Exceptions to the Health Insurance Portability and Accountability Act (“HIPAA”)

The dental attorneys at Nardone Limited in Columbus, Ohio want to ensure our clients follow the proper procedures when dealing with their patients’ protected health information (“PHI”). Specifically, we want to protect our clients from the implications of a possible inappropriate disclosure of a patient’s PHI, which could constitute a violation of the Health Insurance Portability and Accountability Act (“HIPAA”). All dental practices will deal with transmitting and receiving the PHI of patients. To appropriately handle this highly confidential patient information, the dental practice must be well informed on the strict requirements of HIPAA and HIPAA’s exceptions.

Every dental practice knows that patients’ PHI is confidential, and that the dental practice must obtain the appropriate medical release form from the patient, or a person with authority over the patient, before transmitting any patient record or document. Overall, complying with the stringent requirements of HIPAA seems straightforward. But there are exceptions to this law. Each state also has its own laws governing the transmission of PHI, and according to 45 CFR 164.512, a state law regarding PHI that is more stringent than the federal law will always override the federal law. Thus, the dental practice or covered entity should always check the state-specific laws to verify how to comply with all medical privacy and confidentiality requirements, including HIPAA.

Although there are strict parameters regarding the transmission of PHI, there are situations where exceptions to HIPAA are allowed. These exceptions apply when there is: (1) the unintentional access of PHI, (2) the inadvertent disclosure of PHI, and (3) the death of a patient. Every unauthorized disclosure is different, and the specific details of the disclosure will determine if an exception to HIPAA applies.

The unintentional access of PHI exception

One main exception to HIPAA is where there is any unintentional acquisition, access, or use of PHI by an employee or a person acting under the authority of a covered entity or a business associate. For this exception to apply, the acquisition, access, or use must have been made in good faith and within the scope of authority of the employee, or person acting under the authority of a covered entity or business associate. This exception also requires that the PHI accessed not be further used or disclosed in a manner not permitted by HIPAA. § 164.402. An example of when this exception occurs is when a workforce member or employee accesses the wrong patient chart while conducting duties that the workforce member is authorized to do. This exception does not apply if the employee was “snooping” or if the employee purposefully looked at the wrong patient chart. Such access would not be considered “unintentional” and “in good faith,” so the exception would not apply.

The inadvertent disclosure of PHI exception

Another exception to the transfer of PHI is when there is an inadvertent disclosure by a person who is authorized to access PHI at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate. For this exception to apply, the information received as a result of such disclosure must not be further used or disclosed in a manner not permitted under HIPAA. Also, the disclosure of PHI must be inadvertent. An example of this exception is when a nurse inadvertently emails the wrong patient’s lab results to a doctor. The doctor, upon realizing it is the wrong patient’s lab results, should notify the nurse who inadvertently sent the lab results and promptly delete the email.

The death exception

Another exception to the transfer of PHI happens upon the death of a patient. This is typically not something a dental practice has to deal with; however, it is a situation that can occur. The dental practice or the covered entity is allowed to disclose the deceased patient’s PHI to law enforcement officials, if the PHI is necessary to determine the cause of death.

Further, the dental practice or covered entity is allowed to disclose the deceased patient’s PHI to the coroner or medical examiner to help identify the deceased patient’s cause of death. The dental practice or covered entity is also allowed to release the deceased patient’s PHI to a coroner or medical examiner for the purposes of identifying the decedent, investigating the cause of death, or performing any other duties that a coroner or medical examiner may have as authorized by law. 45 CFR 164.512(g).

Contact Us

If you have any concerns about the HIPAA requirements or exceptions for your dental practice or medical facility, you should consult with a legal advisor or member of your state dental board to ensure that you are taking the necessary precautions to protect your business. The attorneys at Nardone Limited are well-versed in the area of HIPAA and can advise your dental practice or medical facility on the requirements necessary for compliance under HIPAA and with individual state laws. If you would like more information regarding your dental practice’s duties under HIPAA, contact Nardone Limited.