The major exception to the need for specific authorization for the release of PHI
is that medical care providers may release information to other providers and
entities who are participating in the patient's care, and to businesses that provide
services for those providers. Physicians do not need a specific authorization to
share information with specialty consultants they talk to, with labs performing
medical testing, or with a billing service that prepares the physicians' bills.
These businesses that provide services to the medical care providers have to
agree to protect the patient's information in the same way that the provider
must protect it. This agreement is documented in a HIPAA business associate
agreement. Determining which outside businesses and consultants may share
information under a business associate agreement and how to enforce these
agreements has occupied the time of countless medical care attorneys.
HIPAA does not preempt state laws that provide for access to medical records
in legal proceedings and for public health and safety. HIPAA allows reporting of
communicable diseases, child abuse, violent injuries, and other mandatory
public health reports, as well as disclosures to prevent crimes by the patient.
[Privacy Rule and Public Health - Guidance from CDC and the U.S. Department
of Health and Human Services, MMWR 2003;52(Suppl)]
It also allows the
discovery of information in legal trials when ordered by the court. Thus a
hospital defending a medical malpractice lawsuit would have access to the
patient's medical records as ordered by the court or as available under other
Not surprisingly, HHS excepts its own access to medical information from both
the patient authorization requirement and the minimum necessary requirement.
This allows the federal government access to medical records to audit for
billing fraud, for compliance with the Medicare/Medicaid quality assurance rules,
and to assure compliance with the HIPAA privacy rule.
HIPAA allows medical information to be released when necessary to identify
patients. In one case, a woman without identification was struck by a car and
brought into the hospital in a coma. Her picture and medical condition were
released to the press to try to find any relatives or others who could identify
her. More generally, HIPAA allows the release of information without the
patient's authorization when, in the medical care providers' best judgment, it is
in the patient's interest. Despite this language, medical care providers are very
reluctant to release information unless it is clearly allowed by HIPAA. In some
cases, hospitals have refused to tell relatives if a patient is in the hospital
because the hospital believed that it would violate HIPAA. While this was
never the intent of HIPAA, this confusion will continue until HHS gives more
detailed information about what the regulations mean in specific situations.