HIPAA Permitted Uses and Disclosures of Protected Health Information (PHI)
Sub-category: Health Affairs Matters - General
Effective: September 19, 2013
Revised: January 8, 2004; October 8, 2010; September 18, 2013
Transitioned from Interim to Permanent: July 17, 2014.
ECU HIPAA Privacy Office, 252-744-5200
Modification to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule, 78 Federal Register 17 (25 January 2013), pp. 5566-5702.
1.1. This regulation applies to East Carolina University's Health Care Components ("ECU Health Care Components") that create or maintain Protected Health Information ("PHI"). Additionally, this regulation covers interactions involving Uses and Disclosures between an ECU Health Care Component and other areas of ECU that may receive PHI. The purpose of this regulation is to provide guidance on permitted Uses and Disclosures of PHI.
2.1. Authorization means a specialized written permission that contains specific elements for the Use and/or Disclosure of an individual's PHI for certain purposes other than treatment, payment and healthcare operations and as permitted under Federal and State Law.
2.2. Business Associate means:
2.2.1. With respect to an ECU Health Care Component, a Person who:
2.2.1.1. On behalf of an ECU Health Care Component or an Organized Health Care Arrangement in which an ECU Health Care Component participates, but other than in the capacity of a Workforce member, creates, receives, maintains, or transmits PHI for a function or activity including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities, billing, benefit management, practice management, and re-pricing; or
2.2.1.2. Provides, other than in the capacity of a workforce member of an ECU Health Care Component, legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, or to or for an Organized Health Care Arrangement in which an ECU Health Care Arrangement participates, where the provision of the service involves the disclosure of PHI from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
2.3. Covered Entity means a health plan; a health clearinghouse; or a health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.
2.4. Disclosure means the release, transfer, provision of access to, or divulging in any manner of PHI outside of an ECU Health Care Component.
2.5. Minimum Necessary means limiting the PHI Used, Disclosed or requested to the amount reasonably necessary to accomplish the intended purpose of the Use, Disclosure or request.
2.6. Protected Health Information means:
2.6.1. Individually identifiable information, that is a subset of health information, including demographic information collected from an individual, and:
2.6.1.1. Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
2.6.1.2. Relates to the past, present, or future physical or mental health or condition of a subject; the provision of health care to a subject, or the past, present, or future payment for the provision of health care to a subject; and
2.6.1.2.1. That identifies the subject; or
2.6.1.2.2. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
2.6.2. PHI can be:
2.6.2.1. Transmitted by electronic media;
2.6.2.2. Maintained in electronic media; or
2.6.2.3. Transmitted or maintained in any other form or medium.
2.6.3. PHI excludes individually identifiable information that is:
2.6.3.1. In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
2.6.3.2. In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
2.6.3.3. In employment records held by a covered entity in its role as employer; and
2.6.3.4. Regarding a person who has been deceased for more than 50 years.
2.7. Use means the sharing, employment, application, utilization, examination, or analysis of PHI within ECU's Health Care Components.
3.1. ECU Health Care Components will comply with the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") regarding the obligation to safeguard PHI against Use or Disclosure that may not be permitted or required under applicable Federal and State laws.
4.1. Generally Permitted Uses and Disclosures:
4.1.1. Treatment, payment, and health care operations. ECU Health Care Components shall obtain a general consent to Use and Disclose PHI prior to providing services and a copy shall be retained in the Components' Designated Record Set. At a minimum a new form should be initiated and signed annually. ECU Health Care Components may:
4.1.1.1. Use and Disclose PHI for their own treatment, payment, and health care operation activities.
4.1.1.2. Disclose PHI for treatment activities of a health care provider.
4.1.1.3. Disclose PHI to another Covered Entity or health care provider for the payment activities of the entity that receives the information.
4.1.1.4. Disclose PHI to another covered entity for health care operations or activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the PHI being requested, the PHI pertains to such relationship, and the disclosure is:
4.1.1.4.1. For the purpose of health care fraud and abuse detection or compliance; or
4.1.1.4.2. For the following health care operations purposes:
4.1.1.4.2.1. Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment; or
4.1.1.4.2.2. Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities.
4.1.1.5. Disclose PHI about an individual to Vidant Medical Center, as part of our organized health care arrangement, for any health care operations activities of the organized health care arrangement.
4.1.2. Business Associates of ECU's Health Care Components. PHI may be exchanged with Business Associates as long as a Business Associate Agreement is completed.
4.1.3. Designated Health Care Components. ECU has identified designated health care components. All designated health care components must comply with the HIPAA regulations. ECU Health Care Components:
4.1.3.1. Must not disclose PHI to another non-health care component of ECU in circumstances in which HIPAA would prohibit such Disclosures if the health care component and the other component were separate and distinct legal entities.
4.1.3.2. Must protect electronic PHI with respect to another component of ECU to the same extent that it would be required to under HIPAA to protect such information if the health care component and the other component were separate and distinct legal entities.
4.1.3.3. If a person performs duties for both a health care component in the capacity of a workforce member of such component and for another component of ECU in the same capacity with respect to that component, such workforce member must not Use or Disclose PHI created or received in the course of or incident to the workforce member's work for the health care component.
4.1.4. Fundraising. ECU Health Care Components must comply with HIPAA regulations regarding the Use and Disclosure of PHI for fundraising. Specifically, PHI will not be Used or Disclosed for fundraising unless it meets the standard provided in the HIPAA regulations. PHI that does not meet the standard may only be used pursuant to a specific authorization from the individual granting more expansive use of their PHI.
4.2. Uses and Disclosures for Which an Authorization is Required:
4.2.1. Psychotherapy Notes. Certain restrictions apply to the Use and Disclosure of Psychotherapy notes.
4.2.2. Marketing. ECU Health Care Components must comply with HIPAA regulations regarding the use of PHI for marketing. A face-to-face communication made by an ECU Health Care component to an individual, or a promotional gift of nominal value provided by an ECU Health Component is permitted; however, other types of marketing activities using PHI require an authorization.
4.2.3. Sale of PHI. ECU Health Care Components must comply with the HIPAA regulations regarding the sale of PHI. Specifically, an ECU Health Care Component must obtain a written authorization for any Disclosure of PHI which is a sale of PHI and such authorization must state that the Disclosure will result in remuneration to the ECU Health Care Component.
4.2.4. Research. ECU Health Care Components must comply with the HIPAA regulations regarding research. An ECU Health Care Component must obtain an authorization for the Use or Disclosure of PHI for research purposes unless a waiver to the authorization requirement has been granted in accordance with paragraph 4.4.9. For more complete information please refer to www.ecu.edu/irb.
4.3. Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object:
4.3.1. Family Members and Friends. When the requirements of 4.3.1.1. or 4.3.1.2. below are met, ECU Health Care Components may (i) Disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, PHI directly relevant to such person's involvement with the individual's care or payment related to the individual's care; and (ii) Use PHI to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the patient, or another person responsible for the care of the individual, of the individual's location, general condition, or death.
4.3.1.1. If the individual is present at the time of or prior to the Use or Disclosure and has the capacity to make decisions, the use or disclosure may be made if (i) the individual's authorization is obtained; (ii) the individual is provided with an opportunity to object and the patient does not object; or (iii) it is reasonably inferred from the circumstances, using professional judgment, that the individual does not object to the disclosure.
4.3.1.2. If the individual is not present at the time of or prior to the Use or Disclosure or the opportunity to object to the Use or Disclosure cannot practicably be provided due to the patient's incapacity or in an emergency, the Use or Disclosure may be made if the Disclosure is in the best interest of the individual, using professional judgment, and, if so, only the PHI which is directly relevant to the individual's involvement with the individual's care or payment related to the individual's health care, or needed for notification purposes may be Disclosed. ECU Health Care Components may use professional judgment and experience with common practice to make reasonable inferences regarding the individual's best interest in allowing a person to act on behalf of the patient to pick up filled prescriptions, medical supplies, x-rays, or other similar forms of PHI.
4.3.2. Disaster Relief Purposes. ECU Health Care Components may Use or Disclose PHI to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities the Use or Disclosure permitted by paragraph 4.3.1(ii). The requirements in paragraphs 4.3.1.1., 4.3.1.2. and 4.3.3. apply to such Uses and Disclosures to the extent that the Component, in the exercise of professional judgment, determines that the requirements do not interfere with the ability to respond to the emergency situation.
4.3.3. Deceased Individual. If the individual is deceased, ECU Health Care Components may Disclose to a family member, or other persons identified in paragraph 4.3.1. who were involved in the individual's care or payment for health care prior to the individual's death, PHI of the individual that is relevant to such person's involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the Component.
4.4. Permitted Uses and Disclosures when Consent or Authorization is not required:
4.4.1. Disclosure required by law. PHI may be Used or Disclosed if and to the extent required by law.
4.4.2. Public health activities. PHI may be Used or Disclosed to a public health authority that is authorized by law to collect or receive such information for preventing or controlling disease, injury or disability, including public health issues, vital records, child or adult abuse or neglect; adverse food or drug events, and investigations of work-related illnesses or injuries as required under law.
4.4.3. Victims of abuse, neglect, or domestic violence. PHI may be Used or Disclosed to a government authority, including a social service or protective service agency, which is investigating a report of abuse, neglect or domestic violence to the extent the disclosure is required or permitted by law.
4.4.4. Health oversight activities. With certain exceptions, PHI may be Used or Disclosed to a health oversight agency for oversight activities authorized by law, including audits, civil, administrative or criminal investigations or proceedings, inspections, licensure or disciplinary actions, or other government benefit or regulatory programs (e.g., The Joint Commission).
4.4.5. Judicial and Administrative Proceedings. PHI may be Disclosed in the course of a judicial or administrative proceeding in response to an order of a court or administrative tribunal, a subpoena, discovery request or other lawful process with certain assurances.
4.4.6. Law Enforcement Purposes. PHI may be Disclosed for law enforcement purposes to a law enforcement official under certain conditions. Law enforcement reasons may include (1) limited information requests for identification and location purposes; (2) pertaining to victims of a crime; (3) suspicion that death has occurred as a result of criminal conduct; (4) in the event that a crime occurs on the site of the practice; (5) medical emergency when it is likely that a crime has occurred; and (6) reporting certain types of wounds or other physical injuries.
4.4.7. Decedents. PHI regarding decedents may be Disclosed to coroners, medical examiners and funeral directors if necessary to carry out the duties of their positions.
4.4.8. Cadaveric organ, eye, or tissue donation. PHI may be Disclosed to organ procurement, banking or transplantation organizations to facilitate organ, eye or tissue donation and transplantation.
4.4.9. Research. PHI may be Used for research without the individual's authorization if the University and Medical Center Institutional Review Board (UMCIRB) grants a waiver of the requirement for authorization. For more complete information please refer to www.ecu.edu/irb.
4.4.10. Threats to Health or Safety. PHI may be Used or Disclosed under certain circumstances if a health care provider believes in good faith that the use or disclosure is necessary to protect a person or the public.
4.4.11. Specialized Government Functions. PHI may be Used or Disclosed for specialized government functions such as military and veterans activities, security and intelligence activities, protective services for officials, medical suitability, and correctional institutions.
4.4.12. Workers' Compensation. PHI may be Used or Disclosed to the extent required to comply with workers' compensation and similar programs.
4.5. Minimum Necessary Standard: ECU Health Care Components must limit PHI to the Minimum Necessary to accomplish the intended purpose on all Uses and Disclosures except:
4.5.1. Disclosures to or requests by a health care provider for treatment purposes;
4.5.2. Uses or Disclosures to the individual;
4.5.3. Uses or Disclosures pursuant to an authorization;
4.5.4. Disclosures made to the Secretary of Health and Human Services in accordance with the applicable requirements of HIPAA;
4.5.5. Uses or Disclosures that are required by law; and
4.5.6. Uses or Disclosures that are required for compliance with applicable requirements of HIPAA.
4.6. Authorization to Use or Disclose PHI: Uses and Disclosures not covered in this regulation require the patient's specific authorization.
4.7. Designation: ECU Health Care Components must designate an office or person to receive and process all requests for Use and Disclosure of PHI except those related to treatment, payment, and health care operations.