Health Information Compliance Alert

PRIVACY:

HIPAA Meets the Holy, Asks For ID

Simply Praying For Compliance Won't Absolve You Of Privacy Violations

A rabbi, a minister and a priest walk into a hospital ...

No it's not the beginning of a joke -if a patient in your hospital opts out of your facility's directory, permitting the clergy to visit that patient would be no laughing matter.

Frequently, members of the clergy visit patients who are members of their church, temple, or mosque. In the past - before HIPAA became law -patients had the ability to restrict visitation rights, but it was rare that hospital staff would remind them of that entitlement. Now, HIPAA's privacy rule demands that patients be apprised of their right to opt out, and if you improperly permit the clergy to visit a patient that's opted out of your directory, you should be prepared to have complaints levied against your organization.

In its so-called "Opportunity to object" provision ( 164.510(a)(2)), the privacy rule states that "a covered health care provider must inform an individual of the protected health information that it may include in a directory and the person to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by ... this section."

Patients admitted to a hospital must now receive their notice of privacy practices, and that notice specifically must ask them if they wish to opt out of the patient directory and must inquire if patients will permit a member of the clergy to have visitation rights. If someone is being admitted for a sensitive issue, then the patient may not wish to be called on, says Michael Callahan, chairman of the health information and HIPAA compliance practice group at Katten Muchin Zavis Rosenman in Chicago.

Callahan says patients must be told of their rights at the time of admission when they receive their notice of privacy practices. But hospital staffers aren't required to ask each patient individually if he or she wishes to opt out. He says patients often choose to opt out of specific disclosures like their name or condition, but they may opt to provide their religious denomination. For example, Callahan says patients may provide their name or general condition or location in the hospital, but still might not wish to see the priest or rabbi. In that case, the patient has made a declaration that he doesn't want to talk to the clergyperson - and if a patient's name isn't in the directory, you're obligated to prohibit the clergy member from visiting the patient.

Just as with anyone else, if a clergyman calls your hospital and asks for information about a patient, you cannot give out any information unless you first receive that patient's name from the clergyman. And technically, that clergyman is required to come to the hospital to see who's on your facility's list.

Training Heals Bruised Egos

Like all members of your workforce, volunteer clergy members should be trained with respect to the proper uses and disclosures of protected health information, informs Brain Gradle, an attorney with Epstein, Becker& Green. Gradle says the hospitals he's worked with include those volunteers in their work-force's HIPAA training efforts.

But there are potential problems with this rule, especially for clergy who had fairly free reign of their facility before HIPAA was enacted, and Gradle knows it can be difficult to turn away someone with a white collar: "Some people have reacted by saying, 'Hey, wait a minute, if [patients] are from our parish, I should have the right to visit them.'" But covered entities must be aware that rules are rules, and Gradle says that's the time when you might want to retrain or re-sensitize your volunteer staffers with respect to patient rights.

And Callahan agrees that the opt out provision of the privacy rule may take some adjustment, especially from the clergy. "There's going to be a period of adjustment and not everyone is going to like [the opt out provision], but people will address and modify policies as appropriate, and while everyone can make a mistake once, if there's a pattern of noncompliance, that's kind of forcing the OCR's hand."

Editor's Note: To view the privacy rule's "uses and disclosures requiring an opportunity for the individual to agree or to object," go to http://www.hhs.gov/ocr/combinedregtext.pdf.