Yes. The Privacy Rule allows covered health care providers to share protected health information for treatment purposes without patient authorization, as long as they use reasonable safeguards when doing so. These treatment communications may occur orally or in writing, by phone, fax, e-mail, or otherwise.
For example:
- A laboratory may fax, or communicate over the phone, a patient’s medical test results to a physician.
- A physician may mail or fax a copy of a patient’s medical record to a specialist who intends to treat the patient.
- A hospital may fax a patient’s health care instructions to a nursing home to which the patient is to be transferred.
- A doctor may discuss a patient’s condition over the phone with an emergency room physician who is providing the patient with emergency care.
- A doctor may orally discuss a patient’s treatment regimen with a nurse who will be involved in the patient’s care.
- A physician may consult with another physician by e-mail about a patient’s condition.
- A hospital may share an organ donor’s medical information with another hospital treating the organ recipient.
The Privacy Rule requires that covered health care providers apply reasonable safeguards when making these communications to protect the information from inappropriate use or disclosure. These safeguards may vary depending on the mode of communication used. For example, when faxing protected health information to a telephone number that is not regularly used, a reasonable safeguard may involve a provider first confirming the fax number with the intended recipient. Similarly, a covered entity may pre-program frequently used numbers directly into the fax machine to avoid misdirecting the information. When discussing patient health information orally with another provider in proximity of others, a doctor may be able to reasonably safeguard the information by lowering his or her voice.