The HIPAA Privacy Rule provisions addressing business associate agreements, and the provisions regulating the ability of individuals to access protected health information, both address the subject of HIPAA confidentiality.
Business Associate Agreements
Business associate agreements are required, binding contracts between covered entities and business associates. These agreements, called BAAs, address the obligations of covered entities and business associates with respect to protected health information. A BAA must be executed by both entities before any PHI may be shared, exchanged, or transmitted between them. The agreement outlines how the business associate will protect the PHI provided by the covered entity, as well as what safeguards the business associate will use to ensure the PHI is not inappropriately disclosed.
The HIPAA Privacy Rule states that the contract or agreement may permit the business associate to use the PHI it receives in its capacity as a business associate, for:
- The proper management and administration of the business associate; and
- Carrying out the legal responsibilities of the business associate.
The business associate may use the PHI for these purposes, if, and only if:
- The business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person; and
- The person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached.
Ability of Individuals to Access PHI
The HIPAA Privacy Rule provides that individuals have a right of access to inspect and obtain a copy of protected health information contained in their medical records. In some instances, a covered entity may deny individual access, without having to provide the individual an opportunity to have that denial decision reviewed.
Unreviewable grounds for denial exist, in part, to foster HIPAA confidentiality. For example, a covered entity may deny access if the protected health information was obtained by someone other than a healthcare provider under a promise of confidentiality, and the access requested would be reasonably likely to reveal the source of the information. This provision exists to allow non-healthcare providers to confidentially transmit information to covered entities without the non-healthcare provider having to fear that he or she will be revealed as the source of the information.
When Does HIPAA Confidentiality Not Apply?
In a number of circumstances, HIPAA permits healthcare providers to disclose protected health information. For example, the Privacy Rule permits doctors or other healthcare practitioners to share information that is directly relevant to the involvement of a spouse, family members, friends, or other people identified by a patient. If the patient has the capacity to make healthcare decisions, the doctor may discuss this information with the family or others present if the patient agrees or, when given the opportunity, does not object. Even when the patient is not present or it is not practical to ask the patient’s permission because of emergency or incapacity, a doctor may share this information with family members or friends when, in exercising professional judgment, the doctor determines that doing so would be in the best interest of the patient.
A covered entity may also:
- Disclose PHI to a law enforcement official who is reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public.
- Report PHI that the covered entity in good faith believes to be evidence of a crime that occurred on the premises of the covered entity.
- Divulge PHI to law enforcement to alert law enforcement to an individual’s death, where there is a suspicion that the death resulted from criminal conduct.
In some instances, a healthcare provider must divulge PHI. For example, healthcare providers who notice medical signs of child, adult, or elder mistreatment, abuse, or neglect, must normally report such information to protective services or to the police.