The HIPAA Rules provide federal protections for patient health information held by Covered Entities (CEs) and Business Associates (BAs). HIPAA gives patients many rights with respect to their health information.
The Guide (especially Chapter 2) provides details on the HIPAA Privacy, Security, and Breach Notification Rules, such as:
Under the HIPAA Privacy Rule, you have responsibilities to patients, which include:
Many people don’t realize that the Health Insurance Portability and Accountability Act (HIPAA) actually enables information sharing. HIPAA (specifically the HIPAA Privacy Rule) defines the circumstances in which a Covered Entity (CE) may use or disclose an individual’s Protected Health Information (PHI). HIPAA provides many pathways for permissibly exchanging PHI, which are commonly referred to as HIPAA Permitted Uses and Disclosures.
Permitted Uses and Disclosures are situations in which a CE is permitted, but not required, to use and disclose PHI without first having to obtain a written authorization from the patient. The circumstances under which this information may be shared must meet specific criteria, and the minimum necessary rule applies. Instances in which a patient’s authorization is not required are listed in the provider’s HIPAA Notice of Privacy Practices.
In general, a CE may only use or disclose PHI if either (1) the HIPAA Privacy Rule specifically permits or requires it, or (2) the individual who is the subject of the information provides a written authorization. The first type of scenario is referred to as “Permitted Uses.”
Two types of Permitted Uses are described below: Health Care Operations and Treatment.
Under HIPAA, a covered entity provider can disclose PHI to another covered entity provider for the treatment activities of the recipient health care provider, without needing patient consent or authorization. (45 CFR 164.506(c)(2).) Treatment (45 CFR 164.501) is broadly defined. It includes not only what we think of as traditional treatment and diagnosis, but also making and receiving referrals; coordination or management of health care and related services by a provider, even through a hired third party (for example, a nutritionist); and several other functions.
Note: The information here is not intended to serve as legal advice nor should it substitute for legal counsel. The information presented is not exhaustive, and readers are encouraged to seek additional guidance to supplement the information contained herein.
Under the HIPAA Privacy Rule (45 CFR 164.501), CEs can use and disclose PHI to another CE or that CE’s Business Associate (BA) for the following health care operations activities without needing patient consent or authorization:
Before a CE can share PHI with another CE for one of the reasons noted above, the following three requirements must also be met: