When Is Protected Health Information Not Protected?

More than anything else, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule is meant to protect patients from unnecessary disclosures of their protected health information (PHI). However, in some circumstances disclosure of PHI is required by law.

These types of disclosures deal with circumstances involving a public policy concern that competes with patients' need for confidentiality of their medical information. Generally, these disclosures touch upon the community's need for order and safety.

First, a quick reminder of just what is considered PHI: Protected health information is individually identifiable health information held by any physician, other health care provider, or payer that is transmitted or maintained in any medium (including oral transmission). The information covered includes any record or information relating to the past, present, or future health, condition, care, or payment of a patient, and extends to PHI that may be contained in paper records, electronic databases, or records and any other patient-specific data in a physician's office.

HIPAA regulations permit disclosures for the following:

  • Public health activities, such as those involving disease control, product recalls, or work-related illnesses;
  • Suspected abuse, neglect, or domestic violence;
  • Health oversight activities of the health care system, government benefit programs, or civil rights law;
  • Judicial or administrative proceedings in response to a court order or subpoena;
  • Law enforcement purposes when the PHI is relevant and material to a criminal investigation;
  • Deceased patients (to coroners, medical examiners, or funeral directors);
  • Organ donation;
  • Research, provided numerous requirements are met; and
  • Governmental functions such as national security or intelligence activities.

For more valuable information, go to TMA's HIPAA Resource Center.

TMA Practice E-tips main page  

Last Updated On

October 06, 2021

Originally Published On

March 23, 2010

Related Content

HIPAA | Risk Management