HIPAA Permitted Disclosures
One of the biggest compliance challenges for Covered Entities and Business Associates is understanding HIPAA permitted disclosures. This is because there are a number of scenarios in which exceptions exist to the general guidance about when it is permitted to disclose Protected Health Information (PHI) without patient authorization.
According to the Privacy Rule, Covered Entities must disclose PHI in only two scenarios – 1) when a patient requests access to their PHI or an accounting of disclosures, and 2) when the Department of Health and Human Services (HHS) conducts a review or a compliance investigation, or undertakes enforcement action. In neither scenario is patient authorization necessary.
Other Disclosures Permitted by the HIPAA Privacy Rule
Thereafter, Covered Entities are permitted, but not required, to disclose PHI without patient authorization for the following purposes or situations:
To the Individual
The Privacy Rule states that, except for the required HIPAA permitted disclosures for patient access or accounting of disclosures, Covered Entities may disclose PHI to the individual who is subject to the information. This clause enables Covered Entities to comply with the doctrine of informed consent and avoid potential medical malpractice claims for withholding information.
3 Steps To HIPAA Compliance
Please see HIPAA Journal
- Step 1 : Download Checklist.
- Step 2 : Review Your Business.
- Step 3 : Get Compliant!
The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.
Treatment, Payment, and Health Care Operations
The rules relating to HIPAA permitted disclosures of PHI for treatment and payment are straightforward. However, there are circumstances when permitted disclosures for health care operations could result in Covered Entities disclosing PHI to another Covered Entity´s Business Associate without a Business Associate Agreement being in place.
Opportunity to Agree or Object
This clause is one of the biggest challenges for understanding HIPAA permitted disclosures because it requires Covered Entities to obtain informal permission (consent) to include a patient´s PHI in a directory, disclose PHI to families and authorized individuals, or release PHI to identify a patient when they are incapacitated – contrary to the requirements for patient authorizations.
Incident to an Otherwise Permitted Use and Disclosure
Another grey area relating to HIPAA permitted disclosures is incidental disclosures. These occur when more than the minimum necessary PHI is disclosed during an otherwise permitted disclosure. HHS has issued guidance on incidental disclosures, but there are areas in which the guidance contradicts the Minimum Necessary Standard – which has itself been criticized for being vague.
Public Interest and Benefit Activities
In the context of HIPAA compliance, permitted disclosures for public interest and benefit activities (i.e., to public health agencies, law enforcement, etc.), are discretionary rather than mandatory. However, many states mandate disclosures for issues such as child abuse, and it is important Covered Entities are aware of which disclosures are mandatory and which are discretionary.
PHI in Limited Data Sets
Limited data sets are PHI from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. A limited data set may be disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement promising specified safeguards for PHI within the limited data set.
HIPAA Permitted Disclosures: Patient Consent vs Patient Authorization
As mentioned above, the requirement to obtain informal patient consent before disclosing PHI in certain circumstances is one of the biggest compliance challenges for Covered Entities. This is because the potential exists for undocumented disclosures, subsequent to which the Covered Entity has no control over further disclosures.
This may not only invalidate accounting of disclosure requests, but also the requirement that patient authorizations must be obtained before PHI is disclosed for reasons not permitted by the Privacy Rule. Furthermore, patient authorizations must contain specific information about what PHI is disclosed, who it is disclosed by, who to, and what for.
Fundamentally, the opportunity to agree or object informally to certain disclosures of PHI could be interpreted to undermining the requirement to seek written and documented authorization. Certainly it is a grey area of HIPAA permitted disclosures that Covered Entities need to monitor carefully to avoid complaints from patients that PHI has been disclosed without authorization.
There are Many Issues Related to HIPAA Permitted Disclosures
It is completely understandable that Covered Entities and Business Associates find complying with the HIPAA permitted disclosures challenging.
- Despite being mandated to respond to patient access requests in a timely manner, there are multiple circumstances in which Covered Entities can deny access requests.
- There are scenarios in which Covered Entities are allowed to disclose PHI to a Business Associate without a Business Associate Agreement in place.
- The opportunity to agree or object to the disclosure of PHI potentially undermines the requirement to obtain a patient authorization before disclosing PHI.
- The guidance on incidental disclosures contradicts the requirements of the Minimum Necessary Standard – which itself is open to interpretation.
- State laws can preempt HIPAA with regards to discretionary disclosures of PHI for public health and benefit activities.
Consequently, Covered Entities and Business Associates are advised to conduct a survey of how PHI is disclosed in their organizations and implement policies that clarify how and when members of the workforce should disclose PHI. This will prevent a misinterpretation of HIPAA permitted disclosures and increase the likelihood of workforces operating compliantly within HIPAA.