HIPAA FAQs - Uses & Disclosures of PHI

  


 
Under what circumstances can I use and disclose protected health information (PHI)?
You are permitted to use or disclose PHI: 
  • To the individual. 
  • To carry out treatment, payment, and health care operations (TPO). 
  • Without written authorization but with an opportunity to agree or disagree prior to the use or release (e.g., a patient directory listing). 
  • When data is de-identified. 
  • When public good permits the use/disclosure. 

You are REQUIRED to disclose information:

  • To the individual who is the subject of the records (except as noted in the authorization section). 
  • To the U.S. Department of Health and Human Services (HHS) to investigate compliance with the regulations. 

When can protected health information (PHI) be disclosed without patient authorization, other than for treatment, payment, and health care operations (TPO)?
Information can be disclosed without patient authorization to public health authorities and the Federal Drug Administration (FDA). It may also be released to law enforcement officials, the medical examiner or coroner after someone has died, and other instances as noted in your Notice of Privacy Practices (NPP) and as authorized by state or federal law.

Do I have to tell a patient that I have disclosed his/her protected health information (PHI) without authorization?
While you do not have to tell the patient, sometimes it is appropriate to do so. In the instance where you will be reporting a communicable disease to the authorities, you could inform the patient that you are doing so.

If you make a non-authorized disclosure of PHI, you MUST keep track of this disclosure and make the list of such disclosures available to the patient upon written request for six (6) years. You must list the date of disclosure, to whom you disclosed and for what purpose. All disclosures that are not related to treatment, payment, and health care operations (TPO) and disclosed without patient authorization outside of the organization must be accounted for. This accounting of disclosures does not apply to any disclosure prior to April 14, 2003.

What if a patient asks for frequent accounts of disclosure?
The first request in a 12-month period is free of charge, but your practice may charge for additional requests. You should have this practice clearly stated in your Notice of Privacy Practices (NPP) and you should inform the patient of the approximate charge prior to completing the additional requests for disclosure.

Back to Top