Physician Practice

Q&A: You've got questions! We've got answers!

Physician Practice Insider, February 9, 2016

Submit your questions to Associate Editor Nicole Votta at and we will work with our experts to provide you with the information you need.

Q: If an unaffiliated healthcare entity or practitioner requests protected health information (PHI) on a patient previously treated at our facility who is now being treated by the requestor, can we release this PHI without patient authorization? Our facility did not coordinate the visit or refer the patient to the requestor. The patient sought treatment there of his/her own accord. Would this fall under treatment, payment, and healthcare operations (TPO)?

A: The disclosure would fall under TPO. HIPAA does not require patient authorization for disclosures to other treating healthcare entities or practitioners for the purposes of TPO. It’s a good idea to pay attention to state privacy laws and other federal privacy laws, such as 42 CFR Part 2, if the PHI to be disclosed falls into the category of specially protected PHI that requires, pursuant to state or other federal law, that you obtain authorization from the patient before disclosing the PHI.

You can adopt a practice requiring other practitioners or healthcare entities to obtain authorization from the patient before disclosing the PHI. This practice would be more stringent than HIPAA and is allowed. It is important not to view the more stringent practices as a HIPAA mandate.

Editor’s note: Chris Apgar, CISSP, president of Apgar and Associates in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA newsletter. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.
