When Can PHI Be Released without Authorization?
The major exception to the need for specific authorization for the release of PHI is that medical care providers may release information to other providers and entities who are participating in the patient's care, and to business that provide services for those providers. Physicians do not need a specific authorization to share information with specialty consultants they talk to, with labs performing medical testing, or with a billing service who prepares the physicians' bills. These business that provide services to the medical care providers have to agree to protect the patient's information in the same way that the provider must protect it. This agreement is documented in a HIPAA business association agreement. Determining which outside businesses and consultants may share information under a business associate agreement and how to enforce these agreements has occupied the time of countless medical care attorneys.
HIPAA does not preempt state laws that provide for access to medical records in legal proceedings and for public health and safety. HIPAA allows reporting of communicable diseases, child abuse, violent injuries, and other mandatory public health reports, as well as to prevent crimes by the patient. [ HIPAA Privacy Rule and Public Health - Guidance from CDC and the U.S. Department of Health and Human Services, MMWR 2003;52(Supl) It also allows the discovery of information in legal trials when ordered by the court. Thus a hospital defending a medical malpractice lawsuit would have access to the patient's medical records as ordered by the court or as available under other state laws.
Not surprisingly, HHS excepts its own access to medical information from both the patient authorization requirement and the minimal necessary requirement. This allows the federal government access to medical records to audit for billing fraud, compliance with the Medicare/Medicaid quality assurance rules, and so it assure audit compliance with the HIPAA privacy rule.
HIPAA allows medical information to be released when necessary to identify patients. In one case, a woman without identification was struck by a car and brought into the hospital in a coma. Her picture and medical condition were released to the press to try to find any relatives or others who could identify her. More generally, HIPAA allows the release of information without the patient's authorization when, in the medical care providers' best judgment, it is in the patient's interest. Despite this language, medical care providers are very reluctant to release information unless it is clearly allowed by HIPAA. In some cases, hospitals have refused to tell relatives if a patient is in the hospital because the hospital believed that it would violate HIPAA. While this was never the intent of HIPAA, this confusion will continue until HHS gives more detailed information about what the regulations mean in specific situations.