Originally appeared in the CAS Weekly Newsletter.
Written by Attorney William J. Roberts.
Dear Legal Mailbag:
Does HIPAA permit a physician or covered entity to release physical exam results to the school nurse, without prior authorization, for the purposes of permitting a student to participate in school athletics? It has become extremely frustrating when providers do not understand what they are permitted to disclose.
While I am not a lawyer (but watch their ads on TV), I have reviewed the law, and my conclusion is that providers may disclose a student’s physical exam to a school nurse as the exam’s results can be seen as either part of the student’s treatment (consultation between health care providers) or part of the school nurse’s health care operations [§ 164.506(c)(4)] to assure that it is safe for the student to participate in a sport.
Of course, the provider is not mandated to disclose but I would like to inform them of the law if all-knowing Legal Mailbag can confirm that I have not interpreted it in error due to my bias.
If you have time to look into this fascinating question, I would appreciate it.
Oh, HIPAA – my favorite topic. I love it so much that I insisted that Tom Mooney let me guest write this response for Legal Mailbag.
Any time we address a HIPAA question, we must address legal and practical aspects of the disclosure of health information, and here we start with the legal. In your question, you provided several citations to parts of HIPAA you found relevant (not copied above). Specifically, you raised the possibility of a physician releasing physical exam results to the school nurse, without prior authorization, for the purposes of permitting a student to participate in school athletics as being permitted by HIPAA as either for “health care operations” or “treatment.” First, while a good idea, a physician cannot rely upon HIPAA’s “health care operations” exception because a physician may disclose patient health information for “health care operations” to ONLY another covered entity – and public schools are not HIPAA covered entities. So, no luck there.
We may have better luck with HIPAA’s “treatment exception.” This exception permits a physician to disclose patient health information to another health care provider (not merely another covered entity – meaning school nurses qualify!!) if the purpose of the disclosure is related to the treatment of that patient. This means that, if a school nurse can convince a physician that the purpose of the disclosure is to permit the school nurse to treat or evaluate the student/patient, then HIPAA permits the disclosure. However, if the physician views the purpose of the disclosure as merely to let the student on the swim team (and not to assist with the nurse’s treatment or evaluation of the student), then HIPAA does not permit the disclosure.
This “in the eye of the beholder” issue leads us to the practical challenge of trying to get a physician to release physical exam results without an authorization. HIPAA imposes BIG penalties and LOTS of costs on a physician who discloses patient information inappropriately. Thus, if a physician releases physical exam results and a parent complains, the physician is in hot water. The school in such a situation is not, because the agencies that enforce HIPAA have no jurisdiction over schools, and HIPAA only penalizes the discloser, not the receiver. Thus, this results in physicians being very cautious and conservative about such disclosures – as lawyers, we tell them to be this way all of the time (seriously, I do it every day).
To make matters more complicated, even if a physician agrees that the disclosure is for “treatment” and is thus permitted by HIPAA, other legal issues may nevertheless prevent the disclosure. These include state laws limiting the disclosure of HIV, behavioral health or substance abuse information and the specific terms of the physician’s own “Notice of Privacy Practices” (a policy which the physician must comply with that, at times, may be stricter than HIPAA).
My advice is that you should recognize the bind physicians are in with HIPAA (and other privacy laws) and not waste your time trying to get them to take such a risk. While annoying to get authorizations, most physicians will (for good reason) require them.