Does HIPAA require me to get a written patient authorization before I can disclose any patient information to anyone?
No. You don't need patient authorization to disclose information for “treatment, payment, or some health care operations” purposes.
What does “Treatment” include?
Treatment includes direct services such as psychotherapy, case management, assessment, and medication visits. It also includes consulting with other medical professionals and making referrals.
What about doing group psychotherapy, where private information might be revealed to other patients or family members?
This would be considered treatment, and a patient authorization would not be required by HIPAA for treatment, payment, or health care operations (TPO) purposes.
What does “Payment” include?
Payment includes the activities necessary for the provider or clinic to be paid for services. This includes billing, collections, eligibility determination, and utilization review.
What if the insurance company asks for my psychotherapy notes?
Psychotherapy notes may contain very personal information, and HIPAA makes a specific exception for them. Before psychotherapy notes can be disclosed, the patient needs to provide a signed, valid, HIPAA-compliant authorization that specifically refers to the psychotherapy notes.
What do “Operations” include?
Operations are the activities needed to manage, maintain, and improve services. This would include patient satisfaction surveys, chart audits for quality control, handling grievances, mandated reports to the State, and activities to maintain accreditation and to measure provider and program effectiveness.