HIPAA has specific guidelines on who you can share patient information with.
Permitted Disclosure With Consent
Medical providers are permitted to share PHI with anyone the patient authorizes. You should have documentation in the patient’s chart on who the patient authorizes you to share their information with. Patients have the right to stipulate what extent of information you share with the individual(s), the time frame you are permitted to share their information, and they can revoke this authorization at any time. Keep that documentation up to date so that everyone in your office can refer back to this when there is a request for patient information. If they are not on the list, you may not share information with them unless (1) they have a signed letter/form from the patient or (2) if they have the power of attorney.
You are permitted to disclose patient information with clinical registries. Patients have a right to ask you not to share their information with registries. States may require disclosure of patient information for prescription drug registries. See below on required disclosures for more information.
Permitted Disclosure Without Consent
Medical providers are permitted to share patient information without the patient’s consent in a few cases.
You are allowed to share patient information with other providers that are involved with the treatment of the patient. You are not required to share information. Before you share patient information, verify that who you are sharing the information with is part of their care team. Patients have the right to tell you that you may not share information with other members of their care team. Create an office policy as to whether you automatically respond to requests from members of the care team or if you will reach out to patients for permission before sharing information. You should also verify that your state laws allow you to share information in these cases without patient consent.
You are allowed to share patient information with health plans. Part of the form you should have patients sign before beginning care is granting you permission to share their information with their health plan. If the patient’s insurance company audits you for claims, you are permitted to share claims and documentation. However, if a patient pays for services without utilizing their insurance company (even if all fees go towards co-payments, co-insurance or deductibles) and requests that you not share the claim to the insurance company, you are not permitted to share the records for those visits. This is a rare occurrence.
Cost of Improper Patient Disclosure
If you disclose patient information without consent, the patient’s right to privacy has been violated. St. Joseph’s Medical Center paid $80,000 to OCR after photos and information about the facility’s patients were shared without the patients consent. $853,000 was awarded to a patient when her PHI was shared with an ex-boyfriend (Byrne v. Avery Center for Obstetrics & Gynecology, P.C.).
Required Disclosures
You are required to share patient information with the patient. This is stipulated under the Right of Access Rule (https://tldsystems.com/understanding-hipaa-right-access-rule).
You are required to share patient information with anyone the patient directs you to share information with. Get all patient directed disclosures in writing for your records to prevent the patient from later claiming that they did not give you authorization.
You are required to share patient information when you receive a subpoena except in the case of prosecution related to reproductive healthcare. If your records include details on reproductive health, you should get an attestation that the information will not be used for investigating or prosecuting an individual for receiving lawful reproductive health care. It is always advisable to consult with your healthcare attorney to ensure that you are following federal and state regulations related to the privacy of patient records.
States may require that you share information with the state prescription drug registry. If your state has a narcotic prescription drug registry, then it is likely that your state requires you to check the registry to make sure that the patient has not received the same prescription from another doctor. This is intended to fight the opioid epidemic. When a patient receives a prescription for narcotics, the prescription needs to be reported to the state prescription registry. Typically, the reporting is done by the pharmacy, but your state may also require you to report it. Check with a healthcare attorney in your state to find your regulations. Or you can go to your state’s prescription drug registry website.
Read Comments