Patient’s Guide to HIPAA – Uses and Disclosures: What Are the Allowable Uses and Disclosures?
You are reading the Patient’s Guide to HIPAA, FAQ 60 .
HIPAA Guide Quick Links:
FAQ 60: What Are the Allowable Uses and Disclosures?
We will list each HIPAA category of allowable use and disclosure, together with some discussion as appropriate. (If we included every detail of every disclosure, it would double the size of this guide.) A covered entity that must comply with the HIPAA rule needs to know all the specifics, but an informed patient generally only needs to be generally aware of the categories of uses and disclosures. Every covered entity’s notice of privacy practices should include some information about each type of allowable disclosure. Those who want to know more can read the rule itself.
• Treatment, Payment, and Health Care Operations. We covered this category of uses and disclosures in detail in an earlier question. (See FAQ 56.) The category includes uses and disclosures for a very large number of purposes.
• Required by law. We’ve already covered this category in detail in the previous question. We used this category to illustrate the complexity of allowable disclosures.
• Public Health Activities. Public health disclosures are one of the more expansive disclosure categories under the rule. There are at least five general types of public health disclosures. Some public health disclosures are to traditional federal, state, and local public health agencies. The reporting of communicable diseases is an example. It is the type of disclosure that draws few, if any, objections. Additional confidentiality protections may apply to some of the information disclosed to public health agencies. Disclosures to manufacturers of pharmaceutical medicines and devices for the reporting of adverse events may qualify as public health disclosures. Some public health disclosures can be to employers for medical surveillance of the workplace. These disclosures to private entities explain why the public health category so expansive. Many different organizations play a role in public health, including employers.
The 2013 changes added a new public health type of disclosure. A covered entity can disclose proof of immunization to a school where an individual is a student or prospective student, if the school is required by law to have proof of immunization before admitting a student and the covered entity obtains and documents agreement to disclose from a parent or guardian or from an adult student. The agreement does not have to be in writing.
• Victims of Abuse, Neglect, or Domestic Violence. Reporting of victims can be done to a social service agency or other government authority (including the police) that is authorized to receive the reports.
• Health Oversight Activities. Many federal and state government agencies regulate and oversee parts of the health care system. Disclosures are permissible for activities authorized (not just required!) by law, including audits, investigations, inspections, licensing, and similar functions. One patient protection included in the rule prevents the use of information disclosed for oversight purposes against the patient who is the subject of the record disclosed. So if an agency investigates a health care provider, it cannot use information about that provider’s patients against the patients themselves. However, if the information reveals health care fraud by the patient or involving public benefits for health care or benefits based on health condition, the information can be used against the patient. The protection for patients with oversight disclosures is limited, but it has some substance.
• Judicial and Administrative Proceedings. A covered entity can respond to a court order or the order of an administrative agency for health records. The authority to disclose also covers subpoenas and discovery requests. The conditions that attach to these disclosures are lengthy and include some obligation to give notice to the patient who is the subject of the record. The complexity here is enough to choke a lawyer because the HIPAA rule interacts with already elaborate state laws and court procedures.
• Law Enforcement Purposes. The rule has six flavors of law enforcement disclosure. The loosest allows disclosures for administrative requests. An administrative request does not require judicial approval or even have to be in writing. Any law enforcement official can ask for information by stating that the information sought is relevant to a legitimate law enforcement inquiry, by limiting the request to information reasonably practicable to the purpose, and by saying that de-identified information cannot be used. It is hard to imagine a more unrestricted type of police disclosure. A covered entity need not comply with an administrative request, but it may do so. The other types of law enforcement disclosures are not so open-ended. One, for example, allows a provider to report a crime that occurred in the provider’s office. That seems more reasonable.
• Decedents. A covered entity can share information about people who died with coroners and funeral directors. They may need to know if the decedent has AIDS, for example.
• Organ and Tissue Donation. A covered entity can disclose patient information to organizations engaged in tissue banking and transplantation to facilitate donations.
• Research. Researchers engaged in health research and other types of research often want access to health records. The rule allows disclosures for research but generally requires that a research project be approved by an Institutional Review Board (IRB). An IRB is an existing institution – often part of the organization conducting the research – that oversees research activities to protect human subjects. The research section of HIPAA is particularly convoluted in order to address different needs of researchers. We observe that HHS itself conducts and funds research using health records. The rule reflects the needs of HHS and researchers, while offering some procedural protections for privacy. There are many policy conflicts involving research disclosures, and the rule strikes a balance that some like and some do not.
• Serious Threats to Health or Safety. A covered entity may use or disclose a patient record if it believes in good faith that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. There are a few other conditions.
• Specialized Government Functions. This category of uses and disclosures has six subcategories. Some relate to military, veterans, and prison functions. Another category allows disclosure to the Secret Service to protect the President and some other officials. Another broad subcategory allows disclosure to government programs providing public benefits.
The broadest disclosures in the government functions subcategory authorize disclosure to any national security or intelligence agency. HIPAA imposes no conditions or procedures for national security disclosures. The disclosures are not mandatory (at least not under HIPAA), but any national security or intelligence agency can request a health record on any individual without prerequisite and without violating HIPAA, even if the disclosure would violate medical ethics. We think this is the single worst provision in the HIPAA Privacy Rule.
• Worker’s Compensation. HIPAA allows any disclosure authorized and necessary to comply with laws relating to worker’s compensation. The worker’s compensation system typically requires the routine disclosure of health information about injured workers. HIPAA stays out of the way and allows the normal processes to continue without any procedural or substantive interference.
Roadmap: Patient’s Guide to HIPAA: Part 3: What You Should Know about Uses and Disclosures (FAQ 60 of 65)