When Can PHI be Disclosed?

October 21, 2022

Most sources of information answering the question of when PHI can be disclosed refer to the standards of the HIPAA Privacy Rule that specify the required and permissible uses and disclosures of PHI, and those that require the consent or authorization of the individual (§164.502 – §164.514).

However, it is important to be aware that there are inconsistencies within these standards. Scenarios exist when “permissible” disclosures are actually “required” disclosures, when only a limited amount of information can be provided in a permissible disclosure, and when PHI can be disclosed for purposes other than those listed in the Privacy Rule.

It is also important to be aware that the Privacy Rule has limited scope inasmuch as it only applies to Covered Entities and Business Associates (subject to the contents of a Business Associate Agreement). Any healthcare provider that is not a Covered Entity – or any organization not covered by HIPAA – is not required to comply with the standards for when PHI can be disclosed.

When Can PHI be Disclosed According to the Privacy Rule?

The standards of the Privacy Rule distinguish between when PHI has to be disclosed, when PHI can be disclosed, and when PHI must only be disclosed if a written authorization exists from the subject of the PHI or their personal representative. There is also a standard for occasions when an individual should be given an opportunity to agree or object to a disclosure of PHI.

When Does PHI Have to be Disclosed?

According to the Privacy Rule, PHI has to be disclosed when an individual requests access to it or when HHS’ Office for Civil Rights is conducting an audit, an investigation, or a compliance review. Other than in these two scenarios, disclosures of PHI are “permitted” by the Privacy Rule or require a written authorization from the subject of the PHI or their personal representative.

When Can PHI be Disclosed?

There are many scenarios in which PHI can be disclosed but the disclosure is not “required” (according to the Privacy Rule). These include, but are not limited to:

  • Disclosures to the individual or their personal representative other than access requests or requests for an accounting of disclosures.
  • Disclosures for treatment, payment, and healthcare operations (TPOs). This includes disclosures to external healthcare providers for treatment purposes.
  • Disclosures as required by other federal laws or state legislation – for example, to report abuse, neglect, or domestic violence.
  • Disclosures for the twelve public interest and benefit activities listed in §164.512 – subject to compliance with the Minimum Necessary Standard.
  • When PHI is disclosed in a Limited Data Set for the purposes of research or public health subject to a data use agreement being in place.
  • When a Covered Entity or Business Associate receives a subpoena for medical records in connection with a judicial or administrative proceeding.

Which Disclosures Require an Authorization?

Practically all other disclosures of PHI require a written authorization from the subject of the PHI or their personal representative. This includes “protected” disclosures such as the disclosure of psychotherapy notes and substance abuse disorder records, as well as disclosures for marketing and fundraising – which the subject of the PHI has the right to revoke at any time.

The Opportunity to Agree or Object

The exception to the authorization requirement is when an individual has the opportunity to informally agree or object to a disclosure of PHI. Cases in which this option exists are limited to inclusion in a hospital directory and for notifying family and friends of an admission. However, if the individual is unable to agree or object, Covered Entities can make a good-faith judgment instead.

What Inconsistencies Exist within these Standards?

It is important for Covered Entities and Business Associates to be aware that inconsistencies exist in the Privacy Rule standards, so that PHI is not inadvertently disclosed – or withheld. It was mentioned above that scenarios exist when “permissible” disclosures are actually “required”, when only a limited amount of information can be provided in a permissible disclosure, and when PHI can be disclosed for purposes other than those listed in the Privacy Rule. Here are a few examples:

It would have been impossible for the Department of Health and Human Services to predict state legislation in respect of the mandatory reporting of abuse, neglect, and domestic violence at the time the Privacy Rule was published; but federal laws – such as OSHA – existed and had mandatory reporting requirements. Under these reporting requirements, the disclosure of PHI is required (by OSHA) rather than permissible – an inconsistency that has raised issues in the past.

With regards to limited “permissible” disclosures, these can limit what PHI can be disclosed to less than the minimum necessary. An example of this inconsistency occurs with regard to the identification of a suspect, fugitive, witness, or missing person. In such cases, Covered Entities may not be able to provide law enforcement officers with sufficient PHI to achieve the intended purpose because they are not allowed (amongst other things) to disclose photos of the individual.

The issue of when PHI can be disclosed for purposes other than those listed in the Privacy Rule depends on what information is being disclosed and whether it is maintained in a designated record set. For example, car license numbers are considered PHI if they are maintained in a designated record set along with health information; but, if a patient’s car is blocking an emergency exit, is it acceptable to request that the car be moved over a Public Address system? The Privacy Rule says no!

When Can PHI be Disclosed by Other Organizations?

Not all organizations that collect, receive, maintain, or transmit PHI are subject to the HIPAA Privacy Rules for uses and disclosures. For example, a healthcare provider that accepts payments directly from patients is not a Covered Entity under HIPAA because they do not conduct transactions for which the Department of Health and Human Services has developed standards. Whether or not they can disclose PHI will be subject to state privacy legislation rather than HIPAA.

Also not subject to the Privacy Rule are vendors of Personal Health Devices (although they are subject to the Breach Notification Rule) and payment processors. Payment processors such as PayPal and Venmo are known to disclose data to advertisers, and therefore it is important that Covered Entities only use services that are not subject to the Privacy Rule when a payment is initiated by the patient. Covered Entities should never request a payment nor create an invoice using an insecure service.

It is also important that Covered Entities conduct due diligence on potential Business Associates before entering into a Business Associate Agreement, to ascertain whether they use third-party services that are not subject to the Privacy Rule. If the third party were to disclose PHI without the Business Associate first entering into a Business Associate Agreement with the third party – for example, PayPal will not sign a Business Associate Agreement – the Covered Entity could be considered liable for any breach of unsecured PHI. If doubts remain about when PHI can be disclosed, seek professional compliance advice.

The post When Can PHI be Disclosed? appeared first on HIPAA Journal.