The Health Insurance Portability and Accountability Act (HIPAA) of 1996 outlines several Rules that covered entities must follow in order to protect the privacy of their patients. This includes the use of technical, physical and administrative safeguards. But many patients – and even some healthcare providers – are confused regarding who exactly is allowed to access Protected Health Information (PHI).
It's important to note that not all patient data/info is considered PHI. As noted by the Department of Health and Human Services (HHS), certain types of patient information are not, in themselves, necessarily Protected Health Information. If it's just the patient's name or their phone number, for instance, it isn't PHI, and therefore isn't subject to the same rules as PHI.
“The relationship with health information is fundamental. Identifying information alone, such as personal names, residential addresses, or phone numbers, would not necessarily be designated as PHI,” wrote the HHS.
The people and entities who are allowed to access Protected Health Information vary depending on the privacy form created by the healthcare provider. Under HIPAA's Privacy Rule, covered entities may only share PHI in the manner outlined by the patient's privacy disclosure form. In other words, the healthcare provider must provide the patient with a document stating exactly how their information will be used and who can access it. This may include doctors, surgeons, nurses, family, relatives, research facilities, etc.
Does this mean healthcare providers are prohibited from sharing PHI outside their practice/office? Not necessarily, but there are a few steps they should follow in order to remain HIPAA-compliant. First and foremost, the healthcare provider must obtain the patient's consent before it can share their Protected Health Information. Secondly, the healthcare provider must create a Business Associates Agreement with the person or entity receiving or accessing the PHI.
Hopefully, this will give you a better understanding of who's allowed to view Protected Health Information and who's not. Generally speaking, only the individuals and entities outlined in the patient's privacy form are allowed to access their PHI. If a person or entity is not mentioned in this form, the healthcare provider is prohibited from giving them access to the patient's PHI.