HIPAA FAQ – Treatment, Payment, and Health Care Operations Disclosures

2020-09-08T13:32:14-04:00

May a Medicaid state agency and a Medicare Advantage plan share protected health information to identify dually eligible enrollees?

Yes. The HIPAA Privacy Rule permits a covered entity to disclose protected health information (PHI) both for its own payment purposes and for the payment purposes of another covered entity that receives the information. See 45 CFR 164.506(c)(3). The Privacy Rule defines “payment” to include activities to determine eligibility or coverage of enrollees. See the definition of “payment” at 45 CFR 164.501, paragraph (2)(i). Thus, a Medicaid State agency and a Medicare Advantage plan may disclose to each other PHI about their enrollees to identify those enrollees who are dually eligible under both plans. Such disclosures must comport with the Privacy Rule’s minimum necessary standard, where applicable. See 45 CFR 164.502(b), 164.514(d).

In general, an electronic inquiry and response from one health plan to another to obtain information regarding the eligibility of an enrollee to receive health care must be done using the HIPAA standard transaction for eligibility (X12N 270/271 transaction). Where the disclosures between the State Medicaid agency and the Medicare Advantage plan are conducted using the standard, the Privacy Rule’s minimum necessary requirements do not apply to the disclosures of the data elements required or situationally required by the standard transaction.

In contrast, where the disclosures are made outside of a standard transaction, both the Medicare Advantage plan in its request for PHI and the State Medicaid agency in its response must make reasonable efforts to limit the PHI requested and disclosed to the minimum necessary for the purpose of identifying dually eligible enrollees. Because the Medicare Advantage plan must limit its request to the minimum necessary PHI to identify dually eligible enrollees, the State Medicaid agency may rely, if reasonable, on that request as satisfying the minimum necessary requirement for these purposes. See 45 CFR 164.514(d)(3)(iii).

Does the HIPAA Privacy Rule permit a doctor, laboratory, or other health care provider to share patient health information for treatment purposes by fax, email, or over the phone?

Yes. The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, email, or otherwise.

For example:

  • A laboratory may fax, or communicate over the phone, a patient’s medical test results to a physician.
  • A physician may mail or fax a copy of a patient’s medical record to a specialist who intends to treat the patient.
  • A hospital may fax a patient’s health care instructions to a nursing home to which the patient is to be transferred.
  • A doctor may discuss a patient’s condition over the phone with an emergency room physician who is providing the patient with emergency care.
  • A doctor may orally discuss a patient’s treatment regimen with a nurse who will be involved in the patient’s care.
  • A physician may consult with another physician by e-mail about a patient’s condition.
  • A hospital may share an organ donor’s medical information with another hospital treating the organ recipient.

The Privacy Rule requires that covered health care providers apply reasonable safeguards when making these communications to protect the information from inappropriate use or disclosure. These safeguards may vary depending on the mode of communication used. For example, when faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard may involve a provider first confirming the fax number with the intended recipient. Similarly, a covered entity may pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information. When discussing patient health information orally with another provider in proximity to others, a doctor may be able to reasonably safeguard the information by lowering his or her voice.

Does the Privacy Rule permit state Medicaid agencies to disclose protected health information to pharmaceutical manufacturers and third party data vendors for purposes of validating claims under the Medicaid Drug Rebate program?

Yes. The Privacy Rule permits State Medicaid agencies to disclose protected health information, such as prescription numbers, to pharmaceutical manufacturers and third party data vendors that assist the pharmaceutical manufacturers, for purposes of validating claims submitted under the Medicaid Drug Rebate program. Because the amount of the rebate is based on drug utilization by individual enrollees, such disclosures are permitted as part of a State Medicaid agency’s payment activities. See 45 CFR 164.502(a)(1)(ii) and the definition of “payment” at 45 CFR 164.501.

A business associate agreement is not required to make these disclosures. State Medicaid agencies are required by law to disclose certain information to drug manufacturers as part of the drug rebate program. To the extent that the law requires a disclosure, the minimum necessary standard does not apply. (See 45 CFR 164.512(a) for further information and limitations on disclosures required by law.) To the extent that protected health information is disclosed for payment purposes but not pursuant to a legal requirement, the State Medicaid agency must make reasonable efforts to limit that information to that which is the minimum necessary to adjudicate the rebate claims. See 45 CFR 164.502(b) and 164.514(d) for more information on the minimum necessary standard.

Does the Privacy Rule permit health plans to disclose protected health information to pharmaceutical manufacturers for the adjudication of drug rebate contracts?

Yes. The Privacy Rule permits a health plan to disclose protected health information, such as prescription numbers, to a pharmaceutical manufacturer for purposes of adjudicating claims submitted under a drug rebate contract. Because the amount of the rebate is based on drug utilization by individual enrollees, such disclosures are permitted as part of a covered entity’s payment activities. See 45 CFR 164.502(a)(1)(ii) and the definition of “payment” at 45 CFR 164.501.

A business associate agreement is not required to make these disclosures. However, a health plan must make reasonable efforts to limit the information disclosed to that which is the minimum necessary to adjudicate claims under the contract. See 45 CFR 164.502(b) and 164.514(d) for more information on the minimum necessary standard.

How does the HIPAA Privacy Rule apply to professional liability insurance? Specifically, how can professional liability insurers continue to arrange for and maintain medical liability insurance for health care providers covered by the Rule?

The Privacy Rule permits a covered health care provider to disclose information for “health care operations” purposes, subject to certain requirements. Disclosures by a covered health care provider to a professional liability insurer or a similar entity for the purpose of obtaining or maintaining medical liability coverage or for the purpose of obtaining benefits from such insurance, including the reporting of adverse events, fall within “business management and general administrative activities” under the definition of “health care operations.” Therefore, a covered health care provider may disclose individually identifiable health information to a professional liability insurer to the same extent as the provider is able to disclose such information for other health care operations purposes.

See 45 CFR 164.502(a)(1)(ii) and the definition of “health care operations” at 45 CFR 164.501.

When an ambulance service delivers a patient to a hospital, is it permitted to report its treatment of the patient and the patient’s medical history to the hospital, without the patient’s authorization?

Yes. The HIPAA Privacy Rule permits an ambulance service or other health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider, such as a hospital, for that provider’s treatment of the individual. See 45 CFR 164.506 and the definition of “treatment” at 45 CFR 164.501.

Is a hospital permitted to contact another hospital or health care facility, such as a nursing home, to which a patient will be transferred for continued care, without the patient’s authorization?

Yes. The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment or payment purposes, as well as to another covered entity for certain health care operations of that entity. See 45 CFR 164.506 and the definitions of “treatment,” “payment,” and “health care operations” at 45 CFR 164.501.

Does a physician need a patient’s written authorization to send a copy of the patient’s medical record to a specialist or other health care provider who will treat the patient?

No. The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment of the individual. See 45 CFR 164.506 and the definition of “treatment” at 45 CFR 164.501.

Does the HIPAA Privacy Rule permit an eye doctor to confirm a contact lens prescription received by a mail-order contact lens company?

Yes. The disclosure of protected health information by an eye doctor to a distributor of contact lenses for the purpose of confirming a contact lens prescription is a treatment disclosure, and is permitted under the Privacy Rule at 45 CFR 164.506.

Does the HIPAA Privacy Rule prevent health plans and providers from using debt collection agencies? Does the Privacy Rule conflict with the Fair Debt Collection Practices Act?

The Privacy Rule permits covered entities to continue to use the services of debt collection agencies. Debt collection is recognized as a payment activity within the “payment” definition. See the definition of “payment” at 45 CFR 164.501. Through a business associate arrangement, the covered entity may engage a debt collection agency to perform this function on its behalf. Disclosures to collection agencies are governed by other provisions of the Privacy Rule, such as the business associate and minimum necessary requirements.

The Department is not aware of any conflict between the Privacy Rule and the Fair Debt Collection Practices Act. Where a use or disclosure of protected health information is necessary for the covered entity to fulfill a legal duty, the Privacy Rule would permit such use or disclosure as required by law.

Does the HIPAA Privacy Rule prevent reporting to consumer credit reporting agencies or otherwise create any conflict with the Fair Credit Reporting Act (FCRA)?

No. The Privacy Rule’s definition of “payment” includes disclosures to consumer reporting agencies. These disclosures, however, are limited to the following protected health information about the individual: name and address; date of birth; social security number; payment history; and account number. In addition, disclosure of the name and address of the health care provider or health plan making the report is allowed. The covered entity may perform this payment activity directly, or may carry out this function through a third party, such as a collection agency, under a business associate arrangement.

The Privacy Rule permits uses and disclosures by the covered entity or its business associate as may be required by the Fair Credit Reporting Act (FCRA) or other law. Therefore, the Department does not believe there is a conflict between the Privacy Rule and legal duties imposed on data furnishers by FCRA.

Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill?

Yes. The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made.

Therefore, a covered entity, or its business associate, may contact persons other than the individual as necessary to obtain payment for health care services. See 45 CFR 164.506(c) and the definition of “payment” at 45 CFR 164.501. However, the Privacy Rule requires a covered entity, or its business associate, to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, as well as to abide by any reasonable requests for confidential communications and any agreed-to restrictions on the use or disclosure of protected health information. See 45 CFR 164.502(b), 164.514(d), and 164.522.

May a health care provider disclose protected health information to a health plan for the plan’s Health Plan Employer Data and Information Set (HEDIS)?

Yes, the HIPAA Privacy Rule permits a provider to disclose protected health information to a health plan for the quality-related health care operations of the health plan, provided that the health plan has or had a relationship with the individual who is the subject of the information, and the protected health information requested pertains to the relationship. See 45 CFR 164.506(c)(4). Thus, a provider may disclose protected health information to a health plan for the plan’s Health Plan Employer Data and Information Set (HEDIS) purposes, so long as the period for which information is needed overlaps with the period for which the individual is or was enrolled in the health plan.

What is the difference between “consent” and “authorization” under the HIPAA Privacy Rule?

The Privacy Rule permits, but does not require, a covered entity to voluntarily obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.

By contrast, an “authorization” is required by the Privacy Rule for uses and disclosures of protected health information not otherwise allowed by the Rule. Where the Privacy Rule requires patient authorization, voluntary consent is not sufficient to permit a use or disclosure of protected health information unless it also satisfies the requirements of a valid authorization. An authorization is a detailed document that gives covered entities permission to use protected health information for specified purposes, which are generally other than treatment, payment, or health care operations, or to disclose protected health information to a third party specified by the individual.

An authorization must specify a number of elements, including a description of the protected health information to be used and disclosed, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and, in some cases, the purpose for which the information may be used or disclosed. With limited exceptions, covered entities may not condition treatment or coverage on the individual providing an authorization.

Does the HIPAA Privacy Rule restrict pharmacists from giving advice about over-the-counter medicines to customers?

No. A pharmacist may provide advice to customers about over-the-counter medicines. The Privacy Rule permits a covered entity to disclose protected health information about an individual to the individual. See 45 CFR 164.502(a)(1)(i).

Are health care providers restricted from consulting with other providers about a patient’s condition without the patient’s written authorization?

No. Consulting with another health care provider about a patient is within the HIPAA Privacy Rule’s definition of “treatment” and, therefore, is permissible. In addition, a health care provider (or other covered entity) is expressly permitted to disclose protected health information about an individual to a health care provider for that provider’s treatment of the individual. See 45 CFR 164.506.

Can health care providers, such as a specialist or hospital, to whom a patient is referred for the first time, use protected health information to set up appointments or schedule surgery or other procedures without the patient’s written consent?

Yes. The HIPAA Privacy Rule does not require covered entities to obtain an individual’s consent prior to using or disclosing protected health information about him or her for treatment, payment, or health care operations.

Can a pharmacist use protected health information to fill a prescription that was telephoned in by a patient’s physician without the patient’s written consent if the patient is a new patient to the pharmacy?

Yes. The pharmacist is using the protected health information for treatment purposes, and the HIPAA Privacy Rule does not require covered entities to obtain an individual’s consent prior to using or disclosing protected health information about him or her for treatment, payment, or health care operations.

How does the HIPAA Privacy Rule change the laws concerning consent for treatment?

The Privacy Rule relates to uses and disclosures of protected health information, not to whether a patient consents to the health care itself. As such, the Privacy Rule does not affect informed consent for treatment, which is addressed by State law.

May a covered entity collect, use, and disclose criminal justice data under HIPAA?
  • Does HIPAA permit health care providers who are HIPAA covered entities to collect criminal justice data, such as data on arrests, jail days, and utilization of 911 services, and link the criminal justice data to their health data, for purposes of improving treatment and care coordination?

HIPAA does not limit the types of data that providers may seek or obtain about individual patients for treatment purposes. Treatment includes “the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.” 45 CFR 164.501. Other standards, such as professional ethics rules or state law, may address the scope of health care providers’ independent investigations and data collection pertaining to patients. Once a HIPAA covered provider obtains criminal justice data about an individual for treatment purposes, or otherwise combines the data with its PHI, the data held by the HIPAA covered entity is considered protected health information (PHI) and the HIPAA Rules would apply to protect the data.

  • Is criminal justice data protected health information (PHI) under HIPAA?

In some circumstances, yes. To the extent that criminal justice data is maintained by a HIPAA covered entity or its business associate and relates to the past, present, or future physical or mental health or condition of an individual or the provision of or payment for health care to an individual, it is PHI. For example, when a covered health care provider receives criminal justice data, either directly from the individual or from another source, in order to help inform the treatment and services that the provider will provide to that individual, or otherwise links the criminal justice data with its patient information, it is PHI.

  • Does HIPAA permit health care providers to disclose PHI that includes criminal justice data on individuals to other treating providers without obtaining an authorization from the individuals?

Yes, HIPAA permits a covered health care provider to disclose PHI for treatment purposes to other providers without having to first obtain an authorization from the individuals. This may include the disclosure of PHI for purposes of coordinating an individual’s care with other treatment facilities or emergency medical technicians (EMTs).

  • Does HIPAA permit multiple health care providers who are seeking to collect individuals’ criminal justice data and link it to the individuals’ health data to engage the services of or work with a third-party to do this on their behalf?

Yes. Multiple covered health care providers can contract with a third party to perform data aggregation and linkage services on their behalf, as long as the providers enter into a HIPAA-compliant business associate agreement (BAA) with the third party, and so long as the aggregation is for purposes permitted under HIPAA. (Such third parties are considered to be “business associates” (BAs) under HIPAA and have direct compliance obligations with certain aspects of the HIPAA Rules.) In these cases, the participating providers may enter into one, common business associate agreement with the third party.

The BAA then governs the subsequent uses and disclosures that the BA may make with the data. For example, the BA may be authorized by its BAA to share the PHI on behalf of the participating providers with each other or other providers for treatment purposes, including care coordination, or, subject to certain conditions, for health care operations purposes. For more information on exchanging PHI for treatment or health care operations purposes, please see:

Permitted Uses and Disclosures: Exchange for Treatment

www.healthit.gov/sites/default/files/exchange_treatment.pdf – PDF

Permitted Uses and Disclosures: Exchange for Health Care Operations

https://www.healthit.gov/sites/default/files/exchange_health_care_ops.pdf – PDF

  • Does HIPAA permit a health care provider to share the PHI of an individual that may include criminal justice data with a law enforcement official who has the individual in custody and is looking to ensure the individual is seen by the proper treatment facility?

A covered entity is permitted to disclose PHI in response to a request by a law enforcement official having lawful custody of an individual if the official represents that such PHI is needed to provide health care to the individual or for the health and safety of the individual. For more information on permitted disclosures to law enforcement under HIPAA, see OCR’s guidance on sharing protected health information with law enforcement:

http://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html

http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/final_hipaa_guide_law_enforcement.pdf – PDF

While HIPAA permits the disclosure of protected health information to law enforcement in these defined circumstances, other Federal and State laws may impose greater restrictions on the release of certain information, such as substance use disorder information, to law enforcement.

  • Does HIPAA permit health care providers to disclose PHI that includes criminal justice data to other public or private-sector entities providing social services (such as housing, income support, job training)?

In specified circumstances, yes. For example:

  • A covered entity may disclose PHI for treatment of the individual without having to obtain the authorization of the individual. Treatment includes the coordination of health care or related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party. Thus, health care providers who believe that disclosures to certain social service entities are a necessary component of or may help further the individual’s health care may disclose the minimum necessary PHI to such entities for treatment purposes without the individual’s authorization. For example, a provider may disclose PHI about a patient needing health care supportive housing to a service agency that arranges such services for individuals.
  • A covered entity may also disclose PHI to such entities with an authorization signed by the individual. HIPAA permits authorizations that refer to a class of persons who may receive or use the PHI. Thus, providers could in one authorization identify a broad range of social services entities that may receive the PHI if the individual agrees. For example, an authorization could indicate that PHI will be disclosed to “social services providers” for purposes of “housing, public benefits, counseling, and job readiness.”


  • Does HIPAA restrict the ability of law enforcement officials to use or disclose data they maintain on health or mental health indicators to help inform incident response (e.g., to ensure officers are prepared to stabilize individuals and/or to support diversion)?

In general, no. Most state and local police or other law enforcement agencies are not covered by HIPAA and thus are not subject to HIPAA’s use and disclosure rules. HIPAA, however, does apply to the disclosure of health information by most health care providers to law enforcement. For more information, see OCR’s HIPAA Guide for Law Enforcement at:

http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/special/emergency/final_hipaa_guide_law_enforcement.pdf – PDF

While HIPAA does not generally apply to use or disclosure of the data by law enforcement officials, other Federal and State laws may apply.

  • In the context of pre-arrest diversion, when does HIPAA permit a health care provider to share PHI with a law enforcement official without an individual’s authorization?

Calls for service dealing with attempted suicide or a mental health complaint. Sometimes a family will call 911 for law enforcement response for a family member in a mental health crisis. Other times, a business owner or a bystander calls to report unusual behavior (which often is an individual in crisis) and responding officers would benefit from knowing if the individual has a mental health condition. This type of information may enable officers to employ crisis intervention and de-escalation techniques that could reduce the likelihood of injury to both officers and individuals in a mental health crisis.

  • HIPAA permits a health care provider to share PHI with law enforcement, in conformance with other applicable laws and ethics rules, in order to “prevent or lessen a serious and imminent threat to the health or safety of an individual or the public.” 45 CFR 164.512(j). For example, if an individual makes a credible threat to inflict serious and imminent bodily harm, such as threatening to commit suicide, a provider may share with law enforcement the information needed to intervene. The provider may rely on a credible representation from a person with apparent knowledge of the situation or authority, such as a law enforcement official, when determining that the disclosure permission applies. See: http://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html.

Other general calls: An officer is trying to determine whether an individual has a mental illness, substance abuse problem, or both, and needs to gain information about his or her condition in order to decide whether jail, emergency room, or some other program is needed.

If the individual is in lawful custody, a health care provider may disclose PHI to law enforcement pursuant to 45 CFR 164.512(k)(5) if the official represents that the information is needed to provide health care to the individual or to provide for the individual’s health and safety or the health and safety of the officers.

If the individual is not in lawful custody (see 45 CFR 164.512(k)(5)), nor is a threat to self or others (see 45 CFR 164.512(j)), these provisions would not apply and the provider would need to obtain an authorization from the individual before disclosing PHI to law enforcement, unless another HIPAA provision applies (e.g., escaped inmate, apprehension of an admitted perpetrator of violent crime, etc.). See http://www.hhs.gov/hipaa/for-professionals/faq/505/what-does-the-privacy-rule-allow-covered-entities-to-disclose-to-law-enforcement-officials/index.html for additional provisions that may apply depending on the particular situation.

We note that substance use disorder treatment information may be subject to additional protections under 42 CFR part 2.

  • When is an individual, other than an inmate, considered to be within the “lawful custody” of law enforcement for purposes of 45 CFR 164.512(k)(5) of the HIPAA Privacy Rule? Is “lawful custody” limited to arrest and imminent arrest or does it apply to situations where an individual may be under the care or control of an officer, but not under arrest?

For purposes of the scope of permitted disclosures of PHI to law enforcement in custodial situations under 45 CFR 164.512(k)(5), HIPAA does not define the precise boundaries of “other persons in lawful custody.” As defined in HIPAA at 45 CFR 164.501, the term includes, but is not limited to: juvenile offenders adjudicated delinquent, non-citizens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial. In addition to these defined situations, lawful custody also includes those situations where an individual is under the care or control of an officer. This includes instances where an individual has been arrested, as well as situations where the individual has been detained by law enforcement and is not free to go, but is not under formal arrest. For example, this would include situations when an officer has detained an individual and seeks to determine whether diversion is appropriate. Lawful custody does not encompass pretrial release, probation, or parole.

  • Does HIPAA restrict a covered entity’s disclosure of PHI for treatment purposes to only those health care providers that are themselves covered by HIPAA?

No. A covered entity is permitted to disclose PHI for treatment purposes to any health care provider, including those that are not covered by HIPAA. In addition, HIPAA permits a covered health care provider to disclose PHI for the treatment of an individual to a third party, such as a social service agency, that is involved in the coordination or management of health care of that individual.

How can I distinguish between activities for treatment or health care operations versus marketing activities?

The overlap among common usages of the terms “treatment,” “health care operations,” and “marketing” is unavoidable. For instance, in recommending treatments, providers and health plans sometimes advise patients to purchase goods and services. Similarly, when a health plan explains to its members the benefits it provides, it too is encouraging the use or purchase of goods and services.

The HIPAA Privacy Rule defines these terms specifically, so they can be distinguished. For example, the Privacy Rule excludes treatment communications and certain health care operations activities from the definition of “marketing.” If a communication falls under one of the definition’s exceptions, the marketing rules do not apply. In these cases, covered entities may engage in the activity without first obtaining an authorization. See the fact sheet on this web site about marketing, as well as the definition of “marketing” at 45 CFR 164.501, for more information.

However, if a health care operation communication does not fall within one of these specific exceptions to the marketing definition, and the communication falls under the definition of “marketing,” the Privacy Rule’s provisions restricting the use or disclosure of protected health information for marketing purposes will apply. For these marketing communications, the individual’s authorization is required before a covered entity may use or disclose protected health information.

May a covered entity that is a plaintiff or defendant in a legal proceeding use or disclose protected health information for the litigation?

Yes. Where a covered entity is a party to a legal proceeding, such as a plaintiff or defendant, the covered entity may use or disclose protected health information for purposes of the litigation as part of its health care operations. The definition of “health care operations” at 45 CFR 164.501 includes a covered entity’s activities of conducting or arranging for legal services to the extent such activities are related to the covered entity’s covered functions (i.e., those functions that make the entity a health plan, health care provider, or health care clearinghouse). Thus, for example, a covered entity that is a defendant in a malpractice action, or a plaintiff in a suit to obtain payment, may use or disclose protected health information for such litigation as part of its health care operations.

The covered entity, however, must make reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose. See 45 CFR 164.502(b), 164.514(d). In most cases, the covered entity will share protected health information for litigation purposes with its lawyer, who is either a workforce member or a business associate. In these cases, the Privacy Rule permits a covered entity to reasonably rely on the representations of a lawyer who is a business associate or workforce member that the information requested is the minimum necessary for the stated purpose. See 45 CFR 164.514(d)(3)(iii)(C). A covered entity’s minimum necessary policies and procedures may provide for such reasonable reliance on the lawyer’s requests for protected health information needed in the course of providing legal services to the covered entity.

In disclosing protected health information for litigation purposes, the lawyer who is a workforce member of the covered entity must make reasonable efforts to limit the protected health information disclosed to the minimum necessary for the purpose of the disclosure. Similarly, a lawyer who is a business associate must apply the minimum necessary standard to its disclosures, as the business associate contract may not authorize the business associate to further use or disclose protected health information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. Depending on the circumstances, this could involve de-identifying the information or stripping direct identifiers from the information to protect the privacy of individuals, and may in some cases limit disclosures more significantly than would be required to meet a “relevance” standard. Further, whether as workforce members or business associates, lawyers may consider availing themselves of the protections routinely afforded to similarly confidential information within the litigation forum, such as protective orders on the use of the information in public portions of the proceedings.

May mental health practitioners or other specialists provide therapy to patients in a group setting where other patients and family members are present?

Yes. Disclosures of protected health information in a group therapy setting are treatment disclosures and, thus, may be made without an individual’s authorization. Furthermore, the HIPAA Privacy Rule generally permits a covered entity to disclose protected health information to a family member or other person involved in the individual’s care. Where the individual is present during the disclosure, the covered entity may disclose protected health information if it is reasonable to infer from the circumstances that the individual does not object to the disclosure. Absent countervailing circumstances, the individual’s agreement to participate in group therapy or family discussions is a good basis for inferring the individual’s agreement.

Is a health information organization (HIO) covered by the HIPAA Privacy Rule?

Generally, no. The HIPAA Privacy Rule applies to health plans, health care clearinghouses, and health care providers that conduct covered transactions. The functions a HIO typically performs do not make it a health plan, health care clearinghouse, or covered health care provider. Thus, a HIO is generally not a HIPAA covered entity. However, a HIO that performs certain functions or activities on behalf of, or provides certain services to, a covered entity which require access to PHI would be a business associate under the Privacy Rule. See 45 CFR § 160.103 (definition of “business associate”). HIPAA covered entities must enter into contracts or other agreements with their business associates that require the business associates to safeguard and appropriately protect the privacy of protected health information. See 45 CFR §§ 164.502(e), 164.504(e). (See also the relevant business associate requirements in the HIPAA Security Rule at 45 CFR §§ 164.308(b), 164.314(a).) For instance, a HIO that manages the exchange of PHI through a network on behalf of multiple covered health care providers is a business associate of the covered providers, and thus, one or more business associate agreements would need to be in place between the covered providers and the HIO.

Does the HIPAA Privacy Rule limit what a doctor can do with a family medical history?

Yes, if the doctor is a “covered entity” under the HIPAA Privacy Rule. A doctor who conducts certain financial and administrative transactions electronically, such as electronically billing Medicare or other payers for health care services, is considered a covered health care provider. The HIPAA Privacy Rule limits how a covered health care provider may use or disclose protected health information. The HIPAA Privacy Rule allows a covered health care provider to use or disclose protected health information (other than psychotherapy notes), including family history information, for treatment, payment, and health care operations purposes without obtaining the individual’s written authorization or other agreement. The HIPAA Privacy Rule also generally allows covered entities to disclose protected health information without obtaining the individual’s written authorization or other agreement for certain purposes that benefit the public, for example, circumstances that involve public health research or health oversight activities.

When a covered health care provider, in the course of treating an individual, collects or otherwise obtains an individual’s family medical history, this information becomes part of the individual’s medical record and is treated as “protected health information” about the individual. Thus, the individual (and not the family members included in the medical history) may exercise the rights under the HIPAA Privacy Rule to this information in the same fashion as any other information in the medical record, including the right of access, amendment, and the ability to authorize disclosure to others.

Under the HIPAA Privacy Rule, may a health care provider disclose protected health information about an individual to another provider, when such information is requested for the treatment of a family member of the individual?

Yes. The HIPAA Privacy Rule permits a covered health care provider to use or disclose protected health information for treatment purposes. While in most cases the treatment will be provided to the individual, the HIPAA Privacy Rule does allow the information to be used or disclosed for the treatment of others. Thus, the Rule does permit a doctor to disclose protected health information about a patient to another health care provider for the purpose of treating another patient (e.g., to assist the other health care provider with treating a family member of the doctor’s patient). For example, an individual’s doctor can provide information to the doctor of the individual’s family member about the individual’s adverse reactions to anesthetics prior to the family member undergoing surgery. These uses and disclosures are permitted without the individual’s written authorization or other agreement, with the exception of disclosures of psychotherapy notes, which require the written authorization of the individual.

However, the HIPAA Privacy Rule permits but does not require a covered health care provider to disclose the requested protected health information. Thus, the doctor with the protected health information may decline to share the information even if the Rule would allow it. The HIPAA Privacy Rule may also impose other limitations on these disclosures. Under 45 CFR § 164.522, individuals have the right to request additional restrictions on the use or disclosure of protected health information for treatment, payment, or health care operations purposes. If the health care provider has agreed to the requested restriction, then the doctor is bound by that agreement and (except in emergency treatment situations) would not be permitted to share the information. However, the health care provider maintaining the records does not have to agree to the requested restriction. For example, an individual who has obtained a genetic test may request that the health care provider not use or disclose the test results. If the health care provider agrees to the restriction, the information could not be shared with providers treating other family members who are seeking to identify their own genetic health risks.

Can a patient have a friend or family member pick up a prescription for her?

Yes. A pharmacist may use professional judgment and experience with common practice to make reasonable inferences of the patient’s best interest in allowing a person other than the patient to pick up a prescription. See 45 CFR 164.510(b). For example, the fact that a relative or friend arrives at a pharmacy and asks to pick up a specific prescription for an individual effectively verifies that he or she is involved in the individual’s care, and the HIPAA Privacy Rule allows the pharmacist to give the filled prescription to the relative or friend. The individual does not need to provide the pharmacist with the names of such persons in advance.

Are location information services of collection agencies, which are required under the Fair Debt Collection Practices Act, permitted under the HIPAA Privacy Rule?

“Payment” is broadly defined as activities by health plans or health care providers to obtain premiums or obtain or provide reimbursements for the provision of health care. The activities specified are by way of example and are not intended to be an exclusive listing. Billing, claims management, collection activities and related data processing are expressly included in the definition of “payment.” See the definition of “payment” at 45 CFR 164.501.

Obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable, and, therefore, would constitute a payment activity. See 45 CFR 164.501. The covered entity and its business associate would also have to comply with any limitations placed on location information services by the Fair Debt Collection Practices Act (Federal Trade Commission).

Must a covered health care provider obtain an individual’s authorization to use or disclose protected health information to an interpreter?

No. When a covered health care provider uses an interpreter to communicate with an individual, the individual’s authorization is not required, provided the provider meets the conditions below. Covered entities may use and disclose protected health information for treatment, payment and health care operations without an individual’s authorization. See 45 CFR 164.506(c). A covered health care provider might use interpreter services to communicate with patients who speak a language other than English or who are deaf or hard of hearing, and the provision of interpreter services usually will be a health care operations function of the covered entity as defined at 45 CFR 164.501.

When using interpreter services, a covered entity may use and disclose protected health information regarding an individual without an individual’s authorization as a health care operation, in accordance with the Privacy Rule, in the following ways:

  • When the interpreter is a member of the covered entity’s workforce (i.e., a bilingual employee, a contract interpreter on staff, or a volunteer) as defined at 45 CFR 160.103;
  • When a covered entity engages the services of a person or entity who is not a workforce member to perform interpreter services on its behalf, as a business associate, as defined at 45 CFR 160.103. A covered entity may disclose protected health information as necessary for the business associate to provide interpreter services on the covered entity’s behalf, subject to certain written satisfactory assurances set forth in 45 CFR 164.504(e). For instance, many providers, including those that are recipients of federal financial assistance and are required under Title VI of the Civil Rights Act of 1964 to take reasonable steps to provide meaningful access to persons with limited English proficiency, will have contractual arrangements with private commercial companies, community-based organizations, or telephone interpreter service lines to provide such language services. If a covered entity has an ongoing contractual relationship with an interpreter service, that service arrangement should comply with the Privacy Rule business associate agreement requirements.

In addition, a covered health care provider may, without the individual’s authorization, use or disclose protected health information to the patient’s family member, close friend, or any other person identified by the individual as his or her interpreter for a particular healthcare encounter. In these situations, that interpreter is not a business associate of the health care provider. As with other disclosures to family members, friends or other persons identified by an individual as involved in his or her care, when the individual is present, the covered entity may obtain the individual’s agreement or reasonably infer, based on the exercise of professional judgment, that the individual does not object to the disclosure of protected health information to the interpreter. 45 CFR 164.510(b)(2).

For example, if a covered health care provider encounters a patient who speaks a language for which the provider has no employee, volunteer member of the workforce or contractor who can competently interpret, but then is able to identify a telephone interpreter service to communicate with the patient, the provider may contact the telephone interpreter service and identify the language used by the patient, so that the interpreter may explain to the patient that the interpreter is available to assist the patient in communicating with the provider. If the provider reasonably concludes that the patient has chosen to be assisted by the interpreter, and, by the patient’s willingness to continue the health care encounter using the interpreter, reasonably infers that the individual does not object to the disclosure, protected health information may be disclosed in accordance with 45 CFR 164.510(b) without a business associate contract.

Organizations that are subject to both HIPAA and Title VI must comply with the requirements of both laws, though not all HIPAA covered entities are recipients of federal financial assistance and thus, required to comply with Title VI; and not all recipients of federal financial assistance are also HIPAA covered entities, subject to the Privacy Rule. For information about the obligation of recipients of federal financial assistance to take reasonable steps to provide meaningful access to persons who are limited English proficient, see Guidance to Federal Financial Assistance Recipients Regarding Title VI Prohibition Against National Origin Discrimination Affecting Limited English Proficient Persons. This guidance includes information for recipients of federal financial assistance about important considerations for determining the competency of interpreters, such as their understanding of applicable confidentiality requirements, that should be taken into account when using interpreters arranged by the provider or when individuals elect to use friends, family or others as interpreters. HIPAA covered entities may also be required to comply with the Americans with Disabilities Act and/or Section 504 of the Rehabilitation Act of 1973, both of which have requirements for the provision of sign language and oral interpreters for people who are deaf or hard of hearing.

When may a covered health care provider disclose protected health information, without an authorization or business associate agreement, to a medical device company representative?

In general, and as explained below, the Privacy Rule permits a covered health care provider (covered provider), without the individual’s written authorization, to disclose protected health information to a medical device company representative (medical device company) for the covered provider’s own treatment, payment, or health care operation purposes (45 CFR 164.506(c)(1)), or for the treatment or payment purposes of a medical device company that is also a health care provider (45 CFR 164.506(c)(2), (3)). Additionally, the public health provisions of the Privacy Rule permit a covered provider to make disclosures, without an authorization, to a medical device company or other person that is subject to the jurisdiction of the Food and Drug Administration (FDA) for activities related to the quality, safety, or effectiveness of an FDA-regulated product or activity for which the person has responsibility. See 45 CFR 164.512(b)(1)(iii) and the frequently asked questions on public health disclosures for more information.

In certain situations, a covered health care provider may disclose protected health information to a medical device company without an individual’s written authorization only if the medical device company is a health care provider as defined by the Rule. A medical device company meets the Privacy Rule’s definition of “health care provider” if it furnishes, bills, or is paid for “health care” in the normal course of business. “Health care” under the Rule means care, services or supplies related to the health of an individual. Thus, a device manufacturer is a health care provider under the Privacy Rule if it needs protected health information to counsel a surgeon on or determine the appropriate size or type of prosthesis for the surgeon to use during a patient’s surgery, or otherwise assists the doctor in adjusting a device for a particular patient. Similarly, when a device company needs protected health information to provide support and guidance to a patient, or to a doctor with respect to a particular patient, regarding the proper use or insertion of the device, it is providing “health care” and, therefore, is a health care provider when engaged in these services. See 65 FR 82569. By contrast, a medical device company is not providing “health care” if it simply sells its appropriately labeled products to another entity for that entity to use or dispense to individuals.

The following are some examples of circumstances in which a covered provider may share protected health information with a medical device company, without the individual’s authorization:

  • A covered provider may disclose protected health information needed for an orthopaedic device manufacturer or its representative to determine and deliver the appropriate range of sizes of a prosthesis for the surgeon to use during a particular patient’s surgery. (This would be a treatment disclosure to the device company as a health care provider. Exchanges of protected health information between health care providers for treatment of the individual are not subject to the minimum necessary standards. 45 CFR 164.502(b).)
  • The device manufacturer or its representative may be present in the operating room, as requested by the surgeon, to provide support and guidance regarding the appropriate use, implantation, calibration or adjustment of a medical device for that particular patient. (This would be treatment by the device company as a health care provider. As noted in the prior example, treatment disclosures between health care providers are not subject to the minimum necessary standards.)
  • A covered provider may allow a representative of a medical device manufacturer to view protected health information, such as films or patient records, to provide consultation, advice or assistance where the provider, in her professional judgment, believes that this will assist with a particular patient’s treatment. (This would also be a treatment disclosure and minimum necessary would not apply.)
  • A covered provider may share protected health information with a medical device company as necessary for the device company to receive payment for the health care it provides. (This would be a disclosure for payment of a health care provider and subject to minimum necessary standards.)
  • A covered provider may disclose protected health information to a medical device manufacturer that is subject to FDA jurisdiction to report an adverse event, to track an FDA-regulated product, or other purposes related to the quality, safety, or effectiveness of the FDA-regulated product. (This would be a public health disclosure and subject to minimum necessary standards.)

A business associate agreement would not usually be required for the disclosures noted above. For example, a business associate agreement would not be needed for disclosures between health care providers for the treatment of the individual (45 CFR 164.502(e)(1)(ii)(A)). Likewise, a medical device company would not be a business associate of a covered provider with respect to public health disclosures to a device company that is subject to FDA jurisdiction or disclosures to a device company as a health care provider for that company’s payment purposes, as in neither case is the device company performing a function or activity on behalf of, nor providing a specified service to, the covered provider. See 45 CFR 160.103. In other circumstances, however, a business associate agreement may be required even if the disclosure were permitted without an authorization. For example, a business associate agreement would be required if a covered entity asked the medical device company to provide an estimate of the cost savings it might expect from the use of a particular medical device; and to do so, the device company needed access to the covered entity’s protected health information. In this case, the medical device company is performing a health care operations function (business planning and development) on behalf of the covered provider, which requires a business associate agreement even though the disclosure is permitted without an authorization.

Does the HIPAA Privacy Rule require a business associate to create a notice of privacy practices?

No. However, a covered entity must ensure through its contract with the business associate that the business associate’s uses and disclosures of protected health information and other actions are consistent with the covered entity’s privacy policies, as stated in the covered entity’s notice. Also, a covered entity may use a business associate to distribute its notice to individuals.

Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization?

Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization. This includes sharing the information to consult with other providers, including providers who are not covered entities, to treat a different patient, or to refer the patient. See 45 CFR 164.506.
