Myth or fact? Patients must OK disclosure of medical information

Many physicians are under the impression that HIPAA requires them to get a patient’s authorization to disclose protected health information (PHI) for treatment purposes. That is not always true.

Psychotherapy notes—where specific constraints apply—require this. But HIPAA does not require physicians and other health professionals to obtain “authorization or consent from patients to disclose PHI to another clinician or clinical entity for treatment purposes under HIPAA,” according to the latest research from the AMA through its “Debunking Regulatory Myths” series.

This series aims to provide regulatory clarification to physicians and their care teams. It is part of the AMA’s practice transformation efforts and provides physicians and their care teams with resources to reduce guesswork and administrative burdens so their focus can be on streamlining clinical workflow processes, improving patient outcomes and increasing satisfaction.

The HIPAA Privacy Rule allows these disclosures to facilitate patient care, research on the protected health information myth (PDF) shows. Also, the Department of Health and Human Services (HHS) explains that HIPAA tries to balance safeguarding protective health information with not unnecessarily interfering with a patient’s access to quality health care.

“Many individuals expect that their health information will be used and disclosed as necessary to treat them, bill for treatment and, to some extent, operate the covered entity’s health care business,” the HHS website says. “To avoid interfering with an individual’s access to quality health care or the efficient payment for such health care, the Privacy Rule permits a covered entity to use and disclose protected health information—with certain limits and protections—for treatment, payment and health care operations activities.”

The Code of Federal Regulations outlines when covered entities can use or disclose protective health information for treatment, payment or health care operations, including:

• Its own treatment, payment or health care operations.
• Treatment activities of a physician or other health professional.
• Payment activities of the entity that receives the information.
• If each entity either has or had a relationship with the individual who is the subject of the PHI being requested, the PHI pertains to such relationship and the disclosure is for one of the first two reasons on this list or if it is for health care fraud and abuse detection or compliance.
• To another covered entity that participates in the organized health care arrangement for any health care operations activities of the organized health care arrangement.

Among other things, AMA policy affirms several key principles that should be consistently implemented to evaluate any proposal regarding patient privacy and the confidentiality of medical information.

Find out more with the “AMA Debunking Medical Practice Regulatory Myths Learning Series,” which is available on AMA Ed Hub™ and provides regulatory clarification to physicians and their care teams. For each topic completed, a physician can receive CME for a maximum of 0.25 AMA PRA Category 1 Credit™.

The regulatory myth topics include:

• “Are Clinical Support Staff Required to Log Out of EHR Between Documentation?”
• “Are Verbal Orders Prohibited?”
• “Can Physicians Bill for Both Preventive and Evaluation and Management (E/M) Services During the Same Visit?” 
• “Are Physicians Prohibited from Responding to Online Patient Reviews?” 
• “Are Physicians Required to Document Time Spent on Each Task Associated With an Outpatient Visit?”

Meanwhile, experts have explored the issue during an “AMA STEPS Forward^®️ Podcast” episode “Debunking Regulatory Myths.” AMA member Kevin Hopkins, MD, senior physician adviser for practice transformation at the AMA, and Lindsey Carlasare, AMA research and policy manager, talked about the series, discussed common regulatory myths and shared tools for eliminating guesswork and other administrative burdens. Listen on Apple Podcasts or Spotify.

Physicians can submit questions or ideas they have about regulatory myths by emailing the Debunking Regulatory Myths team. The team will do research to  clarify a myth. If something turns out to not be a myth and really is a regulation that puts unnecessary burden on physicians and their teams, the AMA’s advocacy arm can get involved to push for regulatory change.