual and may consult with other healthcare providers about the individual's treatment;
• "Treatment" generally means the provision, coordination, or management of healthcare and related services among healthcare providers or by a healthcare provider with a third party, consultation between healthcare providers regarding a patient, or the referral of a patient from one healthcare provider to another; and
• A hospital may use protected health information about an individual to provide healthcare to the individual and may consult with other healthcare providers about the individual's treatment.
As far as the hospital's responsibilities for protecting patient privacy, the OCR Website says:
A covered entity must develop policies and procedures that reasonably limit its disclosures of, and requests for, protected health information for payment and healthcare operations to the minimum necessary. A covered entity also is required to develop role-based access policies and procedures that limit which members of its workforce may have access to protected health information for treatment, payment, and healthcare operations, based on those who need access to the information to do their jobs. However, covered entities are not required to apply the minimum necessary standard to disclosures to or requests by a healthcare provider for treatment purposes.
The aim of HIPAA is to prevent communication of protected health information when it is not necessary for treatment, payment, or operational purposes. For example, HIPAA aims to prevent dissemination of patient records, patient status information, or lists of patients and their diagnoses to nonproviders. HIPAA prohibits healthcare providers from talking about patients in public areas or discussing patients with neighbors and friends.
On the basis of the volume of HIPAA-related queries I receive from nurses working at hospitals and other facilities, and given that the government is conducting HIPAA compliance audits, it seems to me that hospitals should have a HIPAA question-and-answer hotline for staff, so that nurses and other staff can get timely answers to questions such as this one, from a qualified compliance professional at their workplace. It would be a shame to delay care for a patient in an emergency department because the staff are afraid to gather the needed information, thinking that HIPAA stands in the way when it doesn't.
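HIPAA is the Health Insurance Portability and Accountability Act (abbreviated HIPAA), enacted by the US government in 1996. The act established a series of security standards that specify in detail how health plans, providers, and clearinghouses transmit, access, and store protected health information in electronic form. The act requires that patient records be retained for six years while ensuring confidentiality, and it also sets out in detail the rules healthcare organizations must follow when handling patient information, as well as the penalties for violating confidentiality principles or for deleting patient records via e-mail or unauthorized networks.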