When individuals apply for admission to a nursing home and are screened by PASRR, they cross a boundary of sorts from one kind of provider setting into another kind of provider setting – typically, from the hospital where they have been admitted to the world of PASRR screeners and evaluators, and finally (for many, if not all), to the world of the nursing home.
For many providers, these boundary crossings trigger concerns about complying with the requirements of the Health Insurance Portability and Accountability Act (HIPAA), first passed in 1996. We at PTAC have heard many times that providers are unwilling to release information about an individual to Level II evaluators without his or her explicit consent, because doing so would violate HIPAA.
In fact, this is not the case at all: HIPAA permits providers to disclose protected health information (PHI) to other providers who are caring for, or providing services to, the same individual without consent.
But don’t take my word for it. Look instead at a guide to HIPAA recently released by the Office of the National Coordinator for Health Information Technology (ONC), a division of the federal Health and Human Services (HHS) agency. Version 2.0 of its Guide to Privacy and Security of Electronic Health Information is primarily applicable to physician groups and smaller health providers and businesses, but it provides a good overview of HIPAA for any “covered entity” (CE).
According to the Guide, covered entities include:
- Health care providers who conduct certain administrative transactions in electronic form, including doctors, clinics, hospitals, pharmacies, and nursing homes.
- Health plans.
- Health care clearinghouses.
Besides covered entities, the other key player in HIPAA is the so-called “business associate,” or BA. Examples of BAs include:
- A person or entity that provides data transmission services (involving PHI) to a CE.
- A subcontractor to a BA that creates, receives, maintains, or transmits PHI on the BA’s behalf.
- An entity that a CE contracts with to provide patients with access to a Personal Health Record (PHR) on behalf of a CE.
It’s clear from these lists that HIPAA applies to the entities and providers typically involved in PASRR. But does that mean it prevents those entities and providers from sharing PHI? The answer is often “No – HIPAA does not prevent the sharing of PHI.” Importantly, the Guide points out:
"A health care provider is not a BA of another health care provider when it uses and discloses PHI for treatment purposes. So the attending physician and the hospital do not have a BA relationship as they share PHI to treat their mutual patients." (p. 13)
Another key quote from the Guide:
"In general, you as a CE provider may use and disclose PHI for your own treatment, payment, and health care operations activities – and other permissible or required purposes consistent with the HIPAA privacy rule – without obtaining a patient’s written permission." (p. 15)
Finally – and most importantly for our purposes – the Guide notes:
"You may disclose, without a patient’s authorization, PHI about the patient as necessary for treatment, payment, and health care purposes." (p. 15, emphasis added)
In other words: Hospitals and other providers cannot use HIPAA to impede PASRR evaluations. If they claim that HIPAA prevents them from releasing key patient records, they are wrong.
There is only one type of PHI that cannot be released for the purposes listed above: psychotherapy notes. Obviously, psychotherapy notes could be an important component of a Level II evaluation, and getting those would require the individual to give consent. By contrast, individual consent is not required to get medication records (even for psychotropics) or diagnostic information (even for serious mental illness).
The bottom line: HIPAA should not be a barrier to getting PASRR done in a timely manner.
I highly recommend reading all of Chapter 2 of ONC’s Guide; it’s well worth your time.
HIPAA is enforced by the HHS’s Office of Civil Rights (OCR), a sister agency to ONC. OCR has a set of pages devoted to HIPAA, with many excellent resources, including a decision tree for determining whether you or your organization qualifies as a covered entity.