§ 164.502 Uses and disclosures of protected health information: general rules.
(a) Standard. A covered entity may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.
(1) Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:
(i) To the individual;
(ii) Pursuant to and in compliance with a consent that complies with § 164.506, to carry out treatment, payment, or health care operations;
(iii) Without consent, if consent is not required under § 164.506(a) and has not been sought under § 164.506(a)(4), to carry out treatment, payment, or health care operations, except with respect to psychotherapy notes;
(iv) Pursuant to and in compliance with an authorization that complies with § 164.508;
(v) Pursuant to an agreement under, or as otherwise permitted by, § 164.510; and
(vi) As permitted by and in compliance with this section, § 164.512, or § 164.514(e), (f), and (g).
(2) Required disclosures. A covered entity is required to disclose protected health information:
(i) To an individual, when requested under, and as required by §§ 164.524 or 164.528; and
(ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity's compliance with this subpart.
(b) Standard: minimum necessary. (1) Minimum necessary applies. When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
(2) Minimum necessary does not apply. This requirement does not apply to:
(i) Disclosures to or requests by a health care provider for treatment;
(ii) Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section, as required by paragraph (a)(2)(i) of this section, or pursuant to an authorization under § 164.508, except for authorizations requested by the covered entity under § 164.508(d), (e), or (f);
(iii) Disclosures made to the Secretary in accordance with subpart C of part 160 of this subchapter;
(iv) Uses or disclosures that are required by law, as described by § 164.512(a); and
(v) Uses or disclosures that are required for compliance with applicable requirements of this subchapter.
(c) Standard: uses and disclosures of protected health information subject to an agreed upon restriction. A covered entity that has agreed to a restriction pursuant to § 164.522(a)(1) may not use or disclose the protected health information covered by the restriction in violation of such restriction, except as otherwise provided in § 164.522(a).
(d) Standard: uses and disclosures of de-identified protected health information.
(1) Uses and disclosures to create de-identified information. A covered entity may use protected health information to create information that is not individually identifiable health information or disclose protected health information only to a business associate for such purpose, whether or not the de-identified information is to be used by the covered entity.
(2) Uses and disclosures of de-identified information. Health information that meets the standard and implementation specifications for de-identification under § 164.514(a) and (b) is considered not to be individually identifiable health information, i.e., de-identified. The requirements of this subpart do not apply to information that has been de-identified in accordance with the applicable requirements of § 164.514, provided that:
(i) Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and
(ii) If de-identified information is re-identified, a covered entity may use or disclose such re-identified information only as permitted or required by this subpart.
(e)(1) Standard: disclosures to business associates. (i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information.
(ii) This standard does not apply:
(A) With respect to disclosures by a covered entity to a health care provider concerning the treatment of the individual;
(B) With respect to disclosures by a group health plan or a health insurance issuer or HMO with respect to a group health plan to the plan sponsor, to the extent that the requirements of § 164.504(f) apply and are met; or
(C) With respect to uses or disclosures by a health plan that is a government program providing public benefits, if eligibility for, or enrollment in, the health plan is determined by an agency other than the agency administering the health plan, or if the protected health information used to determine enrollment or eligibility in the health plan is collected by an agency other than the agency administering the health plan, and such activity is authorized by law, with respect to the collection and sharing of individually identifiable health information for the performance of such functions by the health plan and the agency other than the agency administering the health plan.
(iii) A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the standards, implementation specifications, and requirements of this paragraph and § 164.504(e).
(2) Implementation specification: documentation. A covered entity must document the satisfactory assurances required by paragraph (e)(1) of this section through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of § 164.504(e).
(f) Standard: deceased individuals. A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual.
(g)(1) Standard: personal representatives. As specified in this paragraph, a covered entity must, except as provided in paragraphs (g)(3) and (g)(5) of this section, treat a personal representative as the individual for purposes of this subchapter.
(2) Implementation specification: adults and emancipated minors. If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.
(3) Implementation specification: unemancipated minors. If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation, except that such person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to protected health information pertaining to a health care service, if:
(i) The minor consents to such health care service; no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as the personal representative;
(ii) The minor may lawfully obtain such health care service without the consent of a parent, guardian, or other person acting in loco parentis, and the minor, a court, or another person authorized by law consents to such health care service; or
(iii) A parent, guardian, or other person acting in loco parentis assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service.
(4) Implementation specification: deceased individuals. If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.
(5) Implementation specification: abuse, neglect, endangerment situations. Notwithstanding a State law or any requirement of this paragraph to the contrary, a covered entity may elect not to treat a person as the personal representative of an individual if:
(i) The covered entity has a reasonable belief that:
(A) The individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or
(B) Treating such person as the personal representative could endanger the individual; and
(ii) The covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative.
(h) Standard: confidential communications. A covered health care provider or health plan must comply with the applicable requirements of § 164.522(b) in communicating protected health information.
(i) Standard: uses and disclosures consistent with notice. A covered entity that is required by § 164.520 to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by § 164.520(b)(1)(iii) to include a specific statement in its notice if it intends to engage in an activity listed in § 164.520(b)(1)(iii)(A)-(C), may not use or disclose protected health information for such activities, unless the required statement is included in the notice.
(j) Standard: disclosures by whistleblowers and workforce member crime victims.
(1) Disclosures by whistleblowers. A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce or a business associate discloses protected health information, provided that:
(i) The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and
(ii) The disclosure is to:
(A) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or
(B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in paragraph (j)(1)(i) of this section.
(2) Disclosures by workforce members who are victims of a crime. A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce who is the victim of a criminal act discloses protected health information to a law enforcement official, provided that:
(i) The protected health information disclosed is about the suspected perpetrator of the criminal act; and
(ii) The protected health information disclosed is limited to the information listed in § 164.512(f)(2)(i).