30 Journal of Regulatory Compliance Vol. I
treatment, 47 payment, 48 and health care operations 49 activities, 50 as well as
certain public benefit activities. 51
As an example of this first rule, a covered general practitioner (GP) who
wishes to consult with a specialist in order to treat a patient may disclose PHI
to the specialist and the Privacy Rule does not require the patient to give the
GP prior authorization for the disclosure. 52 Likewise, a covered hospital that
treats a patient may send a bill to the patient’s insurer to obtain payment for
hospital services rendered without the patient’s prior authorization. 53
Similarly, a teaching physician employed by a covered academic medical
center may involve medical students, interns, residents, and fellows in patient
care, without prior authorization from the patients who are receiving such
care, to enable the students and residents to learn to practice medicine. 54 By
still further example, a covered entity that is required by state or other law to
disclose PHI to another individual or entity may do so without patient
authorization. 55 By final illustrative example, a covered entity may disclose
47. The Privacy Rule defines treatment as “the provision, coordination, or management
of health care and related services by one or more health care providers, including the
coordination or management of health care by a health care provider with a third party;
consultation between health care providers relating to a patient; or the referral of a patient for
health care from one health care provider to another.” 45 C.F.R. § 164.501 (2016).
48. The Privacy Rule defines payment as the activities “undertaken by a health plan to
obtain premiums or to determine or fulfill its responsibility for coverage and provision of
benefits under the health plan” as well as the activities of a “health care provider or health plan
to obtain or provide reimbursement for the provision of health care.” Id. § 164.501.
49. The Privacy Rule defines health care operations with respect to a list of activities that
are related to a covered entity’s covered functions. See id. (defining health care operations).
These activities include, but are not limited to, conducting quality assessment and
improvement activities, conducting training programs in which medical and other health care
students learn to practice health care under supervision, and arranging for the provision of
legal services. See id.
50. See id. § 164.506(c)(1) (permitting a covered entity to use or disclose PHI for its own
treatment, payment, or health care operations).
51. Covered entities may use and disclose PHI for twelve different public policy activities
without the prior written authorization of the individual who is the subject of the information.
See id. § 164.512(a)-(l). These public policy activities include, but are not limited to, uses and
disclosures required by law, uses and disclosures for public health activities, disclosures for
law enforcement activities, uses and disclosures for research, and disclosures for workers’
compensation activities. See id. § 164.512(a), (c), (f), (i), and (l).
52. See id. § 164.501 (“Treatment means . . . consultation[s] between health care providers
relating to a patient”).
53. See id. (“Payment means . . . [t]he activities undertaken by . . . [a] health care
provider . . . to obtain . . . reimbursement for the provision of health care.”) (permitting a covered
entity to disclose PHI for its own payment activities).
54. See id. (“Health care operations means . . . conducting training programs in which
students, trainees, or practitioners in areas of health care learn under supervision to practice or
improve their skills as health care providers.”).
55. See id. § 164.512(a) (“A covered entity may use or disclose protected health
information to the extent that such use or disclosure is required by law and the use or disclosure