Generally, HIPAA-covered providers cannot share identifiable protected health information with the MDT as a whole. Statutory case review MDT members may disclose confidential information to each other as allowed by G.S. 108A-118.6(a), but not when such a disclosure is prohibited by federal law. HIPAA’s restrictions will generally prohibit MDT members that are HIPAA “covered entities” from disclosing protected health information, but there are some exceptions that may allow disclosure to particular MDT members in certain circumstances. For example:

  • HIPAA has an exception that allows a covered provider to disclose confidential information when required by state law (45 CFR 164.512(a))—and a disclosure to DSS to report suspected abuse, neglect, or exploitation of a disabled adult is required by state law (G.S. 108A-102). If the report involves suspected abuse or neglect, the provider should also comply with the requirements of 45 CFR 164.512(c) when making this disclosure to DSS.
  • HIPAA allows a covered provider to share confidential information with law enforcement regarding an individual who is (or is suspected to be) a victim of a crime, if certain criteria are met (45 CFR 164.512(f)(3)). In certain circumstances, a provider could also share certain information with law enforcement if it is necessary for law enforcement authorities to identify or apprehend a suspect, fugitive, material witness, or missing person. 45 CFR 164.512(f)(2).
  • A HIPAA covered provider may also disclose confidential information if the provider, in good faith, believes the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and the disclosure is made to a person or persons reasonably able to prevent or lessen the threat. 45 CFR 164.512(j).
  • A HIPAA covered provider could disclose confidential information if they have an authorization to release information that is signed by the patient and meets HIPAA’s requirements for such authorization (though in some cases, this simply won’t be possible to obtain due to the patient’s lack of capacity). See 45 CFR 164.508.

If none of HIPAA’s exceptions apply and an authorization to disclose information cannot be obtained, EMS and healthcare providers cannot disclose protected health information to the MDT. But that doesn’t mean they don’t have a valuable role to play on the MDT. Most other members of the MDT will be authorized to share case-specific information in statutory case review MDT meetings, and based on that information, EMS and healthcare providers could still contribute to the MDT by offering their professional insights based on information shared by other MDT members, advising on service provision and coordination for the vulnerable adult, and sharing system-wide trends and issues without revealing case-specific details.

This resource, Quick Reference: Information Sharing in Elder Abuse Cases, provides more details and examples of HIPAA exceptions. This resource, “Creating Release of Information Forms for Use by Multidisciplinary Teams,” speaks to the requirements for creating a HIPAA-compliant authorization to release information form and discusses foundational principles to consider when obtaining consent to disclose confidential information from a vulnerable adult.