
What is PHI disclosure?

Proper disclosure of PHI is important for covered entities to protect patient privacy and comply with HIPAA regulations. By understanding what constitutes PHI, knowing the permitted disclosures, and following best practices, covered entities can ensure the secure handling and transmission of PHI. 


What is PHI disclosure?

PHI disclosure is sharing or transmitting protected health information to individuals or organizations outside the covered entity. Covered entities, such as healthcare providers and health plans, are responsible for protecting PHI and ensuring its disclosure complies with HIPAA regulations.


The importance of PHI disclosure

When individuals seek healthcare services, they trust that their personal information will be kept confidential. Unauthorized access to PHI can lead to privacy breaches, identity theft, and other harmful consequences. By ensuring the proper disclosure of PHI, covered entities can protect patient privacy and maintain the trust of their patients.

Additionally, covered entities handle billing, insurance claims, and payments related to healthcare services. These financial transactions involve sensitive information, such as insurance and payment records. Proper safeguards must be in place to prevent unauthorized access or tampering, which can lead to fraudulent activities and financial losses.

Read also: What are the permitted uses and disclosures of PHI? 


Permitted disclosures of PHI

There are certain situations where the disclosure of PHI is permitted without an individual's authorization. These situations include:


When required by law

Covered entities are permitted to use and disclose PHI without individual authorization if it is mandated by law. This includes situations where specific statutes, regulations, or court orders are in place.


When needed for public health activities

Covered entities can disclose PHI to authorized public health authorities who collect or receive such information for activities related to disease prevention, injury control, or disability management. 


When it involves employees and work-related health

Employers can request PHI from covered entities regarding their employees if it pertains to a work-related illness or injury or for workplace-related medical surveillance. 


While reporting abuse, neglect, or domestic violence

In certain situations, covered entities can disclose PHI to appropriate government authorities concerning abuse, neglect, or domestic violence victims.


For health oversight activities

Covered entities can disclose PHI to health oversight agencies for legally authorized activities, including audits and investigations, to oversee the healthcare system and government benefit programs.


For judicial and administrative proceedings

In judicial or administrative proceedings, covered entities may disclose PHI if there is a court order, administrative tribunal request, subpoena, or other lawful process. However, certain assurances may be required, such as notice to the individual or a protective order.


For purposes of law enforcement

Covered entities can disclose PHI to law enforcement officials for specific law enforcement purposes, such as responding to a law enforcement official's request for information about a crime victim or suspected victim.


In circumstances involving deceased individuals

Covered entities can disclose PHI to funeral directors as necessary. PHI may be disclosed to coroners or medical examiners to identify a deceased person, determine the cause of death, and perform other authorized functions per the law.


During cadaveric, organ, eye, or tissue donation

Covered entities can use or disclose PHI to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue.


For research

Under certain conditions, covered entities can use and disclose PHI for research purposes without an individual's authorization. These conditions include obtaining approval from an institutional review board or privacy board, or receiving representations from the researcher that the PHI is sought solely to prepare a research protocol or that the research concerns only the PHI of deceased individuals.


When it involves a serious threat to health or safety

Covered entities can disclose PHI if they believe it's necessary to prevent or reduce a serious and immediate threat to someone's health or safety or the public.


For essential government functions

Certain government functions do not require authorization to use or disclose PHI. These functions include ensuring the proper execution of military missions, conducting intelligence and national security activities, providing protective services to the President, making medical suitability determinations for US State Department employees, safeguarding the health and safety of inmates or employees in correctional institutions, and determining eligibility for certain government benefit programs.


For workers' compensation purposes

Covered entities can disclose PHI as authorized and compliant with workers' compensation laws and similar programs. This allows for the disclosure of PHI to fulfill the requirements of these programs, which provide benefits for work-related injuries or illnesses.


Requirements for PHI disclosure

Under the HIPAA privacy rule, covered entities must make PHI disclosures in two specific situations:


Individual requests

A covered entity must disclose PHI to individuals (or their representatives) when they specifically request access to their PHI or want an accounting of disclosures made with their information. This allows individuals to manage and understand how their health information is handled.


Department of Health and Human Services (HHS) involvement

The second situation in which PHI must be disclosed is when HHS conducts a compliance investigation, review, or enforcement action. This ensures that proper oversight and enforcement are in place to protect the privacy of health information.


Best practices for protecting PHI

  • Implement strict access controls: Limit access to PHI to authorized individuals who require it for their job responsibilities.
  • Encrypt PHI: Use encryption to protect PHI when it is transmitted or stored electronically.
  • Conduct regular risk assessments: Identify and address potential risks to the confidentiality, integrity, and availability of PHI.
  • Train employees on HIPAA compliance: Provide regular training to employees to ensure they understand their responsibilities regarding PHI.
  • Establish incident response procedures: Develop a plan to address and mitigate PHI breaches or security incidents.
  • Regularly update policies and procedures: Stay up-to-date with changes in HIPAA regulations and adjust policies and procedures accordingly.
  • Monitor and audit PHI access: Regularly review access logs and audit trails to identify any unauthorized access or suspicious activity.
  • Conduct regular HIPAA compliance audits: Assess the organization's compliance with HIPAA regulations and address any identified issues.
  • Maintain business associate agreements: Ensure that business associates who handle PHI on behalf of the covered entity sign appropriate agreements outlining their responsibilities and compliance with HIPAA regulations.
  • Use secure communication channels: Implement secure email solutions and other communication tools to ensure the confidentiality of PHI.

See also: HIPAA Compliant Email: The Definitive Guide


In the news

In Memphis, Roderick Harvey, and five former Methodist Hospital employees pled guilty to unlawfully disclosing patient information under HIPAA. Between November 2017 and December 2020, they sold patient names and phone numbers from motor vehicle accident cases to third parties. Harvey faces up to five years in prison and a $250,000 fine, while the others face a maximum of one year in prison and a $50,000 fine. Sentencing dates are set, and the case was investigated by the FBI and Tennessee Bureau of Investigation. 



What is the best way to share PHI?

The best way to share PHI is by sending secure emails that direct recipients to access the PHI over a secure connection. Routing recipients into such a protected environment offers more data protection than sending the information in the clear.


What is an example of PHI?

An address is an example of PHI as it includes specific details beyond the state, such as a street address, city, county, precinct, and typically zip code, along with their corresponding geocodes.


How do you communicate with PHI?

To securely communicate PHI to users, transmit it as a password-protected or encrypted attachment. Also, avoid including patient names, identifiers, or other specific details in the subject heading of the communication. Instead, incorporate a confidentiality banner such as "This is confidential medical communication."
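The three rules in the paragraph above (encrypt or password-protect the attachment, keep patient identifiers out of the subject line, and add a confidentiality banner) can be enforced by a pre-send check. The following function is an added example, not code from the original article or from Paubox. It inspects a draft message, reports each rule that would be violated, and returns a corrected draft. The patient roster, the identifier patterns and the message structure are constructed assumptions; a production check would pull names from the EHR and use the organization's own identifier formats.

```python
import re

# Hypothetical patient roster used to catch names in subject lines (constructed).
PATIENT_NAMES = {"Jane Doe", "John Roe"}

# Constructed identifier patterns; real formats vary by organization.
SUBJECT_PATTERNS = {
    "medical_record_number": re.compile(r"\bMRN[-\s]?\d{4,}\b", re.IGNORECASE),
    "date_of_birth": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

BANNER = "This is confidential medical communication."
GENERIC_SUBJECT = "Secure message from your care team"


def check_outbound_message(message):
    """Validate a draft message dict with keys subject, body, attachments.

    Each attachment is a dict {"filename": str, "encrypted": bool}.
    Returns (violations, corrected_message); the input is not modified.
    """
    violations = []
    subject = message["subject"]

    # Rule 1: no patient names or identifiers in the subject heading.
    for name in sorted(PATIENT_NAMES):
        if name.lower() in subject.lower():
            violations.append(f"patient name in subject: {name}")
    for label, pattern in SUBJECT_PATTERNS.items():
        if pattern.search(subject):
            violations.append(f"{label} in subject")

    # Rule 2: every attachment must be encrypted or password-protected.
    for att in message.get("attachments", []):
        if not att.get("encrypted", False):
            violations.append(f"unencrypted attachment: {att['filename']}")

    # Rule 3: the body carries a confidentiality banner.
    body = message["body"]
    if not body.startswith(BANNER):
        violations.append("missing confidentiality banner")

    # Build the corrected draft: generic subject if the original leaked
    # identifiers, banner prepended, attachments marked for encryption.
    subject_leaks = any("in subject" in v for v in violations)
    corrected = {
        "subject": GENERIC_SUBJECT if subject_leaks else subject,
        "body": body if body.startswith(BANNER) else f"{BANNER}\n\n{body}",
        "attachments": [dict(att, encrypted=True)
                        for att in message.get("attachments", [])],
    }
    return violations, corrected


if __name__ == "__main__":
    draft = {
        "subject": "Lab results for Jane Doe, MRN 123456",
        "body": "Please see the attached report.",
        "attachments": [{"filename": "labs.pdf", "encrypted": False}],
    }
    problems, fixed = check_outbound_message(draft)
    for p in problems:
        print("violation:", p)
    print("corrected subject:", fixed["subject"])
```

Marking an attachment `encrypted=True` in the corrected draft only records the requirement; the actual encryption or password protection must be applied by the mail system before the message leaves, and the check should be re-run at that point.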
