What Information can be Shared Without Violating HIPAA?

Information can be shared without violating HIPAA when the disclosure is permitted by the HIPAA Privacy Rule, the information is not protected health information, or a valid HIPAA authorization supports the disclosure.

Information That Is Not Protected Health Information

Information is not protected health information when it does not identify an individual and does not provide a reasonable basis to identify the individual. De-identified health information is not protected health information when it meets an accepted HIPAA de-identification method and the remaining details do not allow reidentification.

HIPAA Permitted Uses And Disclosures

The HIPAA Privacy Rule permits uses and disclosures of protected health information for treatment, payment, and health care operations without patient authorization. Organizations may also use or disclose protected health information without authorization for specific public interest purposes permitted by the HIPAA Privacy Rule, including disclosures required by law, public health activities, health oversight activities, judicial and administrative proceedings under defined conditions, and certain law enforcement purposes under defined conditions.

Disclosures To The Individual And Personal Representatives

The HIPAA Privacy Rule permits disclosures of protected health information to the individual. Disclosures to a personal representative are permitted when the person has authority under applicable law to act for the individual in matters related to health care.

Facility Directory And Notification Disclosures

A HIPAA Covered Entity may include a patient in a facility directory and disclose limited directory information when the HIPAA Privacy Rule conditions are met and the individual has been informed and given an opportunity to agree or object when required. A HIPAA Covered Entity may also disclose information to notify family members, a personal representative, or others responsible for the individual’s care or payment for care when the HIPAA Privacy Rule conditions are met.

Minimum Necessary And Safeguards

The HIPAA Minimum Necessary Rule limits the amount of protected health information used, disclosed, or requested to the minimum necessary to accomplish the intended purpose when the rule applies. Administrative, technical, and physical safeguards required by the HIPAA Security Rule support lawful disclosures by reducing access and transmission errors that can create impermissible disclosures.

Workforce Training And Disclosure Control

All workforce members must receive HIPAA training. Annual HIPAA training is industry best practice. Training on HIPAA rules and regulations provides a foundation for workforce understanding before instruction on internal policies and procedures.

Business Associate Responsibilities

A HIPAA Business Associate may share protected health information without violating HIPAA only when the disclosure is permitted by the HIPAA Privacy Rule, authorized by the HIPAA Covered Entity, and consistent with the Business Associate Agreement. All staff in a HIPAA Business Associate must receive HIPAA training. All staff must receive security awareness training. Staff with access to protected health information must receive HIPAA training. Annual HIPAA training is industry best practice.

Daniel Lopez

Daniel Lopez is the HIPAA expert behind HIPAA Coach. Daniel has over 10 years' experience as a HIPAA trainer and has developed deep experience in teaching HIPAA to healthcare professionals. Daniel has contributed to numerous publications, including expert articles on The HIPAA Guide. Daniel is currently a staff writer on HIPAA at the Healthcare IT Journal. Daniel was a subject matter expert for ComplianceJunction's online HIPAA training. Daniel's academic background in Health Information Management is the foundation of his HIPAA expertise. Daniel's primary professional interest is protecting patient privacy, which he believes is the core of the HIPAA regulations and the best route to HIPAA compliance. You can reach Daniel on the contact page of HIPAA Coach and follow him on Twitter at https://twitter.com/DanielLHIPAA