HIPAA Permitted Disclosures

HIPAA Rights

Share this article on:

One of the biggest compliance challenges for Covered Entities and Business Associates is understanding HIPAA permitted disclosures. This is because there are a number of scenarios in which exceptions exist to the general guidance about when it is permitted to disclose Protected Health Information (PHI) without patient authorization.

According to the Privacy Rule, Covered Entities must disclose PHI in only two scenarios – 1) when a patient requests access to their PHI or an accounting of disclosures, and 2) when the Department of Health and Human Services (HHS) conducts a review or a compliance investigation, or undertakes enforcement action. In neither scenario is patient authorization necessary.

Other Disclosures Permitted by the HIPAA Privacy Rule

Thereafter, Covered Entities are permitted, but not required, to disclose PHI without patient authorization for the following purposes or situations:

To the Individual

The Privacy Rule states that, except for the required HIPAA permitted disclosures for patient access or accounting of disclosures, Covered Entities may disclose PHI to the individual who is subject to the information. This clause enables Covered Entities to comply with the doctrine of informed consent and avoid potential medical malpractice claims for withholding information.

Treatment, Payment, and Health Care Operations

The rules relating to HIPAA permitted disclosures of PHI for treatment and payment are straightforward. However, there are circumstances when permitted disclosures for health care operations could result in Covered Entities disclosing PHI to another Covered Entity´s Business Associate without a Business Associate Agreement being in place.

Opportunity to Agree or Object

This clause is one of the biggest challenges for understanding HIPAA permitted disclosures because it requires Covered Entities to obtain informal permission (consent) to include a patient´s PHI in a directory, disclose PHI to families and authorized individuals, or release PHI to identify a patient when they are incapacitated – contrary to the requirements for patient authorizations.

Incident to an Otherwise Permitted Use and Disclosure

Another grey area relating to HIPAA permitted disclosures is incidental disclosures. These occur when more than the minimum necessary PHI is disclosed during an otherwise permitted disclosure. HHS has issued guidance on incidental disclosures, but there are areas in which the guidance contradicts the Minimum Necessary Standard – which has itself been criticized for being vague.

Public Interest and Benefit Activities

In the context of HIPAA compliance, permitted disclosures for public interest and benefit activities (i.e., to public health agencies, law enforcement, etc.), are discretionary rather than mandatory. However, many states mandate disclosures for issues such as child abuse, and it is important Covered Entities are aware of which disclosures are mandatory and which are discretionary.

PHI in Limited Data Sets

Limited data sets are PHI from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. A limited data set may be disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement promising specified safeguards for PHI within the limited data set.

HIPAA Permitted Disclosures: Patient Consent vs Patient Authorization

As mentioned above, the requirement to obtain informal patient consent before disclosing PHI in certain circumstances is one of the biggest compliance challenges for Covered Entities. This is because the potential exists for undocumented disclosures, subsequent to which the Covered Entity has no control over further disclosures.

This may not only invalidate accounting of disclosure requests, but also the requirement that patient authorizations must be obtained before PHI is disclosed for reasons not permitted by the Privacy Rule. Furthermore, patient authorizations must contain specific information about what PHI is disclosed, who it is disclosed by, who to, and what for.

Fundamentally, the opportunity to agree or object informally to certain disclosures of PHI could be interpreted to undermining the requirement to seek written and documented authorization. Certainly it is a grey area of HIPAA permitted disclosures that Covered Entities need to monitor carefully to avoid complaints from patients that PHI has been disclosed without authorization.

There are Many Issues Related to HIPAA Permitted Disclosures

It is completely understandable that Covered Entities and Business Associates find complying with the HIPAA permitted disclosures challenging.

  • Despite being mandated to respond to patient access requests in a timely manner, there are multiple circumstances in which Covered Entities can deny access requests.
  • There are scenarios in which Covered Entities are allowed to disclose PHI to a Business Associate without a Business Associate Agreement in place.
  • The opportunity to agree or object to the disclosure of PHI potentially undermines the requirement to obtain a patient authorization before disclosing PHI.
  • The guidance on incidental disclosures contradicts the requirements of the Minimum Necessary Standard – which itself is open to interpretation.
  • State laws can preempt HIPAA with regards to discretionary disclosures of PHI for public health and benefit activities.

Consequently, Covered Entities and Business Associates are advised to conduct a survey of how PHI is disclosed in their organizations and implement policies that clarify how and when members of the workforce should disclose PHI. This will prevent a misinterpretation of HIPAA permitted disclosures and increase the likelihood of workforces operating compliantly within HIPAA.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On