General Rules About the Health Insurance Portability and Accountability Act (HIPAA) Uses and Disclosures

Under HIPAA rules, covered entities are generally permitted to use or disclose protected health information (PHI):
- to the individual or his/her authorized personal representative (this is required when the individual makes a formal request for access, per 45 CFR 164.524, 528);
- for treatment, payment or other health care operations, without any specific legal permission, or in compliance with an optional consent (per 45 CFR 164.506);
- for other purposes, in compliance with an authorization (per 45 CFR 164.508) or other agreement (per 45 CFR 164.510);
- for research, provided an IRB or Privacy Board has approved a waiver of authorization (per 45 CFR 164.514);
- in compliance with uses and disclosures permitted for law enforcement, for judicial or administrative proceedings, for public health activities or health system oversight, and other purposes identified in 45 CFR 164.512;
- to avert a serious, imminent threat to public health or safety (45 CFR 164.514);
- to the Secretary of DHHS for investigations of complaints or general compliance reviews (this is required when DHHS makes a formal request, per 45 CFR 160.306, 308);
- for fundraising or marketing, as limited by 45 CFR 164.514; or
- when the PHI has been adequately identified (per 45 CFR 164.514).
With some exceptions (e.g., related to information exchanged between/among providers for treatment), such uses and disclosures must adhere to a minimum necessary standard.
If you need more information regarding privacy and confidentiality, call UMBH at 1-800-294-8642. If you would like more information about HIPAA, please visit their website at www.hhs.gov/ocr/hipaa.