uses and disclosures, general rules (HIPAA)

Under HIPAA rules, covered entities are generally permitted to use or disclose protected health information (PHI):

• to the individual or his/her authorized personal representative (this is required when the individual makes a formal request for access (per 45 CFR 164.524, 528);

• for treatment, payment or other health care operations, without any specific legal permission, or in compliance with an optional consent (per 45 CFR 164.506);

• for other purposes, in compliance with an authorization (per 45 CFR 164.508) or other agreement (per 45 CFR 164.510);

• for research, provided an IRB or Privacy Board has approved a waiver of authorization (per 45 CFR 164.514);

• in compliance with uses and disclosures permitted for law enforcement, for judicial or administrative proceedings, for public health activities or health system oversight, and other purposes identified in 45 CFR 164.512;

• to avert a serious, imminent threat to public health or safety (45 CFR 164.514);

• to the Secretary of DHHS for investigations of complaints or general compliance reviews (this is required when DHHS makes a formal request (per 45 CFR 160.306, 308);

• for fundraising or marketing, as limited by 45 CFR 164.514; or

• when the PHI has been adequately deidentified (per 45 CFR 164.514).

With some exceptions (e.g., related to information exchanged between/among providers for treatment), such uses and disclosures must adhere to a minimum necessary standard.

last modified: 12-Aug-2002 (RC)