Can you sell PHI?

Written by Tshedimoso Makhene | Dec 31, 2024 12:31:22 AM

Selling protected health information (PHI) is a sensitive topic that has legal, ethical, and practical concerns. Under the Health Insurance Portability and Accountability Act (HIPAA), the sale of PHI is strictly regulated, and unauthorized transactions can lead to severe penalties.

What HIPAA says about selling PHI

According to the U.S. Department of Health and Human Services (HHS), “The Privacy Rule prohibits you from selling PHI unless you obtain an authorization stating that you will receive remuneration from making the disclosure.”

Key points about selling PHI

Written authorization

Covered entities and business associates must obtain explicit, written consent from the individual whose information is being sold. This authorization must detail:

  • The purpose of the sale.
  • The recipient of the PHI.
  • The specific information to be disclosed.

Fair compensation vs. profit

HIPAA allows for cost-based remuneration in cases where PHI is disclosed. For example, charging for the labor involved in transferring records is acceptable. However, transactions aiming for profit are not permitted under the law.

Best practices for compliance

  • Understand HIPAA regulations: Ensure your organization is well-versed in HIPAA rules and exceptions.
  • Obtain consent: When in doubt, secure written authorization before disclosing PHI.
  • Implement safeguards: Use robust data protection measures to prevent unauthorized access or misuse of PHI.
  • Seek legal advice: Consult legal or compliance experts to navigate complex situations involving PHI.

FAQs

What is considered the sale of PHI under HIPAA?

The sale of PHI involves disclosing PHI in exchange for direct or indirect payment or remuneration. This includes any transaction where PHI is exchanged for monetary or non-monetary value.

How can organizations ensure compliance with HIPAA when handling PHI?

Organizations should understand HIPAA regulations, implement robust safeguards, obtain written authorization when necessary, and seek legal advice to navigate complex scenarios.