Can You Keep A Secret?
HIPAA Privacy and You
Disclosing patient information
Most of us now automatically think twice before disclosing patient information.
Releases of information that were routine prior to HIPAA may now require that a HIPAA
authorization form be signed. Below we discuss some of the more common questions
that arise related to releasing PHI.
“A parent asked me to send a copy of her child’s records
directly to a daycare center. Can I send it?”
No. HIPAA does
not allow for verbal authorization for release to a third party. In this
case, the parent can either sign an authorization form or the records can
be given to the parent who then gives them to the daycare center. While a
patient, or their representative such as a parent, can give PHI to whomever
they choose, we are limited in whom we can give the information to without a
HIPAA authorization.
“A letter was received from an attorney requesting a complete
copy of a patient’s medical record citing an upcoming court case. Can
the information be sent?”
No. Although the attorney’s
letter would imply that the patient has authorized the release, we would
still need an authorization form signed by the patient or a court order for
the records. Alternatively, the records could be provided directly to the
patient as described above.
“A local physician’s office calls looking for information
on their patient who was referred to your clinic. Can the diagnosis be sent?”
Yes.
Information can be shared between clinicians who are involved with the patient’s
care without an authorization.
“A Yale faculty member has asked to review records to identify
participants for her study. Can I give her the keys to the files?”
No.
Research access to PHI for recruitment of study participants requires either
a patient’s authorization or an IRB approved waiver of authorization.
The investigator must provide copies of these documents along with the IRB
approval letter prior to review of the records.
“Internal auditors are asking for access to our records. I told
them that they couldn’t see them because of HIPAA.”
Activities
related to health care operations such as audits, accreditation, and credentialing
are allowed under HIPAA without a patient’s authorization.
Outside auditors may also access the information when they have signed a business
associate agreement.
Other questions about authorizations?
Any questions you may
have about releasing PHI can be sent to the Privacy Office at hipaa@yale.edu or
436-3650. You can find copies of our authorization policy and forms at http://www.hipaa.yale.edu/
