Understanding When Patient Authorization is Required Under HIPAA

Under the HIPAA Privacy Rule, covered entities are required to protect the confidentiality and integrity of individuals’ Protected Health Information (PHI). One of the most frequently asked questions is whether a provider needs a patient’s authorization to disclose PHI. The answer depends on the purpose of the disclosure.

When Authorization Is Not Required

The HIPAA Privacy Rule permits providers to use or disclose PHI without the patient’s written authorization in certain situations. These exceptions are designed to facilitate patient care, public health, and operations while maintaining privacy protections.

1. Treatment, Payment, and Healthcare Operations (TPO):
A provider may disclose PHI to another healthcare provider for the purpose of treating the patient, to an insurance company for payment purposes, or for the provider’s own healthcare operations (such as quality improvement or training).

Important Note: If a provider wishes to transmit PHI to another provider for purposes other than treatment, such as an informal consultation or information sharing not tied to a referral or direct treatment, they must obtain the patient’s authorization. HIPAA permits disclosures between providers without authorization only when both are directly involved in the treatment of the patient. If the purpose does not meet HIPAA’s definition of treatment, the patient’s authorization is required.

2. Public Health Activities:
PHI may be disclosed without authorization to public health authorities for purposes such as preventing or controlling disease, reporting child abuse, or notifying people at risk of contracting or spreading a disease.

3. Judicial and Administrative Proceedings:
Disclosure is permitted in response to a court order, subpoena, or other lawful process, provided that certain conditions are met, such as notifying the individual concerned or securing a protective order to safeguard the information.

*Please notify TMC upon receiving a court order or subpoena so we can ensure all necessary requirements are met before any information is released.

4. Law Enforcement Purposes:
PHI may be shared with law enforcement in specific scenarios, such as locating a suspect, identifying a missing person, or reporting a crime on the premises.

5. Required by Law:
When another law mandates disclosure (e.g., mandatory reporting of gunshot wounds), HIPAA defers to that requirement.

6. Emergencies and Incapacity:
In emergency circumstances or when the patient is incapacitated, providers may disclose PHI to family members or others involved in the patient’s care, if, in their professional judgment, it is in the best interest of the individual.

When Authorization Is Required

In situations not covered by the permitted disclosures above, the patient’s written authorization is required before PHI can be released. The authorization must be specific and detailed, naming the recipient and stating an expiration date or expiration event.

Examples where authorization is required include:

1. Non-Treatment Disclosures Between Providers:
As previously mentioned, if the disclosure is not for direct treatment or referral purposes, such as a request from a provider to whom you have not referred the patient, authorization is required.

2. Marketing:
PHI cannot be used for marketing purposes without authorization.

3. Psychotherapy Notes:
These require special protection and generally may not be disclosed without explicit authorization.

4. Research:
Unless a waiver is granted by an Institutional Review Board or Privacy Board, written authorization is typically required.

5. Disclosures to Employers:
PHI may not be disclosed to an employer without the patient’s authorization, even if the employer is paying for the healthcare.

Providers must carefully assess whether the purpose of a PHI disclosure meets one of HIPAA’s permitted exceptions. If it does not, obtaining the patient’s explicit written authorization is essential. HIPAA is not only a legal requirement, but also a framework for building patient trust through confidentiality and respect for individual privacy rights.