Understanding Use and Disclosure Guidelines

To apply the Use and Disclosure Guidelines, we need to understand when we can disclose PHI and when we are required to obtain an authorization from the individual. One objective of HIPAA is to allow healthcare information to flow more easily in electronic form while still protecting your patient’s health and personal information from security threats or breaches.

Let’s review the use and disclosure guidelines. Under the HIPAA Privacy Rule, we may use and disclose PHI without the patient’s written authorization for the purposes of treatment, payment, and healthcare operations.

Treatment is the provision, coordination, and/or management of a patient’s condition through diagnostic testing, referral for services in another specialty, and consultations between providers.

Payment refers to the activities of reimbursement for services, communication with insurers, or others involved in the reimbursement process. This area also includes eligibility verification, billing, and collection.

Healthcare Operations pertains to all of the other areas, including quality assurance activities, residency in medical school programs, audit programs for compliance, training programs for Allied Health, and business planning and development, to name just a few.

There are other situations in which information may be used or disclosed without the patient’s authorization. Some of these include workers’ compensation, law enforcement, victims of abuse, health oversight activities, and public health activities as well.

Under the HIPAA Privacy Rule, organizations must obtain the patient’s signature for any use or disclosure outside of treatment, payment, and healthcare operations unless it is specifically identified as an area of exception.

Specific authorizations from the patient are required for disclosure of psychotherapy notes, marketing, fundraising, and research.

The HIPAA Privacy Rule is not intended to prohibit the patient’s treatment team from talking to each other and/or to their patients directly. Of course, others outside the treatment team may be present during these discussions. Even when we try to avoid sharing patient information with those not involved, it is possible that minor amounts of patient information might be disclosed to people near where patient care is being delivered or coordinated. This is referred to as an Incidental Disclosure. Privacy principles do not prohibit an incidental disclosure of patient information, as long as reasonable safeguards are taken to minimize this disclosure. What is reasonable depends on the situation. Reasonable safeguards for preventing incidental disclosures could include:

  • Keeping patient information to a minimum on your end of a phone call (for example, while talking with a patient over the phone at a front desk). Ask your patient questions that let them identify themselves, only repeating personal information back to verify.
  • Reducing unnecessary incidental disclosures during your check-in process by eliminating paper, communicating in a low voice, and asking for identification.
  • Not discussing patient information in public areas.
  • Keeping voices low when discussing any patient issues amongst your team, and also considering screen filters or positioning workstations away from the patient.

Minimum Necessary and Need to Know:

When it comes to disclosing patient information, you must disclose only the minimum information that is deemed necessary in providing care. The PHI you need to do your job is called Minimum Necessary. It is information you need to know to do your job. Despite safeguards and controls to minimize access, we know that PHI surrounds us. If you come in contact with a patient’s PHI, but your job does not require it, you should not discuss or use this information.

Implementing the Minimum Necessary Standard:

  • Determine which information is needed for different roles and responsibilities.
  • Make sure employees receive training on the types of information they are permitted to access and share with or without an authorization.
  • Set up alerts and notify the compliance team or offices of unauthorized attempts to access PHI.
  • Document any actions taken in response to cases of unauthorized access, or of anyone accessing information that is not necessary.

williamsgroup