HIPAA Survival Guide Note: Privacy Rule Roadmap
References: § 164.502. This section contains the general rules regarding permitted Uses and Disclosures and represents the starting point for determining whether or not the Rule has been violated.
Description: This section addresses a determination of whether the Rule has been violated. Determining whether the Rule has been violated is important vis-a-vis a number of privacy program processes and the Items that correspond to them. For example, your organization must determine whether the Rule has been violated before: 1) notifying patients of a breach; and 2) sanctioning an employee. We are also required to monitor our business associate agreements to ensure that our partners do not violate the substantive sections of the Rule. Because this section provides a roadmap to the entire Privacy Rule, it defines and points to all permitted uses & disclosures.
§164.502 Uses and disclosures of protected health information: general rules.
(a) Standard. A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.
Permitted uses and disclosures: What is this? This section determines what the permitted uses and disclosures are under the Privacy Rule. These uses do not require any prior approval from the individual and are allowed per se.
(1) Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:
(i) To the individual;
(ii) For treatment, payment, or health care operations, as permitted by and in compliance with §164.506;
(iii) Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of §§164.502(b), 164.514(d), and 164.530(c) with respect to such otherwise permitted or required use or disclosure;
(iv) Except for uses and disclosures prohibited under §164.502(a)(5)(i), pursuant to and in compliance with a valid authorization under §164.508;
(v) Pursuant to an agreement under, or as otherwise permitted by, §164.510; and
(vi) As permitted by and in compliance with this section, §164.512, §164.514(e), (f), or (g).
Required uses and disclosures: What is this? This section determines when Covered Entities and Business Associates are required to make disclosures. In short, these disclosures are mandatory under the Privacy Rule.
(2) Covered entities: Required disclosures. A covered entity is required to disclose protected health information:
(i) To an individual, when requested under, and required by §164.524 or §164.528; and
(ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subchapter.
Business Associates Permitted and Required uses and disclosures: What is this? The following sections determine when a Business Associate is permitted or required to make a disclosure under the Privacy Rule.
(3) Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to §164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under §164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement.
(4) Business associates: Required uses and disclosures. A business associate is required to disclose protected health information:
(i) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the business associate's compliance with this subchapter.
(ii) To the covered entity, individual, or individual's designee, as necessary to satisfy a covered entity's obligations under §164.524(c)(2)(ii) and (3)(ii) with respect to an individual's request for an electronic copy of protected health information.
Prohibited uses and disclosures: What is this? The following two sections determine what is an absolutely prohibited use and disclosure under the Privacy Rule.
(5) Prohibited uses and disclosures.
(i) Use and disclosure of genetic information for underwriting purposes: Notwithstanding any other provision of this subpart, a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, shall not use or disclose protected health information that is genetic information for underwriting purposes. For purposes of paragraph (a)(5)(i) of this section, underwriting purposes means, with respect to a health plan:
(A) Except as provided in paragraph (a)(5)(i)(B) of this section:
(1) Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy (including changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);
(2) The computation of premium or contribution amounts under the plan, coverage, or policy (including discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);
(3) The application of any pre-existing condition exclusion under the plan, coverage, or policy; and
(4) Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.
(B) Underwriting purposes does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy.
(ii) Sale of protected health information:
(A) Except pursuant to and in compliance with §164.508(a)(4), a covered entity or business associate may not sell protected health information.
(B) For purposes of this paragraph, sale of protected health information means:
(1) Except as provided in paragraph (a)(5)(ii)(B)(2) of this section, a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.
(2) Sale of protected health information does not include a disclosure of protected health information:
(i) For public health purposes pursuant to §164.512(b) or §164.514(e);
(ii) For research purposes pursuant to §164.512(i) or §164.514(e), where the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes;
(iii) For treatment and payment purposes pursuant to §164.506(a);
(iv) For the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence as described in paragraph (6)(iv) of the definition of health care operations and pursuant to §164.506(a);
(v) To or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor, pursuant to §§164.502(e) and 164.504(e), and the only remuneration provided is by the covered entity to the business associate, or by the business associate to the subcontractor, if applicable, for the performance of such activities;
(vi) To an individual, when requested under §164.524 or §164.528;
(vii) Required by law as permitted under §164.512(a); and
(viii) For any other purpose permitted by and in accordance with the applicable requirements of this subpart, where the only remuneration received by the covered entity or business associate is a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for such purpose or a fee otherwise expressly permitted by other law.
(b) Standard: Minimum necessary
Minimum Necessary: What is this? This Item addresses the “minimum necessary” principle, which states that only the PHI actually needed for a given purpose should be used or disclosed in any given instance. The minimum necessary standard is a key protection of the Rule. It is based on the best practice that PHI should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. The minimum necessary standard requires us to evaluate our practices and enhance our safeguards as needed to limit unnecessary or inappropriate access to and disclosure of PHI. The following section describes when the minimum necessary standard applies and when it does not.
(1) Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
(2) Minimum necessary does not apply. This requirement does not apply to:
(i) Disclosures to or requests by a health care provider for treatment;
(ii) Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section;
(iii) Uses or disclosures made pursuant to an authorization under §164.508;
(iv) Disclosures made to the Secretary in accordance with subpart C of part 160 of this subchapter;
(v) Uses or disclosures that are required by law, as described by §164.512(a); and
(vi) Uses or disclosures that are required for compliance with applicable requirements of this subchapter.
Restrictions: What is this? Patients are permitted to make PHI restriction requests to Covered Entities with respect to uses and disclosures. However, in only one case must the restriction be honored by the Covered Entity. That case is referred to as the "out of pocket" exception. If a patient agrees to pay for the service provided completely "out of pocket" (e.g., an HIV test), then the patient is allowed to request that the Covered Entity restrict any disclosure related to the services provided (e.g., the result). The Covered Entity is also mandated to work with the patient so that other Covered Entities (e.g., a pharmacy) can also restrict. However, if a Covered Entity accepts a restriction request (i.e., even one that is not "out of pocket"), then it must be honored.
(c) Standard: Uses and disclosures of protected health information subject to an agreed upon restriction. A covered entity that has agreed to a restriction pursuant to §164.522(a)(1) may not use or disclose the protected health information covered by the restriction in violation of such restriction, except as otherwise provided in §164.522(a).
De-identification: What is this? A Covered Entity or Business Associate may use de-identified PHI as long as the de-identification is consistent with the requirements imposed by the Privacy Rule. If the PHI is re-identified for any purpose, then the entirety of the Privacy Rule is applicable to any further uses and disclosures of said PHI. It is recommended that de-identification be performed by a professional with the necessary credentials for the task (e.g., an experienced statistician who has done similar verifiable work in the past).
(d) Standard: Uses and disclosures of de-identified protected health information.
(1) Uses and disclosures to create de-identified information. A covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity.
(2) Uses and disclosures of de-identified information. Health information that meets the standard and implementation specifications for de-identification under §164.514(a) and (b) is considered not to be individually identifiable health information, i.e., de-identified. The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of §164.514, provided that:
(i) Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and
(ii) If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart.
Disclosures to business associates: What is this? Business Associate Agreements (“BAAs”) are required with those partners with whom you share PHI so they can perform a business function on your behalf (e.g., billing). You may also need other kinds of arrangements for those partners that want to perform research with your patients’ PHI. You are required to obtain “satisfactory assurances” that your Business Associates are complying with the Security Rule in the same manner that you are required to. Usually this is performed through a set of questionnaires.
(e) (1) Standard: Disclosures to business associates.
(i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.
(ii) A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances, in accordance with §164.504(e)(1)(i), that the subcontractor will appropriately safeguard the information.
(2) Implementation specification: Documentation. The satisfactory assurances required by paragraph (e)(1) of this section must be documented through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of §164.504(e).
Deceased individuals: What is this? After an individual has been deceased for over 50 years, the individual's health information no longer constitutes PHI. What this means in practice is that the Privacy Rule no longer applies to the information. It ceases to be PHI.
(f) Standard: Deceased individuals. A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual.
Personal representatives: Although the sections below describe various fact patterns of when a personal representative is lawfully allowed to act on behalf of the individual under the Privacy Rule, they do not provide a definition of how a person legally acquires the status of personal representative. That is because that status is determined by state law. A Covered Entity or Business Associate must look to the law of the state where the entity operates in order to establish whether the person claiming to be a personal representative is in fact one.
(g) (1) Standard: Personal representatives. As specified in this paragraph, a covered entity must, except as provided in paragraphs (g)(3) and (g)(5) of this section, treat a personal representative as the individual for purposes of this subchapter.
(2) Implementation specification: adults and emancipated minors. If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.
(3) (i) Implementation specification: unemancipated minors. If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation, except that such person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to protected health information pertaining to a health care service, if:
(A) The minor consents to such health care service; no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as the personal representative;
(B) The minor may lawfully obtain such health care service without the consent of a parent, guardian, or other person acting in loco parentis, and the minor, a court, or another person authorized by law consents to such health care service; or
(C) A parent, guardian, or other person acting in loco parentis assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service.
(ii) Notwithstanding the provisions of paragraph (g)(3)(i) of this section:
(A) If, and to the extent, permitted or required by an applicable provision of State or other law, including applicable case law, a covered entity may disclose, or provide access in accordance with §164.524 to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis;
(B) If, and to the extent, prohibited by an applicable provision of State or other law, including applicable case law, a covered entity may not disclose, or provide access in accordance with §164.524 to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis; and
(C) Where the parent, guardian, or other person acting in loco parentis, is not the personal representative under paragraphs (g)(3)(i)(A), (B), or (C) of this section and where there is no applicable access provision under State or other law, including case law, a covered entity may provide or deny access under §164.524 to a parent, guardian, or other person acting in loco parentis, if such action is consistent with State or other applicable law, provided that such decision must be made by a licensed health care professional, in the exercise of professional judgment.
(4) Implementation specification: Deceased individuals. If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.
(5) Implementation specification: Abuse, neglect, endangerment situations. Notwithstanding a State law or any requirement of this paragraph to the contrary, a covered entity may elect not to treat a person as the personal representative of an individual if:
(i) The covered entity has a reasonable belief that:
(A) The individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or
(B) Treating such person as the personal representative could endanger the individual; and
(ii) The covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative.
(h) Standard: Confidential communications. A covered health care provider or health plan must comply with the applicable requirements of §164.522(b) in communicating protected health information.
(i) Standard: Uses and disclosures consistent with notice. A covered entity that is required by §164.520 to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by §164.520(b)(1)(iii) to include a specific statement in its notice if it intends to engage in an activity listed in §164.520(b)(1)(iii)(A)–(C), may not use or disclose protected health information for such activities, unless the required statement is included in the notice.
(j) Standard: Disclosures by whistleblowers and workforce member crime victims
(1) Disclosures by whistleblowers. A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce or a business associate discloses protected health information, provided that:
(i) The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and
(ii) The disclosure is to:
(A) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or
(B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in paragraph (j)(1)(i) of this section.
(2) Disclosures by workforce members who are victims of a crime. A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce who is the victim of a criminal act discloses protected health information to a law enforcement official, provided that:
(i) The protected health information disclosed is about the suspected perpetrator of the criminal act; and
(ii) The protected health information disclosed is limited to the information listed in §164.512(f)(2)(i).
[65 FR 82802, Dec. 28, 2000, as amended at 67 FR 53267, Aug. 14, 2002]