Privacy Tip of the Week
Covered Entity Disclosure of PHI
Question:
Can a covered entity disclose protected health information to family, friends, or others directly involved in the patient’s or member’s care or payment?
Answer:
HIPAA permits covered entities to disclose certain information to a family member, relative, close friend, or other person identified by the individual. Only the protected health information directly relevant to such person’s involvement with the individual’s care (or payment related to the individual’s health care) may be shared. If the individual is present and has the capacity to make health care decisions, the covered entity may disclose information to those involved in providing care to the individual if the covered entity does any one of the following:
- Obtains the individual’s agreement either orally or in written form;
- Provides the individual with the opportunity to opt out; or reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object.
If an individual objects, the covered entity is prohibited from sharing health information with the patient’s friends or relatives. When the individual is not present, the covered entity may use its best professional judgment and experience with common practice in deciding whether a disclosure is appropriate. A pharmacist, for example, generally may allow a person to act on behalf of the individual to pick up a prescription.
Note: There are special state laws which further restrict some disclosure of mental health and HIV/AIDS PHI to family, friends or others. Please check the state’s preemption matrix at http://www.wvdhhr.org/hipaa/preemption.asp before disclosing such information.
NOTE: Your agency/bureau/department/division may have specific requirements – always check your policies and procedures. If you have questions, contact your Privacy Official.
U.S. Department of Health & Human Services - FAQs
The West Virginia Privacy Office
In 2002, Sonia Chambers, Chair of the West Virginia Health Care Authority, was charged with oversight and coordination of the Executive Branch's HIPAA Project. Currently, the West Virginia State Government Executive Branch has implemented the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA includes three major provisions: Privacy of Protected Health Information, Standardization of Transaction and Code Sets (TCS), and Security of Protected Health Information (PHI). All three major deadlines are officially passed for HIPAA implementation requirements. The covered entities are now in the process of refining HIPAA practices and desired outcomes through compliance, auditing and monitoring.
An enterprise-wide Privacy Management Team (PMT) was established in September 2005 to promote protection of personally identifiable information (including PHI) while balancing others’ need and right to know. On August 16, 2006, Governor Joe Manchin signed Executive Order No. 6-06 giving the Chair of the West Virginia Health Care Authority the responsibility for protecting the privacy of personally identifiable information collected and maintained by Executive Branch agencies. The West Health Care Authority staffs the team and houses the State Privacy Office for the Executive Branch.
The PMT works in collaboration with the Executive Branch Security Team to realize the benefits of information flows within and across agencies, in conformance with privacy policies and laws. All Executive Branch departments have Privacy Officers participating on the team.