Nontreatment uses of patient data are generally handled by administrative staff for purposes like billing or marketing. These administrative purposes require consent and additional safeguards.
How HIPAA governs the use of PHI for nontreatment purposes
Protected health information (PHI) is generally used to provide, coordinate, or manage an individual's healthcare. In this case, PHI serves the function of diagnosis and treatment. Nontreatment uses of PHI on the other hand include further related activities like healthcare operations, marketing, fundraising, and public health reporting.
While nontreatment-related uses of PHI can vary widely they are distinctly differentiated by the provisions within Section 164.506, which defines permissible uses of PHI without patient authorization. An example of this is in the HHS guidance which states, “A covered entity may, without the individual’s authorization…Use or disclose protected health information for its own treatment, payment, and health care operations activities.”
Thus, while treatment-related disclosures and uses are necessary for patient care, payments, and healthcare operations also fall under permissible uses of PHI, although they aren’t directly linked to diagnosis and treatment. These activities, like billing or administrative tasks, are still necessary to support the delivery of healthcare services.
Other nontreatment uses of PHI like marketing however require patient authorization prior to its use as well as the disclosure of the purposes for which the information will be used. These uses are also different from permissible uses as they require additional safeguards.
Best practices using PHI for nontreatment purposes
Regular training and awareness programs:
- Provide ongoing training for all employees centered around the need to protect PHI and focus on handling this information in marketing and administrative tasks.
Encrypted communication:
- Make use of secure and encrypted methods of communication, like HIPAA compliant email to share PHI.
- Train administrative staff on secure email practices and how to safely include PHI in emails.
Establish clear policies for nontreatment uses of PHI:
- Develop policies outlining the acceptable uses and disclosures of PHI for nontreatment purposes.
Limit PHI sharing to the minimum necessary:
- Always apply the minimum necessary standards so that the applicable information is shared.
FAQs
What are patient authorizations?
Formal permission a patient provides before their PHI can be used or disclosed.
What is consent?
General agreement from the patient allowing for their PHI to be used or shared within specific guidelines.
What are impermissible disclosures of PHI?
Any unauthorized uses or releases of PHI that violate HIPAA.