Page 1
AMC/HIPAA Workgroup
101
Section Three: Uses and disclosures

Sub-Section A:
General Uses and Disclosures

PRIV.13
Uses and disclosures of protected health information
§ 164.502(a)
HIPAA Requirement
Standard. A covered entity may not use or disclose protected health information,
except as permitted or required by this subpart or by subpart C of part 160 of this
subchapter.
(1) Permitted uses and disclosures. A covered entity is permitted to use or
disclose protected health information as follows:
(i) To the individual;
(ii) Pursuant to and in compliance with a consent that complies with § 164.506, to
carry out treatment, payment, or health care operations;
(iii) Without consent, if consent is not required under § 164.506(a) and has not
been sought under § 164.506(a)(4), to carry out treatment, payment, or health
care operations, except with respect to psychotherapy notes;
(iv) Pursuant to and in compliance with an authorization that complies with
§ 164.508;
(v) Pursuant to an agreement under, or as otherwise permitted by, § 164.510; and
(vi) As permitted by and in compliance with this section, § 164.512, or
§ 164.514(e), (f), and (g).
(2) Required disclosures. A covered entity is required to disclose protected health
information:
(i) To an individual, when requested under, and as required by §§ 164.524 or
164.528; and
(ii) When required by the Secretary under subpart C of part 160 of this
subchapter to investigate or determine the covered entity's compliance with this
subpart.
AMC Explanation of HIPAA Regulation
This is a general provision identifying the conditional uses and disclosures of protected health
information. Only uses and disclosures that are permitted or required by the regulations are
allowed. (The reader should review the definitions of use and disclosure carefully.)
The permitted uses/disclosures are: (i) to the individual; (ii) with consent of the patient for
treatment, payment, and health care operations, all of which are well defined terms in the
regulations; (iii) without consent in limited cases for treatment, payment, and healthcare
operations (e.g. inmates, emergencies; see PRIV.07 and § 164.506); (iv) with an authorization
from the patient; (v) without written consent but with an opportunity to agree or disagree prior to
the use or release (e.g. patient directory listing); and (vi) when data is de-identified or when the
public good (as defined) permits the use/disclosure.
The only two required uses/disclosures are: (i) to the individual who is the subject of the records;
and (ii) to HHS to investigate compliance with the regulations.

Key Issues
What effects on cost and operations will flow from various alternatives about how an
AMC defines the "covered entity" or "covered entities," i.e. as a component, hybrid,
organized healthcare system, or simple entity? This choice will determine whether some
activities are "uses" or "disclosures."
Are there any uses or disclosures currently performed without authorization that will
require an authorization under the HIPAA privacy regulations (especially those that the
patient may not agree to)?
Should covered entities provide a central store of consents, authorizations, and
revocations?
How much new work will be created by the possible release of records (all records; not
just what is now thought of as the medical record) to patients?
Will de-identifying be used much more frequently under these regulations than it is now?
Category I Guidelines-Actions must be taken to address these
The covered entity must limit its uses and disclosures to those permitted or required.
Category II Guidelines-Actions should be taken to address these
Consider managing the consents and authorizations centrally for each covered entity in
the AMC.
Consider obtaining compliant consents and authorizations prior to the effective date of
the regulations.
Examine and amend any programs for which patients may not currently give
authorization to have their protected health information used or disclosed.
Consider adapting existing procedures where only small changes are needed for
compliance prior to starting new procedures in programs where no procedure currently
exists.
Roadblocks
Achieving compliance is partially dependent on consistent practice and effective communication
across AMC operational units. This effort will be challenging for most AMCs.
Comments
For most AMCs, developing procedures and documentation standards will be a significant
undertaking. The decentralized nature of most AMCs will make the coordination of consents
and authorizations challenging. A lack of coordination, however, will increase the risk of
improper sharing of information across the covered entity. Even when managed properly,
privacy is a personal thing and the perception of individual mistrust could be felt across the
different operational units within an AMC.
This is an area in which some states have stricter law; such laws still apply under the HIPAA
privacy regulations.

PRIV.14
Uses and disclosures of protected health information subject to an agreed-upon restriction
§ 164.502(c)
HIPAA Requirement
Standard: uses and disclosures of protected health information subject to an
agreed upon restriction. A covered entity that has agreed to a restriction pursuant
to § 164.522(a)(1) may not use or disclose the protected health information
covered by the restriction in violation of such restriction, except as otherwise
provided in § 164.522(a).
AMC Explanation of HIPAA Regulation
This provision of the regulations requires covered entities that have agreed to a restriction on use
or disclosure of an individual's protected health information to respect the agreed-to restrictions
unless and until they are revoked. There is an exception for use or disclosure in emergency
circumstances in § 164.522(a).
Key Issues
How much complexity in operations and communications will be created by the use of
different use/disclosure "policies" for different patients?
Will some patients not participate well in treatment without special restrictions?
Can record use/disclosure be satisfactorily restricted without running afoul of legal
requirements to use/disclose protected health information?
How will providers and others be kept aware of specific restrictions for specific patients
over time as they change?
How will pre-HIPAA restrictive agreements be treated?
Category I Guidelines-Actions must be taken to address these
Abide by any restrictions the covered entity agrees to.
Category II Guidelines-Actions should be taken to address these
Consider the practicality of respecting a restriction prior to agreeing to it, and weigh that
practicality against the willingness of the patient to participate fully in care without the
restriction.
Consider the most common causes for requests for special restrictions, and design a small
set of restriction protocols to accommodate these common causes where practical (e.g.,
celebrity, social stigma, physical danger).
Establish a systematic way of communicating restrictions to workforce members, some of
whom may become workforce members after the restriction comes into being.
Avoid making the totality of special restrictions for patients treated by the same
workforce members too complex for the staff to respect all of them.
When patients ask for restrictions that cannot be agreed to, the covered entity should,
when possible, refer them to a facility that can honor the restriction.
Examine existing programs for providing aliases for patients for use in complying with
this provision.

Roadblocks
The staff can only handle so much complexity of use/disclosure protocol. This limit may be
short of what some patients would prefer.
Comments
AMCs treat people who have cause for special restrictions: celebrities, people with socially
stigmatized diseases, people in physical danger if their information is improperly used or
disclosed, and so on. Treating these people optimally may involve some restrictions that would
be untenable or contrary to what other patients desire in their own cases.
In the special, though common, case of a member of the AMC workforce wanting restrictions
that guarantee that colleagues and the employer do not have access to information about the
workforce member's health status, there may be no way for the AMC to accommodate the
individual's request short of referral to another facility.

PRIV.15
Uses and disclosures of de-identified protected health information
§ 164.502(d)
The complete description of the issues related to de-identification is in the section related to
§ 164.514(a), described below in PRIV.40.
HIPAA Requirement
Standard: uses and disclosures of de-identified protected health information.
(1) Uses and disclosures to create de-identified information. A covered entity
may use protected health information to create information that is not
individually identifiable health information or disclose protected health
information only to a business associate for such purpose, whether or not the
de-identified information is to be used by the covered entity.
(2) Uses and disclosures of de-identified information. Health information that
meets the standard and implementation specifications for de-identification under
§ 164.514(a) and (b) is considered not to be individually identifiable health
information, i.e., de-identified. The requirements of this subpart do not apply to
information that has been de-identified in accordance with the applicable
requirements of § 164.514, provided that:
(i) Disclosure of a code or other means of record identification designed to
enable coded or otherwise de-identified information to be re-identified constitutes
disclosure of protected health information; and
(ii) If de-identified information is re-identified, a covered entity may use or
disclose such re-identified information only as permitted or required by this
subpart.

PRIV.16
Disclosures to business associates
§ 164.502(e)
HIPAA Requirement
(1) Standard: disclosures to business associates.
(i) A covered entity may disclose protected health information to a business
associate and may allow a business associate to create or receive protected
health information on its behalf, if the covered entity obtains satisfactory
assurance that the business associate will appropriately safeguard the
information.
(ii) This standard does not apply:
(A) With respect to disclosures by a covered entity to a health care provider
concerning the treatment of the individual;
(B) With respect to disclosures by a group health plan or a health insurance
issuer or HMO with respect to a group health plan to the plan sponsor, to the
extent that the requirements of § 164.504(f) apply and are met; or
(C) With respect to uses or disclosures by a health plan that is a government
program providing public benefits, if eligibility for, or enrollment in, the health
plan is determined by an agency other than the agency administering the health
plan, or if the protected health information used to determine enrollment or
eligibility in the health plan is collected by an agency other than the agency
administering the health plan, and such activity is authorized by law, with respect
to the collection and sharing of individually identifiable health information for the
performance of such functions by the health plan and the agency other than the
agency administering the health plan.
(iii) A covered entity that violates the satisfactory assurances it provided as a
business associate of another covered entity will be in noncompliance with the
standards, implementation specifications, and requirements of this paragraph and
§ 164.504(e).
(2) Implementation specification: documentation. A covered entity must
document the satisfactory assurances required by paragraph (e)(1) of this section
through a written contract or other written agreement or arrangement with the
business associate that meets the applicable requirements of § 164.504(e).
AMC Explanation of HIPAA Regulation
The scope of this point is captured in the phrase requiring the covered entity to "obtain[ ]
satisfactory assurance that the business associate will appropriately safeguard the information."
The rest of the regulation text elaborates how to obtain and demonstrate this assurance. The key
point in this elaboration is a set of contractual requirements that the covered entity must impose
on a business associate whether the business associate is itself a covered entity or not. There are
three exceptions: disclosures to health care providers for treatment; disclosures by a group
health plan, insurance issuer, or HMO to the plan sponsor (which must instead follow
§ 164.504(f)); and disclosures between two government agencies that are allowed by law to
share certain data in the performance of a government health plan's functions.

Key Issues
How many business associate relations will require new contractual language and
processes to implement the provisions?
How much variety in privacy-maintenance processes can one AMC or one business
associate realistically implement among its (typically) several hundred business
associates with whom it shares protected health information?
How does the requirement for the covered entity to "mitigate harm" (see § 164.530(f))
when it knows of an inappropriate use or disclosure by a business associate affect the
"indemnification" terms of the contract? Note that § 164.504(e) requires business
associates to report known inappropriate uses or disclosures to the covered entity.
How will this regulation change agreements with those business associates with whom a
covered entity already has a confidentiality agreement (e.g. attorneys)?
Category I Guidelines-Actions must be taken to address these
Covered entities must create and manage the contractual requirements as provided in this
section.
Category II Guidelines-Actions should be taken to address these
To improve efficiency, consider using terms that standardize the operational requirements
on the covered entity and on its business associates.
Consider encouraging the business associate community to use standard terms so it will
have standardized operational requirements with all of the covered entities with which it
contracts.
Engage in a systematic process of review, amendment (or creation), and negotiation of
contracts well before the effective date of the regulations.
Roadblocks
This point could lead to a profusion of contractual terms requiring a profusion of behaviors in
each covered entity and business associate of covered entities. It is not yet apparent how and
when more standardized terms that might induce simpler operations models will emerge; if they
do emerge, it will likely have to be at the national level.
The timeframe to amend and negotiate the typically several hundred affected contracts in an
AMC is likely too short, and the staff time necessary to handle this process will be challenging to
find.
Comments
The HIPAA statute did not allow direct regulation of all entities creating/receiving protected
health information. This provision exists to ensure that safeguards for handling of protected
health information apply to business associates of covered entities, since the statute did not
permit them to be directly regulated.

PRIV.17
Deceased individuals
§ 164.502(f)
The complete description of issues related to deceased individuals is in the section related to
§ 164.512(g) described below in PRIV.33.
HIPAA Requirement
Standard: deceased individuals. A covered entity must comply with the
requirements of this subpart with respect to the protected health information of a
deceased individual.

PRIV.18
Personal representatives
§ 164.502(g)
HIPAA Requirement
(1) Standard: personal representatives. As specified in this paragraph, a
covered entity must, except as provided in paragraphs (g)(3) and (g)(5) of this
section, treat a personal representative as the individual for purposes of this
subchapter.
(2) Implementation specification: adults and emancipated minors. If under
applicable law a person has authority to act on behalf of an individual who is an
adult or an emancipated minor in making decisions related to health care, a
covered entity must treat such person as a personal representative under this
subchapter, with respect to protected health information relevant to such personal
representation.
(3) Implementation specification: unemancipated minors. If under applicable
law a parent, guardian, or other person acting in loco parentis has authority to
act on behalf of an individual who is an unemancipated minor in making
decisions related to health care, a covered entity must treat such person as a
personal representative under this subchapter, with respect to protected health
information relevant to such personal representation, except that such person
may not be a personal representative of an unemancipated minor, and the minor
has the authority to act as an individual, with respect to protected health
information pertaining to a health care service, if:
(i) The minor consents to such health care service; no other consent to such
health care service is required by law, regardless of whether the consent of
another person has also been obtained; and the minor has not requested that such
person be treated as the personal representative;
(ii) The minor may lawfully obtain such health care service without the consent of
a parent, guardian, or other person acting in loco parentis, and the minor, a
court, or another person authorized by law consents to such health care service;
or
(iii) A parent, guardian, or other person acting in loco parentis assents to an
agreement of confidentiality between a covered health care provider and the
minor with respect to such health care service.
(4) Implementation specification: deceased individuals. If under applicable
law an executor, administrator, or other person has authority to act on behalf of a
deceased individual or of the individual's estate, a covered entity must treat such
person as a personal representative under this subchapter, with respect to
protected health information relevant to such personal representation.
(5) Implementation specification: abuse, neglect, endangerment situations.
Notwithstanding a State law or any requirement of this paragraph to the contrary,
a covered entity may elect not to treat a person as the personal representative of
an individual if:
(i) The covered entity has a reasonable belief that:
(A) The individual has been or may be subjected to domestic violence, abuse, or
neglect by such person; or

(B) Treating such person as the personal representative could endanger the
individual; and
(ii) The covered entity, in the exercise of professional judgment, decides that it is
not in the best interest of the individual to treat the person as the individual's
personal representative.
AMC Explanation of HIPAA Regulation
This section describes the conditions of use for protected health information with respect to
personal representatives.
Key Issues
Who will determine who is the appropriate personal representative?
How will the determination of the personal representative be documented and by whom?
What needs to occur if an entity elects not to treat a person as the personal representative?
What are the liabilities associated with denying someone as a personal representative
because of abuse, neglect, or endangerment situations and later finding out one was
wrong? How can a covered entity mitigate the risk?
Category I Guidelines-Actions must be taken to address these
Develop policy and procedures for determining who qualifies as a personal
representative.
Category II Guidelines-Actions should be taken to address these
The designated personal representative should be explicitly documented.
The designated personal representative should be educated on his or her rights and
responsibilities.
Roadblocks
No roadblocks specific to this point.
Comments
AMCs should work closely with their legal counsels on this provision. It will be important to
consider and address legal issues when developing the policies and procedures.

PRIV.19
Confidential communications
§ 164.502(h)
The complete description of issues related to confidential communication is in the section related
to § 164.522(b) described below in PRIV.44.
HIPAA Requirement
Standard: confidential communications. A covered health care provider or health
plan must comply with the applicable requirements of § 164.522(b) in
communicating protected health information.
Section § 164.522(b):
(b)(1) Standard: confidential communications requirements.
(i) A covered health care provider must permit individuals to request and must
accommodate reasonable requests by individuals to receive communications of
protected health information from the covered health care provider by alternative
means or at alternative locations.
(ii) A health plan must permit individuals to request and must accommodate
reasonable requests by individuals to receive communications of protected health
information from the health plan by alternative means or at alternative locations,
if the individual clearly states that the disclosure of all or part of that information
could endanger the individual.
(2) Implementation specifications: conditions on providing confidential
communications.
(i) A covered entity may require the individual to make a request for a
confidential communication described in paragraph (b)(1) of this section in
writing.
(ii) A covered entity may condition the provision of a reasonable accommodation
on:
(A) When appropriate, information as to how payment, if any, will be handled;
and
(B) Specification of an alternative address or other method of contact.
(iii) A covered health care provider may not require an explanation from the
individual as to the basis for the request as a condition of providing
communications on a confidential basis.
(iv) A health plan may require that a request contain a statement that disclosure
of all or part of the information to which the request pertains could endanger the
individual.

PRIV.20
Uses and disclosures consistent with notice
§ 164.502(i)
HIPAA Requirement
Standard: uses and disclosures consistent with notice. A covered entity that is
required by § 164.520 to have a notice may not use or disclose protected health
information in a manner inconsistent with such notice. A covered entity that is
required by § 164.520(b)(1)(iii) to include a specific statement in its notice if it
intends to engage in an activity listed in § 164.520(b)(1)(iii)(A)-(C), may not use
or disclose protected health information for such activities, unless the required
statement is included in the notice.
AMC Explanation of HIPAA Regulation
Each covered entity is required to post and distribute a statement of privacy practices describing
the covered entity's duties and individuals' rights regarding the use and disclosure of protected
health information. All uses and disclosures of protected health information must be consistent
with this statement.
§ 164.520 describes the requirements for notices of privacy practices, and § 164.520(b)(1)(iii)
(A)-(C) describe the requirements for specific notices of intended use or disclosure of protected
health information for: (A) reminders to individuals regarding appointments, and information
about treatment alternatives or other health-related benefits; (B) fund-raising; or (C) reports by a
group health plan, health insurance issuer, or HMO to the sponsor of the plan.
Key Issues
What will be needed to ensure that privacy practices are consistent with required
published statements of privacy practices?
Category I Guidelines-Actions must be taken to address these
Ensure that the covered entity's privacy practices with respect to use and disclosure of
protected health information are consistent with its notices of privacy practices.
Category II Guidelines-Actions should be taken to address these
Consider developing and implementing measures to determine how well practice
conforms to the notice (e.g. surveys, counts of complaints of deviation).
Roadblocks
No roadblocks specific to this point.
Comments
None.

PRIV.21
Disclosures by whistleblowers and workforce member crime victims
§ 164.502(j)
HIPAA Requirement
Standard: disclosures by whistleblowers and workforce member crime victims.
(1) Disclosures by whistleblowers. A covered entity is not considered to have
violated the requirements of this subpart if a member of its workforce or a
business associate discloses protected health information, provided that:
(i) The workforce member or business associate believes in good faith that the
covered entity has engaged in conduct that is unlawful or otherwise violates
professional or clinical standards, or that the care, services, or conditions
provided by the covered entity potentially endangers one or more patients,
workers, or the public; and
(ii) The disclosure is to:
(A) A health oversight agency or public health authority authorized by law to
investigate or otherwise oversee the relevant conduct or conditions of the covered
entity or to an appropriate health care accreditation organization for the purpose
of reporting the allegation of failure to meet professional standards or
misconduct by the covered entity; or
(B) An attorney retained by or on behalf of the workforce member or business
associate for the purpose of determining the legal options of the workforce
member or business associate with regard to the conduct described in paragraph
(j)(1)(i) of this section.
(2) Disclosures by workforce members who are victims of a crime. A covered
entity is not considered to have violated the requirements of this subpart if a
member of its workforce who is the victim of a criminal act discloses protected
health information to a law enforcement official, provided that:
(i) The protected health information disclosed is about the suspected perpetrator
of the criminal act; and
(ii) The protected health information disclosed is limited to the information listed
in § 164.512(f)(2)(i).
AMC Explanation of HIPAA Regulation
This section shields the covered entity from action for disclosures made by whistleblowers as
part of the reporting of a violation. If a workforce member of an AMC discloses protected health
information to a health oversight agency or to an attorney in the process of reporting either an
allegation of unlawful conduct by the covered entity, or a violation of professional standards or
clinical standards, or conditions in the covered entity that endanger patients, then the disclosure
is not treated as a violation of the regulations by the covered entity.
In addition, a workforce member who is a victim of a crime may disclose identifying protected
health information about the suspected perpetrator to a law enforcement official, and such
disclosure is not considered to be a violation of the regulations. The limitations on the specific
information that may be disclosed under the protection of this provision are found in
§ 164.512(f)(2)(i).

Key Issues
What civil liability could covered entities have for harm from the breach, even if they are
shielded under the regulations?
Category I Guidelines-Actions must be taken to address these
Covered entities are not required to do anything to comply with this portion of the
regulation other than to be aware that such conditions exist and are defined in the
regulation.
Category II Guidelines-Actions should be taken to address these
Create or bolster internal reporting and compliance programs so as to reduce the need for
whistleblower disclosures.
Ensure that it is practical for workforce members who are crime victims to limit their
disclosures to law enforcement to the items listed in the regulation.
When making disclosures under this section, note that the disclosure is made pursuant to
this section.
Roadblocks
No roadblocks specific to this point.
Comments
None.

PRIV.22
Use and disclosure for facility directories
§ 164.510(a)
HIPAA Requirement
Standard: use and disclosure for facility directories.
(1) Permitted uses and disclosure. Except when an objection is expressed in
accordance with paragraphs (a)(2) or (3) of this section, a covered health care
provider may:
(i) Use the following protected health information to maintain a directory of
individuals in its facility:
(A) The individual's name;
(B) The individual's location in the covered health care provider's facility;
(C) The individual's condition described in general terms that does not
communicate specific medical information about the individual; and
(D) The individual's religious affiliation; and
(ii) Disclose for directory purposes such information:
(A) To members of the clergy; or
(B) Except for religious affiliation, to other persons who ask for the individual by
name.
(2) Opportunity to object. A covered health care provider must inform an
individual of the protected health information that it may include in a directory
and the persons to whom it may disclose such information (including disclosures
to clergy of information regarding religious affiliation) and provide the individual
with the opportunity to restrict or prohibit some or all of the uses or disclosures
permitted by paragraph (a)(1) of this section.
(3) Emergency circumstances.
(i) If the opportunity to object to uses or disclosures required by paragraph
(a)(2) of this section cannot practicably be provided because of the individual's
incapacity or an emergency treatment circumstance, a covered health care
provider may use or disclose some or all of the protected health information
permitted by paragraph (a)(1) of this section for the facility's directory, if such
disclosure is:
(A) Consistent with a prior expressed preference of the individual, if any, that is
known to the covered health care provider; and
(B) In the individual's best interest as determined by the covered health care
provider, in the exercise of professional judgment.
(ii) The covered health care provider must inform the individual and provide an
opportunity to object to uses or disclosures for directory purposes as required by
paragraph (a)(2) of this section when it becomes practicable to do so.
AMC Explanation of HIPAA Regulation
A covered entity (typically a hospital) may, with limitations, use and disclose selected protected
health information to create patient directories for use by clergy and others who ask for patients
by name. The covered entity must inform individuals that protected health information may be
included in patient directories, and tell them who may see the directory entries, and must allow
individuals to restrict or prohibit some or all of the permitted uses or disclosures. In emergency
treatment circumstances or if the patient is incapacitated and thus cannot be notified, the covered
entity may use or disclose some or all of the individual's patient directory information with
limitations. In such circumstances, the individual must be informed as soon as it is practicable.
Key Issues
What mechanisms are needed to ensure that patients can restrict or prohibit use or
disclosure of directory information where desired?
What criteria will be used to determine that "(t)he individual's condition (is) described in
general terms that does (sic) not communicate specific medical information....?"
How can printed reports from patient directories be limited to those with a need to see
them?
Category I Guidelines-Actions must be taken to address these
Limit protected health information in patient directories to name, location in facility,
general statement of condition, and religious affiliation.
Limit disclosure of religious affiliation to members of the clergy only.
Limit other disclosures of protected health information in patient directories to persons
who ask for individuals by name.
Provide individuals with an opportunity to restrict or prohibit the use of some or all of
their protected health information in patient directories unless they are unable to
communicate their preferences due to emergency circumstances or incapacity.
Category II Guidelines-Actions should be taken to address these
Establish policies and procedures for authenticating members of the clergy.
Establish mechanisms that ensure patients' conditions are appropriately described.
Consider the meaning of the term "impracticable" as used here. It is generally taken to
be a stronger standard than "impractical."
Consider routing some inquiries to personnel who have been specially trained to handle
sensitive cases.
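The directory limits in the Category I guidelines above, together with the Category II point on describing conditions appropriately, amount to a field-level disclosure policy that a directory system can enforce in code. The following is an added example, not part of the AMC/HIPAA Workgroup guidelines: the patient record layout, the requester roles, the keyword arguments and the allow-list of "general terms" for a condition are all assumptions made for illustration, and a covered entity would substitute its own approved vocabulary and role definitions.

```python
"""Facility-directory disclosure filter modelled on 45 CFR 164.510(a).

Added example, not part of the AMC/HIPAA Workgroup guidelines. The record
layout, requester roles and the allow-list of condition terms are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# The four data elements 164.510(a)(1)(i) permits in a facility directory.
DIRECTORY_FIELDS = ("name", "location", "general_condition", "religious_affiliation")

# Assumed allow-list of "general terms" for a condition (constructed for this
# example; a covered entity would adopt its own approved vocabulary).
GENERAL_CONDITION_TERMS = frozenset({"undetermined", "good", "fair", "serious", "critical"})


class Requester(Enum):
    CLERGY = "clergy"            # (a)(1)(ii)(A): may receive religious affiliation
    ASKED_BY_NAME = "by_name"    # (a)(1)(ii)(B): must supply the individual's name
    OTHER = "other"              # e.g. "who is in room 12?": no directory disclosure


@dataclass(frozen=True)
class Patient:
    name: str
    location: str
    general_condition: str
    religious_affiliation: Optional[str] = None
    # (a)(2): the individual may prohibit listing entirely or restrict specific fields.
    opted_out: bool = False
    restricted_fields: frozenset = frozenset()
    # (a)(3): False when the opportunity to object could not practicably be given
    # (incapacity or emergency treatment); True once it has been given.
    objection_opportunity_given: bool = True
    # (a)(3)(i)(A): a prior expressed preference known to the provider, if any.
    prior_preference_opt_out: Optional[bool] = None


def condition_is_general(text: str) -> bool:
    """True only if the description is in the approved general vocabulary."""
    return text.strip().casefold() in GENERAL_CONDITION_TERMS


def directory_entry(patient: Patient, requester: Requester,
                    asked_name: Optional[str] = None, *,
                    best_interest: bool = True) -> Optional[dict]:
    """Return the fields that may be disclosed to this requester, or None.

    best_interest is the provider's professional-judgment determination under
    (a)(3)(i)(B); it is consulted only when the patient could not be asked.
    """
    if not patient.objection_opportunity_given:
        # Emergency/incapacity path: disclose only if consistent with any known
        # prior preference and, in the provider's judgment, in the patient's interest.
        if patient.prior_preference_opt_out or not best_interest:
            return None
        restricted = frozenset()
    else:
        if patient.opted_out:
            return None
        restricted = patient.restricted_fields

    if requester is Requester.CLERGY:
        allowed = set(DIRECTORY_FIELDS)
    elif requester is Requester.ASKED_BY_NAME:
        if "name" in restricted or not asked_name:
            return None
        if asked_name.strip().casefold() != patient.name.casefold():
            return None      # no enumeration: the asker must already know the name
        allowed = set(DIRECTORY_FIELDS) - {"religious_affiliation"}
    else:
        return None

    allowed -= restricted
    # A condition string outside the general vocabulary is never released.
    if not condition_is_general(patient.general_condition):
        allowed.discard("general_condition")
    return {f: getattr(patient, f) for f in DIRECTORY_FIELDS if f in allowed}
```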
Roadblocks
No roadblocks specific to this point.
Comments
None.
PRIV.23
Uses and disclosures for involvement in the individual's care and notification
purposes
§ 164.510(b)
HIPAA Requirement
Standard: uses and disclosures for involvement in the individual's care and
notification purposes.
(1) Permitted uses and disclosures. (i) A covered entity may, in accordance
with paragraphs (b)(2) or (3) of this section, disclose to a family member, other
relative, or a close personal friend of the individual, or any other person
identified by the individual, the protected health information directly relevant to
such person's involvement with the individual's care or payment related to the
individual's health care.
(ii) A covered entity may use or disclose protected health information to notify, or
assist in the notification of (including identifying or locating), a family member, a
personal representative of the individual, or another person responsible for the
care of the individual of the individual's location, general condition, or death.
Any such use or disclosure of protected health information for such notification
purposes must be in accordance with paragraphs (b)(2), (3), or (4) of this section,
as applicable.
(2) Uses and disclosures with the individual present. If the individual is
present for, or otherwise available prior to, a use or disclosure permitted by
paragraph (b)(1) of this section and has the capacity to make health care
decisions, the covered entity may use or disclose the protected health information
if it:
(i) Obtains the individual's agreement;
(ii) Provides the individual with the opportunity to object to the disclosure,
and the individual does not express an objection; or
(iii) Reasonably infers from the circumstances, based on the exercise of
professional judgment, that the individual does not object to the disclosure.
(3) Limited uses and disclosures when the individual is not present. If the
individual is not present for, or the opportunity to agree or object to the use or
disclosure cannot practicably be provided because of the individual's incapacity
or an emergency circumstance, the covered entity may, in the exercise of
professional judgment, determine whether the disclosure is in the best interests of
the individual and, if so, disclose only the protected health information that is
directly relevant to the person's involvement with the individual's health care. A
covered entity may use professional judgment and its experience with common
practice to make reasonable inferences of the individual's best interest in
allowing a person to act on behalf of the individual to pick up filled prescriptions,
medical supplies, X-rays, or other similar forms of protected health information.
(4) Use and disclosures for disaster relief purposes. A covered entity may use
or disclose protected health information to a public or private entity authorized
by law or by its charter to assist in disaster relief efforts, for the purpose of
coordinating with such entities the uses or disclosures permitted by paragraph
(b)(1)(ii) of this section. The requirements in paragraphs (b)(2) and (3) of this
section apply to such uses and disclosure to the extent that the covered entity, in
the exercise of professional judgment, determines that the requirements do not
interfere with the ability to respond to the emergency circumstances.
AMC Explanation of HIPAA Regulation
A covered entity may, with limitations, use or disclose (typically to relatives) protected
health information for the purposes of notification and involvement in an individual's
care. A covered entity may also use professional judgment and its experience with
common practice in allowing a person to act on behalf of the individual to pick up filled
prescriptions, medical supplies, X-rays, or other similar forms of protected health
information. Finally, a covered entity may, with limitations, use or disclose protected
health information to a public or private entity authorized by law or by its charter to assist
in disaster relief efforts.
Key Issues
What procedures are needed to ensure that persons do not inappropriately receive
protected health information about an individual under the provisions of this section?
Category I Guidelines-Actions must be taken to address these
Develop and implement policies and procedures that help ensure appropriate and correct
use and disclosure under this section.
Category II Guidelines-Actions should be taken to address these
Develop and implement policies and procedures that help ensure that disclosures under
this section are not made to inappropriate persons.
Roadblocks
No roadblocks specific to this point.
Comments
Review PRIV.18 for related considerations.
PRIV.24
Uses and disclosures of protected health information for marketing
§ 164.514(e)(1)
HIPAA Requirement
Standard: uses and disclosures of protected health information for marketing. A
covered entity may not use or disclose protected health information for marketing
without an authorization that meets the applicable requirements of § 164.508,
except as provided for by paragraph (e)(2) of this section.
(2) Implementation specifications: requirements relating to marketing.
(i) A covered entity is not required to obtain an authorization under § 164.508
when it uses or discloses protected health information to make a marketing
communication to an individual that:
(A) Occurs in a face-to-face encounter with the individual;
(B) Concerns products or services of nominal value; or
(C) Concerns the health-related products and services of the covered entity or of
a third party and the communication meets the applicable conditions in
paragraph (e)(3) of this section.
(ii) A covered entity may disclose protected health information for purposes of
such communications only to a business associate that assists the covered entity
with such communications.
(3) Implementation specifications: requirements for certain marketing
communications. For a marketing communication to qualify under paragraph
(e)(2)(i) of this section, the following conditions must be met:
(i) The communication must:
(A) Identify the covered entity as the party making the communication;
(B) If the covered entity has received or will receive direct or indirect
remuneration for making the communication, prominently state that fact; and
(C) Except when the communication is contained in a newsletter or similar type of
general communication device that the covered entity distributes to a broad
cross-section of patients, enrollees, or other broad groups of individuals, contain
instructions describing how the individual may opt out of receiving future such
communications.
(ii) If the covered entity uses or discloses protected health information to target
the communication to individuals based on their health status or condition:
(A) The covered entity must make a determination prior to making the
communication that the product or service being marketed may be beneficial to
the health of the type or class of individual targeted; and
(B) The communication must explain why the individual has been targeted and
how the product or service relates to the health of the individual.
(iii) The covered entity must make reasonable efforts to ensure that individuals
who decide to opt out of receiving future marketing communications, under
paragraph (e)(3)(i)(C) of this section, are not sent such communications.
AMC Explanation of HIPAA Regulation
The regulations explicitly allow the use of protected health information for targeted (by the
health history or status of the recipient) marketing by or for the covered entity without an explicit
authorization from the individual. If the marketing is done face-to-face, anything can be
marketed; items of nominal value can be marketed without restriction. Otherwise, health related
products can be marketed to individuals provided the covered entity is identified, any
remuneration to the covered entity is prominently disclosed, and an opt-out capability is included
(except for broad newsletters). If protected health information is used to target the health-related
product, the covered entity must make a determination that it may be of value for the condition
and must explain in the communication why the individual is being targeted.
Key Issues
To what does the covered entity want to lend its name?
How will the covered entity monitor and control the use of its name?
Who will determine if the item has value to the patient?
Category I Guidelines-Actions must be taken to address these
For health related products:
Identify the covered entity in the marketing communication.
If the covered entity receives direct or indirect remuneration, state that fact
prominently in the communication.
Except for newsletters and the like, offer individuals the opportunity to opt out of
future such communications.
Maintain a record of the disclosures.
Category II Guidelines-Actions should be taken to address these
Have a central method to manage opt-outs.
Roadblocks
No roadblocks specific to this point.
Comments
This section of the regulations was not in the Notice of Proposed Rulemaking and has not had a
real opportunity for comment. Some reviewers see it as overly broad, allowing individuals even
less privacy than they have now for video rentals. For these reasons, AMCs should watch this
area for changes before investing seriously in implementations.
PRIV.25
Uses and disclosures for fundraising
§ 164.514(f)(1)
HIPAA Requirement
Standard: uses and disclosures for fundraising. A covered entity may use, or
disclose to a business associate or to an institutionally related foundation, the
following protected health information for the purpose of raising funds for its own
benefit, without an authorization meeting the requirements of § 164.508:
(i) Demographic information relating to an individual; and
(ii) Dates of health care provided to an individual.
(2) Implementation specifications: fundraising requirements. (i) The covered
entity may not use or disclose protected health information for fundraising
purposes as otherwise permitted by paragraph (f)(1) of this section unless a
statement required by § 164.520(b)(1)(iii)(B) is included in the covered entity's
notice;
(ii) The covered entity must include in any fundraising materials it sends to an
individual under this paragraph a description of how the individual may opt out
of receiving any further fundraising communications.
(iii) The covered entity must make reasonable efforts to ensure that individuals
who decide to opt out of receiving future fundraising communications are not sent
such communications.
AMC Explanation of HIPAA Regulation
The covered entity may engage in, or contract for, fundraising for its benefit using protected
health information. The covered entity must allow an opt-out feature and provide a means of
managing the opt-outs. If the covered entity intends to use demographics and dates of health
care in fund-raising, it must include a statement that it plans to do so in the privacy notice.
Key Issues
How will the limits placed on fundraising without an authorization affect which
fundraising efforts will continue?
Category I Guidelines-Actions must be taken to address these if fundraising is pursued:
Include an opt-out method.
Make reasonable efforts to ensure that opt-outs are honored across the covered entity.
Maintain a record of disclosures.
Include a statement in privacy notice if patient information will be used to target patients
for receipt of fundraising materials.
Category II Guidelines-Actions should be taken to address these
Review the notice of privacy policy to determine whether it permits the use of other
protected health information for fundraising.
Roadblocks
Covered entities with decentralized fundraising may find it difficult to implement the opt-out
provisions. The language of the regulation may exclude mailings targeted using diagnosis
without authorization. If so, this will significantly affect many mailings done today.
Comments
The limits on which information may be used in fund-raising without an authorization may foster
the use of authorizations to provide clear permission to use additional information (e.g.
diagnosis) or cause some forms of fund-raising activities to stop.
PRIV.26
Uses and disclosures for underwriting and related purposes
§ 164.514(g)
HIPAA Requirement
Standard: uses and disclosures for underwriting and related purposes. If a health
plan receives protected health information for the purpose of underwriting,
premium rating, or other activities relating to the creation, renewal, or
replacement of a contract of health insurance or health benefits, and if such
health insurance or health benefits are not placed with the health plan, such
health plan may not use or disclose such protected health information for any
other purpose, except as may be required by law.
AMC Explanation of HIPAA Regulation
When a covered entity receives an individual's protected health information as part of an
application for health insurance or other health benefits, and the individual does not
obtain insurance or benefits from the covered entity, the covered entity may not use or
disclose such protected health information for any other purpose except as required by
law.
Key Issues
What mechanisms are needed for appropriate disposal or destruction of protected health
information received as part of an unsuccessful application process for health insurance
or other health benefits?
What mechanisms are needed to ensure the appropriate handling of such protected health
information in the event of the sale, acquisition, liquidation, or bankruptcy of the covered
entity originally receiving the protected health information?
Category I Guidelines-Actions must be taken to address these
Develop policies and procedures to limit the use or disclosure of protected health
information received as part of an unsuccessful application process for health insurance
or other health benefits to only that required by law.
Category II Guidelines-Actions should be taken to address these
None.
Roadblocks
No roadblocks specific to this point.
Comments
None.
Sub-Section B: Balancing Privacy and Public Responsibility
PRIV.27
Uses and disclosures required by law
§ 164.512(a)
HIPAA Requirement
Standard: uses and disclosures required by law.
(1) A covered entity may use or disclose protected health information to the
extent that such use or disclosure is required by law and the use or disclosure
complies with and is limited to the relevant requirements of such law.
(2) A covered entity must meet the requirements described in paragraph (c),
(e), or (f) of this section for uses or disclosures required by law.
AMC Explanation of HIPAA Regulation
A covered entity may use or disclose protected health information without patient authorization
or consent where the use or disclosure is required by law. The use or disclosure must be limited
to that required by law and must meet the requirements of one of the following sections:
§ 164.512(c) Disclosures about victims of abuse, neglect, or domestic violence;
§ 164.512(e) Disclosures for judicial or administrative proceedings;
§ 164.512(f) Disclosures for law enforcement purposes.
Key Issues
What mechanisms are needed to ensure that only those uses and disclosures required by
law are made without individuals' consents or authorization?
Category I Guidelines-Actions must be taken to address these
Establish mechanisms to appropriately limit uses and disclosures required by law.
Determine the legal relation of the requirements under this section to stricter state laws.
Category II Guidelines-Actions should be taken to address these
Establish procedures for authenticating requests for disclosure of protected health
information that is required or permitted under this section.
Consider checklists in addition to narrative descriptions of reporting requirements to
assist staff in avoiding errors in reporting.
Involve legal staff and other knowledgeable individuals to ensure appropriate reporting.
Maintain records of all disclosures under this section and the statutory rationale for each.
Roadblocks
No roadblocks specific to this point.
Comments
None.
PRIV.28
Uses and disclosures for public health activities
§ 164.512(b)
HIPAA Requirement
Standard: uses and disclosures for public health activities.
(1) Permitted disclosures. A covered entity may disclose protected health
information for the public health activities and purposes described in this
paragraph to:
(i) A public health authority that is authorized by law to collect or receive such
information for the purpose of preventing or controlling disease, injury, or
disability, including, but not limited to, the reporting of disease, injury, vital
events such as birth or death, and the conduct of public health surveillance,
public health investigations, and public health interventions; or, at the direction
of a public health authority, to an official of a foreign government agency that is
acting in collaboration with a public health authority;
(ii) A public health authority or other appropriate government authority
authorized by law to receive reports of child abuse or neglect;
(iii) A person subject to the jurisdiction of the Food and Drug Administration:
(A) To report adverse events (or similar reports with respect to food or dietary
supplements), product defects or problems (including problems with the use or
labeling of a product), or biological product deviations if the disclosure is made
to the person required or directed to report such information to the Food and
Drug Administration;
(B) To track products if the disclosure is made to a person required or directed by
the Food and Drug Administration to track the product;
(C) To enable product recalls, repairs, or replacement (including locating and
notifying individuals who have received products of product recalls, withdrawals,
or other problems); or
(D) To conduct post marketing surveillance to comply with requirements or at the
direction of the Food and Drug Administration;
(iv) A person who may have been exposed to a communicable disease or may
otherwise be at risk of contracting or spreading a disease or condition, if the
covered entity or public health authority is authorized by law to notify such
person as necessary in the conduct of a public health intervention or
investigation; or
(v) An employer, about an individual who is a member of the workforce of the
employer, if:
(A) The covered entity is a covered health care provider who is a member of the
workforce of such employer or who provides health care to the individual at the
request of the employer:
(1) To conduct an evaluation relating to medical surveillance of the
workplace; or
(2) To evaluate whether the individual has a work-related illness or injury;
(B) The protected health information that is disclosed consists of findings
concerning a work-related illness or injury or a workplace-related medical
surveillance;
(C) The employer needs such findings in order to comply with its obligations,
under 29 CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under
state law having a similar purpose, to record such illness or injury or to carry out
responsibilities for workplace medical surveillance;
(D) The covered health care provider provides written notice to the individual
that protected health information relating to the medical surveillance of the
workplace and work-related illnesses and injuries is disclosed to the employer:
(1) By giving a copy of the notice to the individual at the time the health care
is provided; or
(2) If the health care is provided on the work site of the employer, by posting
the notice in a prominent place at the location where the health care is provided.
(2) Permitted uses. If the covered entity also is a public health authority, the
covered entity is permitted to use protected health information in all cases in
which it is permitted to disclose such information for public health activities
under paragraph (b)(1) of this section.
AMC Explanation of HIPAA Regulation
In specified situations, a covered entity may disclose (and sometimes use) protected health
information for public health activities without an individual's consent or authorization. The
permitted disclosures are enumerated in the regulation. Permitted uses for public health
activities exist only where the disclosing covered entity is itself a public health authority, in
which case the covered entity is permitted to use all information that it is permitted to disclose
under paragraph (b)(1) of this section.
Key Issues
How will authorized agencies and individuals and permitted disclosures be identified?
Category I Guidelines-Actions must be taken to address these
Develop and implement policies and procedures to ensure that the above reporting
requirements are met.
Category II Guidelines-Actions should be taken to address these
Establish procedures for authenticating requests for disclosure of protected health
information that is required or permitted under this section.
Consider checklists in addition to narrative descriptions of reporting requirements to
assist staff in avoiding errors in reporting.
Involve legal staff and other knowledgeable individuals to ensure appropriate reporting.
Maintain records of all disclosures under this section and the regulatory rationale for
each.
Roadblocks
No roadblocks specific to this point.
Comments
None.
PRIV.29
Disclosures about victims of abuse, neglect, or domestic violence
§ 164.512(c)
HIPAA Requirement
Standard: disclosures about victims of abuse, neglect or domestic violence.
(1) Permitted disclosures. Except for reports of child abuse or neglect
permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose
protected health information about an individual whom the covered entity
reasonably believes to be a victim of abuse, neglect, or domestic violence to a
government authority, including a social service or protective services agency,
authorized by law to receive reports of such abuse, neglect, or domestic violence:
(i) To the extent the disclosure is required by law and the disclosure complies
with and is limited to the relevant requirements of such law;
(ii) If the individual agrees to the disclosure; or
(iii) To the extent the disclosure is expressly authorized by statute or regulation
and:
(A) The covered entity, in the exercise of professional judgment, believes the
disclosure is necessary to prevent serious harm to the individual or other
potential victims; or
(B) If the individual is unable to agree because of incapacity, a law enforcement
or other public official authorized to receive the report represents that the
protected health information for which disclosure is sought is not intended to be
used against the individual and that an immediate enforcement activity that
depends upon the disclosure would be materially and adversely affected by
waiting until the individual is able to agree to the disclosure.
(2) Informing the individual. A covered entity that makes a disclosure
permitted by paragraph (c)(1) of this section must promptly inform the individual
that such a report has been or will be made, except if:
(i) The covered entity, in the exercise of professional judgment, believes
informing the individual would place the individual at risk of serious harm; or
(ii) The covered entity would be informing a personal representative, and the
covered entity reasonably believes the personal representative is responsible for
the abuse, neglect, or other injury, and that informing such person would not be
in the best interests of the individual as determined by the covered entity, in the
exercise of professional judgment.
AMC Explanation of HIPAA Regulation
Disclosure of protected health information about victims of abuse, neglect, or domestic violence
without the individual's consent or authorization is permitted by a covered entity in specified
situations. These are described in the regulation. They are also described under § 164.512(c),
which addresses reporting to a public health authority or other appropriate government authority
authorized by law to receive reports of child abuse or neglect. In instances where the covered
entity makes disclosures according to the above rules, the covered entity must promptly inform
the individual that the disclosure has been made, unless certain enumerated conditions exist.
Key Issues
How can complex reporting requirements be efficiently communicated to and executed
by staffs with a variety of different responsibilities and duties?
Who will determine that a reportable event has occurred?
Who will make the report?
Category I Guidelines-Actions must be taken to address these
Develop and implement detailed policies, procedures, and mechanisms for permitted
reporting.
Develop a process for informing the individual about public health reports, making the
report, and deciding whether or not to inform the individual.
Category II Guidelines-Actions should be taken to address these
Establish procedures for authenticating requests for disclosure of protected health
information that is required or permitted under this section.
Consider flow charts in addition to narrative descriptions of reporting requirements to
assist staff in avoiding errors in reporting.
Involve legal staff and other knowledgeable individuals to ensure appropriate reporting.
Document the fact that the report was made or that a decision was made not to report.
Determine for your organization who will determine that a reportable event has occurred.
Roadblocks
No roadblocks specific to this point.
Comments
None.
PRIV.30
Uses and disclosures for health oversight activities
§ 164.512(d)
HIPAA Requirement
Standard: uses and disclosures for health oversight activities.
(1) Permitted disclosures. A covered entity may disclose protected health
information to a health oversight agency for oversight activities authorized by
law, including audits; civil, administrative, or criminal investigations;
inspections; licensure or disciplinary actions; civil, administrative, or criminal
proceedings or actions; or other activities necessary for appropriate oversight of:
(i) The health care system;
(ii) Government benefit programs for which health information is relevant to
beneficiary eligibility;
(iii) Entities subject to government regulatory programs for which health
information is necessary for determining compliance with program standards; or
(iv) Entities subject to civil rights laws for which health information is necessary
for determining compliance.
(2) Exception to health oversight activities. For the purpose of the
disclosures permitted by paragraph (d)(1) of this section, a health oversight
activity does not include an investigation or other activity in which the individual
is the subject of the investigation or activity and such investigation or other
activity does not arise out of and is not directly related to:
(i) The receipt of health care;
(ii) A claim for public benefits related to health; or
(iii) Qualification for, or receipt of, public benefits or services when a patient's
health is integral to the claim for public benefits or services.
(3) Joint activities or investigations. Notwithstanding paragraph (d)(2) of this
section, if a health oversight activity or investigation is conducted in conjunction
with an oversight activity or investigation relating to a claim for public benefits
not related to health, the joint activity or investigation is considered a health
oversight activity for purposes of paragraph (d) of this section.
(4) Permitted uses. If a covered entity also is a health oversight agency, the
covered entity may use protected health information for health oversight activities
as permitted by paragraph (d) of this section.
AMC Explanation of HIPAA Regulation
Entities may disclose protected health information without consent or authorization for certain
specified health oversight activities.
Key Issues
Who will determine what disclosures are permitted, and what may be disclosed?
How will this information be released and who will determine that it is released in a way
that minimizes risk?
Who are the relevant oversight bodies and what oversight are they exercising?
Category I Guidelines-Actions must be taken to address these:
Develop and document a policy and process compliant with the requirements of this
section for the disclosure of protected health information for health oversight activities.
Maintain a record of disclosures for health oversight activities; section § 164.528 implies
the need to be able to provide a record of these disclosures as part of the disclosure
history that entities must provide to individuals on request.
Category II Guidelines-Actions should be taken to address these
Establish procedures for authenticating requests for disclosure of protected health
information that is required or permitted under this section.
Document all disclosures and the rationale for health oversight activities.
Roadblocks
Determining what "health oversight activities" means may be difficult.
Comments
De-identified data could perhaps be used in this area.

PRIV.31
Disclosures for judicial and administrative proceedings
§ 164.512(e)
HIPAA Requirement
Standard: disclosures for judicial and administrative proceedings.
(1) Permitted disclosures. A covered entity may disclose protected health
information in the course of any judicial or administrative proceeding:
(i) In response to an order of a court or administrative tribunal, provided that the
covered entity discloses only the protected health information expressly
authorized by such order; or
(ii) In response to a subpoena, discovery request, or other lawful process, that is
not accompanied by an order of a court or administrative tribunal, if:
(A) The covered entity receives satisfactory assurance, as described in paragraph
(e)(1)(iii) of this section, from the party seeking the information that reasonable
efforts have been made by such party to ensure that the individual who is the
subject of the protected health information that has been requested has been given
notice of the request; or
(B) The covered entity receives satisfactory assurance, as described in paragraph
(e)(1)(iv) of this section, from the party seeking the information that reasonable
efforts have been made by such party to secure a qualified protective order that
meets the requirements of paragraph (e)(1)(v) of this section.
(iii) For the purposes of paragraph (e)(1)(ii)(A) of this section, a covered entity
receives satisfactory assurances from a party seeking protected health
information if the covered entity receives from such party a written statement and
accompanying documentation demonstrating that:
(A) The party requesting such information has made a good faith attempt to
provide written notice to the individual (or, if the individual's location is
unknown, to mail a notice to the individual's last known address);
(B) The notice included sufficient information about the litigation or proceeding
in which the protected health information is requested to permit the individual to
raise an objection to the court or administrative tribunal; and
(C) The time for the individual to raise objections to the court or administrative
tribunal has elapsed, and:
(1) No objections were filed; or
(2) All objections filed by the individual have been resolved by the court or
the administrative tribunal and the disclosures being sought are consistent with
such resolution.
(iv) For the purposes of paragraph (e)(1)(ii)(B) of this section, a covered entity
receives satisfactory assurances from a party seeking protected health
information, if the covered entity receives from such party a written statement and
accompanying documentation demonstrating that:
(A) The parties to the dispute giving rise to the request for information have
agreed to a qualified protective order and have presented it to the court or
administrative tribunal with jurisdiction over the dispute; or
(B) The party seeking the protected health information has requested a qualified
protective order from such court or administrative tribunal.

(v) For purposes of paragraph (e)(1) of this section, a qualified protective
order means, with respect to protected health information requested under
paragraph (e)(1)(ii) of this section, an order of a court or of an administrative
tribunal or a stipulation by the parties to the litigation or administrative
proceeding that:
(A) Prohibits the parties from using or disclosing the protected health information
for any purpose other than the litigation or proceeding for which such
information was requested; and
(B) Requires the return to the covered entity or destruction of the protected health
information (including all copies made) at the end of the litigation or proceeding.
(vi) Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity may
disclose protected health information in response to lawful process described in
paragraph (e)(1)(ii) of this section without receiving satisfactory assurance under
paragraph (e)(1)(ii)(A) or (B) of this section, if the covered entity makes
reasonable efforts to provide notice to the individual sufficient to meet the
requirements of paragraph (e)(1)(iii) of this section or to seek a qualified
protective order sufficient to meet the requirements of paragraph (e)(1)(iv) of this
section.
(2) Other uses and disclosures under this section. The provisions of this
paragraph do not supersede other provisions of this section that otherwise permit
or restrict uses or disclosures of protected health information.
AMC Explanation of HIPAA Regulation
Entities may disclose protected health information for specific judicial and administrative
proceedings, though with restrictions. The requesting party must "assure" the covered entity that
there have been reasonable attempts to contact the subject of the records and allow him or her an
opportunity to formally object to the disclosure. A covered entity may seek to notify the patient
to provide this opportunity. The request must be refused unless the requestor agrees to limit uses
and disclosures to the needs of the proceeding and to destroy or return protected health
information at the end of the proceeding.
Key Issues
Who will determine what is permitted for disclosure under this point?
How will this protected health information be released, and who will determine that it is
released in a way that minimizes risk?
Who will determine whether the requestor has made "satisfactory assurance?"
How will a covered entity ensure that the protected health information is returned or
destroyed?
What duty to mitigate harm does a covered entity have with regard to potential
inappropriate further disclosures by the requesting party?
Category I Guidelines-Actions must be taken to address these
Develop and document a policy and process compliant with the requirements of this
section for the disclosure of protected health information for judicial and administrative
proceedings.

Maintain a record of disclosures for judicial and administrative proceedings; § 164.528
implies the need to have a record of these disclosures as part of the disclosure history that
entities must provide to individuals on request.
Category II Guidelines-Actions should be taken to address these
Establish procedures for authenticating requests for disclosure of protected health
information that is required or permitted under this section.
Document all disclosures for judicial and administrative proceedings.
Request either return of the disclosed protected health information or assurance that the
protected health information has been destroyed.
Roadblocks
Ensuring consistent practice across the AMC, determining that "satisfactory assurances" have
taken place, and coordinating such disclosures across the AMC may prove unwieldy if not
properly assessed and organized.
Comments
Some disclosure requests of this type will likely be ones that the patient makes in order to
support his or her claims in a proceeding. Other requests may be ones that patients will object to
because of the potential that the disclosure will not favor their interests in a proceeding. Because
of this tension, AMCs should consider having a sound and readily defensible system for
managing these disclosures.

PRIV.32
Disclosures for law enforcement purposes
§ 164.512(f)
HIPAA Requirement
Standard: disclosures for law enforcement purposes. A covered entity may
disclose protected health information for a law enforcement purpose to a law
enforcement official if the conditions in paragraphs (f)(1) through (f)(6) of this
section are met, as applicable.
(1) Permitted disclosures: pursuant to process and as otherwise required by
law. A covered entity may disclose protected health information:
(i) As required by law including laws that require the reporting of certain types of
wounds or other physical injuries, except for laws subject to paragraph (b)(1)(ii)
or (c)(1)(i) of this section; or
(ii) In compliance with and as limited by the relevant requirements of:
(A) A court order or court-ordered warrant, or a subpoena or summons issued by
a judicial officer;
(B) A grand jury subpoena; or
(C) An administrative request, including an administrative subpoena or summons,
a civil or an authorized investigative demand, or similar process authorized under
law, provided that:
(1) The information sought is relevant and material to a legitimate law
enforcement inquiry;
(2) The request is specific and limited in scope to the extent reasonably
practicable in light of the purpose for which the information is sought; and
(3) De-identified information could not reasonably be used.
(2) Permitted disclosures: limited information for identification and location
purposes. Except for disclosures required by law as permitted by paragraph
(f)(1) of this section, a covered entity may disclose protected health information in
response to a law enforcement official's request for such information for the
purpose of identifying or locating a suspect, fugitive, material witness, or missing
person, provided that:
(i) The covered entity may disclose only the following information:
(A) Name and address;
(B) Date and place of birth;
(C) Social security number;
(D) ABO blood type and Rh factor;
(E) Type of injury;
(F) Date and time of treatment;
(G) Date and time of death, if applicable; and
(H) A description of distinguishing physical characteristics, including height,
weight, gender, race, hair and eye color, presence or absence of facial hair
(beard or moustache), scars, and tattoos.
(ii) Except as permitted by paragraph (f)(2)(i) of this section, the covered entity
may not disclose for the purposes of identification or location under paragraph
(f)(2) of this section any protected health information related to the individual's
DNA or DNA analysis, dental records, or typing, samples or analysis of body
fluids or tissue.
(3) Permitted disclosure: victims of a crime. Except for disclosures required
by law as permitted by paragraph (f)(1) of this section, a covered entity may
disclose protected health information in response to a law enforcement official's
request for such information about an individual who is or is suspected to be a
victim of a crime, other than disclosures that are subject to paragraph (b) or (c)
of this section, if:
(i) The individual agrees to the disclosure; or
(ii) The covered entity is unable to obtain the individual's agreement because of
incapacity or other emergency circumstance, provided that:
(A) The law enforcement official represents that such information is needed to
determine whether a violation of law by a person other than the victim has
occurred, and such information is not intended to be used against the victim;
(B) The law enforcement official represents that immediate law enforcement
activity that depends upon the disclosure would be materially and adversely
affected by waiting until the individual is able to agree to the disclosure; and
(C) The disclosure is in the best interests of the individual as determined by the
covered entity, in the exercise of professional judgment.
(4) Permitted disclosure: decedents. A covered entity may disclose protected
health information about an individual who has died to a law enforcement official
for the purpose of alerting law enforcement of the death of the individual if the
covered entity has a suspicion that such death may have resulted from criminal
conduct.
(5) Permitted disclosure: crime on premises. A covered entity may disclose to
a law enforcement official protected health information that the covered entity
believes in good faith constitutes evidence of criminal conduct that occurred on
the premises of the covered entity.
(6) Permitted disclosure: reporting crime in emergencies.
(i) A covered health care provider providing emergency health care in response
to a medical emergency, other than such emergency on the premises of the
covered health care provider, may disclose protected health information to a law
enforcement official if such disclosure appears necessary to alert law enforcement
to:
(A) The commission and nature of a crime;
(B) The location of such crime or of the victim(s) of such crime; and
(C) The identity, description, and location of the perpetrator of such crime.
(ii) If a covered health care provider believes that the medical emergency
described in paragraph (f)(6)(i) of this section is the result of abuse, neglect, or
domestic violence of the individual in need of emergency health care, paragraph
(f)(6)(i) of this section does not apply and any disclosure to a law enforcement
official for law enforcement purposes is subject to paragraph (c) of this section.
AMC Explanation of HIPAA Regulation
AMCs can, and in some cases must, disclose protected health information for law enforcement
purposes. This section prescribes the conditions when protected health information can be
disclosed. These disclosure conditions include: when required by law; in compliance with a
court order, grand jury subpoena, or administrative request (when certain restrictions and
conditions are met); limited information for identification and location purposes; disclosures by
victims of a crime; disclosures based on suspicion that decedent's death was caused by a
criminal act or that a crime was conducted by the individual, and reporting a crime in an
emergency. Covered entities may not disclose DNA information, dental records, or tissue or
body fluid samples under this provision.
Key Issues
Who will determine what can and must be disclosed?
Who will determine that the information sought is "relevant," "specific," "limited," and
that the purpose requires protected health information instead of de-identified
information?
How will the covered entity determine that the disclosure of a victim's protected health
information is in the victim's best interest?
How will release of this protected health information be controlled and documented?
How will the covered entity be assured that the released protected health information is
protected and then destroyed in a compliant manner?
Category I Guidelines-Actions must be taken to address these
Develop policies and processes compliant with the requirements of this section for
releasing protected health information to law enforcement agencies.
Maintain a record of disclosures for law enforcement purposes; § 164.528 implies the
need to have a record of these disclosures as part of the disclosure history that entities
must provide to individuals on request.
Determine if de-identified information would be adequate prior to making any disclosure.
Category II Guidelines-Actions should be taken to address these
Establish procedures for authenticating requests for disclosure of protected health
information that is required or permitted under this section.
Request law enforcement agencies to return disclosed protected health information or
report that the protected health information has been destroyed.
Require law enforcement agencies to sign an agreement that they will follow standards to
safeguard the disclosed protected health information.
Roadblocks
Failing to ensure consistent interpretation of the terms "relevant," "specific," and "limited,"
across the AMC will create confusion, and coordinating disclosures across the AMC will require
open communication and collaboration. Determining when the request requires protected health
information instead of de-identified information can be difficult.
Comments
Disclosures of this type are likely to have significant results for the parties involved. AMCs
should have procedures to ensure that their practices comply with the regulations with a high
degree of accuracy. The alternative may be knowing improper disclosure of protected health
information by the covered entity, which is a felony under HIPAA.
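The identification-and-location provision at § 164.512(f)(2) is, in practice, an allowlist: a fixed set of data elements (A) through (H) may be released, everything else is withheld, and (f)(2)(ii) bars DNA, dental and body-fluid categories outright. The Category I guideline to keep a record of each law enforcement disclosure (here and in PRIV.30 and PRIV.31) is the accounting that § 164.528 implies. The following Python is an added illustration of both points; it is not code from the AMC workgroup or from HHS. The record field names, the sample patient record and the recipient name are constructed for the example and do not correspond to any real system.

```python
"""Minimum-necessary filter for a law enforcement identification/location
request under 45 CFR 164.512(f)(2), with an accounting-of-disclosures entry
of the kind 164.528 implies. Added illustration, not AMC or HHS code; field
names and the sample record below are constructed for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical record field names mapped from the (f)(2)(i)(A)-(H) list.
IDENTIFICATION_ALLOWLIST = frozenset({
    "name", "address",                     # (A)
    "date_of_birth", "place_of_birth",     # (B)
    "ssn",                                 # (C)
    "abo_blood_type", "rh_factor",         # (D)
    "injury_type",                         # (E)
    "treatment_datetime",                  # (F)
    "death_datetime",                      # (G)
    "distinguishing_characteristics",      # (H)
})

# Categories (f)(2)(ii) bars for identification/location requests, even if asked for.
PROHIBITED_FOR_IDENTIFICATION = frozenset({
    "dna", "dna_analysis", "dental_records", "body_fluid_typing", "tissue_analysis",
})

# Constructed, fictitious patient record used by the example.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "address": "123 Example Street",
    "date_of_birth": "1970-01-01",
    "abo_blood_type": "O",
    "rh_factor": "+",
    "injury_type": "laceration, left forearm",
    "treatment_datetime": "2001-05-01T14:30:00",
    "diagnosis": "example diagnosis",        # not in (f)(2)(i): always withheld here
    "dna_analysis": "profile-placeholder",   # (f)(2)(ii): never disclosed here
}


class ProhibitedDisclosure(ValueError):
    """The request named a category that (f)(2)(ii) rules out entirely."""


@dataclass(frozen=True)
class DisclosureEntry:
    """One line of the disclosure history an entity must be able to produce."""
    disclosed_at: str
    recipient: str
    purpose: str
    fields_disclosed: tuple
    fields_withheld: tuple


@dataclass
class DisclosureLog:
    entries: list = field(default_factory=list)


def prohibited_fields(requested):
    """Return the requested fields that (f)(2)(ii) bars outright."""
    return frozenset(requested) & PROHIBITED_FOR_IDENTIFICATION


def filter_identification_request(record, requested):
    """Apply the (f)(2)(i) allowlist; return (disclosed_dict, withheld_tuple).

    Fields outside the allowlist are withheld and reported back; a request that
    names a (f)(2)(ii) category is refused as a whole so a reviewer sees it.
    """
    requested = frozenset(requested)
    barred = prohibited_fields(requested)
    if barred:
        raise ProhibitedDisclosure(
            f"request includes categories barred by 164.512(f)(2)(ii): {sorted(barred)}")
    permitted = requested & IDENTIFICATION_ALLOWLIST
    withheld = tuple(sorted(requested - permitted))
    disclosed = {name: record[name] for name in sorted(permitted) if name in record}
    return disclosed, withheld


def disclose_for_identification(record, requested, recipient, log, now=None):
    """Filter the record and append the disclosure to the accounting log."""
    disclosed, withheld = filter_identification_request(record, requested)
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    log.entries.append(DisclosureEntry(
        disclosed_at=stamp,
        recipient=recipient,
        purpose="law enforcement identification/location, 164.512(f)(2)",
        fields_disclosed=tuple(sorted(disclosed)),
        fields_withheld=withheld,
    ))
    return disclosed


if __name__ == "__main__":
    log = DisclosureLog()
    out = disclose_for_identification(
        SAMPLE_RECORD, {"name", "abo_blood_type", "rh_factor", "diagnosis"},
        "Example Police Department (constructed)", log)
    print(out)             # diagnosis is withheld; only allowlisted fields remain
    print(log.entries[0])  # the accounting entry names what was and was not released
```

The design choice worth noting is that a request touching a barred category is refused rather than quietly trimmed: silently dropping a DNA field would leave no trace that the request had asked for it, whereas the guidelines want the rationale and scope of every law enforcement disclosure documented. The log entry records the withheld fields for the same reason.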

PRIV.33
Uses and disclosures about decedents
§ 164.512(g)
HIPAA Requirement
Standard: uses and disclosures about decedents.
(1) Coroners and medical examiners. A covered entity may disclose protected
health information to a coroner or medical examiner for the purpose of
identifying a deceased person, determining a cause of death, or other duties as
authorized by law. A covered entity that also performs the duties of a coroner or
medical examiner may use protected health information for the purposes
described in this paragraph.
(2) Funeral directors. A covered entity may disclose protected health
information to funeral directors, consistent with applicable law, as necessary to
carry out their duties with respect to the decedent. If necessary for funeral
directors to carry out their duties, the covered entity may disclose the protected
health information prior to, and in reasonable anticipation of, the individual's
death.
AMC Explanation of HIPAA Regulation
Protected health information about a deceased person can only be used or disclosed as described
here or for other uses and disclosures required by law (§ 164.512(a)). Except for the specific
disclosures here, these regulations apply the same standard to protected health information about
a deceased person as they do to protected health information pertaining to a living person.
Key Issues
How will the entity authenticate coroners and medical examiners?
How will the entity authenticate funeral directors?
What protected health information about the deceased individual do the coroners, medical
examiners, and funeral directors need?
Category I Guidelines-Actions must be taken to address these
Develop policies and procedures for determining what information should be released to
whom it should be released, as well as how such releases should be documented.
Category II Guidelines-Actions should be taken to address these
Establish procedures for authenticating requests for disclosure of protected health
information that is required or permitted under this section.
Develop a list of the minimum necessary protected health information to disclose to
funeral directors.
Roadblocks
No roadblocks specific to this point.

Comments
Uses and disclosures specifically allowing for research are covered in PRIV.35. An executor or
estate administrator must be treated as a personal representative per § 164.502(g)(4).
Prior to this regulation, the privacy rights of an individual under federal law ended with death;
their data were available under the Freedom of Information Act. States may have more
restrictive provisions.

PRIV.34
Uses and disclosures for cadaveric organ, eye, or tissue donation purposes
§ 164.512(h)
HIPAA Requirement
Standard: uses and disclosures for cadaveric organ, eye or tissue donation
purposes. A covered entity may use or disclose protected health information to
organ procurement organizations or other entities engaged in the procurement,
banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of
facilitating organ, eye or tissue donation and transplantation.
AMC Explanation of HIPAA Regulation
AMCs can release protected health information to organ procurement agencies to facilitate
cadaveric tissue donation. Such information is essential to the determination of usefulness of
harvested organs, eyes, or tissue.
Key Issues
How and where will such disclosures be documented?
Category I Guidelines-Actions must be taken to address these
Develop policies and procedures on how protected health information will be disclosed
for the purpose of cadaveric tissue donation.
Category II Guidelines-Actions should be taken to address these
Determine if minimum necessary disclosure is appropriate for procurement, banking, and
transport resources purposes since the scope of their involvement may be limited.
The actual transport team should be considered as the treatment team for whom the
complete disclosure of protected health information is appropriate.
Roadblocks
No roadblocks specific to this point.
Comments
None.

PRIV.35
Uses and disclosures for research purposes
§ 164.512(i)
HIPAA Requirement
Standard: uses and disclosures for research purposes.
(1) Permitted uses and disclosures. A covered entity may use or disclose
protected health information for research, regardless of the source of funding of
the research, provided that:
(i) Board approval of a waiver of authorization. The covered entity obtains
documentation that an alteration to or waiver, in whole or in part, of the
individual authorization required by §164.508 for use or disclosure of protected
health information has been approved by either:
(A) An Institutional Review Board (IRB), established in accordance with 7 CFR
1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107,
21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR 46.107, 32 CFR
219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45
CFR 690.107, or 49 CFR 11.107; or
(B) A privacy board that:
(1) Has members with varying backgrounds and appropriate professional
competency as necessary to review the effect of the research protocol on the
individual's privacy rights and related interests;
(2) Includes at least one member who is not affiliated with the covered entity,
not affiliated with any entity conducting or sponsoring the research, and not
related to any person who is affiliated with any of such entities; and
(3) Does not have any member participating in a review of any project in
which the member has a conflict of interest.
(ii) Reviews preparatory to research. The covered entity obtains from the
researcher representations that:
(A) Use or disclosure is sought solely to review protected health information as
necessary to prepare a research protocol or for similar purposes preparatory to
research;
(B) No protected health information is to be removed from the covered entity by
the researcher in the course of the review; and
(C) The protected health information for which use or access is sought is
necessary for the research purposes.
(iii) Research on decedent's information. The covered entity obtains from the
researcher:
(A) Representation that the use or disclosure sought is solely for research on
the protected health information of decedents;
(B) Documentation, at the request of the covered entity, of the death of such
individuals; and
(C) Representation that the protected health information for which use or
disclosure is sought is necessary for the research purposes.
(2) Documentation of waiver approval. For a use or disclosure to be
permitted based on documentation of approval of an alteration or waiver, under
paragraph (i)(1)(i) of this section, the documentation must include all of the
following:
(i) Identification and date of action. A statement identifying the IRB or
privacy board and the date on which the alteration or waiver of authorization was
approved;
(ii) Waiver criteria. A statement that the IRB or privacy board has determined
that the alteration or waiver, in whole or in part, of authorization satisfies the
following criteria:
(A) The use or disclosure of protected health information involves no more than
minimal risk to the individuals;
(B) The alteration or waiver will not adversely affect the privacy rights and the
welfare of the individuals;
(C) The research could not practicably be conducted without the alteration or
waiver;
(D) The research could not practicably be conducted without access to and use of
the protected health information;
(E) The privacy risks to individuals whose protected health information is to be
used or disclosed are reasonable in relation to the anticipated benefits if any to
the individuals, and the importance of the knowledge that may reasonably be
expected to result from the research;
(F) There is an adequate plan to protect the identifiers from improper use and
disclosure;
(G) There is an adequate plan to destroy the identifiers at the earliest opportunity
consistent with conduct of the research, unless there is a health or research
justification for retaining the identifiers, or such retention is otherwise required
by law; and
(H) There are adequate written assurances that the protected health information
will not be reused or disclosed to any other person or entity, except as required by
law, for authorized oversight of the research project, or for other research for
which the use or disclosure of protected health information would be permitted by
this subpart.
(iii) Protected health information needed. A brief description of the protected
health information for which use or access has been determined to be necessary
by the IRB or privacy board, pursuant to paragraph (i)(2)(ii)(D)
of this section;
(iv) Review and approval procedures. A statement that the alteration or
waiver of authorization has been reviewed and approved under either normal or
expedited review procedures, as follows:
(A) An IRB must follow the requirements of the Common Rule, including the
normal review procedures (7 CFR 1c.108(b), 10 CFR 745.108(b), 14 CFR
1230.108(b), 15 CFR 27.108(b), 16 CFR 1028.108(b), 21 CFR 56.108(b), 22 CFR
225.108(b), 24 CFR 60.108(b), 28 CFR 46.108(b), 32 CFR 219.108(b), 34 CFR
97.108(b), 38 CFR 16.108(b), 40 CFR 26.108(b), 45 CFR 46.108(b), 45 CFR
690.108(b), or 49 CFR 11.108(b)) or the expedited review procedures (7 CFR
1c.110, 10 CFR 745.110, 14 CFR 1230.110, 15 CFR 27.110, 16 CFR 1028.110,
21 CFR 56.110, 22 CFR 225.110, 24 CFR 60.110, 28 CFR 46.110, 32 CFR
219.110, 34 CFR 97.110, 38 CFR 16.110, 40 CFR 26.110, 45 CFR 46.110, 45
CFR 690.110, or 49 CFR 11.110);
(B) A privacy board must review the proposed research at convened meetings
at which a majority of the privacy board members are present, including at least
one member who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2) of this
section, and the alteration or waiver of authorization must be approved by the
majority of the privacy board members present at the meeting, unless the privacy
board elects to use an expedited review procedure in accordance with paragraph
(i)(2)(iv)(C) of this section;
(C) A privacy board may use an expedited review procedure if the research
involves no more than minimal risk to the privacy of the individuals who are the
subject of the protected health information for which use or disclosure is being
sought. If the privacy board elects to use an expedited review procedure, the
review and approval of the alteration or waiver of authorization may be carried
out by the chair of the privacy board, or by one or more members of the privacy
board as designated by the chair; and
(v) Required signature. The documentation of the alteration or waiver of
authorization must be signed by the chair or other member, as designated by the
chair, of the IRB or the privacy board, as applicable.
AMC Explanation of HIPAA Regulation
This section describes the process for the use or disclosure of protected health information in
research without specific authorization from the individual. The first four waiver criteria listed
above [§ 164.512(i)(2)(ii)(A)-(D)] for approval of use of protected health information without
authorization already appear in the Common Rule. Waiver criterion (E) is already required of all
protocols reviewed by the IRB or privacy board. The last three represent additional criteria not
explicitly addressed in the Common Rule, but often found in research protocols. Existing IRBs
or new privacy boards will need to review research protocols for compliance with privacy
requirements. "Reviews preparatory to research" and "research on decedent's information"
require notification of the covered entity for use or disclosure. Receiving and monitoring these
notifications may fall to the IRB or Privacy Board. Entities having any federally funded projects
involving human subjects are required to have an IRB. If an entity does not already have an
IRB, then it will be required to have a privacy board.
Key Issues
How should the intersection of research (IRB-based) privacy protocols and clinical
privacy protocols be managed?
How is the IRB or privacy board going to handle the increased workload?
How can § 164.512(ii)(B) be accomplished in this electronic age?
Category I Guidelines-Actions must be taken to address these
Ensure that the IRB or Privacy Board reviews relevant research proposals before
researchers can obtain any protected health information.
Provide training and funding to the IRB or Privacy Board so it can perform these duties.

Category II Guidelines-Areas where policies should be considered
Update the IRB processes and documentation to reflect these new requirements.
For research planning, consider using de-identified protected health information at the
earliest opportunity in the data gathering cycle.
Roadblocks
Additional costs related to compliance will be viewed as having a negative effect on the research
enterprise.
Comments
The "reviews preparatory to research" can be used to generate pilot data for research projects or
to address "case finding" in clinical trials. The notice must be obtained by the covered entity; the
recipient of this notice is likely to be the IRB. Similarly, "research on decedent's information"
requires notification of the covered entity.
Although the headings of the various sections use the term "waiver," the text states "alteration to
or waiver." This allows the IRB or Privacy Board to modify the requirements related to
authorizations for research in sections of § 164.508 to approve, for instance, research using
verbal informed consent [a modification to § 164.508(c)(1)(vii)].

PRIV.36
Uses and disclosures to avert a serious threat to health or safety
§ 164.512(j)
HIPAA Requirement
Standard: uses and disclosures to avert a serious threat to health or safety.
(1) Permitted disclosures. A covered entity may, consistent with applicable
law and standards of ethical conduct, use or disclose protected health
information, if the covered entity, in good faith, believes the use or disclosure:
(i)
(A) Is necessary to prevent or lessen a serious and imminent threat to the health
or safety of a person or the public; and
(B) Is to a person or persons reasonably able to prevent or lessen the threat,
including the target of the threat; or
(ii) Is necessary for law enforcement authorities to identify or apprehend an
individual:
(A) Because of a statement by an individual admitting participation in a violent
crime that the covered entity reasonably believes may have caused serious
physical harm to the victim; or
(B) Where it appears from all the circumstances that the individual has escaped
from a correctional institution or from lawful custody, as those terms are defined
in § 164.501.
(2) Use or disclosure not permitted. A use or disclosure pursuant to
paragraph (j)(1)(ii)(A) of this section may not be made if the information
described in paragraph (j)(1)(ii)(A) of this section is learned by the covered
entity:
(i) In the course of treatment to affect the propensity to commit the criminal
conduct that is the basis for the disclosure under paragraph (j)(1)(ii)(A) of this
section, or counseling or therapy; or
(ii) Through a request by the individual to initiate or to be referred for the
treatment, counseling, or therapy described in paragraph (j)(2)(i) of this section.
(3) Limit on information that may be disclosed. A disclosure made pursuant
to paragraph (j)(1)(ii)(A) of this section shall contain only the statement
described in paragraph (j)(1)(ii)(A) of this section and the protected health
information described in paragraph (f)(2)(i) of this section.
(4) Presumption of good faith belief. A covered entity that uses or discloses
protected health information pursuant to paragraph (j)(1) of this section is
presumed to have acted in good faith with regard to a belief described in
paragraph (j)(1)(i) or (ii) of this section, if the belief is based upon the covered
entity's actual knowledge or in reliance on a credible representation by a person
with apparent knowledge or authority.
AMC Explanation of HIPAA Regulation
Covered entities can release protected health information to prevent or lessen a serious and
imminent threat to the health or safety of a person or of the public. This section prescribes the
conditions under which such disclosures are permitted. There is a presumption in this standard
that the entity is acting in good faith.

Key Issues
Who will determine if the disclosure is permitted or not?
How will permitted releases of protected health information be documented?
How will "good faith" be determined and documented?
What conditions must exist for counselors and therapists to be permitted to disclose
protected health information provided to them in the course of treatment?
Category I Guidelines-Actions must be taken to address these
Develop policies and procedures on how protected health information can be disclosed to
avert a serious threat to health and safety.
Category II Guidelines-Actions should be taken to address these
None.
Roadblocks
No roadblocks specific to this point.
Comments
None.

PRIV.37
Uses and disclosures for specialized government functions
§ 164.512(k)
HIPAA Requirement
Standard: uses and disclosures for specialized government functions.
(1) Military and veterans activities.
(i) Armed Forces personnel. A covered entity may use and disclose the
protected health information of individuals who are Armed Forces personnel for
activities deemed necessary by appropriate military command authorities to
assure the proper execution of the military mission, if the appropriate military
authority has published by notice in the Federal Register the following
information:
(A) Appropriate military command authorities; and
(B) The purposes for which the protected health information may be used or
disclosed.
(ii) Separation or discharge from military service. A covered entity that is a
component of the Departments of Defense or Transportation may disclose to the
Department of Veterans Affairs (DVA) the protected health information of an
individual who is a member of the Armed Forces upon the separation or
discharge of the individual from military service for the purpose of a
determination by DVA of the individual's eligibility for or entitlement to benefits
under laws administered by the Secretary of Veterans Affairs.
(iii) Veterans. A covered entity that is a component of the Department of
Veterans Affairs may use and disclose protected health information to
components of the Department that determine eligibility for or entitlement to, or
that provide, benefits under the laws administered by the Secretary of Veterans
Affairs.
(iv) Foreign military personnel. A covered entity may use and disclose the
protected health information of individuals who are foreign military personnel to
their appropriate foreign military authority for the same purposes for which uses
and disclosures are permitted for Armed Forces personnel under the notice
published in the Federal Register pursuant to paragraph (k)(1)(i) of this section.
(2) National security and intelligence activities. A covered entity may
disclose protected health information to authorized federal officials for the
conduct of lawful intelligence, counter-intelligence, and other national security
activities authorized by the National Security Act (50 U.S.C. 401, et seq.) and
implementing authority (e.g., Executive Order 12333).
(3) Protective services for the President and others. A covered entity may
disclose protected health information to authorized federal officials for the
provision of protective services to the President or other persons authorized by 18
U.S.C. 3056, or to foreign heads of state or other persons authorized by 22 U.S.C.
2709(a)(3), or for the conduct of investigations authorized by 18 U.S.C. 871
and 879.
(4) Medical suitability determinations. A covered entity that is a component
of the Department of State may use protected health information to make medical
suitability determinations and may disclose whether or not the individual was
determined to be medically suitable to the officials in the Department of State who
need access to such information for the following purposes:
(i) For the purpose of a required security clearance conducted pursuant to
Executive Orders 10450 and 12698;
(ii) As necessary to determine worldwide availability or availability for
mandatory service abroad under sections 101(a)(4) and 504 of the Foreign
Service Act; or
(iii) For a family to accompany a Foreign Service member abroad, consistent
with section 101(b)(5) and 904 of the Foreign Service Act.
(5) Correctional institutions and other law enforcement custodial situations.
(i) Permitted disclosures. A covered entity may disclose to a correctional
institution or a law enforcement official having lawful custody of an inmate or
other individual protected health information about such inmate or individual, if
the correctional institution or such law enforcement official represents that such
protected health information is necessary for:
(A) The provision of health care to such individuals;
(B) The health and safety of such individual or other inmates;
(C) The health and safety of the officers or employees of or others at the
correctional institution;
(D) The health and safety of such individuals and officers or other persons
responsible for the transporting of inmates or their transfer from one institution,
facility, or setting to another;
(E) Law enforcement on the premises of the correctional institution; and
(F) The administration and maintenance of the safety, security, and good order of
the correctional institution.
(ii) Permitted uses. A covered entity that is a correctional institution may use
protected health information of individuals who are inmates for any purpose for
which such protected health information may be disclosed.
(iii) No application after release. For the purposes of this provision, an
individual is no longer an inmate when released on parole, probation, supervised
release, or otherwise is no longer in lawful custody.
(6) Covered entities that are government programs providing public benefits.
(i) A health plan that is a government program providing public benefits may
disclose protected health information relating to eligibility for or enrollment in
the health plan to another agency administering a government program providing
public benefits if the sharing of eligibility or enrollment information among such
government agencies or the maintenance of such information in a single or
combined data system accessible to all such government agencies is required or
expressly authorized by statute or regulation.
(ii) A covered entity that is a government agency administering a government
program providing public benefits may disclose protected health information
relating to the program to another covered entity that is a government agency
administering a government program providing public benefits if the programs
serve the same or similar populations and the disclosure of protected health
information is necessary to coordinate the covered functions of such programs or
to improve administration and management relating to the covered functions of
such programs.
AMC Explanation of HIPAA Regulation
This section prescribes the circumstances under which protected health information can be used
or disclosed for specialized government functions, including military and veterans activities,
correctional institutions and other law enforcement custodial situations, and covered entities that
are government programs providing public benefits. Additionally, this section addresses release
issues for covered entities within the Department of Veterans Affairs.
Key Issues
Who will determine if the appropriate military authority has been established?
Who will determine whether an individual is an "authorized federal official?"
How can correctional facilities ensure that protected health information of released
inmates is no longer available for use or disclosure?
Category I Guidelines-Actions must be taken to address these
Develop policies and procedures for the use and disclosure of protected health
information for specialized government functions.
Category II Guidelines-Actions should be taken to address these
Establish procedures for authenticating requests for disclosure of protected health
information that is required or permitted under this section.
Ensure that written and approved procedures are in place and available to all personnel
associated with these agencies.
Collaborate with specialized government agencies for effective transmission, use, and
disclosure of protected health information.
Roadblocks
No roadblocks specific to this point.
Comments
The following references provide additional material relevant to this guideline:
National Security Act (50 U.S.C. 401, et seq.) and implementing authority (e.g.,
Executive Order 12333).
18 U.S.C. 3056, 22 U.S.C. 2709(a)(3), 18 U.S.C. 871 and 879.
Executive Orders 10450 and 12698.
§§ 101(a)(4) and 504 of the Foreign Service Act.
§§ 101(b)(5) and 904 of the Foreign Service Act.

PRIV.38
Disclosures for workers' compensation
§ 164.512(l)
HIPAA Requirement
Standard: disclosures for workers' compensation. A covered entity may disclose
protected health information as authorized by and to the extent necessary to
comply with laws relating to workers' compensation or other similar programs,
established by law, that provide benefits for work-related injuries or illness
without regard to fault.
AMC Explanation of HIPAA Regulation
Releases of protected health information that are required by workers' compensation laws are
excluded from the general rule against disclosure of protected health information. This standard
permits a covered entity to disclose protected health information to satisfy the conditions of
work-related compensation as required by law.
Key Issues
To whom can a covered entity release workers' compensation-related protected health
information?
What are the covered entity's responsibilities if protected health information provided to
an authorized compensation agency or service is improperly handled or disclosed?
Category I Guidelines-Actions must be taken to address these
Develop a process and procedure for disclosure of the minimum necessary protected
health information when it is requested by an authorized compensation agency.
Category II Guidelines-Actions should be taken to address these
Establish procedures for authenticating requests for disclosure of protected health
information that is required or permitted under this section.
Confirm the existence of written policies and procedures that delineate responsibility and
that identify that consent or authorization are not required when protected health
information is disclosed to a lawful compensation agency.
Communicate the covered entity's understanding of the standard to associated workers'
compensation agencies.
Roadblocks
No roadblocks specific to this point.
Comments
None.

PRIV.39 Minimum necessary
§ 164.502(b)
HIPAA Requirement
Standard: minimum necessary. (1) Minimum necessary applies. When using or
disclosing protected health information or when requesting protected health
information from another covered entity, a covered entity must make reasonable
efforts to limit protected health information to the minimum necessary to
accomplish the intended purpose of the use, disclosure, or request.
(2) Minimum necessary does not apply. This requirement does not apply to:
(i) Disclosures to or requests by a health care provider for treatment;
(ii) Uses or disclosures made to the individual, as permitted under paragraph
(a)(1)(i) of this section, as required by paragraph (a)(2)(i) of this section, or
pursuant to an authorization under § 164.508, except for authorizations requested
by the covered entity under § 164.508(d), (e), or (f);
(iii) Disclosures made to the Secretary in accordance with subpart C of part 160
of this subchapter (see AMC Explanation below);
(iv) Uses or disclosures that are required by law, as described by § 164.512(a); and
(v) Uses or disclosures that are required for compliance with applicable
requirements of this subchapter.
AMC Explanation of HIPAA Regulation
This regulation requires entities to make reasonable efforts to ensure that only the minimum
necessary protected health information is disclosed or used for any purpose, except disclosure to a
provider for treatment, disclosure to the patient, disclosures made to HHS pursuant to a privacy
investigation, or disclosures required by other law or these regulations. (Note: Use of protected
health information for treatment appears to be subject to the minimum necessary provisions.)
Policies must be created and implemented that define the conditions in which necessary
disclosures will be permitted to achieve a specified purpose. § 164.514(d), covered later in this
document, provides implementation specifications for use, disclosure, and requests.
Key Issues
How will entities know what quantity of protected health information is reasonable for
current needs or reasonably projected future needs?
What measures must a covered entity take to ensure that reasonable protections are
applied?
How adaptive must policies be to be sufficiently flexible for thoughtful interpretation
among covered entities?
What documentation of process and decisions is needed?
Category I Guidelines-Actions must be taken to address these
Create and implement policies that identify and manage uses and disclosure of protected
health information to which the minimum necessary standard does and does not apply.

Category II Guidelines-Actions should be taken to address these
Routinely monitor procedures and practices related to managing the minimum necessary
standard for effectiveness.
Use technology, where appropriate, to restrict the flow of protected health information
and to manage an accounting of what protected health information is shared with covered
entities.
Ensure that the right balance is struck between making protected health information
needed for care available and ensuring that inappropriate access is inhibited.
Roadblocks
Ensuring that the right balance is struck between providing needed access and inhibiting
inappropriate access will be difficult, especially for protected health information that is needed
infrequently but is essential and urgent when needed.
Comments
This point in the regulations has created a good deal of concern among provider organizations. It
is worth comparing this point to the typical "need to know" policy in a typical provider
organization today. The typical "need to know" policy limits the allowed access to information
to the amount that a workforce member needs to do their job. Electronic information systems
may help enforce this policy by not allowing access at all to protected health information that a
specific user does not have a categorical need for (e.g., admitting clerks do not need to know
discharge diagnosis). In addition to the technical restriction, workforce members are obligated
by policies on conduct to limit their actual access to that which is needed for their jobs. In some
systems today, audit logs are used to detect patterns of inappropriate access.
The standard outlined in this point is very similar to the "need to know" policy. The key
difference for provider organizations is that failure to enforce the policy is now a regulatory
matter. For end users, the key difference is that using one's technical access capability to
inappropriately access and/or disclose protected health information is now a felony instead of
simply being a violation of employer policies.
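The Comments above describe two layers of the "need to know" policy: a technical restriction that keeps a workforce class away from categories it has no categorical need for, and audit logs used to detect patterns of inappropriate access that the technical layer cannot block (a user whose role permits clinical data looking at patients they are not treating). The following is an added illustration of that audit-log review, not code from the AMC/HIPAA Workgroup; the log format, the NEED_TO_KNOW table, the `treating` flag and every sample line are constructed.

```python
"""Audit-log review for a "need to know" policy: flag accesses outside a
workforce class's need-to-know categories, and users who browse clinical
data of many patients with no treating relationship.

Added illustration, not AMC/HIPAA Workgroup code. The log layout, the policy
table and the sample log lines are constructed."""
import csv
from collections import defaultdict
from io import StringIO

# Which PHI categories each workforce class needs: the categorical need the
# Comments mention (an admitting clerk has no need for a discharge diagnosis).
NEED_TO_KNOW = {
    "admitting_clerk": {"demographics", "insurance"},
    "nurse": {"demographics", "medications", "diagnosis", "discharge_diagnosis"},
    "billing": {"demographics", "insurance", "diagnosis"},
}
CLINICAL = {"medications", "diagnosis", "discharge_diagnosis"}

# Constructed sample audit log (not real users or patients). `treating` is the
# EHR's view of whether the user had a treating relationship at access time.
SAMPLE_LOG = """\
ts,user,role,patient,category,treating
2025-06-01T08:01:00,u101,admitting_clerk,p1,demographics,no
2025-06-01T08:02:00,u101,admitting_clerk,p1,discharge_diagnosis,no
2025-06-01T08:03:00,u205,nurse,p1,medications,yes
2025-06-01T08:04:00,u205,nurse,p1,diagnosis,yes
2025-06-01T09:00:00,u410,billing,p1,insurance,no
2025-06-01T22:10:00,u301,nurse,p2,medications,no
2025-06-01T22:11:00,u301,nurse,p3,medications,no
2025-06-01T22:12:00,u301,nurse,p4,diagnosis,no
2025-06-01T22:13:00,u301,nurse,p5,diagnosis,no
"""


def parse_log(text):
    """One dict per audit event, keyed by the CSV header."""
    return list(csv.DictReader(StringIO(text)))


def category_violations(events):
    """Events touching a category outside the user's class need-to-know set.
    A correctly configured system would have refused these; seeing them in
    the log means the technical restriction is missing or misconfigured."""
    return [e for e in events
            if e["category"] not in NEED_TO_KNOW.get(e["role"], set())]


def browsing_suspects(events, threshold):
    """Users who opened clinical data on at least `threshold` distinct
    patients without a treating relationship. The role permits each access
    technically; conduct policy forbids it, so only the log reveals it."""
    patients = defaultdict(set)
    for e in events:
        if e["treating"] == "no" and e["category"] in CLINICAL:
            patients[e["user"]].add(e["patient"])
    return {u: len(p) for u, p in patients.items() if len(p) >= threshold}


def review(text, threshold=3):
    """Run both checks over a log and return findings for follow-up."""
    events = parse_log(text)
    return {
        "category_violations": [(e["user"], e["patient"], e["category"])
                                for e in category_violations(events)],
        "browsing": browsing_suspects(events, threshold),
    }


if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

The threshold and the treating-relationship source are the two tuning points in practice: the first trades false positives against missed snooping, and the second is only as good as the EHR's record of who is on a patient's care team.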

PRIV.40
De-identification of protected health information
§ 164.514(a)
HIPAA Requirement
(a) Standard: de-identification of protected health information. Health
information that does not identify an individual and with respect to which there is
no reasonable basis to believe that the information can be used to identify an
individual is not individually identifiable health information.
(b) Implementation specifications: requirements for de-identification of
protected health information. A covered entity may determine that health
information is not individually identifiable health information only if:
(1) A person with appropriate knowledge of and experience with generally
accepted statistical and scientific principles and methods for rendering
information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small
that the information could be used, alone or in combination with other reasonably
available information, by an anticipated recipient to identify an individual who is
a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such
determination; or
(2) (i) The following identifiers of the individual or of relatives, employers, or
household members of the individual, are removed:
(A) Names;
(B) All geographic subdivisions smaller than a State, including street address,
city, county, precinct, zip code, and their equivalent geocodes, except for the
initial three digits of a zip code if, according to the current publicly available
data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the same
three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units
containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual,
including birth date, admission date, discharge date, date of death; and all ages
over 89 and all elements of dates (including year) indicative of such age, except
that such ages and elements may be aggregated into a single category of age 90
or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;

(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code; and
(ii) The covered entity does not have actual knowledge that the information could
be used alone or in combination with other information to identify an individual
who is a subject of the information.
(c) Implementation specifications: re-identification. A covered entity may
assign a code or other means of record identification to allow information de-
identified under this section to be re-identified by the covered entity, provided
that:
(1) Derivation. The code or other means of record identification is not
derived from or related to information about the individual and is not otherwise
capable of being translated so as to identify the individual; and
(2) Security. The covered entity does not use or disclose the code or other
means of record identification for any other purpose, and does not disclose the
mechanism for re-identification.
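The safe harbor list in (b)(2) and the re-identification rules in (c) together describe a concrete procedure: strip or generalize eighteen identifier classes, then attach a code that is random rather than derived from the record, and keep the code-to-record map inside the covered entity. The following is an added illustration of both, not code from the AMC/HIPAA Workgroup; the record layout, the field names, the `RESTRICTED_ZIP3` set (which a covered entity would instead build from current Census data for three-digit zip areas of 20,000 people or fewer) and the sample records are all constructed.

```python
"""Safe-harbor de-identification (164.514(b)(2)) plus a re-identification
code that meets 164.514(c). Added illustration, not AMC/HIPAA Workgroup code;
field names, RESTRICTED_ZIP3 and SAMPLE_RECORDS are constructed."""
import re
import secrets
from datetime import date

# Safe harbor (A) and (D) through (R): direct identifiers removed outright.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_no", "license_no", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
}
# Safe harbor (C): dates directly related to the individual keep only the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed sample data (not real patients; not real Census figures).
REFERENCE_DATE = date(2025, 6, 1)
RESTRICTED_ZIP3 = {"036"}          # stand-in for the Census-derived set
SAMPLE_RECORDS = [
    {"name": "Pat Example", "mrn": "000123", "zip": "02139-4307",
     "birth_date": date(1980, 5, 20), "admission_date": date(2024, 3, 2),
     "diagnosis": "J18.9"},
    {"name": "Sam Sample", "mrn": "000124", "zip": "03601",
     "birth_date": date(1930, 1, 1), "diagnosis": "I10"},
]


def generalize_zip(zip_code, restricted_zip3):
    """Safe harbor (B): keep the first three digits unless that area holds
    20,000 people or fewer, in which case the prefix becomes 000."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) < 3 or zip3 in restricted_zip3:
        return "000"
    return zip3


def compute_age(birth, as_of):
    """Whole years between two dates."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def safe_harbor_deidentify(record, restricted_zip3, as_of):
    """Copy of `record` (dict; date fields hold datetime.date) with the
    safe-harbor identifier classes removed or generalized."""
    out = {}
    for name, value in record.items():
        if name in DIRECT_IDENTIFIERS:
            continue
        if name == "zip":
            out["zip3"] = generalize_zip(value, restricted_zip3)
        elif name in DATE_FIELDS:
            out[name + "_year"] = value.year
        else:
            out[name] = value
    if "birth_date" in record:
        age = compute_age(record["birth_date"], as_of)
        if age > 89:
            # (C): ages over 89 collapse into one bucket, and the birth year,
            # which would itself reveal such an age, is suppressed too.
            out["age"] = "90+"
            out.pop("birth_date_year", None)
        else:
            out["age"] = age
    return out


class ReidentificationKeyMap:
    """Covered entity's private map from re-identification code to record id.
    (c)(1) Derivation: codes come from a CSPRNG, so they are neither derived
    from nor translatable back to the individual. A hash of the MRN would
    fail this test, being computable by anyone who knows the MRN.
    (c)(2) Security: the map never leaves the covered entity or travels with
    the released data."""

    def __init__(self, token_factory=lambda: secrets.token_hex(16)):
        self._code_to_record = {}
        self._new_code = token_factory

    def assign(self, record_id):
        code = self._new_code()
        while code in self._code_to_record:      # collision guard
            code = self._new_code()
        self._code_to_record[code] = record_id
        return code

    def resolve(self, code):
        """Re-identification, used only by the covered entity itself."""
        return self._code_to_record.get(code)


def release(records, restricted_zip3, as_of, keymap):
    """De-identify a batch and attach a code to each row. The rows are what
    may be shared; `keymap` is retained internally."""
    rows = []
    for record in records:
        row = safe_harbor_deidentify(record, restricted_zip3, as_of)
        row["reid_code"] = keymap.assign(record["mrn"])
        rows.append(row)
    return rows


if __name__ == "__main__":
    print(release(SAMPLE_RECORDS, RESTRICTED_ZIP3, REFERENCE_DATE, ReidentificationKeyMap()))
```

Two points the code makes explicit: the safe harbor is a field-level rule, so any free-text column (notes, diagnosis descriptions) has to be handled separately under (R), and the (b)(2)(ii) "actual knowledge" test is not something the function can decide; it remains a judgement on the recipient and the other data reasonably available to them.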
AMC Explanation of HIPAA Regulation
Information that is de-identified as defined in the regulation is no longer considered to be
protected health information, and is thus exempt from the other provisions of the regulation. The
regulation describes two methods of de-identifying information.
Key Issues
In what situations will de-identification be used?
Who will perform the de-identification? Using what methods and techniques?
De-identified information used for human subject research still requires IRB oversight;
how will review under HIPAA be carried out?
How will Common Rule differences be handled?
Category I Guidelines-Actions must be taken to address these
Develop and implement policies, procedures, organizational structures, and processes for
determining when and how to de-identify protected health information.
Category II Guidelines-Actions should be taken to address these
Develop methods for monitoring the efficacy of de-identification strategies and for
remedying failures to adequately de-identify.
Be aware of and make use of "more advanced statistical techniques."
Consider how to qualify people to do disclosure analysis.
Roadblocks
No roadblocks specific to this point.

Comments
"Individually identifiable" is defined in HIPAA as follows: "...identifies the individual or with
respect to which there is a reasonable basis to believe that the information can be used to identify
the individual."
"De-identified" as defined in these regulations (including the "re-identification" code) is
considered to be "coded" by IRBs in current interpretation (see reference [3]), and is subject to
IRB review.
Extensive relevant experience and expertise exists under the rubric of "disclosure analysis,"
which deals with techniques for avoiding disclosure of confidential information about
individuals and corporate entities with the release of statistical tabulations and data extractions.
The references provided in the regulations are key to any use of disclosure analysis; see FR 65,
page 82709 (and below).
The ability to create de-identified data is provided to the covered entity under the operations
activities of the consent for healthcare, billing, and operations.
Some states may have de-identification criteria that are more stringent than the safe harbor
method. Be aware of those differences if the de-identified data are to be used in another state.
The regulations depend upon the following definitions, which differ from those used in the
Common Rule:
a) Anonymous data: Health information that has never been labeled with patient/subject
identifiers.
b) Anonymized data: Health information where the identifiers have been removed and
no means exists for re-identifying patients/subjects.
c) De-identified data: Health information where the identifiers have been removed but
means exist for re-identifying patients/subjects if required. (The National Bioethics
Advisory Commission describes this as "coded data" in its guidelines for IRBs on
genetic research. OHRP has adopted that guideline for all research under its auspices
[see Reference 3].)
Re-identification of de-identified data would be permitted under appropriate circumstances; for
example, patient care where misdiagnosis is discovered in the course of a research study.
References
(1) Statistical Policy Working Paper 22 - Report on Statistical Disclosure Limitation
Methodology (http://www.fcsm.gov/working-papers/wp22.html) (prepared by the Subcommittee
on Disclosure Limitation Methodology, Federal Committee on Statistical Methodology, Office
of Management and Budget).
(2) Checklist on Disclosure Potential of Proposed Data Releases
(http://www.fcsm.gov/docs/checklist_799.doc) (prepared by the Confidentiality and Data Access
Committee, Federal Committee on Statistical Methodology, Office of Management and Budget).
(3) Research Involving Human Biological Materials: Ethical Issues and Policy Guidance,
August 1999 (available at http://bioethics.gov/pubs.html).

PRIV.41
Minimum necessary requirements
§ 164.514(d)(1)
HIPAA Requirement
Standard: minimum necessary requirements. A covered entity must reasonably
ensure that the standards, requirements, and implementation specifications of
§ 164.502(b) and this section relating to a request for or the use and disclosure of
the minimum necessary protected health information are met.
(2) Implementation specifications: minimum necessary uses of protected health
information.
(i) A covered entity must identify:
(A) Those persons or classes of persons, as appropriate, in its workforce who
need access to protected health information to carry out their duties; and
(B) For each such person or class of persons, the category or categories of
protected health information to which access is needed and any conditions
appropriate to such access.
(ii) A covered entity must make reasonable efforts to limit the access of such
persons or classes identified in paragraph (d)(2)(i)(A) of this section to protected
health information consistent with paragraph (d)(2)(i)(B) of this section.
(3) Implementation specification: minimum necessary disclosures of protected
health information. (i) For any type of disclosure that it makes on a routine and
recurring basis, a covered entity must implement policies and procedures (which
may be standard protocols) that limit the protected health information disclosed
to the amount reasonably necessary to achieve the purpose of the disclosure.
(ii) For all other disclosures, a covered entity must:
(A) Develop criteria designed to limit the protected health information disclosed
to the information reasonably necessary to accomplish the purpose for which
disclosure is sought; and
(B) Review requests for disclosure on an individual basis in accordance with such
criteria.
(iii) A covered entity may rely, if such reliance is reasonable under the
circumstances, on a requested disclosure as the minimum necessary for the stated
purpose when:
(A) Making disclosures to public officials that are permitted under § 164.512, if
the public official represents that the information requested is the minimum
necessary for the stated purpose(s);
(B) The information is requested by another covered entity;
(C) The information is requested by a professional who is a member of its
workforce or is a business associate of the covered entity for the purpose of
providing professional services to the covered entity, if the professional
represents that the information requested is the minimum necessary for the stated
purpose(s); or
(D) Documentation or representations that comply with the applicable
requirements of § 164.512(i) have been provided by a person requesting the
information for research purposes.

(4) Implementation specifications: minimum necessary requests for protected
health information.
(i) A covered entity must limit any request for protected health information to
that which is reasonably necessary to accomplish the purpose for which the
request is made, when requesting such information from other covered entities.
(ii) For a request that is made on a routine and recurring basis, a covered entity
must implement policies and procedures (which may be standard protocols) that
limit the protected health information requested to the amount reasonably
necessary to accomplish the purpose for which the request is made.
(iii) For all other requests, a covered entity must review the request on an
individual basis to determine that the protected health information sought is
limited to the information reasonably necessary to accomplish the purpose for
which the request is made.
(5) Implementation specification: other content requirement. For all uses,
disclosures, or requests to which the requirements in paragraph (d) of this section
apply, a covered entity may not use, disclose, or request an entire medical record,
except when the entire medical record is specifically justified as the amount that
is reasonably necessary to accomplish the purpose of the use, disclosure, or
request.
AMC Explanation of HIPAA Regulation
This point in the regulations covers the implementation specifications for using, disclosing, and
requesting protected health information. The general requirement on minimum use/disclosure is
in § 164.502(b). The covered entity must categorize users by their "need to know" profile and
establish policies that reasonably limit inappropriate access to protected health information based
on the listed categories. Covered entities must also limit their own requests for disclosure from
other entities to the minimum needed. Finally, no use, disclosure, or request for a complete
medical record is considered minimal unless it is specifically justified as minimal.
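Paragraph (d)(2) asks for three artifacts: the classes of persons, the categories of protected health information each class needs, and any conditions on that access; paragraph (d)(5) adds that an entire record is never "minimum" unless specifically justified. The following access check is an added illustration of how those artifacts become an enforceable decision, not code from the AMC/HIPAA Workgroup; the workforce classes, the categories, the same-unit condition and the sample users are constructed.

```python
"""Minimum-necessary access check for workforce members, following
§ 164.514(d)(2) (classes, categories, conditions) and (d)(5) (entire record
only with specific justification). Added illustration, not AMC/HIPAA
Workgroup code; classes, categories and the same-unit condition are constructed."""
from dataclasses import dataclass

ALL_CATEGORIES = frozenset({"demographics", "insurance", "medications",
                            "diagnosis", "notes", "labs", "imaging"})
ENTIRE_RECORD = frozenset({"*"})       # sentinel for a whole-record request


@dataclass(frozen=True)
class AccessRule:
    categories: frozenset               # (d)(2)(i)(B): what this class needs
    same_unit_only: bool = False        # a "condition appropriate to such access"
    may_take_entire_record: bool = False


# (d)(2)(i)(A): the classes of persons and what each may touch.
POLICY = {
    "admitting_clerk": AccessRule(frozenset({"demographics", "insurance"})),
    "nurse": AccessRule(frozenset({"demographics", "medications", "diagnosis", "notes"}),
                        same_unit_only=True),
    "attending_physician": AccessRule(ALL_CATEGORIES, may_take_entire_record=True),
}


@dataclass(frozen=True)
class User:
    user_id: str
    workforce_class: str
    unit: str


@dataclass(frozen=True)
class Request:
    categories: frozenset     # categories asked for, or ENTIRE_RECORD
    patient_unit: str
    justification: str = ""


def authorize(user, request):
    """Return (granted_categories, denial_reason). The grant is the part of
    the request inside the class's need-to-know set; whatever falls outside
    is named in the reason so the decision can be logged and reviewed."""
    rule = POLICY.get(user.workforce_class)
    if rule is None:
        return frozenset(), "unknown workforce class"
    if rule.same_unit_only and user.unit != request.patient_unit:
        return frozenset(), "patient is not on the requester's unit"
    if request.categories == ENTIRE_RECORD:
        # (d)(5): whole record only when the class may and a reason is recorded.
        if not rule.may_take_entire_record:
            return frozenset(), "class may not access an entire record"
        if not request.justification.strip():
            return frozenset(), "entire record requires a documented justification"
        return ALL_CATEGORIES, ""
    granted = request.categories & rule.categories
    denied = request.categories - rule.categories
    reason = "outside need-to-know: " + ", ".join(sorted(denied)) if denied else ""
    return granted, reason


if __name__ == "__main__":
    nurse = User("u205", "nurse", "3W")
    print(authorize(nurse, Request(frozenset({"medications", "insurance"}), "3W")))
```

Granting the permitted subset rather than refusing the whole request keeps the check from obstructing care, which is the balance the Roadblocks section worries about; the denial reason is what the "individual basis" review in (d)(3)(ii)(B) and the audit trail need.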
Key Issues
Are policies, procedures, and practices with respect to "minimum necessary" use or
disclosure consistent with appropriate care for all patients and categories of patients?
Do policies, procedures, and practices unnecessarily deter, inhibit, or restrict research use
of protected health information?
Are criteria for minimum disclosure defined, or left to judgment? If they are left to
judgment, how is judgment exercised?
What monitoring mechanisms can be used to assure appropriate application of the
minimum necessary disclosure principle?
Category I Guidelines-Actions must be taken to address these
Identify appropriate persons to determine what protected health information should be
used, disclosed, and requested consistent with the minimum necessary standard.
Ensure that the persons identified under paragraph (b)(2)(i) of this section make the
minimum necessary determinations, when required.

Within the limits of the covered entity's technological capabilities, provide for the
making of such determinations individually.
Define and implement only reasonable policies; the regulations don't require entities to
accept unreasonable cost or disruption in pursuit of this objective.
Category II Guidelines-Actions should be taken to address these
Develop and implement policies and procedures for uses and disclosures that are covered
in the various other subsections on uses and disclosures. Key articles are:
§ 164.508(a)(1) deals with authorizations for use or disclosure initiated by the
affected individual.
§ 164.514 deals with access of individuals to their own protected health information,
but only mentions copying costs for records.
§ 164.522 is a section entitled "Rights to request privacy protection for protected
health information."
§ 164.510 describes uses and disclosures permitted without individual authorization.
Subsections are devoted to: public health; health oversight; judicial proceedings;
coroners and medical examiners; law enforcement; government health data systems;
directories; payment; research; emergencies; next-of-kin; other disclosures required
by law; application to specialized classes (DOD, VA, other government workers).
Roadblocks
For many patient care situations and human-subjects research questions, the "minimum
necessary" data becomes apparent only in retrospect. This implies that one may have to initially
provide access to more data than is permissible to use in every case. The accessor must be
constrained by policy from accessing information in each case that is beyond the minimum
needed for his or her task. Also, there appear to be conflicting societal expectations regarding
malpractice or negligence where additional data use may prevent patient injury.
Comments
The implementation specifications on minimum disclosure given in this section make the
procedural and policy requirements pretty clear. Burdensome and onerous implementations are
not required; use the reasonableness principle to guide the development of technique in meeting
this requirement.

PRIV.42 Verification requirements
§ 164.514(h)(1)
HIPAA Requirement
(1) Standard: verification requirements. Prior to any disclosure permitted by this
subpart, a covered entity must:
(i) Except with respect to disclosures under § 164.510, verify the identity of a
person requesting protected health information and the authority of any such
person to have access to protected health information under this subpart, if the
identity or any such authority of such person is not known to the covered entity;
and
(ii) Obtain any documentation, statements, or representations, whether oral or
written, from the person requesting the protected health information when such
documentation, statement, or representation is a condition of the disclosure under
this subpart.
(2) Implementation specifications: verification.
(i) Conditions on disclosures. If a disclosure is conditioned by this subpart on particular
documentation, statements, or representations from the person requesting the protected
health information, a covered entity may rely, if such reliance is reasonable under the
circumstances, on documentation, statements, or representations that, on their face, meet
the applicable requirements.
(A) The conditions in § 164.512(f)(1)(ii)(C) may be satisfied by the administrative
subpoena or similar process or by a separate written statement that, on its face,
demonstrates that the applicable requirements have been met.
(B) The documentation required by § 164.512(i)(2) may be satisfied by one or more
written statements, provided that each is appropriately dated and signed in accordance
with § 164.512(i)(2)(i) and (v).
(ii) Identity of public officials. A covered entity may rely, if such reliance is
reasonable under the circumstances, on any of the following to verify identity
when the disclosure of protected health information is to a public official or a
person acting on behalf of the public official:
(A) If the request is made in person, presentation of an agency identification
badge, other official credentials, or other proof of government status;
(B) If the request is in writing, the request is on the appropriate government
letterhead; or
(C) If the disclosure is to a person acting on behalf of a public official, a written
statement on appropriate government letterhead that the person is acting under
the government's authority or other evidence or documentation of agency, such as
a contract for services, memorandum of understanding, or purchase order, that
establishes that the person is acting on behalf of the public official.
(iii) Authority of public officials. A covered entity may rely, if such reliance is
reasonable under the circumstances, on any of the following to verify authority
when the disclosure of protected health information is to a public official or a
person acting on behalf of the public official:
(A) A written statement of the legal authority under which the information is
requested, or, if a written statement would be impracticable, an oral statement of
such legal authority;
(B) If a request is made pursuant to legal process, warrant, subpoena, order, or
other legal process issued by a grand jury or a judicial or administrative tribunal
is presumed to constitute legal authority.
(iv) Exercise of professional judgment. The verification requirements of this paragraph are
met if the covered entity relies on the exercise of professional judgment in making a use or
disclosure in accordance with § 164.510 or acts on a good faith belief in making a disclosure
in accordance with § 164.512(j).
AMC Explanation of HIPAA Regulation
This standard requires reasonable assurance, whether in writing or by official document, of the
identity and authority of any party requesting protected health information. It also lists the
forms of identification and statements of authority on which a covered entity may rely when the
requester is a public official or a person acting on the official's behalf.
Key Issues
What reasonable measures will be used to verify the identity of a requesting individual or
entity if the requestor is not commonly known to the covered entity?
What means will be used to evaluate professional judgment in the absence of the required
documentation or identification of an entity requesting protected health information?
Under what circumstances can a covered entity be reassured that public officials are
authorized to request protected health information verbally and without a written
statement?
Category I Guidelines-Actions must be taken to address these
Develop policies and procedures for verifying identity and authority of requestors:
Obtain representation or documentation of purpose from any person requesting
protected health information under this regulation;
Verify the identity of persons requesting protected health information before giving
them access;
Confirm that persons acting on behalf of a public official have an appropriate statement
on official letterhead, or other documentation of agency (such as a contract for services,
memorandum of understanding, or purchase order), before providing them with protected
health information;
Establish a policy that legal authority is presumed when a request is made pursuant to a
warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or
administrative tribunal;
Develop a formal process to authorize disclosure in the absence of a written
verification;
Make good faith efforts to identify the people requesting disclosure and the
circumstances of disclosure as provided in this section.
Category II Guidelines-Actions should be taken to address these
Develop policies that clearly define what sources of identification and what documents of
authority can be used to verify permission for disclosure.
Provide comprehensive guidelines and back-up resources to assist with questions of
verification.
When protected health information is released to a legal authority without valid consent,
send a cover letter with the material containing a reminder to the recipients that the
information is of a sensitive nature and must be handled as such. Retain a copy of the
letter for the record.
Review existing disclosure processes under this section together with the verification steps
applied to the parties receiving protected health information, so that the two are consistent.
Brief frequent requestors of information on the procedural changes required under this
standard.
Roadblocks
No roadblocks specific to this point.
Comments
There is a need to provide resources and support for the front-line workforce members who
implement these guidelines.