Permitted Uses & Disclosures of PHI To the Individual Treatment, Payment, and Health Care Operations Opportunity to Agree or Object Incidental Use or Disclosure Public Interest & Benefit Limited Data Set for research/public health/health care operations June 2014 HIPAA - General Principles

HIPAA - General Principles 1. To the Individual Self-explanatory June 2014 HIPAA - General Principles

2. Treatment, Payment, and Health Care Operations A covered entity may use & disclose PHI for any of the above activities conducted on its own June 2014 HIPAA - General Principles

2. Treatment, Payment, and Health Care Operations A covered entity may also disclose PHI for: the treatment activities of any HCP the payment activities of another covered entity or any HCP the health care ops of another covered entity (involving either quality / competency assurance OR fraud/abuse detection & compliance activities) Caveat = both covered entities must HAVE or HAVE HAD a relationship with the individual and the PHI pertains to the relationship June 2014 HIPAA - General Principles

HIPAA - General Principles Treatment “ The provision, coordination, or management of health care and related services for an individual by one or more HCP, including consultation between providers and referral…” June 2014 HIPAA - General Principles

HIPAA - General Principles Payment “ Activities of a health plan to… and activities of a health care provider to obtain payment or be reimbursed for the provision of health care to an individual” June 2014 HIPAA - General Principles

Health Care Operations Quality assessment/improvement (incl. case mgmt / care coordination) Competency assurance (performance eval, credentialing, accreditation) Medical reviews/audits/legal services (fraud & abuse detection/compliance) Insurance – underwriting/risk rating Business planning/development/mgmt/admin General administrative activities of the entity June 2014 HIPAA - General Principles

Must I obtain consent for this? Consent = written permission from individuals to use/disclose their PHI Is OPTIONAL under the Privacy Rule If you elect to obtain consent for this use, the content of the form and the process are at YOUR discretion June 2014 HIPAA - General Principles

3. Opportunity to Agree or Object Informal permission by patient, obtained by asking them outright or by circumstance Covered entities may use professional judgment for best interest of patient when: Patient is incapacitated Emergency situation Patient not available Examples Pharmacy dispenses meds to a family member Provider informs family of patient’s general condition or location June 2014 HIPAA - General Principles

4. Incidental Use or Disclosure Privacy Rule recognizes that every risk of an incidental use/disclosure cannot be eliminated Use/disclosure as a result of another permitted use/disclosure is permitted if: Covered entity has reasonable safeguards as required in place PHI shared was limited to “minimum necessary” June 2014 HIPAA - General Principles

5. Public Interest & Benefit Required by Law – statute/regulation/court order Public Health activities Victims of abuse/neglect/domestic violence Health oversight activities Judicial & administrative proceedings Law enforcement June 2014 HIPAA - General Principles

5. Public Interest & Benefit Decedents – funeral directors / medical examiners Organ/tissue donation Research Serious threat to health or safety Essential government functions Workers’ compensation June 2014 HIPAA - General Principles

6. Limited Data Set for Research/Public Health/Health Care Operations Limited data set = PHI where specific direct identifiers have been removed Recipient of PHI must enter into a “data use agreement” promising specific safeguards for the PHI in the data set June 2014 HIPAA - General Principles