HIPAA Pros - Disclosures © HIPAA Pros 2002 All rights reserved
Attorneys Plaintiff’s attorney, written authorization is required. County’s counsel in defense of a malpractice case. Documentation should be provided describing the reason for this disclosure. Client authorization is not required. Minimum necessary standards must be applied. A Business Associate agreement with County’s counsel is required.
Insurance Representatives PHI may be used or disclosed for payment under the HIPAA written acknowledgement of receipt of the Notice of Privacy Practices but must be limited to the minimum necessary information.
Vendors PHI can be shared with vendors working on behalf of the County, once Business Associate agreements are established. Minimum necessary standards should be applied.
Physicians, Case Managers, and/or Other Providers Establish policies and procedures to verify, before release of the information, that these individuals are part of the client’s treatment team, then disclosures would be covered by the HIPAA written acknowledgement for treatment, payment and operations.
Physicians, Case Managers, and/or Other Providers Establish policies and procedures to verify, before release of the information, that these individuals are part of the client’s treatment team, then disclosures would be covered by the HIPAA written acknowledgement for treatment, payment and operations.
Governmental Agencies Adopt and develop policies and procedures for each disclosure required or allowed by law or regulation. If not required or allowed, client authorization may need to be obtained. Business Associate agreements may have to be developed and established for disclosures to agencies that are not specifically required by law or authorized by HIPAA regulations. Disclosures, with some exceptions, must be documented in the accounting of disclosures.
Agencies That Respond To Abuse, Neglect Or Domestic Violence A covered entity may disclose PHI about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect or domestic violence to an appropriate government authority. Reports of child abuse and neglect are permitted under the public health activity permissible disclosure.
Agencies That Respond To Abuse, Neglect Or Domestic Violence Such disclosure may be made: Required by law and the disclosure complies with and is limited to the relevant requirements; Individual agrees to the disclosure; or Exercise of professional judgment, the disclosure is necessary to prevent serious harm to the individual or other potential victim; or Individual is unable to agree because of incapacity .
Judicial or Administrative Proceedings A covered entity may disclose PHI in the course of any judicial or administrative proceeding: in response to an order of a court or administrative tribunal, provided only that PHI expressly authorized is disclosed; or in response to a subpoena, discovery request or other lawful process if certain specific requirements are met with written acknowledgement of receipt of the Notice of Privacy Practices or authorization.
Families / Personal Representatives If the client is present or available prior to the disclosure and has the capacity to make decisions, they must agree Based on the exercise of professional judgment, that the client does not object. If the client is not present and the opportunity to agree or object cannot practicably be provided because of incapacity or emergency, the covered entity may exercise professional judgment to determine whether disclosure is in the best interest of the client.
To Agencies When Required by Law A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and complies with and is limited to the relevant requirements of such law.
Public Health Officials The Privacy Rule continues to allow for the existing practice of sharing PHI, without client written acknowledgement of receipt of the Notice of Privacy Practices or authorization, with public health authorities that are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public – such as: Reporting of disease or injury; Reporting deaths and births; investigating the occurrence and cause of injury and disease; and monitoring adverse outcomes related to food, drugs, biological products, and dietary supplements.
Law Enforcement Agents Appropriate disclosure for law enforcement purposes, including: Pursuant to legal process and as otherwise required by law; For identification and location purposes, as long as no more than the specified limited information is released; For identification of a victim of a crime if certain protective requirements are met; About decedents; To report crime on the covered entity’s premises; and To report crime in emergencies.
Law Enforcement Agents Limitations Absent a warrant or other prior process, when law enforcement is seeking to identify or locate a suspect. Disclosure of DNA information. Permission from persons who have been the victim of domestic violence or abuse before disclosing information about them to law enforcement.
Health Oversight Agencies A health oversight agency may receive PHI for designated oversight activities with written acknowledgement of receipt of the Notice of Privacy Practices or authorization.
Coroners / Medical Examiners A covered entity may disclose PHI about a decedent, without written acknowledgement of receipt of the Notice of Privacy Practices, authorization or an opportunity to agree or object, to certain classes of individuals; namely to a coroner or a medical examiner for the purpose of identifying a deceased person, determining a cause of death or other duties as authorize by law.
Coroners / Medical Examiners In most cases, a deceased individual’s PHI is entitled to the same protection as that of a live person. If a covered entity wishes to use or disclose the PHI of a deceased individual, the covered entity must seek the permission of the decedent’s personal representative.
Organ Donation Agencies A covered entity may use or disclose PHI to organ procurement organizations or other entities engaged in the procurement, banking or transplantation of cadaveric organs, eyes or tissue for donation and transplantation purposes without written acknowledgement of receipt of the Notice of Privacy Practices or authorization.
Workers’ Compensation Administrators or Agencies State law dictates the disclosure requirements for workers’ compensation purposes.
Prisoners Under HIPAA, an inmate has limited rights and a covered health care provider has limited obligations. Without written acknowledgement of receipt of the Notice of Privacy Practices, Counties may use or disclose PHI for TPO purposes. An inmate does not have a right to receive a Notice of Privacy Practices.
FDA Counties can generally disclose PHI, without authorization, “to a person subject to FDA’s jurisdiction with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity.” The rule states that these purposes include, but are not limited to, the purposes identified in the initial rule, i.e., reporting adverse events, etc.
Emancipated Minors State and other applicable laws and professional practices with respect to minors and parents preempts HIPAA.