Myth or fact? Patients must OK disclosure of medical information

Tanya Albert Henry , Contributing News Writer

Many physicians are under the impression that HIPAA requires them to get a patient’s authorization to disclose protected health information (PHI) for treatment purposes. That is not always true.

Your Powerful Ally

The AMA helps physicians build a better future for medicine, advocating in the courts and on the Hill to remove obstacles to patient care and confront today’s greatest health crises.

Psychotherapy notes—where specific constraints apply—require this. But HIPAA does not require physicians and other health professionals to obtain “authorization or consent from patients to disclose PHI to another clinician or clinical entity for treatment purposes under HIPAA,” according to the latest research from the AMA through its “Debunking Regulatory Myths” series.

This series aims to provide regulatory clarification to physicians and their care teams. It is part of the AMA’s practice transformation efforts and provides physicians and their care teams with resources to reduce guesswork and administrative burdens so their focus can be on streamlining clinical workflow processes, improving patient outcomes and increasing satisfaction.

Related Coverage

Does that regulation really require extra work? Ask the AMA

The HIPAA Privacy Rule allows these disclosures to facilitate patient care, research on the protected health information myth (PDF) shows. Also, the Department of Health and Human Services (HHS) explains that HIPAA tries to balance safeguarding protective health information with not unnecessarily interfering with a patient’s access to quality health care.

“Many individuals expect that their health information will be used and disclosed as necessary to treat them, bill for treatment and, to some extent, operate the covered entity’s health care business,” the HHS website says. “To avoid interfering with an individual’s access to quality health care or the efficient payment for such health care, the Privacy Rule permits a covered entity to use and disclose protected health information—with certain limits and protections—for treatment, payment and health care operations activities.”

The Code of Federal Regulations outlines when covered entities can use or disclose protective health information for treatment, payment or health care operations, including:

  • Its own treatment, payment or health care operations.
  • Treatment activities of a physician or other health professional.
  • Payment activities of the entity that receives the information.
  • If each entity either has or had a relationship with the individual who is the subject of the PHI being requested, the PHI pertains to such relationship and the disclosure is for one of the first two reasons on this list or if it is for health care fraud and abuse detection or compliance.
  • To another covered entity that participates in the organized health care arrangement for any health care operations activities of the organized health care arrangement.

Among other things, AMA policy affirms several key principles that should be consistently implemented to evaluate any proposal regarding patient privacy and the confidentiality of medical information.

Related Coverage

Refining rules on data release can prevent harm to patients

Find out more with the “AMA Debunking Medical Practice Regulatory Myths Learning Series,” which is available on AMA Ed Hub™ and provides regulatory clarification to physicians and their care teams. For each topic completed, a physician can receive CME for a maximum of 0.25 AMA PRA Category 1 Credit™.

The regulatory myth topics include:

Meanwhile, experts have explored the issue during an “AMA STEPS Forward®️ Podcast” episode “Debunking Regulatory Myths.” AMA member Kevin Hopkins, MD, senior physician adviser for practice transformation at the AMA, and Lindsey Carlasare, AMA research and policy manager, talked about the series, discussed common regulatory myths and shared tools for eliminating guesswork and other administrative burdens. Listen on Apple Podcasts or Spotify.

Physicians can submit questions or ideas they have about regulatory myths by emailing the Debunking Regulatory Myths team. The team will do research to  clarify a myth. If something turns out to not be a myth and really is a regulation that puts unnecessary burden on physicians and their teams, the AMA’s advocacy arm can get involved to push for regulatory change.