Judging by the number of complaints submitted to the Office for Civil Rights (OCR), the HIPAA enforcement arm of the US federal government, many healthcare professionals lack clarity about the dictates of the HIPAA Privacy Rule concerning the use and disclosure of Protected Health Information (PHI). When healthcare providers or their employees fail to follow these guidelines, it is a finable offense. To provide guidance, the correct use and disclosure of PHI are discussed below.
When is it Permitted to Use and Disclose PHI?
HIPAA regulates when covered entities are permitted to use and disclose protected health information (PHI) without prior patient authorization. PHI can be disclosed for the purposes of treatment, payment, or healthcare operations by:
- providers for treatment
- covered entities for payment
- covered entities that have a relationship with the patient for certain healthcare operations such as quality improvement, credentialing, and compliance.
What is Considered Treatment, Payment, or Healthcare Operations?
Treatment is the provision, coordination, or management of healthcare and related services for an individual by a healthcare provider. Payment consists of health plan activities to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for healthcare delivered to an individual. Payment also includes the activities of a healthcare provider to obtain payment or be reimbursed for the provision of healthcare to an individual. Healthcare operations include any of the following activities:
- Quality assessment and improvement activities, including case management and care coordination;
- Competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation;
- Conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs;
- Specified insurance functions, such as underwriting, risk rating, and reinsuring risk;
- Business planning, development, management, and administration; and
- Business management and general administrative activities of the entity.
Psychotherapy Notes Disclosures
Before psychotherapy notes are disclosed to other entities for treatment, payment, or healthcare operations, written patient consent must first be obtained. Clinicians should also be familiar with the recent Open Notes Rule and how it applies to their practices.
Other Permitted Disclosures of PHI
The Privacy Rule also permits the use and disclosure of PHI for public interest and benefit activities. These include:
- When required by law
- When needed for public health activities
- For law enforcement purposes
- Research purposes (under certain circumstances)
- When there is a serious threat to health or safety
- For essential government functions
- For workers’ compensation purposes