HIPAA Privacy Rule does not trump state law-required reporting. You know you have to keep protected health information (PHI) under wraps, but it can be easy to fall into the trap of simply denying any kind of disclosure. However, in some cases, not making a required or permissible disclosure can get you into just as much trouble as making a prohibited disclosure. Here are four prevalent myths regarding PHI disclosures under HIPAA: Yes, Treatment-Related Disclosures are Okay Myth 1: HIPAA prevents or limits healthcare providers from sharing PHI between each other to provide care for a patient. Reality: This is not true. HIPAA allows the disclosure of health information for treatment purposes. In addition, HIPAA does not require a business associate agreement [BAA] in order for a provider to share health information for the purpose of treating a patient. In fact, the HIPAA treatment disclosure exception is so broad that it applies to disclosures between healthcare providers AND the “coordination or management of health care” by a provider and a third party. Provide Broad Access to Your Patients Myth 2: Patients do not have an unfettered right to access their entire medical record. Reality: If you (like other providers) feel that your practice, not the patient, has ownership of the patient’s PHI and you have no obligation to give the patient unrestricted access, you’re wrong. And this opinion has led to more than one HHS Office for Civil Rights (OCR) investigation. You must allow individuals to request access to their own records, for a reasonable cost-based fee, and you no longer have a 30-day extension for offsite data. Additionally, you must also furnish laboratory information to the patient or his authorized representative. HIPAA gives patients broad rights to access their health information and healthcare providers are required to honor patient requests. Denial of such access could constitute a HIPAA violation. Patients are also not required to fill out an Authorization for Release of Records when requesting their own healthcare information. Caveat: There are a few exceptions to patient access rights under HIPAA. These include exceptions for psychotherapy notes, as well as health information for civil, criminal or administrative proceedings. Keep Health & Safety Threats in Mind Myth 3: HIPAA prohibits disclosure of PHI, even if that disclosure might minimize a threat to health or safety. Reality: HIPAA allows the disclosure of health information to minimize an imminent threat to health or safety of an individual or of the public. You can disclose PHI to persons reasonably able to prevent or lessen the threat. HIPAA also permits CEs to disclose PHI to law enforcement authorities to identify or apprehend an individual where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody. Additionally, you can disclose PHI to law enforcement when an individual makes a statement admitting participation in a violent crime that the [CE] reasonably believes may have resulted in serious physical harm to the victim. What’s more: And according to OCR, HIPAA allows disclosures of health information to help with public health and safety issues to: Beware: Keep in mind, however, that HIPAA has some key exceptions to this disclosure for mental health counselors, and your state law may further restrict the extent of these disclosure exceptions. Comply with Your State’s Legally Mandated Disclosures Myth 4: Complying with state laws that require certain disclosures violates the HIPAA Privacy Rule. Reality: The HIPAA Privacy Rule actually contains an exception specifically involving disclosures required by state law. Common state-law disclosure obligations include reporting cases of child abuse, reporting cases of vulnerable adult abuse, and reporting to law enforcement if an individual has certain types of wounds like a bullet wound. HIPAA’s “required by state law” disclosure exception makes reviewing and understanding your state’s mandatory reporting laws absolutely essential. Focusing only on the federal HIPAA regulations to inform your disclosure obligations is a mistake. Bottom line: Learning the types of health information disclosures that HIPAA prohibits and encourages will facilitate the proper flow of information, improve patient experience, and help avoid costly government investigations and fines.