The Health Insurance Portability and Accountability Act (HIPAA) found in 45 Code of Federal Regulations (CFR) § 160, defines protected health information or “PHI” as any “individually identifiable health information that is electronically transmitted, stored or maintained in any other form.” While it is generally understood that PHI is not to be shared without an individual’s authorization, many would be surprised to learn there are exceptions to this rule.
Protected Health Information, outside of a healthcare context, may be disclosed if it relates to matters of national interest or public concern. But of course, a “balancing test” must be performed to determine whether the public policy or interest outweighs the need for individual privacy in particular situations. The U.S. Department of Health and Human Services acknowledges roughly 12 exceptions in which PHI may be disclosed without prior authorization.
If permissible under one of the recognized exceptions, a covered entity may use and share PHI without an individual’s authorization to act in accordance with a state or federal law or a court order. As an example, a patient advocate would fall under this exception. An internal patient advocate is a person hired by a healthcare facility to advocate and monitor patients receiving care in that facility. North Carolina requires that an internal patient advocate be granted, even without patient consent, access to routine reports and other confidential information necessary to act as an advocate for the patient and monitor the patient’s well-being. N.C. G.S. §122C-53(g).
Similarly, covered entities may disclose PHI to the proper government authorities to the extent necessary to “protect victims of abuse, neglect, or domestic violence.” Additionally, PHI can be disclosed without prior authorization “during the process of judicial or administrative proceedings and may be shared in response to a subpoena.”
Under the law enforcement exception, covered entities are only allowed to share unauthorized PHI with law enforcement agencies within six specific circumstances:
- to comply with a court order, warrant, or subpoena;
- to identify a suspect, fugitive, material witness, or missing person;
- to respond to a law enforcement officer’s request for information about a victim of a crime;
- to alert law enforcement of a person’s death, if the covered entity believes criminal activity caused the death;
- to notify law enforcement of a covered entity’s belief that PHI is evidence of a crime that occurred on its premises; or
- disclosure by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or victims, and the perpetrator of the crime.
Another example of disclosure would be for a covered entity’s research purposes. Covered entities are allowed to disclose patients’ PHI for purposes of research, development, and public health oversight after the covered entity meets certain documentary requirements. The Public Health Activities Exception highlights the government’s and healthcare systems’ interest in preventing or controlling disease, injury, and disabilities. Therefore, PHI may be released to government agencies like the Federal Food and Drug Administration (FDA) to assist those at the forefront of public health research and policy.
For more specific information on HIPAA and PHI, please contact our office.
Revolution Law Group is located in Greensboro, NC, and serves individuals and small businesses throughout the Triad and surrounding areas. To contact us please visit Revolution.law or call 336-333-7907.
The information included here is for informational purposes only, is not exhaustive of all considerations when creating documents, is not intended to be legal advice, and should not be relied upon for that purpose. We strongly recommend you consult with an attorney and do not attempt to create your own documents.