The federal regulations on privacy set a minimum standard for privacy and
disclosure. The relevant section is excerpted here from the US Dept of
Health and Human Services website, with bold and color added to emphasize
points of this training:
HIPAA regulation, 45 C.F.R. 164.502 (g)(3)(ii)(B), from:
http://www.hhs.gov/ocr/regtext.html
§ 164.502 Uses and disclosures of protected health information: general
rules.
(a) Standard. A covered entity may not use or disclose protected
health information, except as permitted or required by this subpart or by
subpart C of part 160 of this subchapter.
(1) Permitted uses and disclosures. A covered entity is permitted
to use or disclose protected health information as follows:
(i) To the individual;
(ii) Pursuant to and in compliance with a consent that complies with
§ 164.506, to carry out treatment, payment, or health care operations;
(iii) Without consent, if consent is not required under § 164.506(a)
and has not been sought under § 164.506(a)(4), to carry out treatment,
payment, or health care operations, except with respect to psychotherapy
notes;
(iv) Pursuant to and in compliance with an authorization that
complies with § 164.508;
(v) Pursuant to an agreement under, or as otherwise permitted by, §
164.510; and
(vi) As permitted by and in compliance with this section, § 164.512,
or § 164.514(e), (f), and (g).
(2) Required disclosures. A covered entity is required to disclose
protected health information:
(i) To an individual, when requested under, and as required by §§
164.524 or 164.528; and
(ii) When required by the Secretary under subpart C of part 160 of
this subchapter to investigate or determine the covered entity's
compliance with this subpart.
(b) Standard: minimum necessary.
(1) Minimum necessary applies. When using or disclosing protected
health information or when requesting protected health information from
another covered entity, a covered entity must make reasonable efforts to
limit protected health information to the minimum necessary to accomplish
the intended purpose of the use, disclosure, or request.
(2) Minimum necessary does not apply. This requirement does not
apply to:
(i) Disclosures to or requests by a health care provider for
treatment;
(ii) Uses or disclosures made to the individual, as permitted under
paragraph (a)(1)(i) of this section, as required by paragraph (a)(2)(i)
of this section, or pursuant to an authorization under § 164.508, except
for authorizations requested by the covered entity under § 164.508(d),
(e), or (f);
(iii) Disclosures made to the Secretary in accordance with subpart C
of part 160 of this subchapter;
(iv) Uses or disclosures that are required by law, as described by §
164.512(a); and
(v) Uses or disclosures that are required for compliance with
applicable requirements of this subchapter.
(c) Standard: uses and disclosures of protected health information subject
to an agreed upon restriction. A covered entity that has agreed to a
restriction pursuant to § 164.522(a)(1) may not use or disclose the protected
health information covered by the restriction in violation of such restriction,
except as otherwise provided in § 164.522(a).
(d) Standard: uses and disclosures of de-identified protected health
information.
(1) Uses and disclosures to create de-identified information. A
covered entity may use protected health information to create information
that is not individually identifiable health information or disclose
protected health information only to a business associate for such purpose,
whether or not the de-identified information is to be used by the covered
entity.
(2) Uses and disclosures of de-identified information. Health
information that meets the standard and implementation specifications for
de-identification under § 164.514(a) and (b) is considered not to be
individually identifiable health information, i.e., de-identified. The
requirements of this subpart do not apply to information that has been
de-identified in accordance with the applicable requirements of § 164.514,
provided that:
(i) Disclosure of a code or other means of record identification
designed to enable coded or otherwise de-identified information to be
re-identified constitutes disclosure of protected health information;
and
(ii) If de-identified information is re-identified, a covered entity
may use or disclose such re-identified information only as permitted or
required by this subpart.
(e)(1) Standard: disclosures to business associates.
(i) A covered entity may disclose protected health information to a
business associate and may allow a business associate to create or
receive protected health information on its behalf, if the covered
entity obtains satisfactory assurance that the business associate will
appropriately safeguard the information.
(ii) This standard does not apply:
(A) With respect to disclosures by a covered entity to a health
care provider concerning the treatment of the individual;
(B) With respect to disclosures by a group health plan or a
health insurance issuer or HMO with respect to a group health plan
to the plan sponsor, to the extent that the requirements of §
164.504(f) apply and are met; or
(C) With respect to uses or disclosures by a health plan that is
a government program providing public benefits, if eligibility for,
or enrollment in, the health plan is determined by an agency other
than the agency administering the health plan, or if the protected
health information used to determine enrollment or eligibility in
the health plan is collected by an agency other than the agency
administering the health plan, and such activity is authorized by
law, with respect to the collection and sharing of individually
identifiable health information for the performance of such
functions by the health plan and the agency other than the agency
administering the health plan.
(iii) A covered entity that violates the satisfactory assurances it
provided as a business associate of another covered entity will be in
noncompliance with the standards, implementation specifications, and
requirements of this paragraph and § 164.504(e).
(2) Implementation specification: documentation. A covered entity
must document the satisfactory assurances required by paragraph (e)(1) of
this section through a written contract or other written agreement or
arrangement with the business associate that meets the applicable
requirements of § 164.504(e).
(f) Standard: deceased individuals. A covered entity must comply with
the requirements of this subpart with respect to the protected health
information of a deceased individual.
(g)(1) Standard: personal representatives. As specified in this
paragraph, a covered entity must, except as provided in paragraphs (g)(3) and
(g)(5) of this section, treat a personal representative as the individual for
purposes of this subchapter.
(2) Implementation specification: adults and emancipated minors.
If under applicable law a person has authority to act on behalf of an
individual who is an adult or an emancipated minor in making decisions
related to health care, a covered entity must treat such person as a
personal representative under this subchapter, with respect to protected
health information relevant to such personal representation.
(3) Implementation specification: unemancipated minors. If under
applicable law a parent, guardian, or other person acting in loco
parentis has authority to act on behalf of an individual who is an
unemancipated minor in making decisions related to health care, a covered
entity must treat such person as a personal representative under this
subchapter, with respect to protected health information relevant to such
personal representation, except that such person may not be a personal
representative of an unemancipated minor, and the minor has the authority
to act as an individual, with respect to protected health information
pertaining to a health care service, if:
(i) The minor consents to such health care service; no other consent to
such health care service is required by law, regardless of whether the
consent of another person has also been obtained; and the minor has not
requested that such person be treated as the personal representative;
(ii) The minor may lawfully obtain such health care service without
the consent of a parent, guardian, or other person acting in loco
parentis, and the minor, a court, or another person authorized by
law consents to such health care service; or
(iii) A parent, guardian, or other person acting in loco parentis
assents to an agreement of confidentiality between a covered health
care provider and the minor with respect to such health care service.
(4) Implementation specification: deceased individuals. If under
applicable law an executor, administrator, or other person has authority to
act on behalf of a deceased individual or of the individual's estate, a
covered entity must treat such person as a personal representative under
this subchapter, with respect to protected health information relevant to
such personal representation.
(5) Implementation specification: abuse, neglect, endangerment
situations. Notwithstanding a State law or any requirement of this
paragraph to the contrary, a covered entity may elect not to treat a person
as the personal representative of an individual if:
(i) The covered entity has a reasonable belief that:
(A) The individual has been or may be subjected to domestic
violence, abuse, or neglect by such person; or
(B) Treating such person as the personal representative could
endanger the individual; and
(ii) The covered entity, in the exercise of professional judgment,
decides that it is not in the best interest of the individual to treat
the person as the individual's personal representative.
(h) Standard: confidential communications. A covered health care
provider or health plan must comply with the applicable requirements of §
164.522(b) in communicating protected health information.
(i) Standard: uses and disclosures consistent with notice. A covered
entity that is required by § 164.520 to have a notice may not use or disclose
protected health information in a manner inconsistent with such notice. A
covered entity that is required by § 164.520(b)(1)(iii) to include a specific
statement in its notice if it intends to engage in an activity listed in §
164.520(b)(1)(iii)(A)-(C), may not use or disclose protected health information
for such activities, unless the required statement is included in the notice.
(j) Standard: disclosures by whistleblowers and workforce member crime
victims.
(1) Disclosures by whistleblowers. A covered entity is not
considered to have violated the requirements of this subpart if a member of
its workforce or a business associate discloses protected health
information, provided that:
(i) The workforce member or business associate believes in good faith
that the covered entity has engaged in conduct that is unlawful or
otherwise violates professional or clinical standards, or that the care,
services, or conditions provided by the covered entity potentially
endangers one or more patients, workers, or the public; and
(ii) The disclosure is to:
(A) A health oversight agency or public health authority
authorized by law to investigate or otherwise oversee the relevant
conduct or conditions of the covered entity or to an appropriate
health care accreditation organization for the purpose of reporting
the allegation of failure to meet professional standards or
misconduct by the covered entity; or
(B) An attorney retained by or on behalf of the workforce member
or business associate for the purpose of determining the legal
options of the workforce member or business associate with regard to
the conduct described in paragraph (j)(1)(i) of this section.
(2) Disclosures by workforce members who are victims of a crime. A
covered entity is not considered to have violated the requirements of this
subpart if a member of its workforce who is the victim of a criminal act
discloses protected health information to a law enforcement official,
provided that:
(i) The protected health information disclosed is about the suspected
perpetrator of the criminal act; and
(ii) The protected health information disclosed is limited to the
information listed in § 164.512(f)(2)(i).
from:
http://www.hhs.gov/ocr/regtext.html
The entire HIPAA Final Privacy Rule is archived on this site and is also
available at the government site:
http://www.hhs.gov/ocr/regtext.html