I recently heard this phrase and wondered what is meant by “HIPAA permissions?” HIPAA, or the Health Insurance Portability and Affordability Act, creates both obligations and rights for “covered entities.” I think what people are talking about when they say, “HIPAA permissions” are the several rights that HIPAA conveys on covered entities to use and disclose “Protected Health Information” (PHI) without having to obtain a signed authorization from the patient or insurance enrollee.
HIPAA Privacy and Security Rule Fundamentals
Before diving into the HIPAA permissions, it is necessary to define the term “covered entity.” As a health and wellness lawyer, I can’t tell you how many times in my legal career that I have encountered people who assume HIPAA applies to everyone and everything. It doesn’t. Not even close. HIPAA applies only to “covered entities,” of which there are three types:
- Health plans
- Health care clearinghouses; and;
- Health care providers who conduct “standard transactions.”
HIPAA security rules, and some privacy rules, also apply to “Business Associates” of covered entities, which are contractors who perform services for covered entities and need access to PHI to perform those services (i.e., they are NOT employees of the covered entity). See 45 CFR § 160.103 (definition of “Business Associate”).
For purposes of this blog, we will focus on covered entities. The one type of covered entity that confuses people the most is “health care provider.” To be subject to HIPAA privacy and security regulation compliance, the provider must transmit health information in electronic form in connection with a transaction covered by HIPAA. 45 CFR § 160.103 (definition of “covered entity”).
What are Standard Transactions?
According to the Centers for Medicare and Medicaid Services (CMS), standard transactions are standardized specifications for electronic transactions used in the electronic exchange of health care data. The adopted transactions include:
- Health care claim X12N 837 transaction
- Health care claim payment advice X12N 835 transaction
- Health care claim status request/notification X12N 276/277 transaction
- Eligibility, coverage, or benefit inquiry/information X12N 270/271 transaction
- Benefit enrollment and maintenance X12N 834 transaction
- Health care service review information X12N 278 transaction
- Payment order/remittance advice X12N 820 transaction
CMS requires covered entities to use these adopted standards when conducting electronic transactions.
Many health and wellness providers do not conduct standard transactions because they are cash-based and don’t file insurance claims. As a result, most alternative care, functional medicine, integrative health, holistic health and wellness providers do not qualify as a HIPAA covered entity and therefore are not subject to HIPAA privacy and security rule compliance. This surprises many health and wellness providers. Nevertheless, many health and wellness providers choose to adopt HIPAA privacy and security standards as a best practice, including asking clients or patients to sign a HIPAA authorization to release PHI to third parties, even though one may not be needed.
Permitted Uses under HIPAA
Regardless of whether you are subject to HIPAA privacy and security rule compliance or choose to adopt HIPAA standards voluntarily, it is important to be aware of those circumstances when a client or patient authorization is not needed in advance to use and disclose PHI. Those HIPAA permissions are as follows:
- Disclosures to Patients. Covered entities can disclose to patients the patient’s own PHI. A patient does not need to sign a HIPAA authorization to get access to their own PHI. 45 CFR § 164.502(a)(1)(i)
- TPO Uses and Disclosures. Covered entities can use and disclose PHI for purposes of treatment, payment, or healthcare operations of the covered entity. For example, covered entities can share PHI with other healthcare professionals who are treating the patient, without getting the patient’s prior authorization. Covered entities can also share PHI with a patient’s health insurer so that the provider can get paid for the services. Finally, covered entities can use and disclose a patient’s PHI to help improve quality of care, alert patients to services in which they might be interested, or defend themselves in a lawsuit. None of these uses and disclosures require a patient’s written permission before using the PHI in those ways. 45 CFR § 164.502(a)(1)(ii).
- Disclosures to Family and Friends when Good Judgment Calls For It. Most of the time patients have the right to give permission to covered entities to talk to their family and friends about the patient’s health. But, when the patient is unconscious or otherwise unable to communicate, a covered entity may use their good judgment and decide without the patient’s advance written permission to talk to the patient’s family and friends. 45 CFR § 164.502(a)(1)(v).
- Incidental Uses and Disclosures. Sometimes it’s almost impossible to shield PHI from being used or disclosed, despite a covered entity’s best efforts. Even if a covered entity is careful to hold conversations about a patient in private, people may still overhear, for example. These are incidental uses and disclosures of PHI and do not require the covered entity to obtain prior written authorization from the patient. 45 CFR § 164.502(a)(1)(iii).
- Disclosures for the Benefit of the Public Interest. Sometimes covered entities must disclose PHI to the government because the safety and health of others might be at risk. So, disclosures to public health agencies, law enforcement agencies or other government agencies for purposes of compliance with the law may occur without the patient’s prior permission. 45 CFR § 164.502(a)(1)(vi).
- Limited Data Set. HIPAA allows covered entities to disclose PHI for purposes of research, public health or healthcare operations without a patient’s written permission if the covered entity has entered into a “Data Use Agreement” and discloses only a “Limited Data Set.” Limited Data Sets exclude certain patient identifiers, such as the patient’s name, address, telephone number, email address, social security number, license numbers, IP address, biometric identifiers, to name a few of the exclusions. The Data Use Agreement spells out exactly how the recipient of the PHI can use the PHI and requires the recipient to promise to keep the PHI confidential and secure 45 CFR § 164.514(e)(1).
Even though many health and wellness providers are not subject to HIPAA compliance, it is still a good idea to understand HIPAA permitted uses and disclosures and to adopt HIPAA standards when possible. Health and wellness providers who do not bill insurance may not be subject to rigorous security and breach rules, but they can give their clients peace of mind by voluntarily adopting these standards. The Center for Health and Wellness Law, LLC is here to help health and wellness providers succeed in delivering their wellness services in the most compliant and sensible way possible.