HIPAA Privacy Rule: Permitted PHI uses and disclosures
- Though sometimes the goals of the HIPAA Privacy Rule can get lost in data breach and monetary penalty news, ensuring that patient data is both properly protected and accessible should be a consistent focus for the healthcare industry. Balancing these two functions and properly disclosing patient data in the right situations is no afterthought for healthcare organizations.
According to the Privacy Rule, a covered entity may not use or disclose protected health information, except either: (1) as the Privacy Rule permits or requires; or (2) as the individual who is the subject of the information (or the individual’s personal representative) authorizes in writing. HealthITSecurity.com will kick off its HIPAA Privacy Rule series with a breakdown of permitted protected health information (PHI) uses and disclosures.
Healthcare providers, health plans, healthcare clearinghouses and business associates are all covered under the HIPAA Privacy Rule. And PHI is defined as, among other items, an individual’s past, present or future physical or mental health or condition; the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual. A covered entity is permitted, but not required, to use and disclose PHI, without an individual’s authorization, in these situations:
To the Individual – A HIPAA covered entity may disclose protected health information to the individual who is the subject of the information.
Treatment, Payment, Health Care Operations – A covered entity may use and disclose PHI for its own treatment, payment, and health care operations activities. Other disclosures include provider treatment and payment activities
READ MORE: How Identity Management IGA Secures Protected Health Information
Another option is obtaining consent – written permission from individuals to use and disclose their PHI for treatment, payment, and health care operations. Consent is optional under the Privacy Rule for all covered entities.
Uses and Disclosures with Opportunity to Agree or Object – By asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object, a covered entity can get informal permission for a disclosure. An example of this may be when an individual is incapacitated.
Incidental Use and Disclosure – It’s important to note that covered entities and BAs aren’t required to eliminate every risk of an incidental use or disclosure of PHI. With the provisions that the covered entity has adopted reasonable safeguards as required by the Privacy Rule and the information being shared was limited to the “minimum necessary,” a disclosure that was “incident” to an otherwise permitted use or disclosure is permitted.
Public Interest and Benefit Activities – The HIPAA Privacy Rule permits use and disclosure of PHI, without an individual’s authorization or permission, for these 12 national priority purposes.
Required by Law – These required by law disclosures include by statute, regulation, or court orders.
READ MORE: OCR Settles Improper PHI Disposal Case, Resolves Potential HIPAA Violation
Public Health Activities – These activities include:
(1) public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability and to public health or other government authorities authorized to receive reports of child abuse and neglect;
(2) entities subject to FDA regulation regarding FDA regulated products or activities for purposes such as adverse event or tracking of products
(3) individuals who may have contracted or been exposed to a communicable disease when notification is authorized by law;
(4) employers, regarding employees, when requested by employers, for information concerning a work-related illness or injury or workplace related medical surveillance
Victims of Abuse, Neglect or Domestic Violence – These are situations where disclosure of PHI belonging to victims of abuse, neglect, or domestic violence may be necessary.
Health Oversight Activities – Covered entities may disclose PHI to health oversight agencies for legally authorized health oversight activities, including audits and investigations necessary for oversight of the health care system and government benefit programs.
Judicial and Administrative Proceedings – Assuming notice to the individual or a protective order are provided, an order from a court or administrative tribunal may allow covered entities to disclose PHI.
READ MORE: How Did This Happen? Understanding the Issue of Third-Party Tracking Tech in Healthcare
Law Enforcement Purposes – These conditions must be met for PHI to be disclosed for law enforcement reasons:
(1) as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests;
(2) to identify or locate a suspect, fugitive, material witness, or missing person;
(3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime;
(4) to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death;
(5) when a covered entity believes that protected health information is evidence of a crime that occurred on its premises;
(6) by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.
Decedents – For reasons such as identifying a deceased person or determining the cause of death,
Cadaveric Organ, Eye, or Tissue Donation – Covered entities may use or disclose PHI to facilitate the donation and transplantation of cadaveric organs, eyes, and tissue.
Research – Research is defined under the Privacy Rule as “any systematic investigation designed to develop or contribute to generalizable knowledge” and disclosures are allowed in these instances:
(1) documentation that an alteration or waiver of individuals’ authorization for the use or disclosure of protected health information about them for research purposes has been approved by an Institutional Review Board or Privacy Board;
(2) representations from the researcher that the use or disclosure of the protected health information is solely to prepare a research protocol or for similar purpose preparatory to research, that the researcher will not remove any protected health information from the covered entity, and that protected health information for which access is sought is necessary for the research;
(3) representations from the researcher that the use or disclosure sought is solely for research on the protected health information of decedents, that the protected health information sought is necessary for the research, and, at the request of the covered entity, documentation of the death of the individuals about whom information is sought.
Serious Threat to Health or Safety – Disclosures are permitted if they are believed to prevent or lessen a serious and imminent threat to a person or the public, when such disclosure is made to someone they believe can prevent or lessen the threat (including the target of the threat).
Essential Government Functions – These functions include: assuring proper execution of a military mission or conducting intelligence and national security activities that are authorized by law.
Workers’ Compensation – Covered entities may disclose PHI as allowed by workers’ compensation laws.
Limited Data Set – According to the Privacy Rule, limited data set, in which specific identifiers have been removed, may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement promising specified safeguards for the protected health information within the limited data set.
Check out Authorized Uses and Disclosures next week.
