Permitted use and disclosure of protected health information (PHI) under HIPAA
by Kapua Iao
The U.S. Department of Health and Human Services (HHS) enacted HIPAA to protect patient privacy and set security requirements for healthcare covered entities (CEs).
The federal regulation defines how, when, and why it is appropriate to safely and securely share PHI and what is shareable.
Over 20 years later, healthcare organizations still have questions about permissible PHI use and disclosure without patient authorization.
To provide further guidance, HHS, the Office of the National Coordinator for Health Information, and the Office for Civil Rights collaborated on two fact sheets that explore this issue.
Here is a basic summary of both fact sheets.
Use and disclosure for healthcare operations
Under HIPAA, PHI can be used and disclosed, without patient authorization, for essential healthcare operations, such as administrative, financial, legal, and quality improvement activities.
- quality assessments for patient safety or general health/healthcare costs
- in support of compliance
- the development of clinical guidelines and protocols
- the review and evaluation of healthcare providers
- employee training
- the detection of fraud
Such use and disclosures must reinforce or improve a CE’s core functions and help to improve patient care quality.
Use and disclosure for patient treatment
PHI can also be used and disclosed for patient treatment, broadly defined as the “provision, coordination, or management of healthcare and related services” by a CE or more than one CE.
PHI is shareable between CEs or within a CE in order to help the organization(s) provide strong patient care.
- a doctor providing PHI to a nutritionist for approved patient treatment
- a CE hiring a care planning business associate who requests access
- a hospital discharging a patient into a care facility
Such a consultation or referral, when required, may occur without direct patient authorization.
Be aware and be knowledgeable
There are also other details about HIPAA and PHI to consider.
First, the two fact sheets are not all-inclusive; other possible, necessary scenarios may occur as required by law, for a litigation or investigation, to report a communicable disease, for donation or research purposes, or to report abuse or neglect.
In such cases, health provides should use caution.
Second, CEs must be cognizant of other applicable regulations related to personally identifiable information (PII).
Third, CEs should meet four conditions whenever sharing PHI:
- The disclosing and receiving CE must have a relationship (past or present) with the patient
- The disclosed PHI must pertain to the relationship
- The discloser must still adhere to the privacy rule’s minimum necessary requirement and limit datasets (i.e. remove unnecessary PII)
- A patient must have an opportunity to agree or object.
Finally, a CE must make available to all patients a notice about its organization and PHI.
Health providers should pose further questions to HHS on its website or by communicating with a representative.
Be aware and be knowledgeable about HIPAA, general privacy regulations, and patient authorization.
RELATED: HIPAA Compliant Email
Combining familiarity with HIPAA regulations, implementing the right policies and technical solutions can only help your organization provide necessary patient privacy with solid patient care.