Q&A: Disclosing PHI to providers

Q. A physician’s office called our office about a mutual patient to inquire the date the patient was last seen in our office for Medicare billing purposes. How are we supposed to know that they are in fact who they have identified themselves as? Are we allowed to provide this information without the patient adding this physician office to the disclosure form? If so, what information and to whom may we disclose without a disclosure on file?

A. The Privacy Rule permits a CE to share protected health information with another CE for that CE’s business operations if both entities have a relationship with the patient. You do not need the patient’s authorization or consent to disclose this information. If the caller is unknown to you, it would be reasonable to ask for the office’s number, so you can return the call after looking up the information. The Privacy Rule does not limit the information that may be shared for another CE’s business operations, but you should apply the “minimum necessary” rule and release the minimum amount of information needed to meet the requester’s needs.

Editor’s note: This question was answered by Mary D. Brandt, MBA, RHIA, CHE, CHPS. Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are that of the author and do not represent HCPro or ACDIS. Email your questions to Editor Nicole Votta at nvotta@hcpro.com.