The key difference between "use" and "disclosure" of PHI lies in whether the information is shared internally within the same organization (use) or with external entities (disclosure).
Protected health information (PHI) refers to any health information that can be used to identify an individual and is linked to their health status, care, or payment for healthcare services. This includes personal details like names, addresses, medical records, treatment plans, test results, and billing information.
The HIPAA Privacy Rule “requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization.” To understand how PHI is handled and to adhere to HIPAA regulations, covered entities must distinguish between its "use" and "disclosure," because the two actions are subject to different regulations and guidelines under HIPAA.
The term "use" refers to the internal handling, sharing, and accessing of PHI within the same covered entity or organization.
For example, a doctor may "use" a patient’s PHI to make a diagnosis or treatment decision. Similarly, a hospital may "use" patient information to assess the quality of care provided, track healthcare outcomes, or train new staff members. Essentially, any time PHI is used internally for the purposes of care, treatment, payment, or operational activities, it is considered a "use."
In contrast, "disclosure" refers to the sharing of PHI with someone outside of the covered entity or organization that holds the information. A disclosure involves providing access to PHI to external individuals or entities for various purposes, such as treatment, payment, or legal requirements.
For example:
Unlike "use," which remains within the organization, "disclosure" involves communication of PHI to external parties, and it typically requires the patient’s consent or authorization, except in certain legal circumstances.
Yes, PHI can be used within the healthcare organization for treatment, payment, and healthcare operations without patient consent, as allowed under HIPAA regulations. However, for disclosures outside the organization, patient consent is typically required unless specific legal exceptions apply.
Patients can protect their PHI by understanding their rights under HIPAA, such as the right to access their health information, request corrections, and be informed about how their PHI is used and disclosed. They should also be aware of any instances where their consent may be required for disclosures.
Yes, a patient can revoke consent for the use or disclosure of their PHI at any time. However, this revocation does not apply retroactively and cannot affect PHI that has already been used or disclosed based on prior consent.