HIPAA Privacy Rules limit the use and disclosure of protected health information by health plans, health care providers and health care clearinghouses (Covered Entities).
Protected Health Information (PHI) is personally identifiable health information created or received by a Covered Entity for purposes of treatment or payment for health care. Covered Entities may use and disclose PHI for treatment, payment or health care operations. Any other use or disclosure requires the Covered Entity to enter into a business associate contract or obtain the patient’s written authorization.
Organizations that are not directly regulated by HIPAA are required to enter into a business associate contract when they require access to PHI to perform services on behalf of a Covered Entity. When an organization enters into a business associate contract, it agrees to comply with many HIPAA Privacy administrative requirements imposed on Covered Entities. For example, brokers securing malpractice insurance on behalf of physicians have been asked to sign a business associate contract.
Although workers’ compensation and short-term disability insurance carriers are not regulated by HIPAA, these carriers must obtain the applicant’s written authorization before a health care provider can release PHI to the carrier. Some carriers routinely require that all applicants sign an authorization. An authorization provided pursuant to the HIPAA Privacy Rules cannot be incorporated into any other document. Generally, information released to a third party under a written authorization is no longer protected by HIPAA.