health system oversight (HIPAA)

HIPAA's Privacy Rule permits covered entities to disclose protected health information (PHI) to a health oversight agency for oversight activities authorized by law. Such activities include:

  • audits;
  • civil, administrative, or criminal investigations;
  • inspections;
  • licensure or disciplinary actions; and
  • civil, administrative, or criminal proceedings or actions.

Health oversight is necessary to monitor:

  • the health care system as a whole;
  • government benefit programs for which health information is relevant to beneficiary eligibility;
  • entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
  • entities subject to civil rights laws for which health information is necessary for determining compliance.

Health oversight activity does not include an investigation or other activity in which an individual is the subject of the investigation, and the investigation does not arise out of and is not directly related to:

  • the receipt of health care;
  • a claim for public benefits related to health; or
  • qualification for, or receipt of, public benefits or services when a patient’s health is integral to the claim for public benefits or services.

(As regards the second of these, if a health oversight investigation is conducted in conjunction with an oversight investigation relating to a claim for public benefits not related to health, the joint activity or investigation is considered a health oversight activity.)

If a covered entity also is a health oversight agency, the covered entity may use PHI for health oversight activities.

Last modified: 14-May-2005 [RC]

 
 

   © 2002-2006 Contributing authors and University of Miami School of Medicine