The HIPAA Privacy Rule
The Privacy Rule protects most individually identifiable health information held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information “protected health information” or “PHI.” Individually identifiable health information is information, including demographic information, that relates to:
- The individual’s past, present or future physical or mental health or condition,
- The provision of health care to the individual or
- The past, present or future payment for the provision of health care to the individual.
In addition, individually identifiable health information either identifies the individual or provides a reasonable basis to believe it can be used to identify the individual.
When is Consent Required to Disclose PHI?
In summary, uses and disclosures of PHI fall into three categories with regard to the need to obtain the individual’s consent: 1) No consent required, 2) Verbal consent or acquiescence required and 3) Written consent required.
1) No Consent Required—
TPO: In general, a covered entity may use and disclose PHI for treatment, payment and health care operations activities (a.k.a., TPO) without obtaining an individual’s written permission (e.g., consent or authorization). Treatment is the provision, coordination or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient and referral of a patient by one provider to another. One exception to this general statement exists concerning psychotherapy notes—see the Written Consent Required section.
Public Health and Safety: A covered entity may disclose PHI without individual authorization in certain situations—sending immunization records to schools; reporting to a public health authority for purposes of preventing or controlling disease, injury or disability; reporting to a foreign government agency at the direction of a public health authority; and to warn persons at risk, prevent or control the spread of disease.
Prevent or Lessen Imminent Danger: A covered entity may disclose PHI that it believes is necessary to prevent or lessen a serious and imminent threat to a person or the public, when the disclosure is made to someone the covered entity believes can prevent or lessen the threat (including the target of the threat). A covered entity may also disclose PHI to law enforcement if the information is needed to identify or apprehend an escapee or a violent criminal.
2) Verbal Consent or Acquiescence Required—
Disclosures to Family, Friends and Others: To make disclosures to family and friends involved in an individual’s care or for notification purposes, or to other persons whom the individual identifies, the covered entity must obtain informal permission, either by asking the individual outright or by determining that the individual did not object in circumstances that clearly gave the individual the opportunity to agree, acquiesce or object. Where an individual is incapacitated, in an emergency situation or not available, a covered entity generally may make such disclosures if the provider determines, through his or her professional judgment, that doing so is in the best interests of the individual.
Disclosures in Facility Directories: In health care facilities where a directory of patient contact information is maintained, a covered entity may rely on an individual’s informal permission to list in its facility directory the individual’s name, general condition, religious affiliation and location in the provider’s facility.
3) Written Consent Required—
General: A covered entity must obtain an individual’s written authorization for any use or disclosure of PHI that is not for TPO or otherwise permitted or required by the Privacy Rule. A covered entity may not condition treatment, payment, enrollment or benefits eligibility on an individual granting an authorization, except in limited circumstances.
Psychotherapy Notes: As noted previously, a covered entity generally cannot use or disclose psychotherapy notes without an individual’s written authorization; the Privacy Rule carves out only a few narrow exceptions, such as use of the notes by the originator for treatment.
Marketing Activities: A covered entity must obtain an individual’s authorization prior to using or disclosing PHI for marketing activities. Marketing is any communication about a product or service that encourages recipients to purchase or use the product or service. If the covered entity receives financial remuneration for making the communication, the authorization must state that such remuneration is involved.
PHI Sales and Licensing: A covered entity may not sell PHI without the individual’s authorization (including the licensing of PHI). A sale is a disclosure of PHI in which the covered entity directly or indirectly receives remuneration from the recipient of the PHI. The Privacy Rule identifies certain actions that do not constitute a “sale of PHI” and therefore do not require an individual’s authorization. For example, a disclosure made as part of the sale or merger of a covered entity’s practice falls into this category.
Research: Special rules apply with regard to clinical research, bio-specimen banking and all other forms of research not involving psychotherapy notes. In some circumstances, patient authorization is required.
Linford & Co., LLP, founded in 2008, is comprised of professional and certified auditors with specialized expertise in SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP and royalty/licensing audits. Our auditors hold CPA, CISA, CISSP and GSEC licenses and certifications.