Can Doctors Share Patient Information with Other Doctors?
Doctors can share patient information with other doctors provided the disclosure complies with the HIPAA Privacy Rule – and a Business Associate Agreement is entered into when required – and provided the patient information is not restricted by the patient or subject to HIPAA’s authorization requirements.
When asked the question can doctors share patient information with other doctors, many sources refer to §164.506 of the HIPAA Privacy Rule – “Uses or disclosures to carry out treatment, payment, or health care operations”. The section states doctors can share patient information with other doctors for treatment purposes, even if the two doctors are – or work for – different covered entities.
If patient information is shared for any other purpose (i.e., health care operations), the two doctors either have to be working for the same covered entity or there must a relationship between the two covered entities relating to the individual who is the subject of the information being shared. In such circumstances, the sharing of patient information may be subject to the minimum necessary standard.
However, as much as this looks like an answer to the question can doctors share patient information with other doctors, exceptions exist elsewhere in the HIPAA Privacy Rule. For example, what happens if one of the doctors is not – or does not work for – a covered entity, if the patient has requested that their information is not shared, or the nature of the information being shared requires an authorization?
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
When is a Doctor Not a Covered Entity?
It is important to be aware not all healthcare providers qualify as covered entities under HIPAA. This may be because they do not conduct transactions for which HHS has published standards (i.e. when a therapist bills clients directly), or because they do not conduct transactions electronically. Some paper-to-paper fax transactions and phone calls are not considered electronic transactions by HHS.
So, can doctors share patient information with other doctors if one of the doctors is not a covered entity? They can, but in order for a “covered” doctor to share information with a “non-covered” doctor, the “non-covered” doctor has to put safeguards in place to protect the privacy of the information being shared and enter into a Business Associate Agreement with the “covered” doctor.
If patient information is being shared by a “non-covered” doctor with a “covered” doctor, a Business Associate Agreement is not necessary, but state confidentiality laws may dictate other provisions that need to be considered. Similarly, if neither doctor is a HIPAA covered entity, HIPAA does not apply and communications between the two doctors are subject to state confidentiality laws.
What if Patient Information is Restricted?
Under §164.522 of the HIPAA Privacy Rule, patients have the right to request restrictions on uses and disclosures of their Protected Health Information. If a covered entity agrees to a restriction, doctors cannot share restricted health information with other doctors – even when both doctors work for the same covered entity – except for emergency treatment.
There are ways around this condition if – for example – the patient agrees to terminate the restriction either permanently or for a specific communication or transaction to take place. In such circumstances, unless the patient has requested the termination in writing, any agreement to lift the restrictions must be documented by the doctor sharing the patient’s information.
When is a Patient Authorization Required?
Another issue that can affect when doctors can share patient information with other doctors is when the disclosure of patient information is not permitted by the HIPAA Privacy Rule without an authorization form signed by the patient the information relates to. There is only one relevant example in the text of the HIPAA Privacy Rule, and this relates to disclosures of psychotherapy notes.
However, the HIPAA Privacy Rule states that covered entities may not use or disclose Protected Health Information for any reason not required or permitted by the HIPAA Privacy Rule. For this reason, it is important doctors check they are permitted to share patient information with other doctors before doing so; and, if sharing the information is not permitted by the HIPAA Privacy Rule, obtain patient authorization.
Share Patient Information with Other Doctors in Compliance with HIPAA
Generally, doctors can share patient information with other doctors for treatment purposes. However, as can be seen above, there are several occasions when conditions may apply. It is important that all applicable members of the workforce receive training on the times when conditions apply – and comply with the conditions as necessary – in order to avoid violations of HIPAA.
Because complying with the conditions to share patient information can involve administrative processes that a doctor might not ordinarily be involved with (i.e., entering into a Business Associate Agreement), any doctors unsure of their compliance obligations should seek advice from their organization’s HIPAA Privacy Officer or from an external compliance professional.
