Exceptional cases when PHI may be disclosed by healthcare professionals

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has Privacy Rule to ensure the protection of a patient’s health information. However, there are certain exceptions to the confidentiality:

1. If a state or federal law authorizes medical disclosures, then the HIPAA privacy rule does not apply. For instance, if paternity of a child is contested and a man is refusing to pay child support, a court may order that the man’s medical record containing genetic information be disclosed to determine the paternity of the child.

2. In case of pandemics, Health care professionals would be authorized to disclose health information of persons infected with the disease to public health authorities to control the disease. The HIPAA Privacy Rule, therefore, does not protect a person’s health information when the person has a communicable disease or if the person’s health must be disclosed for public safety reasons.

3. Again, in cases where a health professional believes that the person may harm themselves or someone else, such as threats to commit suicide or to harm another person, the health care professionals can report incidents to the proper authorities and hopefully prevent harm from happening.

4. “Administrative” disclosures are disclosures made to various agencies such as collection agencies when medical bills are unpaid or the U.S. Department of Veteran Affairs so that the agency can determine a veteran’s eligibility for benefits. Other agencies, such as health oversight agencies, may have access to health information for audit and investigative reasons. Additionally, funeral directors, coroners, medical examiners and certain researchers who have institutional board review approval can access health records.