More than anything else, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule is meant to protect patients from unnecessary disclosures of their protected health information (PHI). However, in some circumstances disclosure of PHI is required by law.
These types of disclosures deal with circumstances involving a public policy concern that competes with patients' need for confidentiality of their medical information. Generally, these disclosures touch upon the community's need for order and safety.
First, a quick reminder of just what is considered PHI: Protected health information is individually identifiable health information held by any physician, other health care provider, or payer that is transmitted or maintained in any medium (including oral transmission). The information covered includes any record or information relating to the past, present, or future health, condition, care, or payment of a patient, and extends to PHI that may be contained in paper records, electronic databases, or records and any other patient-specific data in a physician's office.
HIPAA regulations permit disclosures for the following:
- Public health activities, such as those involving disease control, product recalls, or work-related illnesses;
- Suspected abuse, neglect, or domestic violence;
- Health oversight activities of the health care system, government benefit programs, or civil rights law;
- Judicial or administrative proceedings in response to a court order or subpoena;
- Law enforcement purposes when the PHI is relevant and material to a criminal investigation;
- Deceased patients (to coroners, medical examiners, or funeral directors);
- Organ donation;
- Research, provided numerous requirements are met; and
- Governmental functions such as national security or intelligence activities.
For more valuable information, go to TMA's HIPAA Resource Center.
Content Reviewed: 3/2/07
TMA Practice E-tips main page