Where and How can you disclose PHI??

HIPPA establishes civil and criminal penalties for covered entities that misuse Personal Health Information (PHI).

1. Civil Penalties – fines of up to $100 for each violation of a requirement per individual to a maximum of $25,000 for violations of any single requirement in a calendar year;
2. Criminal Penalties for "Wrongful Disclosure:"
   a) Knowingly releasing patient information can result in a one year jail sentence and a $50,000.00 fine;
   b) Gaining access to health information under false pretenses can result in a five year jail sentence and a $100,000.00 fine;
   c) Releasing patient information with harmful intent or selling the information can lead to a 10 year jail sentence and a $250,000.00 fine.

PHI may be used/disclosed without authorization but with patient agreement:

1. To maintain a facility's patient directory;
2. To inform family member or other identified person involved in patient's care or notify them on patient location , condition or death;
3. To inform appropriate agencies during disaster relief.

PHI may be used/disclosed without patient agreement when there is an overriding public interest:

1. Public Health activities related to disease prevention or control;
2. To report victims of abuse, neglect or domestic violence;
3. Health oversight activities such as audits, legal investigations, licensure or for certain law enforcement purposes or government functions;
4. For coroners, medical examiners, funeral directors, tissue/organ donations or research;
5. To avert a serious threat to health and safety;
6. Court orders and subpoenas.