PHI Disclosure Best Practices
All health practitioners, whether hospital workers or insurance providers, must comply with HIPAA privacy rules regarding the security of the patient's health data.
HIPAA compliance ensures that healthcare providers never allow sensitive data breaches of patient records. However, being an industry expert doesn't necessarily mean you understand everything you must do to comply with Protected Health Information (PHI) best practices.
This article addresses exactly that. After reading it, you should have a better understanding of PHI disclosure best practices.
Highlights
- Health practitioners must follow HIPAA privacy rules to ensure patient data security and prevent breaches.
- PHI disclosure involves transmitting health information to those outside covered entities under specific conditions.
- Disclosure is allowed without individual consent for legal requirements, public health, work-related health, abuse reporting, health oversight, research, death-related situations, and law enforcement.
- Covered entities must disclose PHI when individuals request their own information or the Department of Health and Human Services (HHS) needs it for review or compliance investigations.
- Entities must not sell patient data unless it's for treatment, payment, public health initiatives, research, certain business activities, or when legally mandated.
- PHI should not be disclosed to insurance companies for underwriting except to determine coverage, premiums, or benefits.
- Technology like iDox.ai can help protect PHI, allowing entities to securely comply with privacy requirements and automate HIPAA compliance assessments.
What Is PHI Disclosure?
PHI, or protected health information, is ‘individually identifiable health information’ held or transmitted by the healthcare industry. This includes hospitals, insurance companies, and other HIPAA Privacy Rule-covered entities. Therefore, PHI disclosure refers to transmitting this information to individuals or organizations outside the covered entities.
The disclosure of PHI may also occur when healthcare services share the information with a non-health department within a hybrid entity. If a must, PHI disclosure should happen under certain conditions, which, in this case, are called best practices to maintain confidentiality.
The whole idea is to prevent the leaking of personally identifiable information, and a lot of a person's healthcare data, like their medical information and birth date, can help identify them.
If, for some reason, unauthorized individuals access medical records, they could expose the information to the public and compromise the privacy of the affected individual. Criminals may use it to steal identities and defraud hard-earned cash.
When Is PHI Disclosure Permitted?
In some instances, the HIPAA Privacy Rule allows entities to disclose health-related information without authorization or permission from the concerned individual. Here are some of those circumstances:
1. Requirement by Law
Covered entities may disclose PHI in accordance with specific regulations, court orders, and statutes. This could also be an administrative tribunal request or subpoena. They don't require the individual’s consent.
2. Public Health Activities
Public health authorities may require unauthorized PHI disclosure for injury control, disease prevention, or disability management. Entities may also disclose PHI to government authorities as part of reports about child abuse and neglect.
3. Work-Related Health
Employers may request PHI without the concerned individual’s authorization whenever there is a work-related injury or illness. This usually requires a business associate agreement (BAA).
Regulations supporting such sharing include the Mine Safety and Health Administration (MHSA), Occupational Safety and Health Administration (OSHA), and similar state laws.
4. To Report Abuse, Neglect, or Domestic Violence
PHI disclosure is also necessary when an entity informs government authorities about neglect, abuse, or domestic violence victims.
5. Health Oversight
The unauthorized disclosure of PHI is also necessary to enable government benefit programs and oversight agencies to oversee the healthcare system effectively.
6. Research
Entities may disclose patient information for research purposes. However, the requesting individual entity must specify that they seek information for research and no other purpose.
7. Circumstances Relating to a Deceased Individual
Funeral directors, coroners, or medical examiners may request protected health information to perform lawful functions, determine the cause of death, or identify the diseased person. Covered entities must provide privileged information in these circumstances.
8. Law Enforcement
Law enforcement officials may request protected health information. Covered entities cannot decline requests related to law enforcement under the following six circumstances:
- As required by law through court orders, subpoenas, or court warrants
- For suspect, material witness, fugitive, or missing person identification
- Request by a law enforcement official for information on a victim of crime
- To alert law enforcement of the death of a person through crime
- As evidence of a crime that occurred on the premises of the covered entity
Who Can Request for PHI Disclosure?
The HIPAA Privacy Rule mandates PHI disclosure under two circumstances:
Individual Requests
A covered entity must disclose PHI to an individual (or their representative) when they request it or want the information used to make an accounting of procedures. It gives individuals control over their PHI.
Involvement of the Department of Health and Human Services
Disclosure of PHI is a must where there is a review, enforcement action, or compliance investigation by the Department of Health and Human Services (HHS). With that, it is possible to protect the privacy of all health information.
What to Avoid in Disclosure of PHI
There are several things to avoid in PHI disclosure. Organizations must follow strict guidelines to protect the privacy of their clients (the patients). To prevent the disclosure of data without proper authorization, entities must avoid the following:
1. Selling Patient Data
Covered entities cannot sell patient data unless under given circumstances. Of course, selling involves PHI disclosure followed by direct or indirect compensation of the entity involved. While all entities must adhere to these requirements, they may sell health information for the following purposes:
- Treatment and payment
- Public health
- Research
- Sale, merger, consolidation, and transfer of a covered entity
- Disclosure to individuals
- Disclosures sanctioned by the law
- Business associates acting on behalf of a covered entity
2. Genetic Information and Underwriting
Generally, entities may not disclose PHI to insurance companies to underwrite health plans. Exceptions to this requirement include instances when the information would determine:
- Change in coverage, deductibles, and benefits
- Premiums or amounts of contributions
- The exclusion of pre-existing conditions
- All activities in creating, replacing, or renewing benefits or health insurance
Protect Your PHI Using Technology
Technology has made it easier for entities to protect the privacy of their clients. It makes it possible to keep critical data away from prying eyes. Using technology, organizations can present themselves as trustworthy.
An example of such technology is iDox.ai. The Data Discovery Platform enables HIPAA-covered entities to access sensitive data while complying safely and securely with privacy requirements.
Users can quickly and easily discover, redact, and eliminate liable, sensitive data within their ecosystems.
Our automated HIPAA compliance system is great for risk assessments and evaluating compliance. You can easily take control of sensitive patient information one file at a time and prevent its leakage in good time.
Reach out to us today to learn more about how our tool can help your team.