Friday, October 2, 2015

HIPAA and Patient Authorizations

When can a patient authorize or restrict the use of their PHI?

Peggy is working in Dr. Smith’s office when she receives a request for the disclosure of a patient’s PHI (protected health information). The request is being made by Worker’s Compensation, but she does not have a prior written authorization from the patient authorizing the disclosure of their PHI to Worker’s Compensation. In this situation, Peggy would not need prior authorization from the patient to disclose PHI to Worker’s Compensation. The Privacy Rule permits covered entities to disclose PHI to workers’ compensation insurers, state administrators, employers, and other persons or entities involved in workers’ compensation systems, without the individual’s authorization. A covered entity must still follow the minimum necessary standard in these situations.

So how do you know when to disclose PHI without prior written authorization and when do you need prior written authorization?

The HIPAA Privacy Rule requires patient authorization for non-TPO (treatment, payment, and healthcare operations) uses and disclosures of PHI. An authorization is a customized document that gives covered entities permission to use specified PHI for specified purposes, which are generally other than TPO, or to disclose PHI to a third party specified by the individual.

There are occasions when a covered entity may disclose patient PHI without their prior approval:

  • Any disclosure made for TPO reasons
  • Domestic violence, abuse, or neglect, as well as cases of child abuse or neglect
  • Court order or subpoena
  • Use or disclosure for public health reasons to the proper authorities
  • Use or disclosure required by law to law enforcement for criminal investigation
  • Use or disclosure required by law to report cases of suspicious deaths or suspected crime victims

It is also written into the HIPAA Privacy Rule that a patient may restrict the use and disclosure of their PHI. Healthcare providers must permit this request but do not have to agree with the requested restriction. If the healthcare provider does agree to a restriction, it may cause some obvious undesirable outcomes. Such problems include, but are not limited to, problems with treating a patient, billing the patient’s insurance, and other challenges. All written PHI restriction requests should be documented and kept on file.

When it comes to disclosing a patients PHI, there are variables that factor into that decision. It is important that all employees in your office have an understanding of this vital HIPAA Privacy Rule policy.

For more information on this and other related topics, including HIPAA, HR, OSHA, and Medicare, please email or visit our web site at