Patient authorization exceptions

Under HIPAA, patient authorization exceptions allow protected health information (PHI) disclosure without consent for treatment, payment, and healthcare operations (TPO); public health reporting; research with safeguards; law enforcement; judicial proceedings; emergencies; preventing serious threats; identifying deceased individuals; workers' compensation; and sharing information with a minor's guardians. 

 

Understanding HIPAA authorization

According to the HHS, "The covered entity must obtain the individual's authorization, unless the disclosure is otherwise permitted by another provision of the Privacy Rule". HIPAA authorization is a formal, written permission from a patient allowing a covered entity to use or disclose their PHI for specific purposes. A valid authorization must include:

  • Description of PHI: Specific health information to be used or disclosed.
  • Authorized party: Person or organization authorized to receive the PHI.
  • Purpose of disclosure: Reason for sharing the PHI.
  • Expiration date: End of the authorization period.
  • Signature and date: The patient’s or legal representative’s signature and date.
  • Providing a copy: The patient or representative must receive a copy of the signed authorization.

Categories of exceptions:

Permitted uses and disclosures

Treatment, payment, and healthcare operations (TPO)

  • Treatment: PHI can be shared among healthcare providers involved in a patient’s care, such as between a primary care physician and a specialist.
  • Payment: PHI can be used for billing and payment purposes, including claims processing and coordination of benefits.
  • Healthcare operations: PHI can be used for activities related to healthcare quality improvement, such as conducting training programs, compliance audits, and customer service.

Public health activities

Under HIPAA, PHI can be disclosed without patient authorization for public health activities. That includes reporting diseases and events like births and deaths to public health authorities. Additionally, PHI can be used for public health interventions and surveillance, such as monitoring and controlling the spread of diseases, ensuring timely and effective responses to public health threats.

 

Research

HIPAA allows PHI to be disclosed for medical research under certain conditions, often requiring approval from an Institutional Review Board (IRB) or Privacy Board. Researchers must ensure that they minimize the privacy risks and that the benefits outweigh the risks.

Law enforcement purposes

The HHS states that "Covered entities may use and disclose protected health information without individual authorization as required by law (including by statute, regulation, or court orders)." These disclosures must comply with state and federal laws.

 

Judicial and administrative proceedings

PHI can be disclosed in response to court orders or subpoenas, with certain conditions and limitations. These disclosures should be limited to the scope of the request and follow due process.

 

Other exceptions

  1. Emergencies: In emergency treatment situations, healthcare providers can disclose PHI without patient authorization, but only under conditions where they cannot obtain patient consent in time.
  2. Serious threat to health or safety: HIPAA allows PHI disclosure to prevent or lessen a serious threat to the health or safety of the patient or others in situations involving imminent threats. That includes reporting a patient’s intention to harm themselves or others.
  3. Deceased individuals: PHI can be used to identify or locate deceased persons, for death investigations, or to notify family members. Information can also be shared with coroners, medical examiners, and funeral directors.
  4. Workers' compensation: Healthcare organizations can share PHI for workers' compensation claims as required by law. That allows employers and insurers to process claims and ensure injured workers receive appropriate benefits.
  5. Minors: Providers can share PHI with parents or guardians about a minor’s treatment, subject to state laws and specific conditions. However, in some cases, minors may have the right to consent to their treatment without parental involvement.

Minimum necessary standard

Even when PHI can be disclosed without authorization, the minimum necessary rule applies. Covered entities must make reasonable efforts to use, disclose, or request only the minimum amount of PHI needed for the intended purpose. That ensures that patient privacy is maintained to the greatest extent possible. 

FAQs

Can PHI be disclosed to third-party business associates without patient authorization?

Yes, PHI can be disclosed to third-party business associates for services like billing or data analysis, provided there is a signed business associate agreement (BAA) ensuring the associate will safeguard the PHI.

 

Is patient authorization needed for sharing PHI with social services?

Patient authorization is not required for sharing PHI with social services if it is necessary to protect the patient from harm or to facilitate treatment, care coordination, or case management activities.

 

Are psychotherapy notes subject to the same authorization requirements as other PHI?

Psychotherapy notes have stricter requirements. They require patient authorization for most uses and disclosures, except for certain treatment, payment, and healthcare operations, or if required by law.