abuse, neglect, domestic violence (HIPAA)

HIPAA's Privacy Rule permits covered entities to disclose protected health information (PHI) about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence.

Such disclosures can be made only to government agencies authorized by law to receive such reports, such as:

  • social service or protective services agencies; and

The disclosures must comply with, but also be limited to, the relevant requirements of such law.

The individual, or his/her personal representative, must agree to the disclosure. In the absence of such agreement, the disclosure may be made to the extent explicitly authorized by statute or regulation, provided that:

  • the covered entity, in the exercise of professional judgment, must believe the disclosure without agreement is necessary to prevent serious harm to the individual or other potential victims; or
  • the individual is unable to agree because of incapacity, and a law enforcement or other public official authorized to receive the report represents that the PHI for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.

A covered entity that makes such a disclosure must promptly inform the individual that such a report has been or will be made, except if the covered entity:

  • in the exercise of professional judgment, believes informing the individual would place the individual at risk of serious harm; or
  • would be informing a personal representative, and the covered entity reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual.

Last modified: 24-Apr-2006 [RC]


   © 2002-2006 Contributing authors and University of Miami School of Medicine