Healthcare providers sometimes mistakenly assume that they cannot contact a patient’s spouse, parents, or other third parties to obtain payment without the patient’s consent. However, HIPAA generally allows healthcare providers to use or disclose protected health information for purposes of obtaining payment without the patient’s consent or authorization unless the provider has agreed otherwise with the patient. (45 CFR §§164.506(a), (c) and 164.524(a)). The Office for Civil Rights (“OCR”) published the following FAQ discussing this rule:
Does the HIPAA Privacy Rule permit a covered entity or its collection agency to communicate with parties other than the patient (e.g., spouses or guardians) regarding payment of a bill?
Answer: Yes. The Privacy Rule permits a covered entity, or a business associate acting on behalf of a covered entity (e.g., a collection agency), to disclose protected health information as necessary to obtain payment for health care, and does not limit to whom such a disclosure may be made.
Therefore, a covered entity, or its business associate, may contact persons other than the individual as necessary to obtain payment for health care services. See 45 CFR 164.506(c) and the definition of “payment” at 45 CFR 164.501. However, the Privacy Rule requires a covered entity, or its business associate, to reasonably limit the amount of information disclosed for such purposes to the minimum necessary, as well as to abide by any reasonable requests for confidential communications and any agreed-to restrictions on the use or disclosure of protected health information. See 45 CFR 164.502(b), 164.514(d), and 164.522.
(https://www.hhs.gov/hipaa/for-professionals/faq/266/does-the-privacy-rule-permit-a-covered-entity-to-communicate-with-other-parties-regarding-a-bill/index.html). Other HIPAA exceptions allow disclosures to personal representatives (45 CFR § 164.502(g)) or to persons involved in the patient’s healthcare or payment for the patient’s healthcare if certain conditions are satisfied. (45 CFR § 164.510).
Providers should review their patient intake documents, notice of privacy practices, and other patient documents to ensure that they have not unwittingly limited their ability to use patient information by agreeing with the patient not to make such disclosures without the patient’s consent or authorization. (See 45 CFR § 164.522(a)). For more information about such limitations, see our article here.
For questions regarding this update, please contact:
Kim C. Stanger
Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702
email: firstname.lastname@example.org, phone: 208-383-3913
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.