The answers to these questions vary depending upon what type of covered entity you are, specific details of your situation, etc. I can answer this from a high-level, but I still recommend that you obtain outside HIPAA expertise from an attorney or HIPAA consultant. The August 2002 updates to the Privacy Rule includes that consents from patients are no longer required. However, authorizations for use and disclosure of protected health information must be obtained from patients, except in the following cases:
- use and disclosure during healthcare treatment, payment and operations
- those allowing opportunity to agree or object
- if use or disclosure is exempted under the rule
- if use or disclosure is required under the rule (for example, to the individual, to the DHHS Secretary, etc.)
There are many other factors to consider, such as whether or not you already have a relationship (e.g., business associate or healthcare services) with the other practice along with what type of service is being transferred (e.g., psychotherapy notes, general healthcare information, etc.) There's a chance that you will not need to have another authorization signed unless the patient's new provider is performing activities (e.g., marketing, research, etc.) that specifically require an authorization for which you did not previously perform.
Bottom line, the Privacy Rule is quite complicated and only outside expertise can get involved and understand your particular situation well enough to make sure you're doing things correctly. It may be expensive in the short-term, but outside expertise will provide value and will save you time, effort and money in the long-term.
I would like to express my deep appreciation to Becky Herold, Senior Security Architect at QinetiQ Trusted Information Management, Inc., for her expertise on this particular issue.
For more information on this topic, visit these other SearchSecurity.com resources:
News & Analysis: HIPAA privacy changes trickle down to IT
News & Analysis: Experts answer users' HIPAA questions
Best Web Links: Securing healthcare/health services
This was first published in October 2002