When May We Disclose PHI to Others?
Question: I am a physician who lives in a popular vacation destination area, so some of my patients are from out of town. Recently, a friend of one of my out of town patients came with her to a visit and asked questions about the treatment. There is no written authorization for this person to receive protected health information. Will I violate HIPAA if I answer a friend’s questions without written permission from the patient?
Answer: No, as long as it’s clear to you that the patient wants you to disclose information to the friend. The fundamental rule about disclosing a patient’s protected health information (PHI) is that the patient decides. If you are unsure about the patient’s wishes, ask them. You do NOT need to get written permission. You should document that you asked them, and put it in your clinical notes that the patient told you it was ok to speak to the friend.
Be sure to remember the minimum necessary standard. This simply means to disclose only the minimum amount of information necessary for the specific situation.
Question: I manage an office for a general surgery practice. I received a call from a nearby yoga center where one of our patients is taking classes to help her recover. The yoga center is asking for protected health information about our patient to help them make decisions about the best yoga therapy for her. May I disclose information about our patient to the yoga center without the patient’s consent?
Answer: If the yoga center is a covered entity, you may give them protected health information without the patient’s authorization if it’s for the purpose of treatment. Remember a covered entity is a health care provider, health plan or health care clearinghouse; and in the case of providers, is one that transmits health information in electronic form in connection with a HIPAA transaction – the transmission of information to carry out financial or administrative activities related to health care, e.g., sending a health insurance claim for payment.
In conclusion, find out if the yoga center is a covered entity and if it is, ask them to submit their request in writing so you have it documented (fax or email is fine) NOTE, you are not asking for a HIPAA “authorization”, because the patient does not need to authorize covered entity to covered entity disclosures – you are simply asking them to put their request in writing; if the yoga center is NOT a covered entity, let them know you will need a valid HIPAA authorization from the patient first. If the patient wants you to disclose information, they have a right to ask you to do so, and you should comply with the patient’s request.
Patient Right of Access
Question: A patient we treated several months ago has recently emailed us and asked for their medical records to be sent to a third party medical records app. We are extremely busy and this will take some time to pull together. Are we required to provide the medical records as they requested? Some of the records are in paper form, and some are electronic. May we charge the patient for the cost of our time and copying?
Answer: Yes, this is required by HIPAA. Access to one’s own medical information is an individual right and a health care provider is required to send the records within 30 days (unless state regulation is more stringent), and may have up to 30 additional days if necessary, if it notifies the individual in writing of the delay. The records should be provided in the format the patient requests.
Regarding your costs:
- If the patient is the one making the request and they are asking for their “designated record set”, you must follow the HIPAA “patient access rate” set forth in the Code of Federal Regulations, Section 164.524 – this is basically a “reasonable cost based fee” only for labor, supplies, e.g., a USB drive if the request is for electronic format, postage if they request it be mailed, and preparation of an explanation or summary, if agreed to by the patient. However, if state law sets a lower rate, state law must be followed.
- If the patient requests their PHI maintained in an EHR be transmitted electronically to a third party, fees set by state law of the state where the health care provider is located apply.
- For a more detailed explanation of Right of Access fees under HIPAA see A Current Simple Guide to Right of Access.
The HIPAA E-Tool® Can Answer Your Questions
At The HIPAA E-Tool® we hear so many everyday questions from people managing busy practices and working in larger health care systems. They don’t always have time to call their compliance officer or look up the answers. If you have questions and need answers, let us know.