Question 14
UnclassifiedWhich disclosure generally may occur without patient authorization under the HIPAA Privacy Rule?
Correct answer: C
Explanation
Under the HIPAA Privacy Rule, covered entities may use or disclose protected health information for "treatment" without patient authorization. Sharing PHI with another provider for the same patient fits this treatment exception because it supports diagnosis and care coordination.
Why each option is right or wrong
A. Selling patient lists to a marketing firm
B. Disclosing psychotherapy notes to a prospective employer
C. Sharing PHI with another provider for treatment of the same patient
45 C.F.R. § 164.506(a) and (c)(2) permit a covered entity to use or disclose protected health information for treatment without obtaining the patient’s authorization. “Treatment” is defined in 45 C.F.R. § 164.501 to include the provision, coordination, or management of health care by one or more providers, so transmitting PHI to another clinician involved in the same patient’s care falls squarely within this exception.
D. Posting patient names and diagnoses on a public website