The Case

A two-year-old female, seen three days ago at different local emergency department (ED)—Children’s General—presents with fever, headache, and neck pain. Her parents say that when she was previously seen, blood and urine were tested, and some type of X-ray and a spinal tap were performed. They were told she might have a kidney infection and she was prescribed cephalexin (Keflex). They return to the ED because her symptoms have not resolved, and her headache seems worse. The parents only have a copy of the discharge instructions, and your hospital and Children’s General do not share electronic health records.

The Problem

You need to know what was done at Children’s General, especially imaging, CSF, and urine results. You call to speak to their on-duty emergency physician but are told by the clerk that to get protected health information (PHI), you need to fax a request to their medical-records department, specifying the information needed, and with a signed parental consent. Then the medical-records department will try to find and fax back those records—but not in enough time to help you decide on the need for CT imaging, repeat lumbar puncture, and intravenous antibiotics.

Sound familiar? That’s because misunderstanding about the Health Insurance Portability and Accountability Act (HIPAA) commonly causes emergency physicians and our departments to shoot ourselves in the foot by building unnecessary barriers to sharing relevant clinical information, which, as illustrated by this case, can be critical for management decisions and avoiding redundant testing.

The Solution

HIPAA was enacted in 1996 to establish national standards for security of PHI, i.e., any individually identifiable health information that could be transmitted in any form, including electronic, paper, or oral. While HIPAA requires safeguards to protect PHI, commonly misunderstood is that section of the HIPAA regulations that specifically permits PHI transmittal without consent for the purpose of patient treatment, including communication of PHI directly over the phone between emergency physicians.¹ In 2016, this was reinforced by the Office of the National Coordinator for Health Information Technology and the Department of Health and Human Services’ Office for Civil Rights, stating that clinicians, “may disclose PHI (whether orally, on paper, by fax, or electronically) to another provider for the treatment activities of that provider, without needing patient consent or authorization.”² However, many emergency physicians are unaware of this interpretation, instead letting concern for violating HIPAA override patient-care needs.

Assessing and Addressing Common HIPAA Misunderstanding—ED Chief Survey

To investigate this, we collected confidential responses from a convenience sample of the first 25 U.S. ED medical directors responding to a survey asking their ED’s usual practice for cases like the one above. The most frequent responses indicated that written consent was necessary and either routed to the medical-records department or handled by the ED clerk. Some participants indicated that patient consent was only required for fax transmission of PHI. However, a sizable minority already knew that information can be given without consent over the phone as long as its purpose is to support the patient’s treatment.

For transmitting PHI in this circumstance, HIPAA only requires “reasonable” standards of security. In this case, reasonable would mean that the person requesting PHI confirms that they are the patient’s clinician and that any transmitted documents will have secure receipt, e.g., to the department’s fax machine at the clerk’s desk, away from any general access. While a clinician should inform a patient or parent of their intent to get relevant PHI from another clinician for the purpose of treatment, consent is not required, including for faxed records.

Making a Change

Change starts with individual awareness. However, to the extent these practices derive from departmental or institutional policies, emergency physicians need to work with ED nursing and clerical staff and hospital administration to revise overly conservative approaches to PHI transmittal of relevant clinical information. And, when alerted of a bounce-back to another hospital, it’s in everyone’s best interest to know about and help rectify any possible previous mistakes as soon as possible. That’s even more reason to assist your colleague across town calling for help, and to work to address HIPAA misunderstandings at your own institution.

When it comes to sharing important clinical PHI, let’s talk—HIPAA allows it.

References

1. Department of Health and Human Services §164.506. GovInfo website. https://www.govinfo.gov/content/pkg/CFR-2011-title45-vol1/pdf/CFR-2011-title45-vol1-sec164-506.pdf. Published 2011. Accessed October 9, 2023.
2. Department of Health and Human Services – Office of the National Coordinator for Health Information Technology and DHHS Office for Civils Rights. Permitted uses and disclosures: exchange for treatment. HHS website. https://www.hhs.gov/sites/default/files/exchange_treatment.pdf. Published January 2016. Accessed October 9, 2023.

DR. TALAN is professor of emergency medicine and infectious diseases at UCLA. 

DR. GUNDERSON is a 4^th year medical student at UCLA David Geffen School of Medicine.