Covered entities must obtain patient authorization before releasing protected health information (PHI). A covered entity that discloses PHI without authorization may be in violation of the HIPAA Privacy Rule. However, the Privacy Rule permits disclosure of PHI without patient authorization for the following:
- Treatment, payment or health care operation purposes.
- Public interest.
- Benefit activities.
Additionally, under the HIPAA Security Rule, covered entities must protect all ePHI from unauthorized viewing by implementing policies and procedures and by reviewing and updating those procedures when necessary. Granting unauthorized access to PHI or ePHI is not necessarily intentional: even an accidental disclosure can constitute a violation and carry the corresponding penalties. As such, detailed knowledge of the Privacy and Security Rules, and of how to put them into practice effectively, is crucial for remaining HIPAA compliant.
How HIPAA Help Center can protect against granting unauthorized access
With health information shifting ever more rapidly into electronic media formats, security is more crucial to compliance than ever. HIPAA Help Center caters to this shift in PHI storage. The Asset Inventory module allows covered entities to create a comprehensive list of the network systems and devices that house sensitive information, along with the workforce members assigned to those tools. Not only does this make managing media containing ePHI more convenient and efficient, but keeping a catalog of this nature is also required by law.
By logging this information, application users can also take advantage of the Risk Assessment module. This part of HIPAA Help Center provides practices with updated risk ratings so they remain aware of how well they comply with the HIPAA Privacy and Security Rules.
Frequently asked questions about granting unauthorized access to medical records:
How might a covered entity accidentally grant unauthorized access to protected health information?
Companies that require pre-employment drug screenings often go through a medical office for the testing. Lab tests of this kind are considered PHI, and covered entities cannot disclose the results to employers unless they have patient authorization. Sending an employer the lab results without patient authorization would constitute a HIPAA violation.
Do covered entities have to report a breach of information?
According to the U.S. Department of Health and Human Services, whenever a covered entity grants unauthorized access to PHI or ePHI, it must notify the affected individuals and the Secretary of HHS of the breach of unsecured health information.