Covered entities must safeguard electronic protected health information. However, HIPAA was not created to place unnecessary barriers to delivering quality health care, so the law allows providers to release information under certain circumstances.
When can ePHI be disclosed?
Answer: Health care providers can disclose ePHI for treatment, payment and health care operations without the patient's permission. For any other purpose, they can release information only when the patient grants written authorization.
Treatment: Doctors can discuss sensitive information with other providers if the sharing of ePHI involves the provision, management or coordination of health care services.
Payment: Covered entities can share ePHI to obtain payment, reimbursement or premiums. They may also disclose sensitive information to fulfill coverage responsibilities and provide benefits for health care services. For example, payment operations may include billing and collection activities, risk adjustments and utilization review.
Health care operations: According to the U.S. Department of Health and Human Services, health care operations involve activities necessary to run the business and may include:
- Quality assessments.
- Improvement activities.
- Competency assurance activities.
- Conducting or arranging medical reviews.
- Certain insurance functions.
- Business planning and development.
- General administrative activities.
Authorizations: For disclosures other than treatment, payment and health care operations, covered entities must obtain the patient's written authorization before sharing ePHI. An individual grants authorization by signing and dating a form that describes the information to be used or disclosed, the purpose of the use or disclosure, the persons (or class of persons) disclosing and receiving the information, an expiration date or event, and a statement of the individual's right to revoke the authorization in writing. An authorization missing any of these components is not valid, and ePHI shared under it is an unauthorized disclosure.
Penalties related to noncompliance
Under HIPAA, covered entities must have safeguards in place to ensure they do not release ePHI without proper authorization or for reasons other than those permitted by law. Failing to maintain preventive policies, failing to apply the minimum necessary standard, and disclosing ePHI without authorization all constitute violations.
Incidental disclosures, such as someone in the waiting room overhearing a private doctor-patient conversation, are not entirely avoidable. As long as the health care provider applies reasonable safeguards and the minimum necessary standard, the HHS Office for Civil Rights will not penalize it for incidental disclosures that occur as a by-product of a permissible use or disclosure of ePHI. Otherwise, covered entities are subject to civil monetary penalties, which can range from $100 to $50,000 per violation depending on the level of culpability.
It's crucial for health care providers to keep track of their patient privacy safeguards to ensure they maintain HIPAA compliance. The HIPAA Help Center Policy Maker module provides a place to house all policies and amend them on an as-needed basis. Employees and auditors alike can access these written procedures to better understand the rules and regulations surrounding ePHI.