Archive Compliance - Email Archiving Compliance that meets HIPAA, SEC, and FINRA Regulations

Home

Who can access PHI?

So HIPAA is a big noise about patient confidentiality and privacy. It makes heavy work of disclosure and the protection of PHI. There are times when other agencies really need access to PHI, and the HIPAA allows for that. In fact HIPAA says that if another existing law says the PHI can be disclosed, for any reason, then it is allowed. It is generally assumed that existing laws that would touch on HIPAA are common sense enough not to put patient information at risk of disclosure...

There are all sorts of reasons why organizations would want patient records, either unidentified or identified. The obvious one is for a patients treatment. It stands to reason that records will need to be used and consulted in the treatment of a patient. Also in the payment for that treatment. So doctors, hospitals and insurance companies as applicable in each circumstance.

Another instance for disclosure is for public health reasons. This is a big one, as there are a myriad of situations where patient information would be used. For example if a patient contracted a communicable disease or came back from somewhere tropical with something virulent. Public health authorities and maybe even an employer would need to know if it was serious enough.

There are many legal reasons why PHI might be disclosed too. Patient records might be used in judicial proceedings, or law enforcement. The patient may have been a victim of abuse or domestic violence for example. Anybody in law enforcement can request PHI as long as it is relevant to an investigation. The request doesn't even have to be in writing! It stands to reason if a patient is a victim of an assault or car wreck that the police are going to need to access PHI in order to progress an investigation or conviction.

The next logical step from law enforcement is national security, the umbrella term for any intelligence gathering entity in the country. These agencies don't miss a trick to gather information on people if they can. HIPAA pretty much lets these agencies take what they want without question. In essence, HIPAA doesn't apply in the case of national security. These organizations can request any information they like, about any individual, or group they wish if it with the purpose of protecting national security.

Other disclosures could be for funeral directors, workers comp, organ donations, and other related uses. PHI is also used in medical research. Where possible, the records are kept unidentifiable. In things like ongoing studies, PHI will need to contain the details of the patient so they can be monitored over time. These research exercises generally have some kind of oversight that attempts to protect PHI wherever possible.

These are just some of the ways in which PHI can be requested and used without express permission from the patient. However, we all like to believe that just because PHI can be accessed, it doesn't necessarily means they are.