Do nonprofits holding medical information fall under HIPAA coverage? Maybe yes, maybe no, but nonprofits must be careful, especially those nonprofits that provide medical services to patients, otherwise hold medical records, or from which disclosure of medical information may be sought. Such disclosure issues may arise through court orders, subpoenas, former employees’ requests, insurance claims, or other contexts. For each situation, it is critical to understand whether HIPAA applies, what judicial or other government requirements may apply, and how to follow best practices. This article first addresses HIPAA applicability to nonprofits, then focuses on related medical record access issues particularly for nonprofits that are “covered entities,” providing accompanying recommendations for both areas of legal compliance.
HIPAA Applicability
“Covered Entities”
Contrary to popular belief, the Health Insurance Portability and Accountability Act (“HIPAA”) does not apply to all medical records. HIPAA applies only to “covered entities” that hold medical records in their possession. Covered entities are health care providers (both for-profit and nonprofit) that transmit covered transactions electronically, health care clearinghouses, and health plans. Business associates of covered entities, while not covered entities themselves, are directly subject to many of the same requirements.
If a nonprofit medical practice accepts insurance, it is a covered entity to the extent it transmits claims electronically to the insurance company. Notably, an electronic transaction is not limited to insurance claims. It may include any exchange of information between two parties to carry out financial or administrative activities related to health care. (For more information, see the U.S. Centers for Medicare and Medicaid Services’ related resource.) A large number of health care providers submit claims electronically to insurance companies, but some nonprofit health care providers do not. Nonprofit health care providers that do not transmit any covered transaction electronically would not be subject to HIPAA’s stringent requirements, including the Privacy Rule (as described below).
Most nonprofits holding medical information are not health care providers. But they may still hold medical information, such as information obtained through activity waivers, participation forms, or similar means. Additional contexts for HIPAA’s limited applicability, and for other privacy protections, are addressed in our law firm’s related blog article. All nonprofits that hold such information nevertheless generally owe a high degree of trust in managing medical records and other personal information.
Claims and Disclaimers
HIPAA’s requirements can be very onerous, and nonprofits not otherwise covered should not take on these requirements voluntarily. Nonprofits that are not covered by HIPAA should therefore not claim to be HIPAA-compliant. Such a claim could potentially be used against the nonprofit should a question arise regarding the nonprofit’s management or use of a person’s medical information. Rather, they should implement best practices regarding confidentiality and records retention.
Depending on the circumstances, it could be appropriate for a nonprofit to operate as if HIPAA applies, with due precautions for health-sensitive information, without expressly conceding such applicability. A more generally appropriate representation could be something along the following lines: “ABC Nonprofit maintains appropriate confidentiality for sensitive medical information of its _______ [employees, program participants, etc.]”. And then do so.
Protected Health Information per HIPAA
HIPAA’s Privacy Rule covers protected health information (“PHI”). PHI is individually identifiable health information, that is, health information that:
• relates to the individual’s past, present, or future physical or mental health condition;
• relates to the provision of health care to the individual; or
• relates to the past, present, or future payment for the provision of health care to the individual;
and that identifies the individual, or could reasonably be used to identify the individual, including through common identifiers such as name, address, date of birth, social security number, etc.
Significantly, PHI does not include information that neither identifies the individual nor provides a reasonable basis for identifying the individual. A nonprofit thus could provide materials that are appropriately redacted or otherwise do not disclose PHI. (To the extent HIPAA applicability is in question, it may nonetheless be advisable not to disclose such PHI.)
PHI Accessibility for HIPAA-Covered Nonprofits
Authorized Uses
Nonprofits that are subject to HIPAA requirements must ensure that they use their patients’ PHI only for authorized uses. Authorized uses include disclosure to the patient, the provision or coordination of health care for the patient, efforts to obtain payment or reimbursement for services, and the provider’s general health care operations. These uses do not require additional authorization from the patient.
Other uses require patient consent, such as the disclosure of PHI to family, friends, or other authorized individuals. Additionally, the law allows for, and sometimes requires, the disclosure of PHI in certain specific situations, two of which are addressed in more detail below.
Notice Requirements
HIPAA requires covered health care providers to give patients a notice of their privacy practices. That notice must:
• Describe the ways the covered entity may use or disclose the patient’s PHI;
• State the entity’s duty to protect the patient’s privacy;
• Provide notice of the entity’s privacy practices;
• Outline the patient’s individual rights, including the right to complain to the U.S. Department of Health and Human Services and to the covered entity if they believe their privacy rights have been violated; and
• Identify a point of contact for further information and for making complaints to the covered entity.
Additionally, covered entities with a direct treatment relationship must provide the patient with a copy of the notice no later than the first service encounter and must post the notice in a clear and prominent place at each service delivery site. They must also make a good faith effort to obtain written acknowledgement that the patient received the notice.
Protection of PHI
Covered entities must implement reasonable and appropriate administrative, technical, and physical safeguards to prevent the disclosure of PHI, whether intentional or unintentional. These safeguards may include document shredding, secure storage in lockable cabinets for physical records, password-protected and encrypted devices with access limited to authorized users for electronic records, and other similar limitations on access to PHI.
Nonprofit covered entities engaging in telehealth services must ensure the processes and technology used to provide these services confirm the identity of the patient, protect the privacy of the interaction, and otherwise prevent any improper disclosure of PHI.
Disclosure of PHI to Third Parties
Generally, nonprofits that are covered entities should seek patient authorization before disclosing PHI to third parties. Yet the HIPAA Privacy Rule recognizes several public interest purposes for which patient authorization is not required. These purposes include disclosure to public health authorities, when required by law or court order, for law enforcement purposes, in response to a subpoena in a judicial or administrative proceeding, and other similar situations. Nonprofit covered entities should be aware of the various procedures required before disclosing PHI for these public interest purposes, as illustrated by the following two examples.
Disclosure in Response to a Court Order or Subpoena
Covered entities, including nonprofits offering health clinic or other similar health care services, may receive a court order or subpoena demanding copies of medical records. In the case of a court order, patient authorization is not required. However, the nonprofit should provide only the documents specifically described in the court order.
Like court orders, subpoenas require compliance. However, they are often issued by an attorney or court clerk rather than ordered by a judge. Accordingly, nonprofit covered entities are legally required to take additional steps to ensure the patient’s privacy is protected. They must obtain satisfactory assurance (1) that the party seeking the PHI made a good faith effort to provide written notice to the patient, (2) that the notice included sufficient information about the litigation to enable the patient to raise an objection, and (3) that the time for the patient to raise an objection has passed with either no objection being made or all objections being denied. (The Privacy Rule alternatively permits disclosure where the requesting party has made reasonable efforts to secure a qualified protective order covering the PHI.)
It is the nonprofit’s responsibility to obtain sufficient assurance that the patient received proper notice. A nonprofit thus may need to contact the patient and obtain a signed consent or release, which provides the best legal protection should a question about the disclosure arise later.
Disclosure of Deceased Patient’s Protected Health Information
HIPAA’s Privacy Rule continues to protect a patient’s PHI for 50 years following the patient’s death. However, it does allow covered entities to release the PHI of a deceased patient to the executor, administrator, or other person who is authorized to act on behalf of the deceased or the deceased’s estate.
For example, Illinois law authorizes the release of medical records to certain family members if there is no executor or administrator, and if the patient did not object in writing to the disclosure of their records prior to their death. Under that provision, the deceased’s surviving spouse, or in the absence of a surviving spouse, the deceased’s son, daughter, parent, or sibling can obtain the medical records by providing a certified copy of the death certificate and a signed “Authorized Relative Certification” that is substantially similar to the language provided by statute in 735 ILCS 5/8-2001.5.
Concluding Recommendations
Nonprofits that hold medical records should do so with due care. For optimal legal compliance, they should first determine whether they are a “covered entity” and thus subject to HIPAA’s stringent requirements. If so, they should take steps to ensure compliance with those requirements. If a nonprofit is not a covered entity, it should still operate very carefully, taking appropriate safeguards to minimize any privacy or other security concerns. Particularly with respect to requests for disclosure of or other access to medical information, nonprofits may need to exercise special caution, identify what procedural steps apply, and then follow through responsibly.