HIPAA

Information taken from US CDC and US HHS

Permitted Uses and Disclosure

When in doubt, defer the request to a higher ranking member of your team.

The law permits, but does not require, a covered entity to use and disclose PHI, without an individual’s authorization, for the following purposes or situations:

  • Disclosure to the individual (if the information is required for access or accounting of disclosures, the entity MUST disclose to the individual)
  • Treatment, payment, and healthcare operations
  • Opportunity to agree or object to the disclosure of PHI
    • An entity can obtain informal permission by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object
  • Incident to an otherwise permitted use and disclosure
  • Limited dataset for research, public health, or healthcare operations
  • Public interest and benefit activities—The Privacy Rule permits use and disclosure of PHI, without an individual’s authorization or permission, for 12 national priority purposes:
    • When required by law
    • Public health activities
    • Victims of abuse or neglect or domestic violence
    • Health oversight activities
    • Judicial and administrative proceedings
    • Law enforcement
      • as required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests;
      • to identify or locate a suspect, fugitive, material witness, or missing person;
      • in response to a law enforcement official’s request for information about a victim or suspected victim of a crime;
      • to alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death;
      • when a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and
      • by a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.
    • Functions (such as identification) concerning deceased persons
    • Cadaveric organ, eye, or tissue donation
    • Research, under certain conditions
    • To prevent or lessen a serious threat to health or safety
    • Essential government functions
    • Workers’ compensation

    For more detailed use cases, see US HHS Summary of the HIPAA Privacy Rule