Here's what OBRA requires you to do.
In their quest to protect residents, ombudsmen sometimes cross the privacy line, and that puts the residents' rights ball in your court.
"The ombudsman should obtain permission from the resident or responsible party before seeking access to confidential information or invading a resident's privacy," emphasizes San Francisco attorney Kenneth Burgess.
"Under OBRA, a nursing facility must permit representatives of the state ombudsman to examine a resident's clinical records with the permission of the resident (or the resident's legal representative) and consistent with state law," explains Susan Wheaton, ombudsman program specialist with the federal Agency on Aging.
Where does HIPAA figure into the equation? The Health Insurance Portability & Accountability Act's medical privacy rules actually permit a facility to provide the ombudsman access to a resident's protected health information, but they don't require the facility to do so, notes Jennifer Downs, attorney with Arnall Golden Gregory in Atlanta. But since OBRA is stricter in that regard, it trumps HIPAA.
State laws can, however, add another layer to the privacy requirements, Downs notes. So it's a good idea to check state laws and regulations overseeing nursing home resident's privacy rights to see if these are more stringent than OBRA.
Get It in Writing
While OBRA requires the ombudsman to obtain authorization before accessing residents' medical information, the permission does not have to be in writing, Downs notes. "Even so, a facility would be wise to adopt a policy and procedure that calls for residents to give written authorization (in a HIPAA-compliant form) upon admission," she advises. The authorization could allow for disclosures to the ombudsman until the resident revokes his authorization in writing.
"If any resident refuses to give the authorization, or later revokes it, then the facility must exercise all reasonable safeguards to prevent disclosures of that resident's information to the ombudsman," Downs stresses. "For example, the facility staff might accompany the ombudsman through the facility at all times, or limit the ombudsman's access to the resident to a designated meeting room."
The ombudsman does have recourse if the resident's legal representative denies access to the resident's medical information and the ombudsman smells a rat. "If the ombudsman feels that the representative is not acting in the best interest of the resident, then the ombudsman can seek permission to access the records from the state ombudsman who obtains it from the facility,"
Wheaton notes.
Address Privacy Breaches
Of course, prevention of privacy breaches is always the best approach. So if you see the ombudsman trying to access the resident's health information without authorization, let him know in a non-confrontational way that he needs to obtain appropriate permission under OBRA and/or state laws, Burgess suggests. "Couch it in terms of residents' rights and cite the regulations or any directives from the AOA," he adds. "Find out what the ombudsman is concerned about and address that concern or help him secure the appropriate authorization to find the answer."
What if the ombudsman forges ahead and looks at the resident's health information without appropriate permission? Then the facility must treat that discovery as it would any other improper release of records. Downs advises facilities to:
If the ombudsman's actions appear to be intentional or deliberate, you could notify the state ombudsman's central office and consider notifying the state department of health or social services.
Tip: For questions and answers to HIPAA questions, check out