When can a patient authorize or restrict the use of their PHI?
Peggy is working in Dr. Smith’s office when she receives a
request for the disclosure of a patient’s PHI (protected health information).
The request is being made by Worker’s Compensation, but she does not have a
prior written authorization from the patient authorizing the disclosure of
their PHI to Worker’s Compensation. In this situation, Peggy would not need
prior authorization from the patient to disclose PHI to Worker’s Compensation. The Privacy Rule permits covered entities
to disclose PHI to workers’ compensation insurers, state administrators,
employers, and other persons or entities involved in workers’ compensation
systems, without the individual’s authorization. A covered entity must
still follow the minimum necessary standard in these situations.
So how do you
know when you may disclose PHI without prior written authorization and when you
need prior written authorization?
The HIPAA Privacy Rule requires patient authorization for
non-TPO (treatment, payment, and healthcare operations) uses and disclosures of
PHI. An authorization is a customized document that gives covered entities
permission to use specified PHI for specified purposes, which are generally
other than TPO, or to disclose PHI to a third party specified by the
individual.
There are occasions when a covered entity may disclose
patient PHI without their prior approval:
- Any disclosure made for TPO reasons
- Domestic violence, abuse, or neglect, as well as cases of child abuse or neglect
- Court order or subpoena
- Use or disclosure for public health reasons to the proper authorities
- Use or disclosure required by law to law enforcement for criminal investigation
- Use or disclosure required by law to report cases of suspicious deaths or suspected crime victims
It is also written into the HIPAA Privacy Rule that a
patient may restrict the use and disclosure of their PHI. Healthcare providers
must permit this request but do not have to agree with the requested
restriction. If the healthcare provider does agree to a restriction, it may
cause some obvious undesirable outcomes. Such problems include, but are not
limited to, problems with treating a patient, billing the patient’s insurance,
and other challenges. All written PHI restriction requests should be documented
and kept on file.
When it comes to disclosing a patient’s PHI, there are
variables that factor into that decision. It is important that all employees in
your office have an understanding of this vital HIPAA Privacy Rule policy.
For more information on this and other related topics, including
HIPAA, HR, OSHA, and Medicare, please email support@hcsiinc.com
or visit our web site at http://www.hcsiinc.com