HIPAA Privacy Rule | Permitted Uses and Disclosures

As for the HIPAA Privacy Rule “Permitted Uses and Disclosures”, as an employee you need to know that a covered entity (and other relevant parties) is permitted - but not required - to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations (source: www.hhs.gov):

  1. To the Individual (unless required for access or accounting of disclosures.
  2. Treatment, Payment, and Health Care Operations.
  3. Opportunity to Agree or Object.
  4. Incident to an otherwise permitted use and disclosure.
  5. Public Interest and Benefit Activities.
  6. Limited Data Set for the purposes of research, public health or health care operations.18 Covered entities may rely on professional ethics and best judgments in deciding which of these permissive uses and disclosures to make.

Each of the above conditions warrants further explanation, so please consider the following regarding these items:

  • “To the Individual”. It means just that - a covered entity (and other relevant parties) may disclose protected health information to the individual who is the subject of the information.
  • “Treatment, Payment, and Health Care Options”. Generally speaking, a covered entity (and other relevant parties) may use and disclose protected health information for its own treatment, payment, and health care operations activities. Furthermore, a covered entity (and other relevant parties) also may disclose protected health information for the treatment activities of any health care provider, the payment activities of another covered entity and of any health care provider, or the health care operations of another covered entity involving either quality or competency assurance activities or fraud and abuse detection and compliance activities, if both covered entities (or other relevant parties) have or had a relationship with the individual and the protected health information pertains to the relationship.
  • “Opportunity to Agree or Object”. Informal permission can also be obtained by asking the individual outright, or by relevant circumstance or situations that clearly give the individual the opportunity to agree, acquiesce, or object.
  • “Incident to an otherwise permitted use and disclosure”. The Privacy Rule also permits certain incidental uses and disclosures that occur as a by-product of another permissible or required use or disclosure, as long as the covered entity (or other relevant party) has applied reasonable safeguards and implemented the minimum necessary standard, where applicable. Furthermore, an incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a result of another use or disclosure that is permitted by the Rule. Source: www.hhs.gov | Incidental Uses and Disclosures)
  • “Public Interest and Benefit Activities”. The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes, which are the following:
  1. Required by Law
  2. Public Health Activities
  3. Victims of Abuse, Neglect, Domestic Violence
  4. Health Oversight Activities
  5. Judicial and Administrative Proceedings
  6. Law Enforcement Purposes
  7. Decedents
  8. Cadaveric Organ, Eye, or Tissue Donation
  9. Research
  10. Serious Threat to Health or Safety
  11. Essential Government Functions
  12. Worker’s Compensation
  • “Limited Data Set”. A limited data set, which essentially is protected health information that specified direct identifiers of individuals and their relatives, household members, and employers have been removed - may be used and disclosed for research, health care operations, and public health purposes, provided applicable criteria is met.

Download HIPAA Policies and Compliance Toolkits Today
hipaapoliciesandprocedures.com also offers industry leading HIPAA toolkits for both Covered Entities (CE) and Business Associates (BA) consisting of high-quality security policies and procedures, training material, readiness checklists and templates, essential legal forms, a HIPAA specific disaster recovery manual, and so much more. Learn about our industry leading HIPAA compliance toolkits today.