Permitted Uses and Disclosures of PHI Clarified by OCR

The Office for Civil Rights welcomes feedback from HIPAA-covered entities about aspects of HIPAA that are unclear or need further clarification. Some of the questions asked via the OCR website indicate some covered entities are struggling to understand the Health Insurance Portability and Accountably Act Rules covering the sharing of Protected Health Information (PHI).

HIPAA permits the disclosure of PHI for healthcare operations and the provision of treatment. Health information can be used to help patients receive medical care, as well as for the evaluation of care provided to patients. It is necessary to use PHI to co-ordinate care between different healthcare providers, and PHI is needed for billing purposes. Patients must also be allowed access to their health information so they can take a more active role in their own healthcare. HIPAA allows patient health information to be shared for all of these reasons provided PHI is secured at all times. However, a number of restrictions to apply.

Even though the HIPAA Privacy and Security Rules have been in effect for many years, and the Health Insurance Portability and Accountability Act was signed into law two decades ago, some covered entities are still uncertain about when PHI can be shared, for what purposes, and about the individuals and organizations that are permitted access to health data.

The U.S. Department of Health and Human Services’ Office for Civil Rights and Office of the National Coordinator for Health IT (ONC) have been collaborating and developing a number of new fact sheets to clear up confusion about HIPAA.

This month, two fact sheets have been published which explain some of the permitted uses and disclosures under HIPAA, including when PHI can be shared by covered entities without authorization from patients being obtained.

The first fact sheet provides further information on some of the allowable uses of PHI for healthcare operations, including when covered entities are allowed to share patient health information with other healthcare organizations and business associates. The definition of “healthcare operations” under HIPAA is explained and the fact sheet provides some useful examples of when patient data can and cannot be shared.

The second fact sheet covers the permitted uses and disclosures with regards to the provision of treatment to patients, and explains when it is possible to share PHI with healthcare providers to co-ordinate patient care.

The fact sheets can be downloaded from the Office for Civil Rights on the following links

Permitted Uses and Disclosures: Exchange for Treatment

Permitted Uses and Disclosures for Health Care Operations

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.