Exceptions to Privacy- Protected Health Information

Exceptions to Privacy- Protected Health Information

Are you HIPAA compliant? Are you sure?

There are situations that you can use or disclose Protected Health Information and you do not need a signed authorization to do so. Patients (or in some cases their caregivers) always have the Right of Access.

Next, there are what are known as T-P-O exceptions. They are:

TREATMENT – Dental offices can communicate/ coordinate treatment with other healthcare providers for the care of a common patient, dentists can communicate with other healthcare providers regarding a patients, or refer patients to other providers without a written authorization from the patient/caregiver.

PAYMENT – Dental offices are allowed to communicate PHI to obtain payment or be reimbursed for their services (keeping in mind, of course, the minimum necessary principle). Keep this mind this exception will not apply in the event that a patient pays for their treatment (in full, out of pocket) and has provided you a written restriction prohibiting you for disclosing treatment provided to their insurance company (outside of government-funded programs). Common payment activities which include, but are not limited to:

  • Determining eligibility or coverage under a plan and adjudicating claims;
  • Billing and collection activities; and
  • Disclosures to consumer reporting agencies (limited to specified identifying information about the individual, his or her payment history, and identifying information about the covered entity).

OPERATIONS (Healthcare Operations) – certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. These activities include:

  • Conducting quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, and case management and care coordination;
  • Reviewing the competence or qualifications of health care professionals, evaluating provider and health plan performance, training health care and non-health care professionals, accreditation, certification, licensing, or credentialing activities;
  • Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs;
  • Business planning and development, such as conducting cost-management and planning analyses related to managing and operating the entity; and
  • Business management and general administrative activities, including those related to implementing and complying with federal and state privacy and information security regulations, customer service, resolution of internal grievances, sale or transfer of assets, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.

     Other situations where you can (in some cases shall) disclose Protected Health Information without a written authorization include:

  1. When required by law (receipt of subpoena)
  2. Public Health Activities (diagnosis of infectious disease reporting to public health)
  3. Victims of abuse, neglect, or domestic violence (dentists and staff are mandatory reporters)
  4. Health Oversight Activities (regulatory board authority)
  5. Legal Proceedings (testimony)
  6. Law Enforcement Purposes (to identify a suspect or victim of a crime)
  7. Decedents (records to medical examiner)

     As you can see there are a lot of situations that allow for the use or disclosure of PHI without written authorization. While there is a lot of latitude is it easy to run afoul and violate HIPAA by mistake. If you are not absolutely certain you can use or disclose PHI you should consult your written policies and/or compliance advisors BEFORE using PHI or making the disclosure.

Make today your greatest ever!

- Tink


Duane Tinker (aka The Toothcop)
Chief Consultant 
Dental Compliance Specialists

Dental Compliance Specialists helps make dental offices safer for patients, dentists and their employees. We help our clients develop and maintain their compliance programs including OSHA/Infection Control, HIPAA, DEA regulations and prescribing practices, Radiation Safety, OIG/Medicaid Compliance, Record Auditing, and more by providing actionable systems, easy-to-use tools, robust training, and accountability. Most of our clients have never been in trouble and want to keep it that way. Sometimes, though, dentists call when they are in trouble. In either case, we are there to make a meaningful difference. If you need help call us at 817-755-0035.

Previous Article Next Article