|
§
164.512 Uses and disclosures for which consent, an authorization, or opportunity
to agree or object is not required.
A
covered entity may use or disclose protected health information without the
written consent or authorization of the individual as described in §§ 164.506
and 164.508, respectively, or the opportunity for the individual to agree or
object as described in § 164.510, in the situations covered by this section,
subject to the applicable requirements of this section. When the covered entity
is required by this section to inform the individual of, or when the
individual
may agree to, a use or disclosure permitted by this section, the
covered entity’s
information and the individual’s agreement may be given orally.
(a)
Standard: uses and disclosures required by
law. (1) A covered entity may
use or disclose protected health information to the extent that such
use or
disclosure is required by law and the
use or disclosure complies with and is
limited to the relevant requirements of such law.
(2)
A covered entity must meet the requirements described in paragraph (c), (e), or
(f) of this section for uses or disclosures
required by law.
(b)
Standard: uses and disclosures for public health activities. (1) Permitted
disclosures. A covered entity may disclose protected health information for the
public health activities and purposes described in this paragraph to:
(i)
A public health authority that is authorized by law to collect or receive such
information for the purpose of preventing or controlling disease, injury, or
disability, including, but not limited to, the reporting of disease, injury,
vital events such as birth or death, and the conduct of public health
surveillance, public health investigations, and public health interventions; or,
at the direction of a public health
authority, to an official of a foreign
government agency that is acting in collaboration with a public health
authority;
(ii) A public health authority or other appropriate government authority
authorized by law to receive reports of child abuse or neglect;
(iii)
A person subject to the jurisdiction of the Food and Drug Administration:
(A)
To report adverse events (or similar reports with respect to food or dietary
supplements), product defects or problems (including problems with the use or
labeling of a product), or biological product deviations if the disclosure is
made to the person required or directed to report such information to the Food
and Drug Administration;
(B) To track products if the disclosure is made to a person required or directed
by the Food and Drug Administration to track the product;
(C) To enable product recalls, repairs, or replacement (including locating and
notifying individuals who have received products of product recalls,
withdrawals, or other problems); or
(D) To conduct post marketing surveillance to comply with requirements or at the
direction of the Food and Drug Administration;
(iv) A person who may have been exposed to a communicable disease or may
otherwise be at risk of contracting or spreading a disease or condition, if the
covered entity or public health authority is authorized by law to notify such
person as necessary in the conduct of a public health intervention or
investigation; or
(v) An employer, about an individual who is a member of the
workforce of the
employer, if:
(A) The covered entity is a covered
health care provider who is a member of the
workforce of such employer or who provides a health care to the individual at
the request of the employer:
(1) To conduct an evaluation relating to medical surveillance of the workplace;
or
(2) To evaluate whether the individual has a work-related illness or injury;
(B)
The protected health information that is disclosed consists of findings
concerning a work-related illness or injury or a workplace-related medical
surveillance;
(C) The employer needs such findings in order to comply with its obligations,
under 29 CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under state
law having a similar purpose, to record such illness or injury or to carry out
responsibilities for workplace medical surveillance;
(D) The covered health care provider provides written notice to the individual
that protected health information relating to the medical surveillance of the
workplace and work-related illnesses and injuries is disclosed to the employer:
(1) By giving a copy of the notice to the individual at the time the
health care
is provided; or
(2) If the health care is provided on the work site of the employer, by posting
the notice in a prominent place at the location where the health care is
provided.
(2)
Permitted uses. If the covered entity also is a public health
authority, the
covered entity is permitted to use protected health information in all cases in
which it is permitted to disclose such information for public health activities
under paragraph (b)(1) of this section.
(c)
Standard: disclosures about victims of abuse, neglect or domestic violence.
(1)
Permitted disclosures. Except for reports of child abuse or neglect
permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose
protected health information about an individual whom the
covered entity
reasonably believes to be a victim of abuse, neglect, or domestic violence to a
government authority, including a social service or protective services agency,
authorized by law to receive reports of such abuse, neglect, or domestic
violence:
(i)
To the extent the disclosure is required by law and the
disclosure complies with
and is limited to the relevant requirements of such law;
(ii)
If the individual agrees to the disclosure; or
(iii)
To the extent the disclosure is expressly authorized by statute or regulation
and:
(2)
Informing the individual. A covered entity that makes a disclosure
permitted by paragraph (c)(1) of this section must promptly inform the
individual that such a report has been or will be made, except if:
(i)
The covered entity, in the exercise of professional judgment, believes informing
the individual would place the individual at risk of serious harm; or
(ii)
The covered entity would be informing a personal representative, and the
covered
entity reasonably believes the personal representative is responsible for the
abuse, neglect, or other injury, and that informing such person would not be in
the best interests of the individual as determined by the
covered entity, in the
exercise of professional judgment.
(d)
Standard: uses and disclosures for health oversight activities.
(1)
Permitted disclosures. A covered entity may disclose
protected health
information to a health oversight agency for oversight activities authorized by
law, including audits; civil, administrative, or criminal investigations;
inspections; licensure or disciplinary actions; civil, administrative, or
criminal proceedings or actions; or other activities necessary for appropriate
oversight of:
(i)
The health care system;
(ii)
Government benefit programs for which health information is relevant to
beneficiary eligibility;
(iii)
Entities subject to government regulatory programs for which health information
is necessary for
determining compliance with program
standards; or
(iv)
Entities subject to civil rights laws for which health information is necessary
for determining compliance.
(2)
Exception to health oversight activities. For the purpose of the
disclosures permitted by paragraph (d)(1) of this section, a health oversight
activity does not include an investigation or other activity in which the
individual is the subject of the investigation or activity and such
investigation or other activity does not arise out of and is not directly
related to:
(i)
The receipt of health care;
(ii)
A claim for public benefits related to health; or
(iii)
Qualification for, or receipt of, public benefits or services when a patient’s
health is integral to the claim for public benefits or services.
(3)
Joint activities or investigations. Nothwithstanding paragraph (d)(2) of
this section, if a health oversight activity or investigation is conducted in
conjunction with an oversight activity or investigation relating to a claim for
public benefits not related to health, the joint activity or investigation is
considered a health oversight activity for purposes of paragraph (d) of this
section.
(4)
Permitted uses. If a covered entity also is a health oversight
agency,
the covered entity may use protected health information for health oversight
activities as permitted by paragraph (d) of this section.
(e)
Standard: disclosures for judicial and administrative proceedings.
(1)
Permitted disclosures. A covered entity may disclose
protected health
information in the course of any judicial or administrative proceeding:
(i)
In response to an order of a court or administrative tribunal, provided that the
covered entity discloses only the protected health information expressly
authorized by such order; or
(ii)
In response to a subpoena, discovery request, or other lawful process, that is
not accompanied by an order of a court or administrative tribunal, if:
(A)
The covered entity receives satisfactory assurance, as described in paragraph
(e)(1)(iii) of this section, from the party seeking the information that
reasonable efforts have been made by such party to ensure that the individual
who is the subject of the protected health information that has been requested
has been given notice of the request; or
(B)
The covered entity receives satisfactory assurance, as described in paragraph
(e)(1)(iv) of this section, from the party seeking the information that
reasonable efforts have been made by such party to secure a qualified protective
order that meets the requirements of paragraph (e)(1)(v) of this section.
(iii)
For the purposes of paragraph (e)(1)(ii)(A) of this section, a covered entity
receives satisfactory assurances from a party seeking protecting health
information if the covered entity receives from such party a written statement
and accompanying documentation demonstrating that:
(A)
The party requesting such information has made a good faith attempt to provide
written notice to the individual (or, if the
individual’s location is unknown,
to mail a notice to the individual’s last known address);
(B)
The notice included sufficient information about the litigation or proceeding in
which the protected health information is requested to permit the individual to
raise an objection to the court or administrative tribunal; and
(C)
The time for the individual to raise objections to the court or administrative
tribunal has elapsed, and:
(1)
No objections were filed; or
(2)
All objections filed by the individual have been resolved by the court or the
administrative tribunal and the disclosures being sought are consistent with
such resolution.
(iv)
For the purposes of paragraph (e)(1)(ii)(B) of this section, a covered entity
receives satisfactory assurances from a party seeking protected health
information, if the covered entity receives from such party a written statement
and accompanying documentation demonstrating that:
(A)
The parties to the dispute giving rise to the request for information have
agreed to a qualified protective order and have presented it to the court or
administrative tribunal with jurisdiction over the dispute; or
(B)
The party seeking the protected health information has requested a qualified
protective order from such court or administrative tribunal.
(v)
For purposes of paragraph (e)(1) of this section, a qualified protective
order means, with respect to protected health information requested under
paragraph (e)(1)(ii) of this section, an order of a court or of an
administrative tribunal or a stipulation by the parties to the litigation or
administrative proceeding that:
(A)
Prohibits the parties from using or disclosing the protected health information
for any purpose other than the litigation or proceeding for which such
information was requested; and
(B)
Requires the return to the covered entity or destruction of the protected health
information (including all copies made) at the end of the litigation or
proceeding.
(vi)
Nothwithstanding paragraph (e)(1)(ii) of this section, a covered entity may
disclose protected health information in response to lawful process described in
paragraph (e)(1)(ii) of this section without receiving satisfactory assurance
under paragraph (e)(1)(ii)(A) or (B) of this section, if the covered entity
makes reasonable efforts to provide notice to the individual sufficient to meet
the requirements of paragraph (e)(1)(iii) of this section or to seek a qualified
protective order sufficient to meet the requirements of paragraph (e)(1)(iv) of
this section.
(2)
Other uses and disclosures under this section. The provisions of this
paragraph do not supersede other provisions of this section that otherwise
permit or restrict uses or disclosures of protected health
information.
(f)
Standard: disclosures for law enforcement purposes. A
covered entity may
disclose protected health information for a law enforcement purpose to a law
enforcement official if the conditions in paragraphs (f)(1) through (f)(6) of
this section are met, as applicable.
(1)
Permitted disclosures: pursuant to process and as otherwise
required by law.
A covered entity may disclose protected health
information:
(i)
As required by law including laws that require the reporting of certain types of
wounds or other physical injuries, except for laws subject to paragraph
(b)(1)(ii) or (c)(1)(i) of this section; or
(ii)
In compliance with and as limited by the relevant requirements of:
(A)
A court order or court-ordered warrant, or a subpoena or summons issued by a
judicial officer;
(B)
A grand jury subpoena; or
(C)
An administrative request, including an administrative subpoena or summons, a
civil or an authorized investigative demand, or similar process authorized under
law, provided that:
(1)
The information sought is relevant and material to a legitimate law enforcement
inquiry;
(2)
The request is specific and limited in scope to the extent reasonably
practicable in light of the purpose for which the information is sought; and
(3)
De-identified information could not reasonably be used.
(2)
Permitted disclosures: limited information for identification and location
purposes. Except for disclosures required by law as permitted by paragraph
(f)(1) of this section, a covered entity may disclose protected health
information in response to a law enforcement official’s request for such
information for the purpose of identifying or locating a suspect, fugitive,
material witness, or missing person, provided that:
(i)
The covered entity may disclose only the following information:
(A)
Name and address;
(B)
Date and place of birth;
(C)
Social security number;
(D)
ABO blood type and rh factor;
(E)
Type of injury;
(F)
Date and time of treatment;
(G)
Date and time of death, if applicable; and
(H)
A description of distinguishing physical characteristics, including height,
weight, gender, race, hair and eye color, presence or absence of facial hair
(beard or moustache), scars, and tattoos.
(ii)
Except as permitted by paragraph (f)(2)(i) of this section, the covered entity
may not disclose for the purposes of identification or location under paragraph
(f)(2) of this section any protected health information related to the
individual’s DNA or DNA analysis, dental records, or typing, samples or
analysis of body fluids or tissue.
(3)
Permitted disclosure: victims of a crime. Except for
disclosures required
by law as permitted by paragraph (f)(1) of this section, a covered entity may
disclose protected health information in response to a law enforcement official’s
request for such information about an individual who is or is suspected to be a
victim of a crime, other than disclosures that are subject to paragraph (b) or
(c) of this section, if:
(ii)
The individual agrees to the disclosure; or
(iii)
The covered entity is unable to obtain the individual’s agreement because of
incapacity or other emergency circumstance, provided that:
(A)
The law enforcement official represents that such information is needed to
determine whether a violation of law by a person other than the victim has
occurred, and such information is not intended to be used against the victim;
(B)
The law enforcement official represents that immediate law enforcement activity
that depends upon the disclosure would be materially and adversely affected by
waiting until the individual is able to agree to the disclosure; and
(C)
The disclosure is in the best interests of the
individual as determined by the
covered entity, in the exercise of professional judgment.
(4)
Permitted disclosure: decedents. A covered entity may disclose
protected
health information about an individual who has died to a
law enforcement
official for the purpose of alerting law enforcement of the death of the
individual if the covered entity has a suspicion that such death may have
resulted from criminal conduct.
(5)
Permitted disclosure: crime on premises. A covered entity may disclose to
a law enforcement official protected health information that the
covered entity
believes in good faith constitutes evidence of criminal conduct that occurred on
the premises of the covered
entity.
(6)
Permitted disclosure: reporting crime in emergencies. (i) A covered
health care provider providing emergency health care in response to a medical
emergency, other than such emergency on the premises of the covered health care
provider, may disclose protected health information to a law enforcement
official if such disclosure appears necessary to alert law enforcement to:
(A)
The commission and nature of a crime;
(B)
The location of such crime or of the victim(s) of such crime; and
(C)
The identity, description, and location of the perpetrator of such crime.
(ii)
If a covered health care provider believes that the medical emergency described
in paragraph (f)(6)(i) of this section is the result of abuse, neglect, or
domestic violence of the individual in need of emergency
health care, paragraph
(f)(6)(i) of this section does not apply and any disclosure to a
law enforcement
official for law enforcement purposes is subject to paragraph (c) of this
section.
(g)
Standard: uses and disclosures about decedents. (1) Coroners and
medical examiners. A covered entity may disclose protected health
information to a coroner or medical examiner for the purpose of identifying a
deceased person, determining a cause of death, or other duties as authorized by
law. A covered entity that also performs the duties of a coroner or medical
examiner may use protected health information for the purposes described in this
paragraph.
(2)
Funeral directors. A covered entity may disclose protected health
information to funeral directors, consistent with applicable law, as necessary
to carry out their duties with respect to the decedent. If necessary for funeral
directors carry out their duties, the covered entity may disclose the protected
health information prior to, and in reasonable anticipation of, the individual’s
death.
(h)
Standard: uses and disclosures for cadaveric organ, eye or tissue donation
purposes. A covered entity may use or disclose protected health information
to organ procurement organizations or other entities engaged in the procurement,
banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose
of facilitating organ, eye or tissue donation and transplantation.
(i)
Standard: uses and disclosures for research purposes. (1) Permitted
uses and disclosures. A covered entity may
use or disclose
protected health
information for research, regardless of the source of funding of the
research,
provided that:
(i)
Board approval of a waiver of authorization. The covered entity obtains
documentation that an alteration to or waiver, in whole or in part, of the
individual authorization required by §164.508 for use or disclosure of
protected health information has been approved by either:
(A)
An Institutional Review Board (IRB), established in accordance with 7 CFR
1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR
56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFR
97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR
11.107; or
(B)
A privacy board that:
(1)
Has members with varying backgrounds and appropriate professional competency as
necessary to review the effect of the research protocol on the individual’s
privacy rights and related interests;
(2)
Includes at least one member who is not affiliated with the covered
entity, not
affiliated with any entity conducting or sponsoring the research, and not
related to any person who is affiliated with any of such entities; and
(3)
Does not have any member participating in a review of any project in which the
member has a conflict of interest.
(ii)
Reviews preparatory to research. The covered entity obtains from the
researcher representations that:
(A)
Use or disclosure is sought solely to review
protected health information as
necessary to prepare a research protocol or for similar purposes preparatory to
research;
(B)
No protected health information is to be removed from the
covered entity by the
researcher in the course of the review; and
(C)
The protected health information for which
use or access is sought is necessary
for the research purposes.
(iii)
Research on decedent’s information. The covered entity obtains from the
researcher:
(A)
Representation that the use or disclosure is sought is solely for
research on
the protected health information of decedents;
(B)
Documentation, at the request of the covered
entity, of the death of such individuals; and
(C)
Representation that the protected health information for which
use or disclosure
is sought is necessary for the research purposes.
(2)
Documentation of waiver approval. For a use or disclosure to be permitted
based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i)
of this section, the documentation must include all of the following:
(i)
Identification and date of action. A statement identifying the IRB or
privacy board and the date on which the alteration or waiver of authorization
was approved;
(ii)
Waiver criteria. A statement that the IRB or privacy board has determined
that the alteration or waiver, in whole or in part, of authorization satisfies
the following criteria:
(A)
The use or disclosure of protected health information involves no more than
minimal risk to the individuals;
(B)
The alteration or waiver will not adversely affect the privacy rights and the
welfare of the individuals;
(C)
The research could not practicably be conducted without the alteration or
waiver;
(D)
The research could not practicably be conducted without access to and
use of the
protected health information;
(E)
The privacy risks to individuals whose protected health information is to be
used or disclosed are reasonable in relation to the anticipated benefits if any
to the individuals, and the importance of the knowledge that may reasonably be
expected to result from the research;
(F)
There is an adequate plan to protect the identifiers from improper use and disclosure;
(G)
There is an adequate plan to destroy the identifiers at the earliest opportunity
consistent with conduct of the research, unless there is a health or
research
justification for retaining the identifiers, or such retention is otherwise
required by law; and
(H)
There are adequate written assurances that the protected health information will
not be reused or disclosed to any other person or entity, except as required by
law, for authorized oversight of the research project, or for other
research for
which the use or disclosure of protected health information would be permitted
by this subpart.
(iii)
Protected health information needed. A brief description of the protected
health information for which use or access has been determined to be necessary
by the IRB or privacy board has determined, pursuant to paragraph (i)(2)(ii)(D)
of this section;
(iv)
Review and approval procedures. A statement that the alteration or waiver
of authorization has been reviewed and approved under either normal or expedited
review procedures, as follows:
(A)
An IRB must follow the requirements of the Common Rule, including the normal
review procedures (7 CFR 1c.108(b), 10 CFR 745.108(b), 14 CFR 1230.108(b), 15
CFR 27.108(b), 16 CFR 1028.108(b), 21 CFR 56.108(b), 22 CFR 225.108(b), 24 CFR
60.108(b), 28 CFR 46.108(b), 32 CFR 219.108(b), 34 CFR 97.108(b), 38 CFR
16.108(b), 40 CFR 26.108(b), 45 CFR 46.108(b), 45 CFR 690.108(b), or 49 CFR
11.108(b)) or the expedited review procedures (7 CFR 1c.110, 10 CFR 745.110, 14
CFR 1230.110, 15 CFR 27.110, 16 CFR 1028.110, 21 CFR 56.110, 22 CFR 225.110, 24
CFR 60.110, 28 CFR 46.110, 32 CFR 219.110, 34 CFR 97.110, 38 CFR 16.110, 40 CFR
26.110, 45 CFR 46.110, 45 CFR 690.110, or 49 CFR 11.110);
(B)
A privacy board must review the proposed research at convened meetings at which
a majority of the privacy board members are present, including at least one
member who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2) of
this section, and the alteration or waiver of authorization must be approved by
the majority of the privacy board members present at the meeting, unless the
privacy board elects to use an expedited review procedure in accordance with
paragraph (i)(2)(iv)(C) of this section;
(C)
A privacy board may use an expedited review procedure if the research involves
no more than minimal risk to the privacy of the individuals who are the subject
of the protected health information for which
use or disclosure is being sought.
If the privacy board elects to use an expedited review procedure, the review and
approval of the alteration or waiver of authorization may be carried out by the
chair of the privacy board, or by one or more members of the privacy board as
designated by the chair; and
(v)
Required signature. The documentation of the alteration or waiver of
authorization must be signed by the chair or other member, as designated by the
chair, of the IRB or the privacy board, as applicable.
(j)
Standard: uses and disclosures to avert a serious threat to health or safety.
(1) Permitted disclosures. A covered entity may, consistent with
applicable law and standards of ethical conduct, use or disclose protected
health information, if the covered
entity, in good faith, believes the use or disclosure:
(i)(A)
Is necessary to prevent or lessen a serious and imminent threat to the health or
safety of a person or the public; and
(B)
Is to a person or persons reasonably able to prevent or lessen the threat,
including the target of the threat; or
(ii)
Is necessary for law enforcement authorities to identify or apprehend an individual:
(A)
Because of a statement by an individual admitting participation in a violent
crime that the covered entity reasonably believes may have caused serious
physical harm to the victim; or
(B)
Where it appears from all the circumstances that the individual has escaped from
a correctional institution or from lawful custody, as those terms are defined in
§ 164.501.
(2)
Use or disclosure not permitted.. A use or
disclosure pursuant to
paragraph (j)(1)(ii)(A) of this section may not be made if the information
described in paragraph (j)(1)(ii)(A) of this section is learned by the covered
entity:
(i)
In the course of treatment to affect the propensity to commit the criminal
conduct that is the basis for the disclosure under paragraph (j)(1)(ii)(A) of
this section, or counseling or therapy; or
(ii)
Through a request by the individual to initiate or to be referred for the
treatment, counseling, or therapy described in paragraph (j)(2)(i) of this
section.
(3)
Limit on information that may be disclosed. A disclosure made pursuant to
paragraph (j)(1)(ii)(A) of this section shall contain only the statement
described in paragraph (j)(1)(ii)(A) of this section and the protected health
information described in paragraph (f)(2)(i) of this section.
(4)
Presumption of good faith belief. A covered entity that uses or discloses
protected health information pursuant to paragraph (j)(1) of this section is
presumed to have acted in good faith with regard to a belief described in
paragraph (j)(1)(i) or (ii) of this section, if the belief is based upon the
covered entity’s actual knowledge or in reliance on a credible representation
by a person with apparent knowledge or authority.
(k)
Standard: uses and disclosures for specialized government functions. (1)
Military and veterans activities. (i) Armed Forces personnel. A
covered entity may use and disclose the protected health information of
individuals who are Armed Forces personnel for activities deemed necessary by
appropriate military command authorities to assure the proper execution of the
military mission, if the appropriate military authority has published by notice
in the Federal Register the following information:
(A)
Appropriate military command authorities; and
(B)
The purposes for which the protected health information may be
used or
disclosed.
(ii)
Separation or discharge from military service. A covered entity that is a
component of the Departments of Defense or Transportation may disclose to the
Department of Veterans Affairs (DVA) the protected health information of an
individual who is a member of the Armed Forces upon the separation or discharge
of the individual from military service for the purpose of a determination by
DVA of the individual’s eligibility for or entitlement to benefits under laws
administered by the Secretary of Veterans Affairs.
(iii)
Veterans. A covered entity that is a component of the Department of
Veterans Affairs may use and disclose protected health information to components
of the Department that determine eligibility for or entitlement to, or that
provide, benefits under the laws administered by the Secretary of Veterans
Affairs.
(iv)
Foreign military personnel. A covered entity may use and disclose the
protected health information of individuals who are foreign military personnel
to their appropriate foreign military authority for the same purposes for which
uses and disclosures are permitted for Armed Forces personnel under the notice
published in the Federal Register pursuant to paragraph (k)(1)(i) of this
section.
(2)
National security and intelligence activities. A covered entity may
disclose protected health information to authorized federal officials for the
conduct of lawful intelligence, counter-intelligence, and other national
security activities authorized by the National Security Act (50 U.S.C. 401, et
seq.) and implementing authority (e.g., Executive Order 12333).
(3)
Protective services for the President and others. A covered entity may
disclose protected health information to authorized federal officials for the
provision of protective services to the President or other persons authorized by
18 U.S.C. 3056, or to foreign heads of state or other persons authorized by 22
U.S.C. 2709(a)(3), or to for the conduct of investigations authorized by 18
U.S.C. 871 and 879.
(4)
Medical suitability determinations. A covered entity that is a component
of the Department of State may use protected health information to make medical
suitability determinations and may disclose whether or not the individual was
determined to be medically suitable to the officials in the Department of State
who need access to such information for the following purposes:
(i)
For the purpose of a required security clearance conducted pursuant to Executive
Orders 10450 and 12698;
(ii)
As necessary to determine worldwide availability or availability for mandatory
service abroad under sections 101(a)(4) and 504 of the Foreign Service Act; or
(iii)
For a family to accompany a Foreign Service member abroad, consistent with
section 101(b)(5) and 904 of the Foreign Service Act.
(5)
Correctional institutions and other law enforcement custodial situations. (i) Permitted
disclosures. A covered entity may disclose to a
correctional institution or a law enforcement official having lawful custody of
an inmate or other individual
protected health information about such
inmate or
individual, if the correctional institution or such
law enforcement official
represents that such protected health information is necessary for:
(A)
The provision of health care to such individuals;
(B)
The health and safety of such individual or other
inmates;
(C)
The health and safety of the officers or employees of or others at the
correctional institution;
(D)
The health and safety of such individuals and officers or other persons
responsible for the transporting of inmates or their transfer from one
institution, facility, or setting to another;
(E)
Law enforcement on the premises of the correctional
institution; and
(F)
The administration and maintenance of the safety, security, and good order of
the correctional institution.
(ii)
Permitted uses. A covered entity that is a correctional institution may
use protected health information of individuals who are
inmates for any purpose
for which such protected health information may be disclosed.
(iii)
No application after release. For the purposes of this provision, an
individual is no longer an inmate when released on parole, probation, supervised
release, or otherwise is no longer in lawful custody.
(6)
Covered entities that are government programs providing public benefits. (i) A health plan that is a government program providing public benefits may
disclose protected health information relating to eligibility for or enrollment
in the health plan to another agency administering a government program
providing public benefits if the sharing of eligibility or enrollment
information among such government agencies or the maintenance of such
information in a single or combined data system accessible to all such
government agencies is required or expressly authorized by statute or
regulation.
(ii)
A covered entity that is a government agency administering a government program
providing public benefits may disclose protected health information relating to
the program to another covered entity that is a government agency administering
a government program providing public benefits if the programs serve the same or
similar populations and the disclosure of protected health information is
necessary to coordinate the covered functions of such programs or to improve
administration and management relating to the covered functions of such
programs.
(l)
Standard: disclosures for workers’ compensation. A
covered entity may
disclose protected health information as authorized by and to the extent
necessary to comply with laws relating to workers’ compensation or other
similar programs, established by law, that provide benefits for work-related
injuries or illness without regard to fault.
|
