Non-routine disclosures are instances where protected health information (PHI) is shared in unique or unexpected situations. These disclosures require special consideration before information is shared.
Unlike routine disclosures, which are designed to support healthcare continuity and operations, non-routine disclosures are not linked to a patient's immediate care or organizational needs. These could include uses of PHI for marketing, which are less frequent.
According to the HHS summary of the Privacy Rule, “For non-routine, non-recurring disclosures, or requests for disclosures that it makes, covered entities must develop criteria designed to limit disclosures to the information reasonably necessary to accomplish the purpose of the disclosure and review each of these requests individually by the established criteria.”
Because these disclosures are not common, patient consent is usually required before information is shared. Other disclosures, such as those to law enforcement or public health authorities, are, on the other hand, examples of non-routine disclosures that do not require patient consent.
The minimum necessary standard requires covered entities to make reasonable efforts to limit the disclosure of PHI to the least amount required. As NYU Langone states, “...reasonable efforts will be made to limit the amount of PHI to the minimum necessary to accomplish the intended purpose of the Use or Disclosure (i.e., the minimum necessary standard)...”. Non-routine disclosures often involve sharing sensitive information for less predictable purposes.
These disclosures usually require careful assessment to determine exactly what information is relevant and necessary for the intended purpose. The failure to apply this standard can lead to the disclosure of too much information that could compromise patient privacy.
The minimum necessary standard
Use HIPAA compliant email
Confirm the recipients' identity and authority
Mark emails as confidential
Avoid personal devices when possible
The Health Insurance Portability and Accountability Act is a law designed to protect the medical information of individuals.
Any data about a patient's health, treatment, or payment that can identify them, like records or insurance information.
Treatment, payment, or healthcare operations are the main reasons providers can share PHI without patient permission.