Disclosing PHI

Understanding PHI disclosures is challenging. Throughout your normal day, you are disclosing PHI internally and externally. Knowing when you can share PHI without an authorization from a patient is important in order to avoid a HIPAA breach.

Patient information can be shared internally and with your vendors with a Business Associate Agreement for treatment, payment, and health care operations (TPO). TPO disclosures do not require an authorization from the patient.

Treatment Disclosures

Many healthcare organizations overcomplicate treatment disclosures, because it is human nature to err on the side of caution. HIPAA recognized that requiring authorization for some disclosures would create gridlock that could lead to patient harm. Therefore, HIPAA allows for treatment disclosures without an authorization.

Treatment disclosures that do not require an authorization include:

  • Continuity of care – sending lab results, patient visit notes, imaging results, patient history, etc
  • Sharing PHI with the X-ray department
  • Discussing dosage with external pharmacy
  • Conferring over a treatment plan with a specialist
  • Ordering a test with the lab
  • All discussions among staff to provide care
  • Referrals and consultations with third parties

HHS has a nice list of treatment disclosure questions and answers you can refer to for more examples.

Payment Disclosures

Understanding how you can disclose PHI to receive payment for services is important. Without the ability to disclose certain information, you will be unable to receive payment from insurance companies or send patients to collections for unpaid bills.

Payment disclosures that do not require an authorization include:

  • Determinations of eligibility or coverage
  • Billing
  • Claims management
  • Collection activities
  • Review of health care services with respect to medical necessity
  • Utilization review activities

If you still have questions on payment disclosures, click here for the HHS questions and answers list.

Operations Disclosures

This is arguably one of the most difficult to understand of the three permissible disclosures in TPO, and so when you are considering operations disclosures, remember to keep minimum necessary access requirements in mind.

Operations disclosures can include:

  • Conducting quality assessment and improvement activities
  • Patient safety activities
  • Protocol development
  • Case management
  • Reviewing the competence or qualifications of healthcare professionals
  • Training programs
  • Accreditation, certification, licensing, or credentialing activities
  • Fraud and abuse detection and compliance programs
  • Conducting or arranging for medical review
  • Business planning and development

Still on the fence on a specific example? Check out the HHS questions and answers.

Preventing a Health Threat Disclosure

You are also permitted to disclose PHI without a patient’s authorization, or opportunity to agree or object, in order to prevent a serious threat to health or safety. You may disclose PHI if you believe the disclosure is necessary to prevent or reduce a serious and imminent threat to the health or safety of a person or the public. If you are making this type of disclosure, the person you notify must be reasonably able to prevent or lessen the threat.

Preventing Harm Disclosure

First, do no harm. The Hippocratic Oath can apply not only to the actual practice of medicine, but also to how we protect our patients and communities. HIPAA permits disclosures if you believe a patient is a potential threat to themselves or others and so if a patient tells a provider or other employee, it is their DUTY to report it.

Wrapping Up

Understanding PHI disclosures is an important step in preventing a privacy breach. Not only does understanding disclosures protect you, it also to ensures you are protecting the health and safety of your patients and the community you work with.