by Kim Stanger
Republished with permission from Idaho Medical Group Management Association (MGMA). Original article appeared in Idaho MGMA’s September 2019 e-newsletter.
Question: May I share records with another healthcare provider without the patient’s authorization?
Answer: It depends on the purpose. If the disclosure is for purposes of the patient’s treatment, including continuation of care, then you may disclose the information without the patient’s authorization or consent unless you have agreed otherwise with the patient. (See 45 CFR 164.522(a)). The HIPAA privacy rule states, “[a] covered entity may disclose protected health information for treatment activities of a health care provider.” (45 CFR 164.506(c)(2)).
Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.
(45 CFR 164.501). The Office for Civil Rights (“OCR”) issued the following relevant FAQs:
Does the HIPAA Privacy Rule permit doctors, nurses, and other health care providers to share patient health information for treatment purposes without the patient’s authorization?
Answer:
Yes. The Privacy Rule allows those doctors, nurses, hospitals, laboratory technicians, and other health care providers that are covered entities to use or disclose protected health information, such as X-rays, laboratory and pathology reports, diagnoses, and other medical information for treatment purposes without the patient’s authorization. This includes sharing the information to consult with other providers, including providers who are not covered entities, to treat a different patient, or to refer the patient. See 45 CFR 164.506.
Are health care providers restricted from consulting with other providers about a patient’s condition without the patient’s written authorization?
Answer:
No. Consulting with another health care provider about a patient is within the HIPAA Privacy Rule’s definition of “treatment” and, therefore, is permissible. In addition, a health care provider (or other covered entity) is expressly permitted to disclose protected health information about an individual to a health care provider for that provider’s treatment of the individual. See 45 CFR 164.506.
Does a physician need a patient’s written authorization to send a copy of the patient’s medical record to a specialist or other health care provider who will treat the patient?
Answer:
No. The HIPAA Privacy Rule permits a health care provider to disclose protected health information about an individual, without the individual’s authorization, to another health care provider for that provider’s treatment of the individual. See 45 CFR 164.506 and the definition of “treatment” at 45 CFR 164.501.
Of course, the foregoing rules simply allow you to share the information; it does not require you to share the information without the patient’s consent. Accordingly, you may adopt a policy of requiring patient consent before providing such records. Just remember: what goes around comes around, so others may reciprocate by refusing to provide records to you without the patient’s consent, which may inhibit effective care. Also, remember that if a patient requests that you transfer the records to another provider or third party, you generally must do so; failure to comply may subject you to HIPAA sanctions as well as Board of Medicine discipline. (See 45 CFR 164.524; IDAPA 22.01.01.100.03.g).