UT-Houston Privacy Office - Frequently Asked Questions

Frequently Asked Questions

Question 1: I use and disclose protected health information in a variety of circumstances. When do I need an authorization?

Question 2: Does a physician need a patient's written authorization to send a copy of the patient's medical record to a specialist or other health care provider who will treat the patient?

Question 3: What elements identify Protected Health Information?

QUESTION 1: I use and disclose protected health information in a variety of circumstances. When do I need an authorization?

ANSWER:
An authorization is needed for most uses and disclosures of protected health information that do not fall within treatment, payment, or health care operations.

There are some public policy disclosures where authorization is not needed. These are:

Disclosures authorized by law.

Disclosures for public health activities. These disclosures are generally to public health authorities or other agencies that are authorized by law to collect or receive such data, like the Bureau of Vital Statistics for birth and death records, or the CDC or Health Department for disease reporting. These disclosures also include adverse event reporting to the FDA. Also, public health disclosures include disclosures to a person who has been exposed to a communicable disease.

Disclosures about an individual whom the provider reasonably believes to be a victim of abuse, neglect, or domestic violence. Such disclosures can be made only to government agencies authorized by law to receive such reports, such as public health authorities; social service or protective services agencies; and law enforcement authorities.

Disclosures to a health oversight agency for activities authorized by law. These disclosures would include audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; and civil, administrative, or criminal proceedings or actions. Health oversight is necessary to monitor the health care system as a whole; government benefit programs for which health information is relevant to beneficiary eligibility; entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or entities subject to civil rights laws for which health information is necessary for determining compliance.

Disclosures pursuant to a judicial or administrative proceeding. The Office of Legal Affairs should be contacted immediately if a department receives a request for records pursuant to a subpoena.

Disclosures for law enforcement purposes, to law enforcement officials, but under several sets of limited circumstances. The Privacy Office should be contacted immediately if law enforcement, including UT-Police, requires PHI.

Disclosures about deceased persons for organ or tissue donation, or to a coroner or funeral director.

Disclosures for research purposes if there is a waiver of authorization approved by the Committee for the Protection of Human Subjects presented.

Disclosures to avert a serious, imminent threat to public safety.

And finally, disclosures for specialized governmental functions (national security, about inmates, about military personnel under special circumstances).

Outside of these disclosures, an authorization must be obtained. Also note that for all of these disclosures, except for child and elder abuse reporting, and national security reporting, the disclosures must be accounted for, so the patient may later on determine who has seen his or her medical record without his or her knowledge.

QUESTION 2: Does a physician need a patient's written authorization to send a copy of the patient's medical record to a specialist or other health care provider who will treat the patient?

ANSWER:
No. The HIPAA Privacy Rule and UTHSC-H Policies and Procedures permit a health care provider to disclose protected health information about an individual, without the individual's authorization, to another health care provider for that provider's treatment of the individual. The provider must use reasonable and appropriate safeguards to ensure the privacy of the information. For example, the provider should verify the address or fax number of the person to receive the information.

QUESTION 3: What elements identify Protected Health Information?

ANSWER:
There are 18 elements that can be used as identifiers. They are listed in the Introductory documents located at http://www.uth.tmc.edu/hipaa/intro.htm.

7000 Fannin, Houston TX 77030, Ste. 2385
Phone: 713.500.3391 Fax 713.500.0326
Created through the UT-H Office of Academic Computing Multimedia Scriptorium