Covered entities may use their professional judgment when releasing information to a member or in the course of what is known as Treatment, Payment and Operations if the use or disclosure is determined to be in the best interest of the individual such as when the individual is incapacitated, in an emergency situation, or not available.
Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, agree with some reluctance, or object.
A covered entity and their business associates must develop and implement policies and procedures that restrict access and uses of protected health information based on the specific roles of the members of their workforce. These policies and procedures must identify the persons, or classes of persons, in the workforce who need access to protected health information to carry out their duties, the categories of protected health information to which access is needed, and any conditions under which they need the information to do their jobs.
A covered entity and business associates must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. However, a covered entity or business associate can not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances.
All authorizations must be in plain language, and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data.
A covered entity must always obtain an individual’s authorization to use or disclose psychotherapy notes with the following exceptions (Meritain Health has a separate authorization for this purpose).
• The covered entity who originated the notes may use them for treatment.
• A covered entity may use or disclose, without an individual’s authorization, psychotherapy notes, for its own training, and to defend itself in legal proceedings brought by the individual, for HHS to investigate or determine the covered entity’s compliance with the Privacy Rules, to avert a serious and imminent threat to public health or safety, to a health oversight agency for lawful oversight of the originator of the psychotherapy notes, for the lawful activities of a coroner or medical examiner, or as required by law.
The HIPAA Privacy Rule expressly permits certain covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of those individuals who, for mental health reasons are prohibited by Federal law from having a firearm.
Releasing PHI without an Authorization:
The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes. These disclosures are permitted, although not required, by the Rule in recognition of the important uses made of health information outside of the health care context. Specific conditions or limitations apply to each public interest purpose.
|Required by law||Public Health Activities|
|Victims of Abuse, Neglect or Domestic Violence||Health Oversight Activities|
|Judicial and Administrative Proceedings||Law Enforcement Purposes|
|Essential Government Functions||Research. Serious threat to Health or Safety|
|Workers Compensation||Cadaveric Organ, Eye, or Tissue Donation|
|Decedents: Covered entities may disclose protected health information to funeral directors as needed, and to coroners or medical examiners to identify a deceased person, determine the cause of death and perform other functions by law.|
This content is being provided as an informational tool. It is believed to be accurate at the time of posting and is subject to change. It is recommended that plans consult with their own experts or counsel to review all applicable federal and state legal requirements that may apply to their group health plan. By providing this information, Meritain Health is not exercising discretionary authority or assuming a plan fiduciary role, nor is Meritain Health providing legal advice.