In a new fact sheet, the U.S. Department of Health and Human Services (HHS) clarifies when a covered entity (CE) may use and disclose a patient’s health information without prior authorization from the patient.

CEs include hospitals and other providers, health plans, and health care clearinghouses. Under the Health Insurance Portability and Accountability Act (HIPAA), CEs must follow strict guidelines to ensure the privacy and security of protected health information (PHI).

The updated guidance states that CEs are not required to receive prior authorization from the patient when the use and disclosure of PHI is for treatment of the patient or quality and other health care operations. When another CE requests PHI for its own health care operations, the disclosing CE may provide the PHI if the request meets three conditions:

  • Both the disclosing CE and the recipient CE have a current or past relationship with the patient.
  • The PHI requested is associated with that relationship.
  • The disclosing CE limits the information transmitted to only what is necessary for the health care operations in question.

The document also provides examples of treatment and health care operations. For example, sharing of PHI among hospitals for quality improvement activities would be considered health care operations.

Contact Director of Policy Erin O’Malley at eomalley@essentialhospitals.org or 202.585.0127 with questions.