HIPAA Wiki: Disclosures
In some instances, the law requires covered entities to disclose PHI. PHI must be disclosed to patients under the Privacy Rule's right of access provision, and under the right to an accounting of disclosures (a list of the parties to whom the covered entity has disclosed PHI in the course of providing healthcare). PHI also must be disclosed when the federal Department of Health and Human Services needs the PHI to determine whether a covered entity is complying with HIPAA.
On the opposite end of the spectrum, in some instances, a covered entity cannot disclose PHI. If the PHI is genetic information, a health plan may not use that information for underwriting purposes. A covered entity may not sell an individual’s PHI, unless the patient provides written authorization.
In between “must disclose” and “must not disclose” is the category of “is permitted, but not required, to disclose.” A covered entity may (but is not required to) disclose PHI under the following circumstances and for the following reasons:
- For public interest and benefit activities
- When required by law
- For public health activities
- When the covered entity suspects that a patient is the victim of abuse, neglect, or domestic violence
- For health oversight activities
- For law enforcement purposes, including apprehension of suspected criminals
- For functions (such as identification) concerning deceased individuals
- To organ procurement organizations that engage in cadaveric organ, eye, or tissue donation or transplantation
- For research, under certain conditions
- To prevent or lessen a serious threat to health or safety
- To enable the performance of essential government functions (such as military operations and national security activities)
- To workers’ compensation insurance carriers
In these instances, patient authorization is not required, nor is patient consent (the difference between authorization and consent is that an authorization must contain certain language and meet certain requirements to be valid; consent – mere agreement – is not sufficient to permit a use or disclosure of PHI).
HIPAA Wiki: Authorization and Consent
Authorizations are required in certain instances and not in others. A covered entity must obtain patient authorization before disclosing psychotherapy notes, before the covered entity conducts certain marketing activities, and as a precondition to the sale of PHI. Authorizations are not required for payment, treatment, or healthcare operations. In the middle ground between "authorization is required" and "authorization is not required" is the category of disclosures to which patients must be given an opportunity to consent (consent generally need not be in writing). An example of a disclosure in this third category is facility directories. A hospital is permitted to include patient PHI in facility directories, but only if the patient is informed of this fact beforehand and consents to the inclusion. If the patient objects and asks that the PHI not be included in the directory, the hospital must honor the objection.