According to the US Department of Health and Human Services (HHS), healthcare professionals can share HIPAA-protected health information (HIPAA PHI) with one another without written consent in several circumstances. Such treatment communications may occur orally, in writing, by phone, fax, email, or otherwise. More specifically, the HIPAA Privacy Rule allows covered healthcare providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards. This article gives several examples of the circumstances under which HIPAA PHI can be shared and reviews what counts as a reasonable safeguard. It also bears mentioning that the information below is not necessarily applicable if the client is a child.
Allowed Psychotherapy Circumstances
The following is a sample list of circumstances in which sharing HIPAA PHI is allowed without written consent according to the HIPAA Privacy Rule:
- A psychologist may relay the results of a patient’s psychological testing report to a social worker via phone, fax, or digitally through a HIPAA-compliant e-consult system or an electronic health record.
- A counselor might send a copy of a client’s progress report to a specialist who is scheduled to consult using surface mail, fax, or other secured digital communication channels.
- A chemical dependency treatment facility could fax or use a more advanced digital communication system to send a patient’s healthcare directives to a nursing home where the patient is being moved.
- Over the phone, a healthcare professional might discuss a patient’s situation with an ER doctor who is providing emergency care.
- A psychologist might verbally discuss a patient’s treatment plan with a nurse practitioner participating in the patient’s care.
- A psychiatrist might use email to consult with another physician about a patient’s condition.
- A hospital can share the medical details of an organ donor with another hospital caring for the organ recipient.
The following section outlines the conditions under which the use of reasonable safeguards allows the sharing of HIPAA PHI.
What Are Reasonable Safeguards?
The Privacy Rule mandates that healthcare providers covered under it must utilize reasonable safeguards to protect the information from misuse or unauthorized disclosure during these communications. These precautions may differ based on the method of communication.
- For instance, when faxing sensitive health information to an unfamiliar telephone number, a reasonable precaution might involve the provider first verifying the fax number with the recipient.
- Similarly, to prevent misdirection of information, frequently dialed numbers might be pre-programmed into the fax machine by the provider.
- If a doctor discusses patient health information with another provider in a public setting, they could reasonably protect it by being seated in a relatively private area and speaking softly.
HIPAA’s Minimum Necessary Rule
The Minimum Necessary Rule is a key protection of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. This principle requires covered entities and their business associates to make reasonable efforts to use, disclose, and request only the minimum amount of HIPAA PHI needed to accomplish the intended purpose of the use, disclosure, or request. In practice, if only a small portion of a patient’s health information is relevant to a task, the covered entity should share only that portion. For example, if a healthcare provider shares information for billing purposes, they would share only the minimum HIPAA PHI required for that specific billing process.
Each covered entity is responsible for developing and implementing policies that reasonably limit its disclosures and requests to the minimum necessary. Covered entities must also identify what constitutes “minimum necessary” for their common uses and disclosures.
However, it’s important to note that this rule doesn’t limit the amount of health information that doctors, hospitals, and other healthcare providers can use for treatment. The Privacy Rule recognizes that doctors, other healthcare providers, and health plans need the flexibility to use and share health information to optimize patient care and manage their businesses.
Exceptions to the Minimum Necessary Rule
There are several exceptions to the Minimum Necessary Rule. The most notable exceptions include the following:
- Disclosures to or requests by a healthcare provider for treatment.
- Disclosures to the patient who is the subject of the information.
- Uses or disclosures made with the individual’s authorization.
- Uses or disclosures required for compliance with the HIPAA Administrative Simplification Rules.
- Disclosures to the Department of Health and Human Services (HHS) for enforcement of the Privacy Rule.
Other HIPAA Compliance Issues
Providers and their staff must also be compliant with many other HIPAA regulations related to privacy and security when sharing HIPAA PHI with one another.
The following examples illustrate some situations worth consideration:
- An office manager uses the text messaging software built into their smartphone to text the provider that a client or patient has arrived. This in-office communication includes HIPAA PHI, yet the text messaging software built into today’s phones is not HIPAA-compliant. All healthcare practices, including counselors, therapists, nurses, administrative staff, assistants, or anyone else privy to information about a client or patient, must use HIPAA-compliant software at all times. Furthermore, Business Associate Agreements must be obtained from all software vendors to avoid legal entanglements, regular HIPAA risk assessments must be conducted, and all documentation must be in place.
- A hospital social worker emails a summary note to the nursing staff using a free consumer account (e.g., Gmail, Hotmail, or Yahoo) for the transmission. Unless informed consent is obtained for email, using public systems to communicate about clients or patients is a violation of federal law.
- A counselor refuses to share HIPAA PHI with a client who has made a written request for their records. Such refusals have become a target for HIPAA enforcement by the Office for Civil Rights. Clients and patients have very specific rights to access their records.
- A nurse practitioner (NP) sets up a private practice in a rural area to serve people in need. The NP purchases practice management software from a family friend who is just starting a new, supposedly HIPAA-compliant business. A security breach occurs. The company files for bankruptcy and dissolution, leaving the NP in the lurch with patients whose privacy was compromised. The nurse’s responsibility was to buy practice management software from a reputable company.
- An addictions counselor is introduced to a recovery app that offers many features of potential benefit to clients. The new app soon becomes the counselor’s favorite recommendation for the majority of people on their caseload. The counselor neglected to follow best practices for vetting the app to protect HIPAA PHI.
- A clinician accepted employment from a large healthcare insurance company, only to learn that the company was purchasing HIPAA PHI about their insurance clients. The clinician didn’t know what to do but felt uneasy about being involved in this practice.
As you can see, the list of possible HIPAA violations beyond failing to obtain written consent is extensive. I highly recommend visiting the US Department of Health & Human Services website or the official page detailing the HIPAA Privacy Rule for the most current and comprehensive explanations. Remember, while this Telehealth.org blog post is designed to provide a general overview, it should not be taken as legal advice or a definitive interpretation of the law. Always consult a qualified legal professional if you have specific concerns or questions about applying HIPAA PHI rules and regulations to your practice.
I have tried to explain the HIPAA Privacy Rule clearly yet succinctly, referring directly to the original source material and offering behavioral examples to help explain documents largely written for the medical community. I may have misinterpreted or omitted relevant information for some practices during that process. Laws and regulations such as HIPAA can be complex and often updated, and the specific requirements may vary based on your individual situation or organization. Reviewing the original source material is crucial for the most accurate and detailed information before you apply it to your circumstance.