When Can I Disclose PHI?


Every day, you share patients’ protected health information (PHI) to carry out tasks at work. However, is it okay to share PHI without the patient’s permission? In many cases, yes. HIPAA allows you to share PHI both internally and with business associates if it helps with treatment, payment, or healthcare operations (TPO). TPO disclosures allow your organization to run smoothly without having to get authorization at every turn. Furthermore, many of your organization’s daily activities are related to TPO.

Treatment Disclosures

Many people are cautious about sharing patients’ treatment information. However, withholding too much can cause gridlock that could lead to a patient’s harm. Therefore, HIPAA allows for many types of treatment disclosures, including:

  • Sharing lab and imaging results, patient visit notes, patient history, or other information to help continue a patient’s care
  • Talking with other staff members to help provide care
  • Discussing dosage with an external pharmacy or a treatment plan with a specialist
  • Ordering a test from a lab
  • Referring patients to third parties

Payment Disclosures

If you can’t share PHI, insurance companies can’t pay you, and you can’t send patients to collections for unpaid bills. Therefore, it’s important to know when you can share PHI for payment purposes. These include:

  • Determining eligibility or coverage
  • Billing patients
  • Managing claims
  • Completing collection activities

Operations Disclosures

There’s a fine line between sharing enough PHI to help operations and sharing more than what’s needed. The minimum necessary standard limits the PHI you share to only what’s needed to carry out an activity. Acceptable operations disclosures include:

  • Ensuring patient safety
  • Developing protocol
  • Completing training or compliance programs
  • Conducting quality assessments and improvement activities
  • Detecting fraud and abuse
  • Planning business activities and development

Furthermore, besides TPO disclosures, there are other situations when sharing PHI is okay.

Preventing a Health Threat or Harm

In a situation that poses a serious and imminent threat to the safety of a person or the public, you can disclose a patient’s PHI to law enforcement, family members, and anyone else you believe can lessen or prevent the threat. However, in some cases, disclosing PHI is not only permitted but required. For example, if a patient is a potential threat to themselves or others and tells a staff member, they must report it.

Therefore, it’s important to understand when you can – and should – share a patient’s PHI without their permission. Not only do you protect your own organization from a potential breach, you also protect the safety of the patient and the community.

What is Information Blocking?

Check out our cheat sheet to understand when to disclose and what the exceptions are!

Information Blocking Cheat Sheet

Request A HIPAAtrek Demo

HIPAAtrek User
Compliance is complicated. Your compliance software doesn’t have to be. Schedule your demo today!

You Might Also Like

Is the Telehealth you’ve adopted secure?

Many patients and providers who would not have normally considered telehealth as a regular way to access healthcare are now utilizing the services. Many patients are afraid to go the hospital or doctor office in fear of exposing themselves and loved ones to Covid-19. Luckily, doctors can still reach their patients and provide medical care online. After this pandemic is over, many suspect that telehealth will still be sticking around. Now may be a good time to consider how to make your telehealth services more secure.

Read More »