HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases



  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation


Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos



HIPAA Q&A: Sharing demographic patient data with a BA

Email This Post Print This Post

Submit your HIPAA questions to Editoquestionr John Castelluccio at jcastelluccio@hcpro.com and we will work with our experts to provide the information you need.

Q: The hospital where I work uses a large radiology group for radiology interpretations, for which the group bills the hospital. Both are covered entities (CE).

The hospital provides the group with an electronic data feed of all demographic information needed for billing on patients admitted to the hospital. The feed transmits information about all patients, because it is impossible to know at admission which patients will need radiology services. The group uses the demographic data to prepare interpretative radiology reports and then bills us for the professional services. Should either party be concerned about unauthorized disclosure or is it okay to provide the additional patient information because the stream is needed for group’s payment activity?

A: Since you cannot predict which patients will need radiology services, it is reasonable to provide the demographic data feed on all patients to support patient care. The hospital should have a business associate agreement with the radiology group that requires the group to maintain this information securely and destroy it when it is no longer needed.

Editor’s note: Mary Brandt, MBA, RHIA, CHE, CHPS, vice president of health information, Central Texas Division, Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.


  1. Jeff says:

    This answer seems wrong to me, or possibly incomplete. What’s the reason for the HIPAA disclosure without an authorization for patients–which surely must be a significant number–who don’t need radiology services? Certainly not treatment, because they didn’t receive treatment from the radiology clinic. And if not treatment, how does this satisfy minimum necessary?

  2. John Castelluccio says:

    Hi Jeff, thanks for your question. I will reach out to Mary Brandt and see if she can provide any clarification on this.

Leave a Reply