Sharing PHI With Your Board

A member posed this question: “We are in a small town, and Board members get approached by family members. Sometimes they believe they need to get involved. Sometimes our board members believe they need to speak to their problems, but they don’t know anything about the resident. When the administrator reports on residents, how much information can be legally given to the board members in a regular meeting or executive session?”

Here’s what Cory Kallheim, VP of Legal Affairs at LeadingAge, had to say:

“While you may share some PHI with your board to fulfill their responsibilities, HHS recommends that it be de-identified as much as possible. The board should be operating at a strategic/generative level, so the less it can be dragged into operational issues, the better. Easier said than done though....”

Excerpt from HHS’s Summary of HIPAA

(2) Treatment, Payment, Health Care Operations. A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities. A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual and the protected health information pertains to the relationship. See additional guidance on Treatment, Payment, & Health Care Operations.

Health care operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.

Source: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html

Also, here is a paragraph from a law firm memo titled "HIPAA Top Ten for Board Members" that reinforces that approach:

PHI should only be accessed and used on a “need to know” basis by authorized users and only for authorized purposes. For example, a physician is authorized to access a patient’s PHI for treatment, peer review or other authorized business purposes. Absent any “need to know” for an authorized purpose, a healthcare professional’s access to the medical record of a neighbor, friend or family member out of curiosity would most certainly represent a HIPAA violation. In the event board members are required to review dashboard reports that concern quality, safety, peer review or other confidential matters involving patient care, it is best to only include “de-identified” patient data to avoid any risk of an unauthorized use (or disclosure) in violation of HIPAA.