HIPAA has strict rules governing patient data storage and sharing. However in limited circumstances, the HIPAA Privacy Rule allows a covered entity to use or disclose a patient’s Protected Health Information (PHI) without prior written authorization.
First in our series of in-depth HIPAA blog posts, this piece looks at the circumstances under which you do not need a patient’s permission to use or share their PHI and, most importantly, how to do so while remaining HIPAA compliant.
Read on to learn about each of these exceptions.
1. Treatment purposes
You may share a patient’s PHI as necessary to enable treatment.
Treatment comprises the provision, coordination, or management of health care and related services by one or more health care providers. It also includes consultation between providers and the referral of a patient for treatment.
For instance, if your patient is referred to another physician, you may share the patient’s PHI with the new physician so that he/she has the information needed to diagnose and treat the patient.
You can also disclose a patient’s PHI to health care providers outside your facility who may be involved in the patient’s care.
For instance, if the patient lives in a nursing facility, it may be necessary to disclose the medications prescribed to him/her so that the facility can administer them properly.
2. Payment purposes
You can share PHI as necessary to enable or facilitate payment.
It may be necessary to share your patient’s PHI to collect payment for treatment and services from his/her insurer or another third-party payer.
Bills requesting payment typically include information that identifies the patient, his/her diagnosis, and the supplies or procedures used.
You can also share PHI without the patient’s authorization to obtain prior authorization for services from the patient’s health insurer.
In addition, it may be necessary to release your patient’s PHI to another health care provider or covered entity for that provider’s or entity’s own payment activities.
3. Public health activities
You can share a patient’s PHI for the public good under the following circumstances:
i. Collection of information by public health agencies
You may disclose your patient’s PHI to a public health authority that is legally authorized to receive such information to prevent or control disease, injury, or disability.
The shared information may be used to report disease, injury, or vital events such as births and deaths. It can also be used for public health surveillance, investigations, and interventions.
At the direction of the public health authority, you may also share your patient’s PHI with an official of a foreign government agency that is collaborating with that authority.
ii. Child abuse or neglect
You may share your patient’s PHI with a government authority legally authorized to receive child abuse and neglect reports.
iii. Food and Drug Administration (FDA)
You may disclose a patient’s PHI to a person or organization subject to FDA jurisdiction for activities related to the quality, safety, or effectiveness of an FDA-regulated product, such as reporting adverse events, product defects, and biological product deviations.
You can also share the data for tracking products, enabling recalls, repairs, or replacements, and conducting post-marketing surveillance.
iv. Communicable diseases
You may release a patient’s PHI, if legally authorized, to a person who has been exposed to a communicable disease or who is otherwise at risk of contracting or spreading a disease or condition.
v. Workplace injuries
You may share a patient’s PHI, if legally authorized, with an employer in certain circumstances relating to workplace medical surveillance or the reporting of work-related injuries and illnesses.
Other scenarios which allow use and disclosure of your patient’s data without authorization include:
- Disclosure required by law.
- Disclosure, consistent with state and federal law, to the appropriate government entity if your patient is a victim of abuse, domestic violence, or neglect.
- Disclosure to health oversight agencies, as permitted by law, for inspections, investigations, and audits.
- Disclosure in judicial and administrative proceedings: to comply with a court order, or, under certain conditions, in response to a subpoena or discovery request.
- Disclosure for law enforcement purposes, including:
  - Disclosures required by a legal process such as a warrant or court order.
  - Disclosures to identify or locate a suspect, fugitive, material witness, or missing person.
  - Disclosures about a death that may have resulted from criminal conduct.
- Disclosure to coroners, medical examiners, and funeral directors, including for purposes of determining the cause of death.
- Disclosure to facilitate cadaveric organ, eye, or tissue donation and transplantation.
- Disclosure for research purposes, subject to the Privacy Rule’s conditions, such as a waiver of authorization approved by an IRB or privacy board.
- Disclosure to prevent or lessen a serious and imminent threat to the health or safety of the patient or the public.
- Disclosure for specialized government functions, including military and veterans activities, national security and intelligence activities, and protective services.
Secure patient data with Polymer DLP
While you can share your patient’s PHI without authorization in these situations, you must still ensure that only the intended recipient receives and sees the information, and that, except for treatment disclosures and the other exemptions in the Privacy Rule, you disclose only the minimum necessary to accomplish the purpose.
That’s why you need a data governance and data loss prevention (DLP) tool such as Polymer to help you share your patient’s PHI without leaking it to the wrong third parties.
The tool has an intuitive wizard and dashboard to enable you to customize and manage HIPAA policies at the click of a button.