Can a covered entity share PHI with another covered entity?

The Privacy, Security and Breach Notification Rules under the Health Insurance Portability and Accountability Act of 1996 were intended to allow information sharing by ensuring that sensitive health data is maintained securely and shared only for appropriate purposes or with the authorization of the individual.

Sharing Protected Health Information

Table of Contents

  • Permitted Uses and Disclosures
  • Authorizations
  • Psychotherapy Uses and Disclosures
  • Opportunities to Agree or Object
  • Public Interest and Benefit Activities

1. Permitted Uses and Disclosures

There are permitted uses and disclosures of PHI for different purposes within the healthcare sector. All employees of an organization that acts as a covered entity or business associate must be aware of these guidelines. It is always permitted to use and disclose PHI for treatment, payment and health care operations. If the reason for disclosing the PHI is not one of these purposes, an authorization must be obtained. By following these guidelines, an organization can stay in compliance with HIPAA's rules while still sharing protected health information.

Disclosure refers to the transfer, release, provision of access to, or divulging in any other manner of information outside the entity holding the information. These definitions apply to the sharing of electronic, paper or oral communications. Disclosure does not include releasing PHI to the individual himself or herself.

Use is the sharing, employment, application, examination or analysis of identifiable health information within the entity that maintains such information.

The major difference between disclosure and use is that use of PHI is internal to the covered entity, while disclosure concerns external communication of PHI.

Sharing with Health Care Providers

Keep in mind that HIPAA was written not only to protect PHI but also to assist treatment providers in caring for the patient without requiring patient authorization to share their PHI. For example, it is permissible to share protected health information with health care providers who will treat the patient in their office or after hospital discharge. The sharing may be done electronically and must be in a manner that is compliant with the Security Rule.

Sharing for Care Coordination

We now see the need to share data with health care providers for purposes of care coordination. This has expanded the "permitted uses and disclosures of PHI." This activity did not exist when HIPAA was written; it is now required by CMS and is part of a treatment plan. A health care provider may disclose PHI to another provider for these treatment purposes without patient authorization. This information must be shared with all employees of the organization.

Sharing PHI for Treatment

Keep in mind that the purpose of HIPAA is to protect PHI. In addition, it assists treatment providers in caring for the patient without requiring patient authorization to share their PHI. For example, it is permissible to share PHI with health care providers who will treat the patient in their office or after hospital discharge. PHI may be shared for treatment electronically, and the sharing must be done in a manner that is compliant with the Security Rule. PHI may also be disclosed for payment purposes, as with a billing company. Finally, PHI may be shared for health care operations activities. One must also understand that these rules may vary from state to state, as in the State of Ohio.

2. Authorizations

Health care providers, health care clearinghouses and health plans are obligated to obtain authorizations prior to using or disclosing PHI for purposes other than treatment, payment or health care operations. Psychotherapy notes cannot be disclosed to any other entity, for any purpose, without specific authorization according to the Privacy Rule.

Disclosure to an attorney's office, or to a life or disability insurance company, is an example of when an authorization is needed.

An authorization must be obtained to disclose medical records in certain circumstances. First, one is not required when a patient consents to participate in a research project. Secondly, it is not required when the patient requests a transfer of medical records to another medical provider's office.

A covered entity can use one authorization form for all purposes. Of course, if the authorization is for multiple purposes, it must give a description of each purpose of the use or disclosure.

The authorization must be for a limited amount of time. The documentation must be retained for six years from the date of its creation or the date it was last in effect.

Writing Authorizations

Authorizations must be written simply, using plain language, and must focus on the needs of the reader. An authorization must contain the following items:

  • A description of the information to be used or disclosed.
  • The name of the person who will be authorized to make the requested use or disclosure.
  • The person to whom the covered entity may make the requested use or disclosure.
  • An expiration date that relates to the individual or purpose of the use or disclosures.
  • A description of each purpose of the use or disclosure.
  • The signature of the individual and the date.

In addition to the above elements, the authorization must also contain the following statements:

  • The individual has the right to revoke the authorization in writing and the exceptions to the right to revoke. There may also be a description of how the individual may revoke the authorization.
  • A statement that treatment, payment, enrollment or eligibility for benefits is not affected by the refusal to sign the authorization.
  • The potential for the information to be re-disclosed by the recipient.
  • If the authorization is signed by the personal representative of the individual, a description of such representative's authority to act for the individual.

Combined Authorizations

Authorizations for use or disclosure of PHI created for any research project that includes treatment may be combined only with a notice of privacy practices.

Permissions authorizing the use or disclosure of psychotherapy notes may be combined only with other authorizations for such use or disclosure.

Authorizations may not be combined if treatment, payment, enrollment in a health plan or eligibility for benefits is conditioned upon a patient's grant of one of the authorizations.

Revoking Authorization

An authorization may be revoked at any time, upon written notice, except to the extent that the authorization already has been relied upon. If an authorization is used to participate in a health plan it may not be revoked if other state or federal law provides the health plan with the right to contest a claim under the policy.

Authorization Created for Research with Treatment

Authorization is required to use or disclose PHI created, in part or in whole, as part of any research that includes treatment. These research authorizations must also contain the following:

  • A description of how the PHI created will be used to carry out treatment, payment and health care operations.
  • A description of the PHI that will not be used for those purposes when individuals are required to have an opportunity to agree or object to the use of their PHI.
  • A description of the PHI not to be used in situations when authorization or an opportunity to agree or object to the use of PHI is not required by the privacy standard.

State Law Requirements

A HIPAA-compliant authorization permitting use of protected health information must contain certain elements. It is also important to look at state law requirements. Many states have laws that are more protective of PHI than the federal HIPAA Rules, and organizations in those states will need additional elements added to the authorization. It is the responsibility of the covered entity and/or business associate to determine which requirement is most restrictive.

Deficient Authorizations

An authorization is not valid if it has one of the following defects:

  • Expiration date has passed
  • Authorization does not contain all required elements
  • Authorization is attached to or combined with other documents in a manner that is not valid under the privacy standard
  • Authorization has false information

3. Psychotherapy Uses and Disclosures

"Psychotherapy notes" are described by the Rule as notes recorded, either orally, in writing or otherwise, by a mental health professional who is documenting or analyzing the conversation during a counseling session. Psychotherapy notes generally do not include medication prescriptions and monitoring; the form and frequency of treatment; clinical test results; or summaries of diagnoses, functional status, the treatment plan, symptoms, prognosis and progress to date.

Psychotherapy Notes

The disclosure of psychotherapy notes by a covered entity requires patient authorization, including when using or disclosing them for another covered entity's treatment, payment or health care operations purposes. The entity may use and disclose psychotherapy notes without an authorization to carry out its own treatment, payment and health care operations purposes as long as one of the following holds: the originator of the notes uses them for treatment; the entity is using or disclosing the notes for its own training programs for its mental health professionals, students and trainees; or the entity is using or disclosing the notes to defend itself in a legal action or other proceeding brought by the individual.

If the notes are used as PHI for research that includes treatment of individuals, the entity must obtain an authorization for the use or disclosure of such information.

There are situations in which limited uses or disclosures of these notes are allowed without authorization. These are the following:

  • If required by DHHS to enforce regulations
  • If certain uses or disclosures are required by law
  • For oversight of the health care provider who created the note
  • For coroners or medical examiners to conduct their duties
  • To avert a serious and imminent threat to health or safety

An individual does not have a right to access psychotherapy notes as part of their PHI. DHHS does encourage providers to allow patients to access these notes when appropriate.

Sharing Mental Health Information

In certain circumstances HIPAA allows sharing of mental health information by mental health providers based on professional judgment. This can be when it is in the best interests of the patient, or to prevent or lessen a risk of harm.

There are several ways the provider may address the situation. If the patient lacks the ability to make decisions or is unconscious, the provider can share information with the patient's personal representative (if applicable).

They can also share with family or friends involved in the patient's care if it is determined to be in the patient's best interest.

A provider may contact anyone reasonably able to lessen the risk of harm. This is important when the provider believes that a patient presents a serious and imminent threat to the health or safety of themselves or another person.

If there is a risk of harm to themselves or others, or if the patient is exhibiting behavior that may threaten their health or safety, providers need to be able to use professional judgment. As a result, they can identify the potential or likely risk and determine who can help lessen it.

The Office for Civil Rights (OCR) states it will not second-guess a mental health provider's judgment when a patient is a threat to himself or others. HIPAA allows mental health providers to share information in the appropriate circumstances.

For more detail see the OCR guidance on this vital topic. Remember to check state law for any restrictions on sharing. It is the responsibility of all providers of mental health treatment to know the rules before managing this information.

By following these guidelines, organizations will be able to stay in compliance with HIPAA as they manage their PHI. One must also realize that there are other ways that one may safely share PHI without having to obtain permission. An example would be a court order or a disclosure for law enforcement purposes.

4. Disclosures Requiring Opportunity to Agree or Object

HIPAA allows the use and disclosure of PHI when an individual receives oral or written advance notice of the use and disclosure and is given the opportunity to agree or object orally. (In other words, they are given an opt-out opportunity.)

The Privacy Rule recognizes that there are times when an individual and a covered entity make informal, oral agreements to disclose PHI. This can happen when a relative calls a hospital to check on a patient's health status. The hospital may disclose some information regarding the presence of the patient if there are no prior agreements preventing this. The provider must always give the patient the opportunity to opt out of such disclosures.

In most situations a covered entity may use the patient's name, location in the facility, general condition and religious affiliation in order to maintain a directory for its facility.

A covered entity may disclose to a relative, close friend or any other person identified by the individual any PHI that is directly related to that person's involvement with the patient's care or payment for health care. These disclosures do not include detailed information about the patient's health history.

If a patient is present or available when PHI is to be disclosed to a relative, friend or other third party, the covered entity must give the patient the opportunity to refuse disclosure. If the individual is not present, or cannot object or agree due to circumstances, the covered entity may use professional judgment and infer that the patient does not object. An entity may also allow a third party to act on the patient's behalf by picking up prescriptions or other forms of PHI.

A covered entity is not required to verify the identity of relatives or other third parties involved in the individual's treatment. If the individual has not objected to the involvement of third parties, the covered entity can infer that the individual would not object, and further verification is not necessary. All permissions must be evaluated on a case-by-case basis.

All such disclosures must be related to the patient's current condition and not to the specifics of the medical history. Disclosures should be narrowed to the closest relationships of the patient and only to information relevant to the condition.

Dealing with Family

Importantly, covered entities can also disclose information to family, friends and others involved in an individual's care for notification purposes. One may disclose information to identify, locate and notify family members, guardians or anyone responsible for the care of the patient.

HIPAA and Same-sex Marriage

The HIPAA Privacy Rule recognizes the important role that family members, such as spouses, often play in a patient's health care. HIPAA and same-sex marriage has therefore become an important topic to understand. The Rule requires covered entities to treat an individual's personal representative, who may be a spouse, as the individual for purposes of the Privacy Rule, including the right to access the individual's health information. In addition, the Privacy Rule provides protections against the use of genetic information about an individual, which also includes certain information about family members of the individual, for underwriting purposes.

A Major Court Decision

On June 26, 2013, the Supreme Court held section 3 of the Defense of Marriage Act (DOMA) to be unconstitutional in United States v. Windsor. Section 3 of DOMA had provided that federal law would recognize only opposite-sex marriages. By making this decision the federal government recognizes the rights of individuals in same-sex marriages. This decision did not resolve the status of such rights under state law. Two years later, on June 26, 2015, in Obergefell v. Hodges, the Court held that the Fourteenth Amendment requires a state to license a marriage between two people of the same sex and to recognize same-sex marriages lawfully performed in other States.

Effects of the Decisions

In light of the Windsor and Obergefell decisions, this guidance makes clear that the terms marriage, spouse, and family member include, respectively, all lawful marriages, lawfully married spouses, and both the lawful spouses and the dependents of all lawful marriages, and clarifies certain rights of individuals under the Privacy Rule. This guidance also updates and expands on related guidance issued in September 2014.

Marriage, Spouse & Family Member

The definition of family member in the Privacy Rule at 45 CFR 160.103 includes the terms spouse and marriage. The term marriage includes all lawful marriages. A lawful marriage is any marriage sanctioned by a state, territory, or a foreign jurisdiction if a U.S. jurisdiction would also recognize the marriage performed in the foreign jurisdiction. The term spouse includes all individuals who are in lawful marriages without regard to the sex of the individuals. The term family member includes lawful spouses and dependents of all lawful marriages. In addition, the terms marriage, spouse, and family member apply to all individuals who are legally married, regardless of where they live or receive health care services.

The definition of family member is relevant to the application of §164.510(b) regarding permitted uses and disclosures of PHI related to another person's involvement in an individual's care, and for making notifications about the individual's location, general condition, or death. In addition, under certain circumstances, HIPAA permits covered entities to share an individual's protected health information with a family member of the individual. Legally married spouses are family members for the purposes of applying this provision.

Disaster Relief

Covered entities may use or disclose PHI to disaster relief agencies to notify family members or other caregivers of the patient's condition or location.

Providers and business associates may provide PHI during an emergency to another party so that the second party may manage health information and share it to provide health care to people affected by the disaster.

The Privacy Rule allows covered entities to disclose necessary PHI without the individual's authorization to a public health authority for the purpose of preventing or controlling disease, injury or disability.

The OCR and Emergency Situations

The OCR has previously stated it will not seek penalties for violations of business associate provisions under emergency situations. The Office for Civil Rights (OCR) issued a bulletin on November 10, 2014 on "HIPAA Privacy in Emergency Situations." The purpose of the bulletin was to ensure that covered entities and their business associates know how protected health information may be shared during an emergency, and that the privacy protections continue to apply during emergencies. The OCR issued the bulletin in part due to the Ebola outbreak at that time. Read the OCR bulletin for details.

The outbreak led many healthcare organizations to voice their concern regarding how best to keep their staff members safe. In addition, there was much discussion about how to remain HIPAA compliant and not inappropriately disclose patients' protected health information (PHI). Since then, other public catastrophes such as hurricanes and extensive flooding have also created significant concern. Organizations want to know how to serve their communities' healthcare needs and stay in compliance with the HIPAA Rule.

Managing HIPAA Privacy in Emergency Situations

The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has previously outlined how healthcare organizations can still follow HIPAA in a crisis. OCR gave guidelines on treating patients in the midst of a public crisis while ensuring that only appropriate uses and disclosures of health information are made. This allows organizations to treat patients, protect the nation's public health and perform other critical functions.

The OCR stated: "The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information that is necessary to carry out their public health mission."

The Privacy Rule allows covered entities to disclose necessary PHI without the individual's authorization to a public health authority for the purpose of preventing or controlling disease, injury or disability.

HIPAA and Imminent Danger

OCR allows disclosure of information if there is imminent danger to the patient. In addition, information may be shared if doing so will lessen a serious or imminent threat to the health and safety of the patient.

Follow the Rule

In any emergency situation, covered entities must continue to use reasonable safeguards to protect PHI against intentional or unintentional impermissible uses and disclosures. In summary, it is important for any covered entity to review and follow the HIPAA Privacy Rule in emergency situations. This will allow it to continue to protect PHI even in a catastrophic situation.

5. Public Interest and Benefit Activities

The Privacy Rule allows the use and disclosure of PHI without authorization, and without providing an opportunity to agree or object, for 12 national priority purposes. These disclosures are permitted, though not required, by the Rule because of the important uses made of the health information.

Required by Law

Covered entities may use and disclose protected health information without individual authorization as required by law (this includes statute, regulation or court orders).

Public Health Activities

There are several circumstances in which PHI may be released without the need for authorization or an opt-out opportunity:

  • Public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability and to public health or other government authorities authorized to receive reports of child abuse and neglect;
  • Entities subject to FDA regulation regarding FDA regulated products or activities for purposes such as adverse event reporting, tracking of products, product recalls, and post-marketing surveillance;
  • Individuals who may have contracted or been exposed to a communicable disease when notification is authorized by law; and
  • Employers, regarding employees, when requested by employers, for information concerning a work-related illness or injury or workplace-related medical surveillance, because such information is needed by the employer to comply with the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or similar state law.

Abuse, Neglect or Domestic Violence

PHI concerning victims of abuse, neglect or domestic violence may be disclosed to a government authority, including social service or protective service agencies authorized to receive such reports. In these cases the disclosure must be required by law and limited to what the law allows.

OCR allows disclosure of information if there is imminent danger to the patient. In addition, information may be shared if doing so will lessen a serious or imminent threat to the health and safety of the patient.

The covered entity does not have to inform the personal representative of the disclosure if that representative is the person responsible for the abuse, neglect or injury.

Health Oversight Activities

Covered entities may disclose protected health information as authorized by, and to comply with, workers' compensation laws and other similar programs providing benefits for work-related injuries or illnesses.

When can you share PHI information?

Information can be shared without consent if it is justified in the public interest or required by law. Do not delay disclosing information to obtain consent if that might put children or young people at risk of significant harm.

When can an organization share PHI with others?

When is the use or disclosure of PHI required, even without patient authorization? 1) When the patient or their representative requests access to, or an accounting of, disclosures (with exceptions), and 2) when HHS is conducting an investigation, review or enforcement action.