HIPAA Tip: When It's OK to Share
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that sets rules about who can look at and receive an individual’s health information.
“Covered entities” that must follow the HIPAA regulations include health plans, most healthcare providers, and healthcare clearinghouses. Business associates of covered entities also must follow parts of the HIPAA regulations.
“Business associates” are generally contractors, subcontractors, and other outside persons and companies that need to be able to access individual health records held by a covered entity to provide a service. Examples of business associates include:
- Billing companies
- Companies that help administer health plans
- Lawyers, accountants, and IT specialists
- Data management companies
These covered entities and business associates must follow HIPAA regulations or face heavy fines and other penalties.
Generally, a covered entity cannot use or share an individual’s health information without written permission, unless the law allows for it.
Examples of when a provider can share patient information without written consent include:
- When the information is necessary to provide treatment.
- When not disclosing it would interfere with a disaster relief organization’s ability to respond to an emergency.
- As necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public.
- To relay information about a patient’s location in the facility and general condition.
Providers also may share patient information to the extent necessary to seek payment for services rendered.