
Does HIPAA cover the inebriated?

Yes. HIPAA protects patients’ health information, whether patients are alert, unconscious, or inebriated. Providers cannot disclose the person's condition to friends, family, or employers without the patient's consent unless one of the specific exceptions under HIPAA applies.

 

How HIPAA's Privacy Rules apply

Confidentiality: HIPAA's Privacy Rule mandates that healthcare providers safeguard patients’ protected health information (PHI). So, any information about an inebriated patient's condition, treatment, and medical history must be kept confidential.

Authorization: Generally, healthcare providers must obtain patient authorization before disclosing their PHI. However, if the inebriated patient is unconscious, their provider may operate under implied consent.

Minimum necessary standard: Healthcare providers should only disclose the minimum PHI necessary for the intended purpose. For example, if an inebriated patient is being treated, the providers should only share details relevant to their immediate care, not their entire medical history.

Patient rights: HIPAA gives inebriated patients the right to access their own health information and to request amendments to their records.

 

How HIPAA's Security Rules apply

Data encryption: HIPAA's Security Rule requires healthcare providers to implement technical safeguards to protect PHI. Providers must use HIPAA compliant emails or text messages when discussing an inebriated patient’s PHI. 

Access controls: Healthcare providers must limit access to PHI so only authorized staff can view PHI.

Audit trails: HIPAA compliant platforms, like Paubox, maintain audit trails that record who accessed patient communication and when, to track any unauthorized access and ensure accountability. Additionally, audit trails can help provider organizations identify any potential security breaches or vulnerabilities in their systems.

Training and policies: HIPAA mandates that healthcare providers train their staff on privacy and security policies and procedures. Staff members must understand their responsibilities when handling patients’ PHI, including the PHI of those who are inebriated.

 

Permissible disclosures under HIPAA

According to the HHS Summary of the HIPAA Privacy Rule, “A covered entity is permitted, but not required, to use and disclose protected health information, without a patient's authorization, for the following purposes or situations: 

  • To the individual (unless required for access or accounting of disclosures); 
  • Treatment, payment, and health care operations; 
  • Opportunity to agree or object; 
  • Incident to an otherwise permitted use and disclosure; 
  • Public interest and benefit activities; and 
  • Limited data set for the purposes of research, public health or health care operations.”

Additionally, the HHS states “Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.”

Ultimately, providers must handle inebriated patients' information with the same level of confidentiality as any other patient. They cannot disclose an individual’s condition to friends, family, or employers without the patient’s consent unless one of HIPAA's specific exceptions applies.


Practical implications 

Public safety concerns

“The most relevant and permissible disclosure for physicians dealing with intoxicated patients is the provision about public safety,” according to an analysis of the HIPAA Privacy Rule and its implications for intoxicated patients.

If a physician believes that an inebriated patient poses a risk of harm upon leaving the emergency department, they are allowed to inform law enforcement officers to prevent an imminent threat to health or safety. 

For example, if the patient intends to drive while still under the influence, the physician can contact law enforcement to prevent them from endangering themselves and others on the road.

Similarly, if the individual makes threats of violence, their physician can alert the authorities to mitigate any potential harm to the public.

 

Consent

Providers must obtain consent from inebriated individuals whenever possible before disclosing their PHI. If the individual is incapacitated, providers must use their professional judgment and follow HIPAA guidelines to determine appropriate disclosures.


Communication

HIPAA allows providers to share information with other medical professionals involved in a patient's care. 

For example, if a person is brought to the emergency room in an inebriated state, the attending physicians can use HIPAA compliant emails or text messages to discuss the patient’s condition with other specialists, improving provider collaboration and ensuring comprehensive care.

 

Payment purposes

HIPAA permits sharing information with insurance companies for billing and payment purposes. For example, if an inebriated individual is admitted to a detoxification center, the facility can share treatment details with the patient's insurance company to process the claim and receive payment for their services.

 

Healthcare operations

HIPAA allows provider organizations to access and use inebriated individuals’ PHI when conducting activities necessary for the hospital or clinic’s operations, like quality assessments, audits, and business management.

 

FAQs

How should healthcare providers handle PHI for inebriated patients?

HIPAA mandates that providers safeguard inebriated patients’ protected health information (PHI) in the same way as any other patient, regardless of their intoxication level. 

 

What is encryption?

HIPAA’s Security Rule requires all electronic communications containing PHI to be encrypted. Encryption makes PHI unreadable for unauthorized users, ensuring that data is protected during transmission and at rest.

 

What is HIPAA compliant communication?

HIPAA compliant communication involves securely exchanging protected health information (PHI) between authorized parties. Providers must use a HIPAA compliant platform, like Paubox, with encryption, authentication methods, and audit trails to safeguard PHI during these exchanges.
