IMGMA Q/A: Sharing PHI for Treatment Purposes

by Kim Stanger

Republished with permission from Idaho Medical Group Management Association (MGMA). Original article appeared in Idaho MGMA’s September 2019 e-newsletter.

Question:  May I share records with another healthcare provider without the patient’s authorization?

Answer:  It depends on the purpose.  If the disclosure is for purposes of the patient’s treatment, including continuation of care, then you may disclose the information without the patient’s authorization or consent unless you have agreed otherwise with the patient.  (See 45 CFR 164.522(a)).  The HIPAA privacy rule states, “[a] covered entity may disclose protected health information for treatment activities of a health care provider.”  (45 CFR 164.506(c)(2)). 

Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

Read more

Liability of Business Associates for HIPAA Penalties

The HITECH Act extended certain HIPAA obligations to business associates, including those entities that create, receive, maintain or transmit protected health information (“PHI”) on behalf of covered entities. Business associates who fail to comply with their HIPAA obligations may be directly liable for HIPAA penalties ranging from $114 to $57,0511 per violation.

Read more