The Challenges of HIPAA Compliance for Long Term Post-Acute Care Medical Groups


“Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds.” – activist John Perry Barlow

Unless you’ve been stranded on a desert island for about 20 years, you’ve undoubtedly heard of the Healthcare Insurance Portability and Accountability Act, aka HIPAA. On April 14th, 2003 a mandate was enacted to comply with the Privacy Rule and defined Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”

The Privacy Rule is a set of regulations recorded in the Code of Federal Regulations (CFR), specifically 45 CFR Sections §160, §162 and §164. Trying to decipher those documents almost requires a law degree. Fortunately, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have several resources, including: white papers, blog posts, and other examples to assist those without a law degree in understanding what is required.

Long Term Post-Acute Care (LTPAC) Medical Groups have unique challenges in complying with the HIPAA Privacy Rule

  • Patients admitted to a facility from a hospital are in most cases too ill to properly consent.
  • Hospital discharge paperwork does not include a copy of the Privacy Notice signed at the hospital.
  • The facility may obtain a signed Privacy Notice but often does not share it with the medical group.
  • Determining who is the legal decision maker when the patient is too ill to consent; such as identifying who has a legal Power of Attorney for the patient.
  • Bound by a HIPAA Privacy Notice that is too narrow in focus and not generated by the medical group.
  • Interoperability may be limited by HIPAA Privacy Notices.

Patient treatment by a clinician is always covered under the HIPAA Privacy Rule.  This “continuity of care” is mandated.  A Covered Entity (CE – Clinician, Facility or Health Insurance Plan) is permitted to forward PHI to another CE or Business Associate (BA) for the purposes of treatment, payment or healthcare operations without consent of the patient (45 CFR §164.502(a)(1)(ii) and 45 CFR §164.506).  This means clinicians can treat patients, ask for guidance from specialists, present information for payment and use PHI for healthcare operations.  Further details that constitute valid healthcare operations can be found at this link:

Communications with Family Members

The HIPAA Privacy Rule gives a clinician permission to speak with family members (45 CFR §164.510(b)) if:

  • The patient was given the opportunity to object, and
  • The information disclosed is limited in to information relevant to a family member’s involvement in healthcare or payment, and
  • The disclosure is reasonable under the circumstances.

If the patient is unable to consent, a clinician may speak with family members or legal representatives (Healthcare Power of Attorney designees) to provide direct care information and collect payment information.  Once the patient can consent, a medical group MUST obtain a signed HIPAA Privacy Notice and provide a Notice of Privacy Practices. Once obtained, the LTPAC Medical Group is bound by what is identified in those documents.


The ability to share data between systems and entities is now being championed by HHS to allow for better patient care and to assist with providing better patient outcomes.  An example of interoperability is a facility system sharing patient demographics with a Certified Electronic Health Record (CEHR). Another example is an Accountable Care Organization (ACO). In both instances the sharing of PHI is covered by the HIPAA Privacy Rule. Please see the blog series by ONC from 2016 which details this topic in more depth. This blog series gives all providers, medical groups/clinicians, and BA’s the guidance needed to safely and legally share PHI.

Opting In

LTPAC Medical Groups need to be keenly aware of how their HIPAA Privacy Notices and Notices of Privacy Practice are crafted. Most have taken the approach of an “opt-in” model where patients can state exactly to whom their PHI can be shared. That model is inherently dangerous. The medical group is legally bound to stay within the confines of the “opt-in” list, even if it is narrow. The “opt out” model, which states the medical group will share information with other CE/BA groups for treatment, payment, healthcare operations and family members is the preferred method. It does not place restrictive limits on when PHI can be shared and lets a patient provide a list of those with whom not to share information, especially family members. That guidance can avoid the all too often scenario when “brother Johnny” is not allowed to know what is going on with the patient.

I would suggest reviewing your HIPAA Privacy Notice and Notice of Privacy Practices with legal counsel. Most LTPAC Medical Groups have not updated these in some time. The movement towards interoperability and the nature of patients in the LTPAC setting dictate the documents are using the “opt-out” model or you could face some legal consequences.