Submit your HIPAA questions to Editor John Castelluccio at firstname.lastname@example.org and we will work with our experts to provide the information you need.
Q: The hospital where I work uses a large radiology group for radiology interpretations, for which the group bills the hospital. Both are covered entities (CE).
The hospital provides the group with an electronic data feed of all demographic information needed for billing on patients admitted to the hospital. The feed transmits information about all patients, because it is impossible to know at admission which patients will need radiology services. The group uses the demographic data to prepare interpretative radiology reports and then bills us for the professional services. Should either party be concerned about unauthorized disclosure, or is it okay to provide the additional patient information because the stream is needed for the group’s payment activity?
A: Since you cannot predict which patients will need radiology services, it is reasonable to provide the demographic data feed on all patients to support patient care. The hospital should have a business associate agreement with the radiology group that requires the group to maintain this information securely and destroy it when it is no longer needed.
Editor’s note: Mary Brandt, MBA, RHIA, CHE, CHPS, vice president of health information, Central Texas Division, Baylor Scott & White Health in Temple, Texas, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.