Under HIPAA's Privacy Rule, uses and disclosures of protected health information (PHI) by covered entities can be divided into four categories:

• core uses and disclosures, for which no permission is required -- although an optional consent can be employed -- which includes routine treatment, payment and other health care operations;

• those requiring a supplemental authorization -- such as most kinds of research, and some kinds or marketing and fundraising;

• those requiring an opportunity to agree or object, but no written authorization; and

• those not requiring even an opportunity to agree or object.

The third of these categories includes the limited subset of PHI used for for facility directories, and disclosures to those involved in a person's care. (As regards the latter, see the discussion of personal representatives.)

The fourth category includes PHI uses and disclosures:

• for public health activities;

• about victims of abuse, neglect or domestic violence;

• for health oversight activities;

• for judicial or administrative proceedings;

• for law enforcement;

• about deceased persons (including cadaveric organ and tissue donations);

• where permitted by an IRB or Privacy Board waiver, for research;

• to avert a serious, imminent threat to public safety;

• certain government functions (e.g., national security, military, corrections);

• or anything else required by law.

In most cases, the language of the regulations for this fourth category is that the covered entity "may disclose" such information -- indicating it is permitted but not required by HIPAA.

Individuals are entitled to an accounting of disclosures in the fourth category, though that accounting may be temporarily suspended in certain circumstances.

See also:

• 45 CFR 164.506, 45 CFR 164.508, 45 CFR 164. 510, 45 CFR 164.512

  Last modified: 10-May-2005 [RC]