Keeping Your DMT Compliant

Like any other entity handling patients' protected health information (PHI), a diagnostic management team (DMT) must comply with the Health Insurance Portability and Accountability Act (HIPAA). This Q&A covers HIPAA considerations specific to DMTs handling PHI in consultation for patient treatment, along with practical compliance recommendations for providers working with a DMT on an everyday basis.

The HIPAA Privacy Rule and DMT Interactions

Under the HIPAA Privacy Rule, doctors, nurses, and other health care providers may share patient health information for treatment purposes without the patient's authorization. Are lab personnel on a DMT included in the class of covered entities permitted to share PHI in this manner?

Yes, lab personnel have the same status as doctors, nurses, and other providers who are HIPAA-covered professionals. Accordingly, PHI such as X-rays, lab and pathology reports, diagnoses and other medical information may be used or disclosed by DMT members for treatment purposes without the patient's authorization. 1

What about a DMT member including PHI in consultation with other providers about a patient's condition? Must the patient's written authorization be obtained first?

No, the Privacy Rule's definition of “treatment” includes consulting with another provider about a patient. That means a DMT member is expressly permitted to disclose a patient's PHI to a provider treating the individual. 2

Business Associate Standards

Patient authorization isn't required for a DMT member to share PHI for treatment purposes. But does a hospital need to set up a Business Associate (BA) contract with the DMT?

No, the Office of Civil Rights, which administers HIPAA provisions, does not require a BA contract to be in force for disclosures by a covered entity to a provider for treatment of an individual.

What does the BA exception mean in practical terms?

A physician doesn't need to have a BA contract with a DMT as a condition of disclosing PHI for the treatment of an individual. Likewise, a hospital lab isn't required to have a BA contract in place to disclose PHI to a reference lab during the course of treatment for a patient.

The Bottom Line on PHI Disclosure to a DMT

To recap, what are the key HIPAA considerations for a hospital or physician planning to disclose PHI to a DMT?

As long as the disclosure is for treatment purposes, no patient authorization is needed, nor is a BA agreement required. One caveat, though, is to check whether your state's privacy laws take precedence over the Privacy Rule, especially regarding disclosure of PHI related to HIV. 3

Working With DMTs Across State Lines

What if the DMT resides in a different state than the provider who requests the DMT's services? Do any restrictions apply?

The DMT's lab must be CLIA-certified in the state where the testing is performed, but in general no other certificates or licenses are required. (However, check state laws in New York and Washington, where more stringent statutes govern lab facilities.)

What determines the location of treatment?

Since the practice of medicine requires licensure in the state where direct patient care is being provided, the location of the patient defines the location of treatment. Nonetheless, physician-to-physician consultations are commonly allowed across borders under state licensure requirements.

Aligning with a DMT

Are there special legal and regulatory considerations when a health provider and a DMT are not operating within the same enterprise?

HIPAA and CLIA account for separate entities being engaged in the treatment of patients as previously described. There are operational advantages to having the treating provider and the DMT within the same enterprise. Some legal or regulatory advantages could apply in such a case, but it's likely they would not be as significant as the operational benefits.

Best Practices for DMT Interaction

What's the best advice for everyday interactions with a DMT?

Do not email or transmit PHI across an open network without encrypting the data. Additionally, HIV or genetic information should not be disclosed unless you are certain about what your state law allows. Finally, if working with a DMT across state lines, make sure providers are appropriately licensed at the location of treatment—where the patient is during the encounter.

When in doubt about the legal and regulatory aspects of working with a DMT, who should be contacted?

Consult with your institution's Privacy and Information Security offices.

LabLeaders will be your go-to source for more detailed DMT information over the next several months. Experts in DMT will drill down into practical considerations such as how to create and develop an effective DMT, potential obstacles, what's working in the field, assessing a DMT's financial impact, what you need to know about compliance, and more. Stay tuned for this and other exciting DMT content as the DMT series continues at


1. U.S. Department of Health and Human Services. Uses and disclosures for treatment, payment and health care operations. Available at:
2. Ibid.
3. UTMB Health, Office of Legal and Regulatory Affairs. Shelly B. Witter. Legal and regulatory issues related to the DMT. February 2017.
