The Duty to Disclose: When Can Health Care Providers Share Patient Information?

When a Health Care Provider determines that a specific, purposeful disclosure of a patient’s protected healthcare information is necessary to protect the patient or others, the law should provide that provider with protections. However, this is not always the case, as providers have not infrequently been exposed to investigations by agencies because of complaints lodged as a result of such good-intentioned disclosures. Here are some basic points about the particular statutory provisions that may help you to understand when such disclosures may be permitted or required.WASHINGTON STATE LAWThe general prohibition relating to disclosure of health care information by a health care provider under RCW 70.02.020 and confidentiality requirements under RCW 70.02.230 are subject to certain exceptions for mandatory and permissive disclosure.Generally, mandatory disclosures include those instances where “a health care provider shall disclose health care information about a patient without the patient's authorization”“to federal, state, or local law enforcement authorities to the extent the health care provider is required by law.” [RCW 70.02.200(2)(a)]“to federal, state, or local public health authorities,” for legally required reporting, licensure compliance determinations, and investigations of providers or facilities. [RCW 70.02.050(2)(a)]“when needed to protect the public health.” [RCW 70.02.050(2)(b)]In addition to mandatory disclosures, health care information can generally be disclosed as appropriate between providers or facilities in relation to the treatment of a particular patient. A facility or provider may determine that disclosure to a third-party is necessary in certain other circumstances. “A healthcare provider or health care facility may disclose health care information about a patient without the patient’s authorization”“to the extent a recipient needs to know the information, to any person if the health care provider or health care facility reasonably believes that disclosure will avoid or minimize an imminent danger to the health or safety of the patient or any other individual, however there is no obligation under this chapter on the part of the provider or facility to so disclose.” [RCW 70.02.050(1)(c)]“to immediate family members of the patient, including a patient's state registered domestic partner, or any other individual with whom the patient is known to have a close personal relationship, if made in accordance with good medical or other professional practice, unless the patient has instructed the health care provider or health care facility in writing not to make the disclosure.” [RCW 70.02.200(1)(b)]FEDERAL LAWFederal law regarding medical privacy and security includes a set of minimum standards for the protection of individually identifiable protected health information (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). One area of particular concern for health care providers and facilities is the existence of an exception or safe harbor in relation to disclosures of PHI or other breaches of confidentiality deemed necessary to prevent harm to the patient or other persons.Federal law permits use or disclosure of PHI, if the provider or facility making the disclosure believes in good faith that it is necessary “to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.” 45 CFR § 164.512(j). In this context, a “good faith belief” is one based upon “actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority” 45 CFR § 164.512(j)(4).The U.S. Department of Health & Human Services (HHS) made the following statement in January 2013 in a message issued to health care providers:“[T]he … Privacy Rule does not prevent your ability to disclose necessary information about a patient to law enforcement, family members of the patient, or other persons, when you believe the patient presents a serious danger to himself or other people….[T]he Privacy Rule allows the provider, consistent with applicable law and standards of ethical conduct, to alert those persons whom the provider believes are reasonably able to prevent or lessen the threat.”CONCLUSIONThe federal and state laws regarding disclosure of health care information are complex, much more so than this brief discussion contemplates. However, the above provisions highlight the language in applicable laws that a provider should keep in mind when making a determination about disclosures intended to protect the patient or other persons from potential harm. Rosenberg Law Group, PLLC, stands ready to provide legal assistance should you ever find yourself the subject of such a complaint or investigation.CAC (03/31/2017)