Originally passed by Congress in 1996, the Health Insurance Portability and Accountability Act (HIPPA) is designed to protect the privacy of healthcare patients by setting certain rules and regulations that physicians and other covered entities must follow. HIPAA has undoubtedly helped the world of modern-day medicine, as patients can rest assured knowing that their information is safe. But many covered entities are refraining from sharing data, even when it is allowed by HIPAA.

While it's true that certain HIPAA restricts prevent covered entities from transmitting or sharing the Protected Health Information (PHI) of patients without the respective patient's consent, there are instances in which it's acceptable to share information.

In a recent blog post on Health IT Buzz, the Office of the National Coordinator for Health Information Technology (ONC) explained that some healthcare providers are not sharing PHI due to internal policies and procedures, even though it is allowed under HIPAA.

Some providers are not sharing PHI due to their health care organization’s policies, procedures, or protocols, even if the sharing is permitted under HIPAA, or because laws in the provider’s state apply in addition to HIPAA,” explained Lucia Savage, J.D., Chief Privacy Officer and

Aja Brooks, J.D., Privacy Analyst in the post. “Interestingly, this lack of exchange of PHI runs contrary to consumer perception, with research demonstrating that patients assume their PHI is automatically shared between their treating physicians.”

So, when is a covered entity allowed to disclose a patient's PHI without their consent? There are several instances in which it is acceptable, one of which is when the disclosure is needed for patient care. If a patient requires specialized treatment, for instance, information may be given to a surgeon or specialist for the purpose of treating the patient.

Another instance in which it is okay to disclose PHI without the patient's consent is when the information is sought by law enforcement. If the police believe a child is being abused in their home, for instance, they may seek medical records of the child, in which case consent (by the parent) is not required.

You can learn more about permissible use of PHI and when it's acceptable to disclose PHI without the patient's consent by accessing the ONC's new fact sheet here. Titled “Permitted Uses and Disclosures: Exchange for Health Care Operations,” this 4-page fact sheet explains when it's acceptable to disclose PHI without the patient's consent and when it is prohibited.

Subscribe to our mailing list

* indicates required