Author: Sam Khan

Decoding HIPAA: Key Insights on PHI Use and Disclosure

PHI Use and Disclosure Under HIPAA

HIPAA’s Privacy Rule says that, as a general matter, a covered entity may not use or disclose protected health information (PHI) without the authorization of the patient (or the patient’s legal representative). [1] A “use” occurs within a Covered Entity (CE), whereas a “disclosure” involves sharing PHI outside the CE, including with Business Associates (BAs). CEs must have a Business Associate Agreement (BAA) in place with every BA. Obtaining a valid patient authorization carries certain requirements, and health care providers cannot make their services conditional on receiving such an authorization. [2]

HIPAA does, however, carve out of this general prohibition certain exceptions where PHI may be used or disclosed without patient authorization. The three main exceptions are for treatment, payment for health care, and health care operations.

Treatment, Payment, & Health Care Operations

HIPAA allows PHI to be used or disclosed without patient authorization for treatment, payment, or health care operations. Treatment is the provision, coordination, or management of care, or related services, including consultations and referrals. Payment for health care includes reimbursement for health care, coverage determinations, and all related activities. Health care operations include quality assessment and improvement; competency assurance, peer review, and credentialing; audits, legal or medical reviews, and compliance; insurance functions, business planning and development, and management and administration; and general administrative activities, including de-identification of PHI or creating limited data sets. [3]

Minimum Necessary Standard

For payment and health care operations, the use or disclosure of PHI must be limited to the minimum amount necessary to accomplish the purpose of the intended use or disclosure. This is referred to as the “minimum necessary” standard. [4] CEs must make reasonable efforts to limit such access to PHI. This means that even within an institutional health care provider itself, access to PHI should be limited to those with a “need to know” the information. For example, if there is no need to disclose an entire file or patient record, the disclosure should be limited to the portions that actually need to be disclosed.

The “minimum necessary” standard, however, does not apply where the use or disclosure is for treatment purposes. One underlying goal of this exception is to facilitate collaboration among medical professionals and ensure the patient receives the best possible care. So, if a CE or BA discloses PHI to another provider involved in the patient's care, or uses it internally for other treatment purposes, HIPAA allows full disclosure to promote the patient's safety and care.

Additional Avenues of Using or Disclosing PHI Without Patient Authorization

Apart from these three noted exceptions, HIPAA includes other uses and disclosures that are permitted or even required by law. These include mandatory reporting to state agencies and law enforcement in special circumstances and for certain litigation purposes.

Another exception, referred to as the “opportunity to agree or object,” allows certain uses and disclosures of PHI without express authorization. [5] However, this exception requires that the patient be informed in advance and given the opportunity to agree to, object to, or restrict the use or disclosure. If the patient is incapacitated or otherwise unavailable, health care providers generally can still make such uses and disclosures if they believe doing so is in the best interest of the patient.

Let’s consider a couple of examples related to the opportunity to agree or object exception. First, limited disclosures to facility directories are permitted. In a hospital or a care facility, the institution may include limited information about the patient in its facility directory (such as the patient’s name, location in the facility, general condition, and religious affiliation) and may release such information to certain people who ask for the patient by name, unless the individual objects or restricts the disclosure.

Another example is for family members or friends who are involved in the patient’s care. If you’ve ever wondered how your spouse is allowed to pick up your prescriptions from a pharmacy, this is how. Health care providers may disclose PHI to a patient’s family members, friends, or other persons identified by the patient who are involved in the patient’s care or payment for health care, unless the patient objects or restricts the disclosure.

Mental Health Records: Elevated Protection?

HIPAA essentially treats behavioral health records the same way as general medical records, with one exception: “psychotherapy notes.” HIPAA requires a separate authorization for psychotherapy notes, which are essentially the personal notes of a mental health counselor who has provided therapy to a patient, as distinct from the mental health record itself.

You should note, however, that several states have more stringent use and disclosure laws regarding mental health records. This is because they are seen as categorically “more sensitive,” and therefore have their own heightened level of privacy and protection. For example, Wisconsin has its own set of laws that secure mental health (and substance abuse) records. [6]

Steering Clear of Hefty HIPAA Violations

HIPAA violations for improper use or disclosure may result in hefty financial penalties. And although there is no private right of action for a HIPAA violation, [7] there may be a private right of action under state law, and HIPAA regulations may be cited as the standard of care in such a claim.

Additionally, it’s important to note that state laws should be reviewed to determine whether they are more stringent than HIPAA regarding the use or disclosure of PHI. There may also be other laws or regulations that need to be considered when implementing and enforcing your compliance initiatives related to privacy and security.

This article lays out the general landscape of HIPAA’s rules on the use and disclosure of PHI, but the devil is in the details, and compliance is a whole other beast. If you have any questions, please feel free to contact your preferred health care lawyer for detailed guidance and specific advice on your use or disclosure of PHI and how to comply with applicable laws and regulations. I’m here to help.


[1] See 45 C.F.R. § 164.502.
[2] See 45 C.F.R. §§ 164.520–164.528.
[3] See 45 C.F.R. § 164.501.
[4] See 45 C.F.R. §§ 164.502(b), 164.514(d).
[5] See 45 C.F.R. § 164.510.
[6] See Wis. Stat. § 51.30 and Wis. Admin. Code DHS 92.
[7] See, e.g., Rigaud v. Garofalo, No. Civ. A. 04-1866, 2005 U.S. Dist. LEXIS 8735 (E.D. Pa. May 2, 2005).
