HIPAA Overview – Privacy & Disclosure Guidelines


Permitted Uses & Disclosures of PHI

When uncertain, always escalate to a higher-ranking medical or administrative staff member.

HIPAA permits, but does not require, healthcare providers to use and disclose Protected Health Information (PHI) without patient authorisation in the following specific cases:


Disclosure to the Individual

  • Patients have the right to access their own PHI and request disclosures.
  • Covered entities must comply with these requests when legally applicable.

Treatment, Payment, and Healthcare Operations

  • Sharing PHI is permitted when it directly supports:
    • Diagnosis or treatment
    • Insurance claims and billing
    • Internal hospital operations (e.g., quality review, case management)

Opportunity to Agree or Object

  • A patient’s verbal agreement or clearly implied consent (e.g., nodding when asked) may allow disclosure of limited PHI.
  • This is most often relevant when family or friends are present during care.

Incidental Disclosures

  • Limited, unintentional sharing that occurs as a byproduct of a permitted use (e.g., being overheard in a busy ER) is allowable, provided reasonable safeguards are in place.

Limited Data Sets (for Research & Public Health)

  • PHI may be used in de-identified form for:
    • Public health reporting
    • Health system improvement
    • Research (under specific privacy agreements)

Public Interest & National Priority Exceptions

HIPAA allows disclosure without consent for 12 recognised national priorities:

  1. When Required by Law
    (e.g., court orders, statutes, subpoenas)
  2. Public Health Activities
    (e.g., disease tracking, immunizations, FDA reporting)
  3. Victims of Abuse, Neglect, or Domestic Violence
  4. Health Oversight Activities
    (e.g., audits, investigations, licensure checks)
  5. Judicial & Administrative Proceedings
  6. Law Enforcement Purposes
    Permitted under certain conditions:
    • Legal mandates (e.g., warrants, subpoenas)
    • Locating fugitives, suspects, or missing persons
    • Identifying crime victims (with proper requests)
    • Reporting criminal deaths or on-premises crime
    • Reporting off-premises medical emergencies that appear to be related to a crime
  7. Deceased Individuals
    For ID, autopsy, or next-of-kin notification
  8. Organ, Eye, or Tissue Donation
  9. Approved Research
    With proper privacy safeguards
  10. Serious Threat to Health or Safety
  11. Essential Government Functions
    (e.g., military, national security, presidential protection)
  12. Workers’ Compensation Claims

Reminder for Roleplay:

  • Avoid “powergaming” by withholding or disclosing patient info unrealistically.
  • Use /me to reflect your character’s compliance with HIPAA (e.g., “/me Dr. Walker checks ID before releasing any documents”).
  • Bring in senior staff or legal advisors ICly if a situation seems legally grey.