There is a 3 pronged test to determine whether you can use or share PHI:
- Is the disclosure for treatment, payment or health care operations purposes?
- If not, do you have authorization from the patient?
- If not, is there another legal requirement for disclosure?
If you answer “yes” to any of the questions above, then you may share PHI both within and outside the Covered Entity. If the answer is “no” to any of the questions above, do not share the PHI without contacting your Privacy Officer. Records must be kept only of those disclosures outside of the Stanford Affiliated Covered Entity compelled by law as well as any disclosures that are not permitted under the Privacy Rule.
Even if use or disclosure of PHI is permitted under the Privacy Rule, care must be taken to:
- Eliminate all of the personal identifiers which are not essential to the purpose for which the PHI is being used or disclosed.
- Use or disclose only the minimum necessary amount of PHI necessary to satisfy the purpose of the use or disclosure.
Example 1: You are part of the School of Medicine. You want to ask a researcher outside of the School to help you analyze some data. First, check to see if you have an authorization from the patient. If you do, you may share the information once you have eliminated all identifiers from the data that are not necessary for the assistance you seek. If you do not have authorization, you should eliminate all personal identifiers from the information.
Example 2: You are part of the School of Medicine and are in the café talking about your research with a colleague from the School of Engineering lab across the hall. In the course of your conversation you want to share a picture showing the artificial limb on one of the subjects of your study. Without authorization, you may talk about the subject and show the photo so long as you do not refer to the subject by name, you cover up the subject’s face in the photo, and you eliminate all other personal identifiers listed above. Do not share any PHI about your research population without authorization and without ensuring it is the minimum necessary for the purpose of the disclosure.
Example 3: You are part of the School of Medicine. You get a request for information from the private physician of one of the subjects in your research study on heart disease. She has been diagnosed with cancer unrelated to your project. You may share PHI gathered in your research records with a private doctor to the extent necessary for the patient’s treatment.