Decoding HIPAA: What Information Can Be Shared Legally?


Jan 10, 2024

Trustworthy is an intelligent digital vault that protects and optimizes your family's information so that you can save time, money, and enjoy peace of mind.


The rules and regulations of HIPAA can be confusing and overwhelming. What information can be shared legally?

To help you know your rights, we put together a thorough guide to help you decode HIPAA so that your and your loved ones' medical information is kept safe.


Key Takeaways 

  • The healthcare industry uses HIPAA to determine what medical information can be shared, when and with whom. 

  • Protected health information (PHI) can be shared with the patient's written authorization, and without it only in defined situations, such as treatment, an emergency in which the patient cannot make decisions, or a report that the law requires to public health or other authorities. 

  • The most common type of HIPAA violation is sharing PHI without authorization.


What HIPAA Information Can Be Shared?

HIPAA's Privacy Rule has a "minimum necessary" standard that limits how much information can be used or shared for a given purpose. 

Errand Jackson from Jackson Healthcare LLP Lawyers explains:

“HIPAA mandates that a medical practice only share the minimum necessary health information about a patient.” 

She continues with an example, stating:

“If you have a medical team of five providers and only one is treating the patient, it’s important to remember that everyone in the practice shouldn’t have access to that patient’s records.”

This means a practice does not have to share the patient's entire medical history, only the information relevant to the current request. 

This is especially important when the patient is incapacitated in an emergency and cannot give permission. Even then, doctors share information on a need-to-know basis, using their professional judgment about what the recipient needs. 

What can be shared depends on the purpose for which it will be used. For research, for example, only the data the study actually needs is shared. 

When it comes to patient billing, the finance department does not need the patient's entire medical history, only the information required to bill for the services provided, such as dates of service and current treatments. The standard minimizes unnecessary use of PHI and thereby safeguards it. 
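HIPAA does not specify how a practice enforces the minimum necessary standard, but the paragraphs above describe a least-privilege pattern: the fields disclosed depend on the purpose of the request, and treatment access is limited to the providers actually caring for the patient. The following Python is an added illustration of that pattern, not code from the original article or from Trustworthy; the purposes, field names, care-team check and sample patient record are all constructed for the example.

```python
"""Added illustration of HIPAA's "minimum necessary" standard as a purpose-of-use
field filter. The purposes, field names and sample record are constructed for
this example; HIPAA itself does not prescribe them."""
from typing import Any, Dict, FrozenSet

# Allow-list of record fields per purpose of use (hypothetical, not from HIPAA).
# Each purpose sees only what it needs: billing never sees clinical notes,
# research never sees direct identifiers, and nothing off-list (e.g. "ssn")
# is ever returned.
MINIMUM_NECESSARY: Dict[str, FrozenSet[str]] = {
    "treatment": frozenset({"patient_id", "name", "allergies", "medications",
                            "diagnoses", "lab_results", "clinical_notes"}),
    "payment":   frozenset({"patient_id", "name", "insurance_id",
                            "dates_of_service", "billed_procedures"}),
    "research":  frozenset({"diagnoses", "lab_results", "age_band"}),
}


class DisclosureDenied(Exception):
    """Raised when a request falls outside the permitted purposes or roles."""


def disclose(record: Dict[str, Any], purpose: str, requester: str) -> Dict[str, Any]:
    """Return only the fields of `record` that `purpose` needs.

    Treatment access is further limited to providers listed on the patient's
    care team (`record["care_team"]`), mirroring the point that not everyone in
    a five-provider practice should see a patient that only one of them treats.
    """
    if purpose not in MINIMUM_NECESSARY:
        raise DisclosureDenied(f"no permitted purpose: {purpose!r}")
    if purpose == "treatment" and requester not in record.get("care_team", ()):
        raise DisclosureDenied(f"{requester!r} is not on the patient's care team")
    allowed = MINIMUM_NECESSARY[purpose]
    # Default-deny: anything not explicitly on the allow-list is withheld.
    return {key: value for key, value in record.items() if key in allowed}


# Constructed sample record for a fictional patient.
SAMPLE_RECORD: Dict[str, Any] = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "ssn": "000-00-0000",          # on no allow-list, so never disclosed
    "age_band": "70-79",
    "insurance_id": "INS-12345",
    "allergies": ["penicillin"],
    "medications": ["lisinopril 10 mg"],
    "diagnoses": ["I10"],
    "lab_results": {"A1C": 6.1},
    "clinical_notes": "Patient reports ...",
    "dates_of_service": ["2024-01-03"],
    "billed_procedures": ["99213"],
    "care_team": {"dr_a"},
}

if __name__ == "__main__":
    print("billing sees:  ", sorted(disclose(SAMPLE_RECORD, "payment", "billing_clerk")))
    print("treating MD:   ", sorted(disclose(SAMPLE_RECORD, "treatment", "dr_a")))
    print("research sees: ", sorted(disclose(SAMPLE_RECORD, "research", "study_1")))
    try:
        disclose(SAMPLE_RECORD, "treatment", "dr_b")
    except DisclosureDenied as err:
        print("denied:", err)
```

The allow-list is the whole policy: a request for an unknown purpose, or a treatment request from someone outside the care team, fails closed rather than falling back to the full record.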


Understanding HIPAA's Privacy Rule

HIPAA's Privacy Rule protects patients' confidential medical information and makes doctors, other healthcare professionals, health plans and their business associates responsible for safeguarding it. HIPAA was intended to improve confidentiality between patients and providers and to reduce fraud and abuse in healthcare.  

The healthcare industry uses HIPAA to determine what medical information can be shared, when and with whom. 

The rules state that medical information can be shared with third parties with the patient's written authorization (HIPAA's term for the patient's permission), and without it only when a specific exception applies, such as treatment, payment or healthcare operations. So, even if the patient is your elderly parent, you are not legally entitled to their medical information without their authorization unless one of those exceptions is met. 

Protected medical information, formally Protected Health Information (PHI), covers identifiable health information held by a covered entity: anything confided to a doctor, medication plans and treatment, X-rays, lab results, blood tests, and other information relating to the patient's health or payment for care. 

Regardless of whether the doctor obtained the information verbally, in writing or by other means, they are legally bound not to disclose it except as the Privacy Rule permits.

This includes all aspects of patient information, including billing records and other identifying details. Hospitals and other organizations are also bound by the HIPAA Security Rule, which requires administrative, physical and technical safeguards for electronic PHI. They must take adequate measures to protect patients' information from a data breach; otherwise they face expensive fines.   


When Can HIPAA Information Be Shared?


There are times when HIPAA permits PHI to be shared legally even without the patient's authorization. We'll explore these instances in more depth below. 

When Providing Treatment

Doctors can share PHI while they provide treatment to a patient. They can share it with other doctors and health professionals who are treating the patient. 

This ensures the care team knows what is happening with treatment. If the patient is present and does not object, doctors can also share information such as medication dosage with family members or whoever accompanies the patient to the appointment. 

During Payment Processes

Regarding payment processes like hospital billing, payment plans and medical insurance claims, no payment can be made unless the relevant parts of the patient's PHI are shared with the departments involved. 

That's why patients' medical information can be shared with a provider's billing department or with medical insurance companies. This information can also be shared with family members if the patient is present and does not object. 

For example, a son may bring his father to the hospital and have a question about payment options. In this scenario, the relevant billing information can be legally shared.  

For Healthcare Operations 

For a hospital, clinic or medical facility to provide care and run its business, it needs your PHI. 

Healthcare operations describe how the facility runs on a day-to-day basis: quality assessment, staff training and credentialing, auditing, and the administrative, financial and legal work behind clinical care. 

To do this, staff need your PHI to make sure billing and insurance claims are correct and that the right patient is getting the prescribed medication. Healthcare operations keep medical facilities running smoothly and support the care and treatment you receive. 

For Research Purposes   

HIPAA allows healthcare providers to share PHI for research, but only with the patient's written authorization, with a waiver or alteration of that authorization approved by an Institutional Review Board or Privacy Board, or when the data is de-identified or released as a limited data set under a data use agreement. 

HIPAA requires the authorization to be in writing; verbal consent is insufficient. In every case, the provider must confirm that one of these conditions is met before sharing anything for research. 

Legal Authorities Without Consent

There are times when doctors do not need authorization from patients to share their information, particularly when a doctor finds medical signs of abuse or neglect in children, adults or elderly patients. 

In such cases, state law generally requires doctors to report their findings to the relevant authorities and protective services, and HIPAA permits the disclosure. Another example is a patient who suffers a stroke or another condition that makes them unable to drive safely; where state law requires it, the doctor may report this to the Department of Motor Vehicles. 

Lastly, during events like pandemics, doctors may share relevant health information with public health agencies, and public health laws often require them to. No authorization from the patient is needed.

During a Health Emergency Without Consent

Doctors can share PHI during emergencies without authorization when it is in the patient's best interest. Say a patient is brought into the hospital in an emergency and no longer has the capacity to make sound decisions. 

In this case, the doctor may, using professional judgment, share the medical information relevant to the patient's care with family or friends involved in that care, especially where it concerns treatment going forward. 

When Someone Else Has Power of Attorney Without Consent

When a patient is elderly, they know there may come a time when they cannot make their own medical decisions. This is why they appoint someone they trust as their healthcare agent under a healthcare power of attorney. 

Once that authority takes effect, HIPAA treats the agent as the patient's personal representative: doctors can share medical information with them without asking the patient first, and the agent can request access to the patient's medical records on the patient's behalf. 

If you hold power of attorney over a loved one's medical care and maintain their health information, we suggest using a family operating system like Trustworthy to keep all your medical documents organized.  

 

What Can Happen If HIPAA Info Is Shared Illegally?


There are consequences for businesses and healthcare professionals who violate HIPAA. According to the HIPAA Journal, impermissibly sharing medical information is the most common violation. Other HIPAA violations include: 

  • Sharing of PHI online without consent 

  • Failure to implement proper security measures to protect PHI from data breaches 

  • Failure to properly dispose of PHI information 

  • Failure to conduct risk analysis and other risk preventive strategies

  • Failure to notify the affected patients 


If PHI is shared illegally, businesses and individuals can face civil and criminal penalties. Civil penalties are tiered by the level of culpability, with an annual cap per type of violation that was originally set at $1.5 million and is adjusted for inflation. Criminal penalties include fines and imprisonment of up to 10 years for the most serious offenses, such as obtaining or disclosing PHI with intent to sell it or to use it for commercial advantage, personal gain or malicious harm.     

Affected patients can also report a HIPAA violation to the organization's privacy officer, to their State Attorney General, or to the Department of Health and Human Services Office for Civil Rights, which must receive the complaint within 180 days of when the patient knew or should have known about the violation. 

However, they cannot sue for a HIPAA violation itself because the law contains no private right of action. Patients who want to sue must rely on other privacy or negligence laws. For a business, a violation can still be damaging, resulting not only in financial loss but also in a damaged reputation and even job loss for those responsible. 


Frequently Asked Questions (FAQs) 

What cannot be disclosed under HIPAA?

Protected health information (PHI), which includes health records, X-rays and lab results, cannot be disclosed without the patient's written authorization except for the purposes the Privacy Rule specifically permits, such as treatment, payment and healthcare operations.

What PHI can be disclosed without patient authorization?

PHI needed for treatment, payment or healthcare operations; PHI the law requires a provider to report, for example to public health authorities or protective services; and, in an emergency, the information relevant to the care of a patient who cannot make their own decisions. 

When can you share protected health information?

Protected health information can be shared if the patient authorizes it, if it is needed for treatment, payment or healthcare operations, if the patient is in an emergency or cannot make sound decisions, or if an authorized personal representative, such as a healthcare agent under a power of attorney, requests it.  

Trustworthy is an online service providing legal forms and information. We are not a law firm and do not provide legal advice.

Try Trustworthy today.


Try the Family Operating System® for yourself. You (and your family) will love it.


No credit card required.
