Health Information Management

HIPAA Q&A: Diagnostic test results

HIM-HIPAA Insider, November 9, 2009

Q. Does a provider need patient authorization to release diagnostic test results, such as laboratory reports, to the patient’s employer if the employer maintains a self-funded plan or is a health insurance company that provides coverage for its employees?

Authorization is not necessary if the PHI is not specially protected by federal or state law. The test results are probably necessary for payment purposes. The employer, acting as the self-funded plan, and the insurance company are both covered entities and may receive an employee patient’s PHI.

However, they must disclose PHI internally only as appropriate and necessary when acting as covered entities. Providers may require patients to sign an authorization before releasing PHI in these situations, but the HIPAA privacy rule does not require this.

Editor’s note: Chris Apgar, CISSP, answered this question. This is not legal advice. Consult your attorney regarding legal matters.

Most Popular