Must the patient authorize every release of PHI?
A covered entity may disclose protected health information without patient authorization for purposes of treatment, payment, or health care operations. These include:
- A covered entity may use or disclose PHI for its own treatment, payment, or health care operations.
- A covered entity may disclose PHI for treatment activities of a health care provider.
- A covered entity may disclose PHI to another covered entity or a health care provider for the payment activities of the entity that receives the information.
- A covered entity may disclose PHI to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the PHI being requested, the protected health information pertains to such relationship, and the disclosure is (i) For a purpose listed in paragraph (1) or (2) of the definition of health care operations under § 164.501; or (ii) For the purpose of health care fraud and abuse detection or compliance.
- A covered entity that participates in an organized health care arrangement may disclose PHI about an individual to another covered entity that participates in the organized health care arrangement for any health care operations activities of the organized health care arrangement.









