Client Authorization is Not Required for These Key Activities

A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities.

A covered entity also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities have or had a relationship with the individual, and the protected health information pertains to the relationship.

  • Treatment is the provision, coordination, or management of health care and related services for an individual by one or more health care providers, including consultation between providers regarding a patient, and referral of a patient by one provider to another.
     
  • Payment encompasses activities of a health plan to obtain premiums, determine or fulfill responsibilities for coverage and provision of benefits, and furnish or obtain reimbursement for health care delivered to an individual, and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual.
     
  • Health care operations are any of the following activities:
    • quality assessment and improvement activities, including case management and care coordination;
    • competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation;
    • conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs;
    • specified insurance functions, such as underwriting, risk rating, and reinsuring risk;
    • business planning, development, management, and administration; and
    • business management and general administrative activities of the entity, including but not limited to de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.

Psychotherapy Notes

A covered entity must obtain an individual’s authorization to use or disclose psychotherapy notes with the following exceptions:

  • The covered entity that originated the notes may use them for treatment.
     
  • A covered entity may use or disclose the psychotherapy notes without an individual’s authorization for its own training, to defend itself in legal proceedings brought by the individual, for HHS investigations or to determine the covered entity’s compliance with the Privacy Rules, to avert a serious and imminent threat to public health or safety, to a health oversight agency for lawful oversight of the originator of the psychotherapy notes, for the lawful activities of a coroner or medical examiner, or as required by law.


From “Summary of the HIPAA Privacy rule” from Department of Health and Human Services’ Office of Civil Rights.