As a Covered Entity (CE) you disclose protected health information (PHI) throughout the day for treatment, payment, and health care operations (TPO).  These TPO disclosures do not require you to obtain an authorization from the patient.  Examples of treatment disclosures include when you draw a patient’s blood work at your clinic or practice, but you send the specimen to a reference lab to obtain the results. Similarly, you see a patient who needs to see a specialist, so you refer the patient to another provider.  This is also viewed as a treatment disclosure.  Payment disclosures occur when you bill an insurance provider for care rendered.  This includes when payment for care is obtained by billing Medicare, Humana, TRICARE, or any other healthcare insurance provider.  Healthcare operations disclosures are those management actions you take to administer your overall healthcare program.  Examples of healthcare operations disclosures include reviewing the competence or qualifications of your health care professionals, licensing or credentialing activities, conducting or arranging for medical review or legal services, as well as customer support to name a few.  Bottom line, you are permitted to use and disclose PHI for TPO without the patient’s authorization.

You are also permitted to disclose PHI without a patient’s authorization, or opportunity to agree or object, to avert a serious threat to health or safety. As a CE, you may, consistent with your state law or other applicable laws, disclose PHI if you believe the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, and, the person you notify is reasonably able to prevent or lessen the threat.  The following two examples demonstrate how this provision in the rule can be used.

A clinic learns that a child has tested positive for tuberculosis.  Upon learning that the child attends a local day care center, the clinic contacts the center immediately to have the child removed from the other children and isolated until the child can be picked up by his parents. The threat to health of the other children is the contagious disease the child had, and the person(s) notified of this PHI have the ability to lessen the threat by isolating the child from the other children.  In another example, a post-partum mother contacts the clinic and tells the front desk clerk that she feels depressed and is having thoughts of harming her newborns.  After the mother ends the phone call, the clerk contacts the neo-natal ward where the newborns are located, notifies them of their mother’s psychological condition, and contacts the police. When the mother arrives at the hospital where her newborns are, the police and a doctor are there to meet her at the door and assist the mother through her temporary crisis.  The threat to the safety of the newborns is the mother’s ideation about harming them and the PHI is the mother’s post-partum depressed condition.

In both examples above, the threat to the children and newborns is imminent and the individuals contacted were reasonably able to prevent or lessen the threat. To make a disclosure under this part of the HIPAA rule, the threat must be imminent, not just a probability or it could happen situation. In addition, the individual(s) contacted must be able to lessen or eliminate the threat.  It is important to understand that when you make this type of disclosure, the rule recognizes you are doing so in “good faith” based on your reasonable belief at the time that an imminent threat to health and safety exists.  As explained in the HIPAA rule preamble, this approach is consistent with the “duty to warn” third persons at risk, which had been established through case law.  In Tarasoff v. Regents of the University of California (17 Cal. 3d 425 (1976)), the Supreme Court of California found that when a therapist’s patient had made credible threats against the physical safety of a specific person, the therapist had an obligation to use reasonable care to protect the intended victim of his patient, against danger, including warning the victim of the danger. In the Tarasoff case, the patient told the doctor of his desire to kill Tarasoff, but the victim was never warned and subsequently murdered. To be clear, the HIPAA rule is not intended to create a duty to warn or disclose, rather it permits the CE to make a disclosure to avert a serious and imminent threat to health and safety.

As a CE, it is important to understand how this part of the HIPAA rule works and to ensure your staff have been trained to recognize this type of situation.  The specific citation that addresses this type of disclosure can be found at 45 CFR 164.512 (j)(i)Uses and disclosures for which an authorization or opportunity to agree or object is not required: Standard: Uses and disclosures to avert a serious threat to health or safety.  This type of disclosure is also accountable and should be added to the Accounting of Disclosure list.  For further questions on this subject or how HIPAAtrek can help you with your HIPAA compliance program, please contact our Account Executive Theresa Zemcuznikov at