Part 2: Permissible Disclosures under the HIPAA Privacy Rule

Last week, in the first part of our multi-part HIPAA article series, we noted that the Privacy Rule requires policies and procedures to be in place to ensure that patient health information is protected. Questions often arise about which policies and procedures are acceptable under the Privacy Rule and how they can best protect and secure patient health information.

Part 2 of our article series will take a closer look at some common permissible uses and disclosures under the Privacy Rule to answer the following questions:

  • What are some common uses and disclosures that are permitted under the Privacy Rule?
  • Could these common disclosures result in a breach?
  • Do you have policies and procedures in place to address these uses and disclosures?

A Major Goal of the Privacy Rule

According to the U.S. Department of Health & Human Services (HHS), "a major goal of the Privacy Rule is to assure that individuals' health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being." HHS goes on to say that "the Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing." Additionally, "given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed."

Permissible Disclosures

Under the HIPAA Privacy Rule, there are "purposes or situations" in which you are "permitted, but not required, to disclose protected health information, without an individual's authorization." Some of these "purposes or situations" may at first sound straightforward, but when it comes to ensuring that patient health information is adequately protected, questions often arise that can be answered, and security incidents avoided, with the right policies and procedures.

To illustrate how policies and procedures answer questions and help avoid potential security incidents, we will take a closer look at two common disclosures, treatment and payment.

Treatment

Doctors and hospitals that are covered entities may share protected health information (PHI) with one another for treatment purposes without the patient's authorization. HHS provides the following examples:

  • "A primary care provider may send a copy of an individual's medical record to a specialist who needs the information to treat the individual."
  • "A hospital may send a patient's health care instructions to a nursing home to which the patient is transferred."

A question we are occasionally asked about treatment disclosures is: what about a primary care provider who wants an opinion from another, non-treating provider? Is this acceptable under the HIPAA Privacy Rule?

Fortunately, HHS provides a general answer to this question:

Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient's authorization. This includes sharing the information to consult with other providers, including providers who are not covered entities, to treat a different patient, or to refer the patient.

Technology now offers immediate access to this information, so let's look at how a disclosure that is permissible for "treatment" purposes can very easily lead to a breach if adequate policies and procedures aren't in place:

  • A primary care physician sends a non-treating provider a text message about the treatment of a patient. The non-treating provider receives the message on an unencrypted cell phone.
  • While at a gym, the non-treating provider leaves the cell phone "locked up" in the car.
  • A thief breaks into the non-treating provider's car and steals the unencrypted cell phone, which still contains the patient's treatment information.

All of a sudden, a disclosure that was permissible under the HIPAA Privacy Rule has become a suspected breach, not because of who the information was shared with, but because of how it was stored once it arrived. Had the phone been encrypted consistent with HHS guidance, the PHI on it would have been considered "secured" and the theft would not have been a reportable breach; with an unencrypted device, the loss must be treated as a presumed breach unless a risk assessment shows a low probability that the PHI was compromised. Reasonable policies and procedures for mobile devices are what make the difference.

In our next article of this series, we will discuss some recommendations for implementing policies and procedures to properly safeguard mobile devices.

Payment

PHI may also be disclosed without the patient's authorization for payment purposes, for example to a health plan, or to another provider that needs the information to bill for the services it provided. HHS provides the following examples:

  • "A physician may send an individual's health plan coverage information to a laboratory who needs the information to bill for services it provided to the physician with respect to the individual."
  • "A hospital emergency department may give a patient's payment information to an ambulance service provider that transported the patient to the hospital in order for the ambulance provider to bill for its treatment."

Now, let's look at how this common disclosure could lead to a potential breach.

  • Your practice shares expenses within a group, but each provider is independent.
  • One of the providers questions recent collections activity and decides to access another provider's patient payment records.
  • The provider whose records were accessed never authorized that access, and the provider who looked at the records has no treatment relationship with those patients.

Could this be a potential breach? Yes and no. Under the HIPAA Privacy Rule, covered entities are allowed to share PHI for treatment, payment, and health care operations (TPO). However, when PHI is shared with another covered entity for that entity's health care operations, the recipient must have (or have had) a relationship with the patient, and the PHI must pertain to that relationship. The exception is an organized health care arrangement (OHCA): independent providers that participate in an OHCA may share PHI with one another for the OHCA's TPO purposes, without a business associate agreement (BAA) and under a single joint Notice of Privacy Practices (NPP). If the providers in this scenario have not formed an OHCA, the provider who accessed records of patients he or she does not treat had no basis for that access, and the practice should evaluate it as a potential breach.

If your practice shares office space with other independent providers it would be a good idea to have policies and procedures in place to address these types of disclosures.


These are just a few examples of possible disclosures your policies and procedures must address. Remember, "the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed." Next week, we will dive into some key elements to consider when implementing "flexible and comprehensive" policies and procedures that adequately safeguard patient health information.

If you have any questions or concerns about the HIPAA Privacy Rule including permissible uses and disclosures, please feel free to comment below, send us an email at, or reach us toll-free at 855-427-0427.