With growing awareness to protect sensitive health information, questions arise when health information is shared outside traditional medical contexts, like when an airline damages a passenger’s wheelchair and initiates repairs.
Companies like Scootaround and Global Repair Group, who are often subcontracted by the airlines, frequently will be in contact with passengers who share personal health information so that personalized repairs can be made.
Since health information is sensitive and protected, these exchanges comply with Health Insurance Portability and Accountability Act (HIPAA) regulations.
What HIPAA requires in non-traditional health settings
HIPAA's Privacy Rule mandates specific protections around the use and disclosure of protected health information (PHI). While the airlines and repair contractors would not normally be considered a covered entity, there is still the possibility that PHI is involved when discussing a wheelchair’s repair.
HIPAA restricts how PHI can be disclosed, limiting PHI shared to the minimum necessary standard. Furthermore, disclosure is only permissible if “the disclosure is to the individual involved or their personal representative,” or “for the purposes of treatment, payment, or health care operations.”
HIPAA also allows for disclosure "to a family member, or other person involved in the individual's care or payment for such care, so long as such disclosure is permitted under the Privacy & Security Rule."
Moreover, airlines and repair companies handling PHI must verify that passengers or their representatives have authorized any required disclosures or are fully informed of who will handle their information and why.
Read also: When is a non-healthcare company a covered entity?
HIPAA authorizations and passenger health information
If a passenger's wheelchair requires specialized adjustments due to a medical condition, the repair companies would need current and valid authorization that outlines what information can be shared and with whom. HIPAA compliant authorization should also include an option for "the right to revoke authorization,” giving passengers control of their information.
How to use HIPAA compliant forms for passenger authorization
Obtain informed consent
Airlines and wheelchair repair companies must use a HIPAA compliant form, like Paubox, to use or disclose passengers’ PHI. These forms can help airlines confirm up-to-date, signed, and appropriately documented authorizations.
Limit disclosure to minimum necessary information
HIPAA compliant forms should specify which health details are necessary and ensure that only these limited details are shared. For instance, rather than providing a full medical history, the form focuses on specific conditions affecting wheelchair modifications.
Account for all PHI disclosures
HIPAA compliant forms can help airlines and wheelchair repair companies track and report any disclosures, especially when the information extends beyond typical healthcare operations.
These records meet compliance standards and create an audit trail of how companies maintain passenger privacy.
Provide staff training on privacy practices
Staff who handle sensitive health information need training to recognize when HIPAA compliance applies, how to manage HIPAA compliant forms, and how to adhere to HIPAA’s minimum necessary standard.
Ultimately, regular HIPAA training keeps staff educated in protecting PHI and minimizes the risk of potential data breaches.
Go deeper: How to train healthcare staff on HIPAA compliance
FAQs
What is a covered entity under HIPAA?
A covered entity, as defined by HIPAA, is any healthcare provider, health plan, or healthcare clearinghouse that transmits any health information in electronic form.
How does HIPAA protect electronic health information?
HIPAA requires covered entities to safeguard patients' protected health information (PHI) from unauthorized access or disclosure, ultimately securing electronic health data.
Can HIPAA compliant forms improve efficiency?
Yes, HIPAA compliant forms can streamline an organization’s efficiency by digitizing paperwork, reducing errors, and automating tasks like data entry.
