HIPAA Permitted Disclosures

The HIPAA privacy rule is not absolute. It recognizes that certain disclosures are beneficial, such as those where information must be shared to ensure that a patient receives the best treatment.

Section 164.510 provides that a covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure, in accordance with the applicable requirements of this section. The covered entity may orally inform the individual of and obtain the individual’s oral agreement or objection to a use or disclosure permitted by this section.

Directories

Unless the individual objects, a covered entity may include limited information in a directory. Permitted information includes the individual’s name, the individual’s location in the provider’s facility, the individual’s condition described in general terms that do not communicate specific medical information; and the individual’s religious affiliation. The information may be communicated to members of the clergy and to other persons who ask for the individual by name. Section 164.510(a)(1).

Persons involved in care

A covered entity may disclose limited information to a person involved in the individual’s care. The information disclosed must be directly related to that person’s involvement with the individual’s care or payment for care. A covered entity may also disclose information necessary to identify or notify a personal representative or other person responsible for the individual’s care. If the patient is present and has capacity, the covered entity must obtain consent, provide the individual with an opportunity to object, or reasonably infer under the circumstances that the individual does not object. Section 164.510(b). In situations where the patient is not present, lacks capacity, or if there is an emergency, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person’s involvement with the individual’s health care. 45 C.F.R. § 164.510(b)(3).

Errands for the Patient

A covered entity may use professional judgment and its experience with common practice to make reasonable inferences of the individual’s best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information. Section 164.510(b)(3).

Abuse or Neglect

A covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence. Section 154.512(c).

Judicial and administrative proceedings

A covered entity may disclose protected health information in response to an order of a court or administrative tribunal, provided that it discloses only the protected health information expressly authorized by the order. It may disclose protected health information in response to a subpoena, discovery request or other lawful process if the individual had notice and there was no objection, or if a qualified protective order has been entered. Section 164.512(e).

Disclosure Pursuant to Authorization

Except as otherwise permitted or required by Subpart E, a covered entity may not use or disclose protected health information without an authorization that is valid under section 164.508. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, its use or disclosure must be consistent with the authorization. Pursuant to Section 164.508(c)(1), a valid authorization under this section must contain at least the following elements:

(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.

(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.

(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.

(iv) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.

(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.

(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.

In addition to the core elements, Section 164.508(c)(2) requires the authorization to contain statements adequate to place the individual on notice of all of the following:

(i) The individual’s right to revoke the authorization in writing, and either:

(A) The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or

(B) To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by § 164.520, a reference to the covered entity’s notice.

(ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:

(A) The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or

(B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.

(iii) The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart.

The authorization must be written in plain language. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization.

See also Informed Consent and HIPAA.

Tags:

Start Here

Enter your name and email address to keep up with what’s new at EZ Elder Law!

  • This field is for validation purposes and should be left unchanged.

[Return to Top]