The 6 Permitted Uses and Disclosures of HIPAA

Protected health information can be used or disclosed under these conditions

All healthcare providers have a responsibility to keep their staff trained and informed regarding Health Insurance Portability and Accountability Act (HIPAA) compliance. Whether intentional or accidental, unauthorized disclosure of protected health information (PHI) is considered a violation of HIPAA. At each meeting, remind your staff about the importance of avoiding disclosure of information through routine conversation, not discussing patient information in waiting areas, hallways or elevators, disposing of PHI properly, and strictly limiting access to information to employees whose jobs require that information.

A covered entity may use or disclose PHI without authorization under certain conditions.

1
PHI Can Be Disclosed to the Individual

Providers or other covered entities are allowed to disclose PHI to the individual patient without authorization. Since the patient is the subject of the information being shared, information can be freely given to them.

2
Disclosure for Treatment, Payment, and Healthcare Operations

 A covered entity may use or disclose protected health information without authorization for treatment, payment, and healthcare operations reasons.

  1. Treatment: Providers can share PHI with each other for the purpose of treating the patient, including consultations and referrals.
  2. Payment: Health plans and providers are allowed to share PHI with each other so the health plan can fulfill benefit obligations and providers can receive reimbursement for services.
  3. Health care operations: Includes activities such as case management, care coordination, medical reviews and audits, and others.

3
Uses and Disclosures with Opportunity to Agree or Object

This covers a provider's right to obtain informal permission in certain circumstances. Informal permission allows the provider to contact a third party on the patient's behalf or list the patient in its facility directory.

4
Incidental Use and Disclosure

Reasonable safeguards must be taken to minimize the risk of an incidental use or disclosure of PHI. This means that information may be used or disclosed as a result of another use or disclosure.

5
Public Interest and Benefit Activities

Specific conditions may require that PHI be shared for the purpose of public interest. Public interest may outweigh the need for a patient's personal privacy. These conditions include the following situations:

  1. As required by law such as in a court order
  2. To government authorities regarding victims of abuse, neglect or domestic violence
  3. Health care oversight activities such as audits and investigations
  4. Judicial and administrative proceedings
  5. Law enforcement purposes such as information about a suspect or victim of a crime
  6. Information about a deceased person
  7. Information about the donation and transplantation of cadaveric organ, eye, or tissue
  8. The purpose of research
  9. To prevent serious threat to health or safety
  10. To assist with certain essential government functions
  11. To comply with worker's compensation laws

6
Limited Data Set

 A limited data set of PHI can be shared as long as certain identifiers are removed from the information. PHI can be broken down into 18 identifiers.

  1. Names
  2. Address
  3. Elements of dates including birth date, admission date, discharge date, and date of death
  4. Telephone numbers
  5. Fax numbers
  6. E-mail address
  7. Social security numbers
  8. Medical record numbers
  9. Insurance policy numbers
  10. Account numbers
  11. Certificate/license numbers
  12. License plate numbers
  13. Device identifiers and serial numbers
  14. URLs
  15. IP addresses and numbers
  16. Fingerprints
  17. Photos
  18. Any other unique identifying number, characteristic, or code

7
Releasing Protected Health Information With an Authorization

The individual can authorize a release of their PHI. This is often done for purposes such as qualifying for health insurance or life insurance. A valid authorization to release protected health information includes:

  • Identity verification such as a driver's license.
  • A description of the information to be used or disclosed.
  • The name of the person or organization authorized to disclose the information.
  • The name of the person or organization to which the information is to be disclosed.
  • Signature of the person authorized to release the information.

Reminder

As a health care provider, it is your responsibility to be informed about the standards involving PHI under the HIPAA Privacy Rule. The HIPAA Privacy Rule details information on how protected information can be used and disclosed and what information is considered PHI. It also identifies the role providers have in informing patients of their privacy rights.
