Q: "I have always trained our staff that if a school calls and asks for confirmation about a patient appointment that we cannot answer it due to HIPAA. Giving a school release note directly to the patient isn’t an issue because they can give it to the school and we are still in compliance. However, when the school calls directly and asks for confirmation that the student is a patient of ours and had an appointment on a specific date - that is not information we can confirm, correct? This happened recently, a school called asking for confirmation and when we refused to disclose the information, the school administrator was very adamant that she was entitled to the information, and said they were not subject to HIPAA. I’m almost sure we handled this situation correctly. But just in case - can you please provide some clarification?"
A: Thank you for your question! And thank you for being proactive with your staff privacy training. Let’s see how the HIPAA law would specifically relate to the question about disclosing appointment details to a patient’s school.
First – Is the information requested considered protected health information? The answer is yes. The patient’s name along with any details regarding an appointment or treatment are indeed considered PHI, so the HIPAA laws are applicable. The Privacy Rule of the HIPAA Law essentially states that you CAN disclose PHI for treatment purposes, billing purposes, and healthcare operations – any other disclosures are not permitted unless that patient gives you authorization or permission. For compliance purposes, this permission should always be documented.
So – is the purpose of this disclosure for patient treatment? No. Billing? No. Healthcare operations – which we can define as a necessary business operation that supports either treatment or billing? No. Since those three exceptions do not apply, we need patient authorization to disclose the information to the school. You may think that giving the patient a doctor’s note IS patient authorization, but it’s not. Authorizations to share PHI must be in writing and expressly permit the provider to disclose certain information.
Buried in the public health activities section in §164.512(b)(1)(vi), we can find an exception that seemingly says providers can disclose PHI about a student to a school. BUT, the next few lines limit this exception to only apply to immunization status and it still requires the student or parent to agree to the disclosure. So, the one exception targeted at schools still doesn’t apply to this situation.
Remember that the HIPAA law ONLY applies to covered entities. A dental office IS a covered entity. A school is not. Schools are not held accountable to the HIPAA law when it comes to the privacy and security of their students. They have their own set of federal standards and regulations – but not HIPAA. You are required to comply with HIPAA with every disclosure of PHI.
To summarize, you are not allowed to disclose a patient’s name to a school or confirm whether someone is a patient or had an appointment. This is all protected health information and cannot be disclosed to a school without written permission from the patient. You are allowed to provide a doctor’s note to the patient that the patient can then give to the school.
If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted – but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.