Nontreatment uses of patient data are generally handled by administrative staff for purposes like billing or marketing. These administrative purposes require consent and additional safeguards.
Protected health information (PHI) is generally used to provide, coordinate, or manage an individual's healthcare. In this case, PHI serves the function of diagnosis and treatment. Nontreatment uses of PHI, on the other hand, include further related activities like healthcare operations, marketing, fundraising, and public health reporting.
While nontreatment-related uses of PHI can vary widely, they are differentiated by the provisions within Section 164.506, which defines permissible uses of PHI without patient authorization. An example of this is in the HHS guidance, which states, “A covered entity may, without the individual’s authorization…Use or disclose protected health information for its own treatment, payment, and health care operations activities.”
Thus, while treatment-related disclosures and uses are necessary for patient care, payments and healthcare operations also fall under permissible uses of PHI, although they aren’t directly linked to diagnosis and treatment. These activities, like billing or administrative tasks, are still necessary to support the delivery of healthcare services.
Other nontreatment uses of PHI, like marketing, however, require patient authorization prior to use, as well as disclosure of the purposes for which the information will be used. These uses also differ from permissible uses in that they require additional safeguards.
Regular training and awareness programs:
Encrypted communication:
Establish clear policies for nontreatment uses of PHI:
Limit PHI sharing to the minimum necessary:
Formal permission a patient provides before their PHI can be used or disclosed.
General agreement from the patient allowing for their PHI to be used or shared within specific guidelines.
Any unauthorized uses or releases of PHI that violate HIPAA.