Disclosing Insurance Information to a Referred Provider


Welcome to a Bite-Size HIPAA® Q&A article, where we answer your questions about how HIPAA applies to your dental practice. We recently received the following email in our Bite-Size HIPAA® Q&A inbox. It is actually a two-part question. The writer says:

“Hey, Todd. We recently had a patient get pretty angry with us when we shared his insurance information with the endodontist we referred him to. Apparently, he was looking to take advantage of a discount offered by the endodontist for patients who self-pay. The procedure was submitted to his insurance instead. He was clearly frustrated at the situation and stated that we had violated HIPAA by sharing his insurance information without his permission. Was this, in fact, a HIPAA violation? The patient then asked us to not share his insurance information in the future. Is that something we need to agree to?”

Is It PHI?

Thank you for this question! It allows us to discuss a couple of specifics in the law. Let’s see how HIPAA would specifically relate to the question about disclosing billing and payment details to another provider during the referral process. First things first, is the disclosed information protected health information? Remember, PHI is any information that relates to either an individual’s health or their payment for health care, and that contains information that could reasonably be used to identify the individual. So, yes, a patient’s insurance information is clearly PHI and HIPAA is applicable.

Three Exceptions

Next, let's figure out if HIPAA allows the disclosure. Remember our basic rule is that you cannot disclose PHI without patient authorization, unless there is a specific permitted disclosure rule that applies. The most common permitted disclosures are disclosures for treatment purposes, billing purposes, and healthcare operations, so we check there first. This practice has correctly identified that this disclosure was for billing purposes, so it seems like it would qualify as a permitted disclosure, but it was not for their own billing purposes - it was for the referred provider. Let's see if that distinction makes a difference. Digging into the implementation specifications for Treatment and Payment disclosures found in section 164.506(c) of the HIPAA law, we can see that this section states a covered entity may use or disclose protected health information:

  1. for its own treatment, payment, or health care operations;
  2. to another health care provider for treatment activities; or
  3. to another covered entity for the payment activities of such other entity.

The facts of this scenario fall squarely in number three - the practice disclosed billing information to the other provider for its payment practices - so this disclosure was permitted under the law. The second question asked is whether the practice must now limit disclosing this information after the patient has asked them to.


In section 164.522, we see that patients can request that a practice restrict sharing PHI that it normally could share - and that in most cases the practice can choose whether or not to agree to the restriction. The only time a practice must agree to a restriction on sharing is if it deals with payment information and the patient has already paid in full for the service. Otherwise, the practice has a choice. It can refuse the patient’s request and deal with the fallout, or it can agree to the restriction and then be bound to this agreement. In this case, the restriction request is for payment information, so the provider would be required to agree to the restriction, so long as the patient has paid for the services in full.

However, it isn’t clear if the patient will self-pay with this provider or only the specialist. If it’s only the specialist, then the patient should really make the restriction request with them, not the referring dentist. Ultimately, if another provider requests payment information for a common patient, HIPAA would not require you to confirm with the other provider whether they have already been paid. In the end, I think the provider could reject this request since it is for another provider’s payment process.


To summarize - this practice has not violated HIPAA in this situation, but it needs to determine how it will handle the patient’s restriction request. We have a sample procedure in Bite-Size HIPAA®, addressing patient restriction requests. We generally advise practices to politely decline restriction requests if possible, due to the difficulty in documenting and managing a bunch of one-off restrictions - but ultimately each practice needs to decide how they want to handle them. If you do agree to grant a restriction, make sure you have a plan on how to implement the restriction, because if you fail to restrict the disclosure it would be a reportable breach.

Have a HIPAA Question?

If you have a HIPAA question related to the day-to-day operations of your dental practice, feel free to send it my way. My email address is todd(at)bitesizehipaa(dot)com. I can’t promise I’ll be able to get to every question submitted – but I’ll do my best to find the most applicable ones to address in future Bite-Size HIPAA® Q&As.

Todd Baker, JD, CIPP

HIPAA & Privacy Attorney

Todd Baker is a uniquely qualified attorney with extensive experience regarding the intersection of HIPAA and technology. Todd earned his undergraduate degree in business at Boise State University and completed his law degree at the University of Virginia School of Law.

HIPAA education, compliance, and accountability created specifically for dental practices.

If you haven’t made HIPAA a priority yet, start today. Give us a little bit of your time and we’ll teach you about the HIPAA law, why it exists, and how - if done right - you can protect your patients and your practice from a variety of very real threats that inherently exist in today’s dentistry.