One of the most common questions I hear is, “Can I send patient information to…” with a plethora of situations and organizations completing that sentence.  Not only is this one of the most common questions, but it is also one of the most fundamental from a patient privacy perspective. I encourage everyone to analyze their unique environment and create a reference guide that captures typical disclosures for your organization.  Include when disclosure is appropriate, inappropriate, and when the Privacy Officer should be consulted.

The reference guide should be developed by analyzing the three types of disclosures of Protected Health Information (“PHI”),

  • Required Disclosures:  The instances in which the PHI must be disclosed include,

    • To individuals when requested for access or an accounting of disclosures; and

    • To the Secretary of U.S. Department of Health and Human Services when conducting a compliance investigation, review, or enforcement action.

  • Permitted Disclosures:  These are situations in which the PHI may be disclosed without the patient’s consent, but you are under no obligation to disclose at all.  Permitted disclosures include,

    • For treatment, payment, and healthcare operations to another covered entity or a business associate with whom you have an executed business associate agreement;

    • With the opportunity to agree or object:  Examples include inclusion in a facility directory, and to family, friends, or others involved in the patient’s care or payment for care;

    • Use or disclosure incidental to a disclosure that is otherwise permitted;

    • Public interest and benefit activities, including when required by statute, regulation or court order, for public health activities, victims of abuse, neglect or domestic violence, for health oversight activities, for law enforcement purposes, and several others (find the full list here); and

    • In a limited data set, which is data set which has specified direct identifiers removed for research, operations or public health purposes.

  • Authorized Disclosures:  Authorized disclosures include any disclosure that is not required or permitted.  These disclosures can only be made pursuant to a patient’s authorization.  Patient’s have wide deference in deciding what disclosures to authorize and duly authorized disclosures must be made unless it will bring harm to the patient.  Authorization must include specific items, such as,

    • Be in plain language;

    • Be specific about the information to be disclosed;

    • Identify who is disclosing and receiving;

    • Include a time or event for expiration; and

    • Permit the authorization to be revoked in writing.

While the healthcare industry becomes more complex by the day, all disclosures will still fit into one of these three categories. If it is not permitted or required, it must be authorized by the patient.  By placing typical disclosures within your organization into one of these three categories, you will be able to answer the question of whether you may send the patient information or not. For any atypical disclosures, that do not fit neatly into one of these groups, consult your Privacy Officer for the final determination.