Exceptions to Privacy – Protected Health Information

Are you HIPAA compliant? Are you sure?

There are situations in which you can use or disclose Protected Health Information without a signed authorization. As we previously discussed, patients (or in some cases their caregivers) always have the Right of Access.

Next, there are what are known as T-P-O exceptions. They are:

TREATMENT – Dental offices can communicate and coordinate treatment with other healthcare providers for the care of a common patient. Dentists can communicate with other healthcare providers regarding a patient, or refer patients to other providers, without a written authorization from the patient/caregiver.

PAYMENT – Dental offices are allowed to communicate PHI to obtain payment or be reimbursed for their services (keeping in mind, of course, the minimum necessary principle). Keep in mind that this exception will not apply in the event that a patient pays for their treatment (in full, out of pocket) and has provided you a written restriction prohibiting you from disclosing treatment provided to their insurance company (outside of government-funded programs). Common payment activities include, but are not limited to:

  • Determining eligibility or coverage under a plan and adjudicating claims;
  • Billing and collection activities; and
  • Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).

OPERATIONS (Healthcare Operations) – certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities include:

  • Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination;
  • Reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities;
  • Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs;
  • Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and
  • Business management and general administrative activities, including those related to implementing and complying with federal and state privacy and information security regulations, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

Other situations where you can (in some cases shall) disclose Protected Health Information without a written authorization include:

  1. When required by law (receipt of subpoena)
  2. Public Health Activities (diagnosis of infectious disease reporting to public health)
  3. Victims of abuse, neglect, or domestic violence (dentists and staff are mandatory reporters)
  4. Health Oversight Activities (regulatory board authority)
  5. Legal Proceedings (testimony)
  6. Law Enforcement Purposes (to identify a suspect or victim of a crime)
  7. Decedents (records to medical examiner)

As you can see, there are a lot of situations that allow for the use or disclosure of PHI without written authorization. While there is a lot of latitude, it is easy to run afoul of HIPAA and violate it by mistake. If you are not absolutely certain you can use or disclose PHI, you should consult your written policies and/or compliance advisors BEFORE using PHI or making the disclosure.

Dental Compliance Specialists, LLC is the Premier Dental Health Compliance and Quality Assurance provider in the country. We help Dentists develop and maintain compliance programs with the goal of keeping them out of the regulatory limelight. We have in-office and virtual programs all catered to the Provider’s specific needs. Dental Healthcare Compliance includes: DEA, ICE/Homeland Security, OIG, OSHA, HIPAA, Infection Control, Auditing and Monitoring, Record Auditing, employee training, Radiology Compliance, Medicaid Compliance and more… It’s not just about OSHA anymore!