Every day, you share patients’ protected health information (PHI) to carry out tasks at work. However, is it okay to share PHI without the patient’s permission? In many cases, yes. HIPAA allows you to share PHI both internally and with business associates if it helps with treatment, payment, or healthcare operations (TPO). TPO disclosures allow your organization to run smoothly without having to get authorization at every turn. Furthermore, many of your organization’s daily activities are related to TPO.
Many people are cautious about sharing patients’ treatment information. However, withholding too much can cause gridlock that could lead to a patient’s harm. Therefore, HIPAA allows for many types of treatment disclosures, including:
- Sharing lab and imaging results, patient visit notes, patient history, or other information to help continue a patient’s care
- Talking with other staff members to help provide care
- Discussing dosage with an external pharmacy or a treatment plan with a specialist
- Ordering a test from a lab
- Referring patients to third parties
If you can’t share PHI, insurance companies can’t pay you, and you can’t send patients to collections for unpaid bills. Therefore, it’s important to know when you can share PHI for payment purposes. These include:
- Determining eligibility or coverage
- Billing patients
- Managing claims
- Completing collection activities
There’s a fine line between sharing enough PHI to help operations and sharing more than what’s needed. The minimum necessary standard limits the PHI you share to only what’s needed to carry out an activity. Acceptable operations disclosures include:
- Ensuring patient safety
- Developing protocol
- Completing training or compliance programs
- Conducting quality assessments and improvement activities
- Detecting fraud and abuse
- Planning business activities and development
Furthermore, besides TPO disclosures, there are other situations when sharing PHI is okay.
Preventing a Health Threat or Harm
In a situation that poses a serious and imminent threat to the safety of a person or the public, you can disclose a patient’s PHI to law enforcement, family members, and anyone else you believe can lessen or prevent the threat. However, in some cases, disclosing PHI is not only permitted but required. For example, if a patient is a potential threat to themselves or others and tells a staff member, they must report it.
Therefore, it’s important to understand when you can – and should – share a patient’s PHI without their permission. Not only do you protect your own organization from a potential breach, you also protect the safety of the patient and the community.
What is Information Blocking?
Check out our cheat sheet to understand when to disclose and what the exceptions are!