
HIPAA CE Privacy - Authorized and Unauthorized Disclosures

Guidance for implementing HIPAA CE Privacy requirements related to authorized and unauthorized disclosures.

Written by Drew Salisbury
Updated over 3 weeks ago

For detailed requirement language, visit the U.S. Dept of Health and Human Services.

Requirement

Guidance

§164.502(a)(5)(i): Prohibited uses and disclosures - Use and disclosure of genetic information for underwriting purposes

Unless your organization is an issuer of long-term care policies, define requirements for ensuring the health plan does not use or disclose PHI that is genetic information for underwriting purposes. View instructions for defining underwriting requirements.

Define any underwriting exclusions—clarify that underwriting purposes do not include determinations of medical appropriateness where an individual seeks a benefit under the plan.

To ensure clarity and compliance, define genetic information, genetic services, and genetic testing.

Implement monitoring and audit mechanisms to ensure genetic information is not used for prohibited purposes.

Documentation and retention guidelines should cover the retention of policies and procedures related to genetic information for at least six years.

§164.502(g): Personal representatives

Implement controls over personal representatives as it pertains to disclosure and access to PHI.

Address the following:

- For the purposes of PHI access and disclosure, treat a personal representative as the individual as required under applicable law.

- Recognize individuals with legal authority to act on behalf of adults or emancipated minors as personal representatives for relevant PHI.

- Ensure compliance with state and federal laws regarding when a parent, guardian, or individual acting in loco parentis is or is not the personal representative of an unemancipated minor.

- Allow minors to act as their own representatives in situations defined by law (e.g., confidential services, self-consented care).

- Treat an executor, administrator, or other legally authorized person as the personal representative for the deceased individual’s PHI.

- In cases of suspected domestic violence, abuse, or neglect, use professional judgment to determine if treating an individual as the personal representative would endanger the individual or is not in their best interest.

§164.502(i): Uses and disclosures consistent with notice

Establish policies for participation in Organized Health Care Arrangements (OHCA), ensuring compliance with any applicable HIPAA requirements.

Ensure all participating entities agree to abide by the terms of the OHCA, including the handling of shared PHI.

Permit the use and disclosure of PHI among participating covered entities in the OHCA as necessary for treatment, payment, and health care operations.

Thoropass' HIPAA CE Privacy Policy covers OHCA participation. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

Documentation and retention guidelines should cover the retention of records of OHCAs, including agreements, policies, and procedures, for at least six years.

§164.502(j)(1): Disclosures by whistleblowers

Allow disclosures of PHI when necessary to prevent or lessen a serious and imminent threat to health or safety, provided such disclosure is made to a person or entity able to prevent or mitigate the threat.

Any such disclosure must be based on a good faith belief that the disclosure is necessary to avert a serious threat, involve professional judgment, and comply with applicable laws and ethical guidelines.

Maintain records of all disclosures made under this provision, including the basis for determining the threat and the entities to which the information was disclosed.

§164.502(j)(2): Disclosures by workforce members who are victims of a crime

Allow disclosures of PHI when necessary to prevent or lessen a serious and imminent threat to health or safety, provided such disclosure is made to a person or entity able to prevent or mitigate the threat.

Any such disclosure must be based on a good faith belief that the disclosure is necessary to avert a serious threat, involve professional judgment, and comply with applicable laws and ethical guidelines.

Maintain records of all disclosures made under this provision, including the basis for determining the threat and the entities to which the information was disclosed.

§164.504(f): Requirements for group health plans

Allow disclosures of PHI to group health plans only as necessary for plan administration purposes and in compliance with HIPAA.

Prohibit group health plans from using or disclosing PHI for employment-related actions or other non-plan purposes.

Require plan sponsors to provide written certification that they will safeguard PHI and comply with HIPAA requirements before disclosing any PHI to them.

Limit disclosures to group health plans to the minimum necessary information required for plan administration.

Document disclosures to group health plans and implement monitoring to ensure compliance with HIPAA requirements.

§164.504(g): Requirements for a covered entity with multiple covered functions

Establish, document, and enforce policies to segregate PHI handling by covered function (health plan, health care provider, or health care clearinghouse) and restrict workforce access to PHI based on the specific function being performed.

Review and update PHI handling policies at least annually or after significant changes.

Conduct regular audits and enforce compliance with documented sanctions for violations.

Train workforce members on function-specific PHI handling and segregation requirements, and ensure policies are communicated and acknowledged by all relevant staff.

Thoropass' HIPAA CE Privacy Policy covers segregation of PHI handling. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

§164.506(a): Permitted uses and disclosures

Allow uses and disclosures of PHI for treatment, payment, and health care operations without requiring patient authorization, as permitted by HIPAA.

PHI should only be used or disclosed for treatment, payment, and health care operations without the written authorization of the individual when such use or disclosure is required by law and the use or disclosure complies with, and is limited to, the relevant requirements of the law.

Document and monitor all uses and disclosures to ensure they align with treatment, payment, and health care operations purposes.

§164.506(b)(1&2): Consent for uses and disclosures

Develop and enforce a policy to manage individual consent for using or disclosing PHI for treatment, payment, or health care operations, ensuring consent is not used where authorization is required.

Maintain secure records of consents obtained, with clear procedures for storage and retention in compliance with HIPAA requirements.

Conduct periodic reviews of consent practices to ensure compliance.

Thoropass' HIPAA CE Privacy Policy covers individual consent. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

§164.508(a)(1-3)(b)(1&2): Authorizations for uses and disclosures

Require written authorization from the individual before using or disclosing PHI, except as permitted or required by HIPAA without authorization. View instructions for documenting authorizations.

Ensure that written authorizations include the required core elements, such as a description of the PHI, the purpose of use/disclosure, expiration date, and the individual’s signature.

Include all required statements in the authorization, such as the individual's right to revoke authorization, conditions on treatment/payment based on authorization, and potential redisclosure risks.

Verify that authorizations meet HIPAA requirements for validity before disclosing PHI.

Documentation and retention guidelines should cover the retention of copies of all signed authorizations and any related documentation for at least six years.

§164.508(b)(3): Compound authorizations - Exceptions

Ensure that authorizations for the use or disclosure of PHI are not combined with other documents to create a compound authorization, except in limited circumstances as allowed under HIPAA.

Authorizations for research purposes may be combined with another authorization for the same research project.

Authorizations for use or disclosure of psychotherapy notes may not be combined with other types of authorizations.

Ensure all combined authorizations are clearly delineated and compliant with HIPAA’s specific provisions for compound authorizations.

Documentation and retention guidelines should cover the retention of records of all compound authorizations for at least six years.

§164.508(b)(4): Prohibition on conditioning of authorizations

Do not condition the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits on an individual’s authorization for the use or disclosure of PHI, except as explicitly allowed by HIPAA.

Permissible exceptions include authorizations for research-related treatment, enrollment in certain health plans, and services provided solely for creating PHI.

Clearly inform individuals of the reason for any exceptions to ensure transparency and compliance.

Retain records of any exception-based authorizations to demonstrate compliance with HIPAA’s retention requirements.

§164.510(a)(1&2): Use and disclosure for facility directories - Opportunity to object

Develop and implement policies for including patient information (e.g., name, location, condition, religious affiliation) in facility directories.

Provide clear processes for individuals to object to inclusion in facility directories and document their preferences.

Establish protocols for including individuals in directories during emergencies where obtaining preferences is impractical, ensuring compliance with HIPAA.

Restrict access to facility directory information to authorized personnel and ensure it is used only for intended purposes.

Thoropass' HIPAA CE Privacy Policy covers facility directories. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

§164.510(a)(3): Uses and disclosures for facility directories in emergency circumstances

Develop and implement policies for including patient information (e.g., name, location, condition, religious affiliation) in facility directories.

Define and document conditions where directory information can be included during emergencies when obtaining objections is not feasible. Maintain records of these disclosures, including the purpose and justification for disclosure.

Thoropass' HIPAA CE Privacy Policy covers facility directories. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

§164.510(b)(1): Permitted uses and disclosures

Establish clear policies for disclosing PHI to family members, close contacts, or others involved in the patient’s care, based on the individual’s consent or inferred agreement.

Define procedures for disclosures during emergencies or when the individual is incapacitated, ensuring disclosures align with HIPAA.

Maintain a record of disclosures made to family or others involved in care, including the purpose and scope of the information shared.

Develop procedures for notifying family members or others about the patient’s location or condition, consistent with the individual’s preferences.

Thoropass' HIPAA CE Privacy Policy covers family member disclosures. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

§164.510(b)(2): Uses and disclosures with the individual present

Use or disclose PHI only after obtaining the individual’s explicit agreement.

Before disclosing PHI, offer the individual an opportunity to object. If the individual does not express an objection, proceed with the disclosure.

If the individual is present and does not explicitly object, reasonably infer their agreement based on the circumstances and professional judgment.

Ensure the disclosure is limited to information relevant to the individual’s care or notification purposes, as outlined in §164.510(b)(1).

§164.510(b)(3): Limited uses and disclosures when the individual is not present

Implement a process to disclose PHI in situations where the individual is not present or unable to provide consent due to incapacity or emergency, if you determine the disclosure is in the individual's best interests.

Use professional judgment and ensure only the PHI directly relevant to the recipient's involvement in the individual's care, payment, or notification is disclosed.

Infer the individual's best interest based on experience and common practice, such as allowing someone to pick up prescriptions, medical supplies, or X-rays on behalf of the individual.

Record the circumstances, recipient, and the professional judgment supporting the disclosure to ensure accountability and compliance.

§164.510(b)(4): Uses and disclosures for disaster relief purposes

Allow the use or disclosure of PHI to public or private entities authorized by law or charter to assist in disaster relief efforts.

Limit disclosures to the purpose of coordinating disaster relief efforts, such as locating individuals or notifying family members of their condition or location.

Use professional judgment to ensure disclosures are made in the best interest of individuals while supporting disaster response efforts.

Apply the requirements that govern all other such disclosures (when the individual is present, not present, or has provided verbal agreement), unless professional judgment determines that those requirements hinder the ability to respond effectively to the disaster.

Record disclosures made for disaster relief purposes, including the recipient entity, the purpose of disclosure, and the emergency context.

§164.510(b)(5): Uses and disclosures when the individual is deceased

Allow the disclosure of PHI to family members or other individuals involved in the deceased individual’s care or payment for healthcare prior to their death.

Limit the disclosure to PHI that is directly relevant to the person’s involvement with the individual’s care or payment.

Ensure that disclosures are not made if they conflict with any known, previously expressed preferences of the deceased individual.

Use professional judgment to assess the appropriateness of the disclosure, considering the individual's preferences and the recipient's role in their care or payment.

Maintain records of disclosures, including the recipient, the scope of information disclosed, and any prior expressed preferences that guided the decision.

§164.512(a): Uses and disclosures required by law

Define a policy that governs PHI disclosures required by law, ensuring compliance with all applicable legal mandates.

Implement procedures to verify the legitimacy and authority of legal requests for PHI disclosure.

Maintain records of all PHI disclosures made under legal requirements, including the requesting entity and the justification for the disclosure.

Thoropass' HIPAA CE Privacy Policy covers disclosures required by law. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

§164.512(b): Uses and disclosures for public health activities

Define policies for disclosures to public health authorities for disease control, prevention, and other public health purposes.

Implement procedures to verify the legitimacy and authority of public health agencies requesting PHI.

Maintain records of PHI disclosures to public health authorities, including the scope of information shared and the purpose of the disclosure.

Ensure that only the minimum necessary PHI is disclosed for public health activities.

Thoropass' HIPAA CE Privacy Policy covers disclosures to public health authorities. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

§164.512(c): Disclosures about victims of abuse, neglect or domestic violence

Define policies for disclosures of PHI related to victims of abuse, neglect, or domestic violence, including when disclosures are permissible and mandatory.

Implement procedures to assess and verify the risk to the victim before disclosing PHI to authorities or other parties.

Maintain detailed records of disclosures related to abuse, neglect, or domestic violence, including the justification and recipient information.

Ensure that only the minimum necessary PHI is disclosed in abuse or neglect situations.

Thoropass' HIPAA CE Privacy Policy covers disclosures related to victims. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

§164.512(d): Uses and disclosures for health oversight activities

Define policies for disclosures of PHI to health oversight agencies for audits, investigations, licensure, and other oversight activities.

Implement procedures to verify the legitimacy and authority of health oversight agencies requesting PHI.

Maintain records of PHI disclosures made to health oversight agencies, including the scope of information shared and the purpose of the disclosure.

Ensure that only the minimum necessary PHI is disclosed for health oversight activities.

Thoropass' HIPAA CE Privacy Policy covers health oversight agency disclosures. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

§164.512(e): Disclosures for judicial and administrative proceedings

Define policies for disclosing PHI in response to subpoenas, court orders, or other legal requests in judicial and administrative proceedings.

Implement procedures to verify the legitimacy of subpoenas, court orders, or other legal instruments before disclosing PHI.

Maintain records of all PHI disclosures made in response to judicial or administrative proceedings, including the legal request and justification for disclosure.

Ensure that only the minimum necessary PHI is disclosed in response to legal proceedings.

Thoropass' HIPAA CE Privacy Policy covers judicial disclosure requests. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

§164.512(f)(1): Disclosures for law enforcement purposes

Define policies for responding to law enforcement requests for PHI, including subpoenas, court orders, warrants, and emergency disclosures.

Define and implement procedures to verify the legitimacy and authority of law enforcement requests and legal documents, such as subpoenas or warrants, before disclosing PHI.

Maintain detailed records of PHI disclosures made to law enforcement, including the justification and legal basis for disclosure.

Ensure that only the minimum necessary PHI is disclosed to law enforcement, consistent with the purpose of the request.

Thoropass' HIPAA CE Privacy Policy covers disclosures to law enforcement. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

§164.512(f)(2): Disclosures for law enforcement purposes - Identification and location

Define policies for responding to law enforcement requests for PHI, including subpoenas, court orders, warrants, and emergency disclosures.

Define and implement procedures to verify the legitimacy and authority of law enforcement requests and legal documents, such as subpoenas or warrants, before disclosing PHI.

Disclose PHI to law enforcement officials solely for the purposes of identifying or locating a suspect, fugitive, material witness, or missing person.

Restrict disclosures to the following categories of information:

- Name and address

- Date and place of birth

- Social security number

- ABO blood type and Rh factor

- Type of injury

- Date and time of treatment

- Date and time of death (if applicable)

- Description of distinguishing physical characteristics (e.g., height, weight, gender, race, hair and eye color, facial hair, scars, tattoos)

Prohibit disclosures related to DNA or DNA analysis, dental records, or typing/samples/analysis of blood fluids or tissue for identification or location purposes.

Maintain detailed records of PHI disclosures made to law enforcement, including the justification and legal basis for disclosure.

Include disclosures for identification or location purposes in regular compliance audits to confirm adherence to these requirements.
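To make the §164.512(f)(2) allowlist above concrete, here is an added example (not Thoropass's code or any page-provided implementation) that applies the permitted and prohibited categories to a single law enforcement identification/location request and produces the disclosure record the guidance asks for. The field names, requester strings and sample record are constructed assumptions; map them to your own schema.

```python
"""Allowlist filter for §164.512(f)(2) identification/location disclosures.

Added example, not Thoropass's code. Field names and the sample record are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Categories the guidance permits for identification or location requests.
PERMITTED_FIELDS = frozenset({
    "name", "address", "date_of_birth", "place_of_birth", "ssn",
    "abo_blood_type", "rh_factor", "injury_type", "treatment_datetime",
    "death_datetime", "distinguishing_characteristics",
})

# Categories the guidance prohibits for this purpose (DNA, dental, fluid/tissue typing).
PROHIBITED_FIELDS = frozenset({
    "dna", "dna_analysis", "dental_records", "blood_fluid_tissue_typing",
})

# The only purposes §164.512(f)(2) covers; anything else needs another provision.
PERMITTED_PURPOSES = frozenset({"suspect", "fugitive", "material_witness", "missing_person"})

# Constructed sample patient record (assumed schema).
SAMPLE_RECORD = {
    "name": "Jane Example",
    "address": "1 Sample Street, Anytown",
    "treatment_datetime": "2024-01-15T10:30:00Z",
    "dna": "<constructed DNA profile>",
    "dental_records": "<constructed dental chart>",
}


@dataclass
class DisclosureDecision:
    disclosed: Dict[str, object]       # fields actually released
    withheld: List[str]                # requested fields not released
    log_record: Dict[str, object]      # accounting-of-disclosures entry
    rejected_reason: Optional[str] = None


def decide_identification_disclosure(
    record: Dict[str, object],
    requested_fields: Set[str],
    purpose: str,
    requester: str,
    legal_basis: str,
    requester_verified: bool,
) -> DisclosureDecision:
    """Apply the allowlist to one request and always emit a log record.

    Unverified requesters and out-of-scope purposes are refused outright;
    otherwise only requested fields that are both permitted and present in
    the record are released (minimum necessary), and every requested
    prohibited field is flagged in the log for compliance review.
    """
    requested = set(requested_fields)
    log: Dict[str, object] = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "provision": "164.512(f)(2)",
        "requester": requester,
        "purpose": purpose,
        "legal_basis": legal_basis,
        "requested_fields": sorted(requested),
        "prohibited_requested": sorted(requested & PROHIBITED_FIELDS),
        "disclosed_fields": [],
    }

    if not requester_verified:
        log["outcome"] = "rejected: requester identity/authority not verified"
        return DisclosureDecision({}, sorted(requested), log, "requester not verified")
    if purpose not in PERMITTED_PURPOSES:
        log["outcome"] = "rejected: purpose outside 164.512(f)(2)"
        return DisclosureDecision({}, sorted(requested), log, "purpose not covered by 164.512(f)(2)")

    disclosed: Dict[str, object] = {}
    withheld: List[str] = []
    for name in sorted(requested):
        if name in PERMITTED_FIELDS and name in record:
            disclosed[name] = record[name]
        else:
            withheld.append(name)

    log["disclosed_fields"] = sorted(disclosed)
    log["withheld_fields"] = withheld
    log["outcome"] = "disclosed" if disclosed else "nothing disclosable"
    return DisclosureDecision(disclosed, withheld, log)


if __name__ == "__main__":
    decision = decide_identification_disclosure(
        SAMPLE_RECORD,
        {"name", "address", "dna", "dental_records", "treatment_datetime"},
        "missing_person",
        "constructed requester (Anytown PD)",
        "constructed written request citing 164.512(f)(2)",
        requester_verified=True,
    )
    print("disclosed:", sorted(decision.disclosed))
    print("withheld:", decision.withheld)
    print("log:", decision.log_record)
```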

§164.512(f)(3): Disclosures for law enforcement purposes - PHI of a possible victim of a crime

Allow disclosure of PHI to law enforcement officials about an individual who is or is suspected to be a victim of a crime, provided the individual agrees to the disclosure.

Ensure that the individual’s consent is obtained prior to the disclosure, unless the individual is unable to agree due to incapacity or other emergency circumstances.

If the individual cannot consent, disclose PHI only if the disclosure aligns with the organization’s good faith belief and professional judgment that it is in the best interest of the individual.

Verify the identity and authority of the law enforcement official making the request for PHI before disclosure.

Record all disclosures made under this provision, including the law enforcement request, the scope of the PHI disclosed, and the basis for determining the individual’s incapacity or emergency circumstances.

Limit the PHI disclosed to the minimum necessary to address the law enforcement need.

§164.512(f)(4): Disclosures for law enforcement purposes - Individual who has died as a result of suspected criminal conduct

Allow disclosure of PHI to law enforcement officials to alert them of an individual's death if there is suspicion that the death resulted from criminal conduct.

Ensure the disclosure is based on a reasonable suspicion of criminal activity related to the death.

Limit the PHI disclosed to only the information necessary to fulfill the purpose of notifying law enforcement.

Record the disclosure, including the nature of the suspicion, the information shared, and the recipient details.

§164.512(f)(5): Disclosures for law enforcement purposes - Crime on premises

Define policies for disclosing PHI to law enforcement when it constitutes evidence of criminal conduct on the covered entity’s premises.

Require staff to confirm and document a good faith belief that the PHI relates to criminal conduct on the premises before disclosure.

Record the details of the disclosure, including the scope of PHI shared, the justification, and the requesting law enforcement entity.

Ensure that only the minimum necessary PHI related to the criminal conduct is disclosed.

Thoropass' HIPAA CE Privacy Policy covers disclosures of evidence of criminal conduct on premises. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

§164.512(f)(6): Disclosures for law enforcement purposes

Define policies for disclosing PHI to law enforcement when reporting a crime during an emergency situation, ensuring HIPAA compliance.

Ensure law enforcement's request aligns with HIPAA’s criteria for emergency disclosures and document the justification.

Record the circumstances, scope of PHI disclosed, and justification for the disclosure during an emergency situation.

Limit disclosed PHI to the minimum necessary to address the law enforcement request during an emergency.

Thoropass' HIPAA CE Privacy Policy covers emergency disclosures to law enforcement. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

§164.512(g): Uses and disclosures about decedents

Permit disclosures of PHI to coroners, medical examiners, and funeral directors as necessary to fulfill their duties, including identifying a deceased person, determining a cause of death, and arranging funeral services.

Limit the PHI disclosed to what is relevant and necessary to achieve the specific purpose of the request.

Confirm the identity and legal authority of individuals or entities requesting decedent PHI.

Maintain records of disclosures, including the purpose and requesting party, and securely retain PHI of deceased individuals for 50 years post-death in compliance with HIPAA rules.

§164.512(h): Uses and disclosures for cadaveric organ, eye or tissue donation

Allow the use or disclosure of PHI to organ procurement organizations or entities involved in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue.

Ensure the disclosure supports the purpose of facilitating organ, eye, or tissue donation and transplantation.

Limit the PHI disclosed to what is necessary to achieve the purpose of donation or transplantation.

Record disclosures, including the date, recipient entity, and the purpose of the disclosure, to maintain transparency and compliance.

§164.512(i)(1): Uses and disclosures for research purposes - Permitted uses and disclosures

Define policies for disclosing PHI for research purposes, ensuring HIPAA compliance.

Verify that research requests have IRB or privacy board approval and provide assurance that PHI use is minimized.

Record the purpose, scope, and legal basis of PHI disclosures for research purposes.

Ensure that disclosures for research without authorization comply with HIPAA’s waiver of authorization requirements, including documentation from an IRB or privacy board.

Limit PHI disclosed to the minimum necessary to achieve research objectives.

Thoropass' HIPAA CE Privacy Policy covers disclosures for research purposes. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

§164.512(i)(2): Uses and disclosures for research purposes - Documentation of waiver approval

Ensure all research disclosures without individual authorization are approved by an IRB or privacy board, as specified by §164.512(i)(2).

Develop and implement criteria for disclosures of PHI for research purposes, ensuring the scope of information disclosed is limited to the minimum necessary.

Maintain documentation of IRB or privacy board approvals, including written statements verifying the waiver of individual authorization.

Conduct periodic audits to verify that all research-related disclosures comply with the established criteria and are appropriately documented.

§164.512(k)(1): Uses and disclosures for specialized government functions - Military

Develop policies permitting PHI disclosures to the Department of Defense or Veterans Affairs for military and veterans' activities, in accordance with §164.512(k)(1).

Implement procedures to verify the identity and authority of military officials or entities requesting PHI.

Maintain records of all disclosures made under this provision, including the scope, purpose, and authorization of the disclosure.

Ensure that PHI disclosures are limited to the minimum necessary to fulfill military or veterans’ purposes.

Thoropass' HIPAA CE Privacy Policy covers Department of Defense and Veterans Affairs disclosures. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

§164.512(k)(2): Uses and disclosures for specialized government functions - National security and intelligence activities

Establish policies permitting PHI disclosures to authorized federal officials for national security or intelligence purposes.

Implement procedures to verify the identity and authorization of federal officials requesting PHI for national security or intelligence purposes.

Maintain records of all disclosures made under this provision, including the identity of the federal official, the purpose of the request, and the scope of the PHI disclosed.

Ensure PHI disclosures are limited to the minimum necessary to fulfill the national security or intelligence purpose.

Thoropass' HIPAA CE Privacy Policy covers disclosures to federal officials. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

§164.512(k)(3): Uses and disclosures for specialized government functions - Protective services

Develop policies allowing disclosures of PHI to authorized federal officials for protective services or investigations related to the President or other dignitaries.

Ensure procedures are in place to verify the identity and authority of federal officials requesting PHI for protective services or investigation purposes.

Record all disclosures made under this provision, including details about the requester, the purpose of the request, and the PHI disclosed.

Limit disclosures to the minimum necessary information required for protective services or related investigations.

Thoropass' HIPAA CE Privacy Policy covers disclosures to federal officials. Completing action item AI-1316 Create necessary HIPAA CE Privacy Policy satisfies the policy aspect of this requirement.

§164.512(k)(4): Uses and disclosures for specialized government functions - Medical suitability determinations

A covered entity that is a component of the Department of State may use protected health information to evaluate an individual’s medical suitability.

Disclose PHI to Department of State officials who need access for specific purposes, including:

- Required security clearances under Executive Orders 10450 and 12698.

- Determining worldwide availability or availability for mandatory service abroad as required by sections 101(a)(4) and 504 of the Foreign Service Act.

- Assessing whether a family can accompany a Foreign Service member abroad, under sections 101(b)(5) and 904 of the Foreign Service Act.

Ensure PHI is only used or disclosed as necessary for the authorized purposes and does not exceed the minimum information required.

Maintain records of PHI disclosures, including the purpose and recipient, to ensure transparency and accountability.

§164.512(k)(5): Uses and disclosures for specialized government functions – Correctional institutions

A covered entity may disclose PHI about inmates or individuals in lawful custody to correctional institutions or law enforcement officials if the information is necessary for:

- Providing health care to the individual

- Ensuring the health and safety of the individual or other inmates

- Protecting the health and safety of officers, employees, or others at the institution

- Protecting the health and safety of individuals responsible for inmate transportation or transfer

- Supporting law enforcement activities on the premises of the institution

- Maintaining the safety, security, and good order of the correctional institution

A covered entity functioning as a correctional institution may use PHI for any purpose that aligns with the permitted disclosures outlined above.

These provisions no longer apply once an individual is released from custody, whether on parole, probation, supervised release, or other lawful release.

Implement procedures to verify the authority and lawful custody of the requesting correctional institution or law enforcement official before disclosing PHI.

Maintain a record of PHI disclosures made to correctional institutions or law enforcement, including the purpose and recipient, to ensure compliance with HIPAA regulations.

§164.512(k)(6): Uses and disclosures for specialized government functions – Providing public benefits

Health plans that are government programs providing public benefits may disclose PHI related to eligibility or enrollment to other government agencies administering similar programs, if required or expressly authorized by statute or regulation.

Government agencies administering public benefit programs may disclose PHI to other government agencies that administer similar programs, provided:

- The programs serve the same or similar populations

- The disclosure is necessary to coordinate functions or improve administration and management of the programs

Ensure that disclosures are supported by statutory or regulatory requirements, or are necessary to improve program administration.

Record the details of PHI disclosures, including the receiving agency, purpose, and statutory or regulatory basis, to ensure compliance and accountability.

§164.512(l): Disclosures for workers' compensation

A covered entity may disclose PHI as authorized by laws related to workers' compensation or similar programs that provide benefits for work-related injuries or illnesses, regardless of fault.

Limit disclosures to the minimum necessary to comply with applicable workers' compensation laws and related requirements.

Verify the authority of the requesting entity or program to ensure compliance with laws governing workers' compensation.

Maintain records of PHI disclosures made under this provision, including the purpose and recipient, to support accountability and auditability.

§164.514(f): Uses and disclosures for fundraising

Use or disclose PHI without prior authorization for the purposes of fundraising when that PHI consists of demographic information, dates of service, department of service information, treating physician, outcome information, and/or health insurance status.

Provide individuals with a clear and simple mechanism to opt out of receiving fundraising communications and ensure their decision is promptly honored.

Include a statement in the Notice of Privacy Practices informing individuals of the possibility of using PHI for fundraising purposes and their right to opt out.

Limit the PHI used or disclosed for fundraising to the minimum necessary to achieve the purpose.

Maintain records of PHI used or disclosed for fundraising purposes, including opt-out requests and the organization’s response to those requests.

§164.514(g): Uses and Disclosures for underwriting and related purposes

Unless your organization is an issuer of long-term care policies, define requirements for ensuring the health plan does not use or disclose PHI that is genetic information for underwriting purposes. View instructions for defining underwriting requirements.

Define any underwriting exclusions—clarify that underwriting purposes do not include determinations of medical appropriateness where an individual seeks a benefit under the plan.

To ensure clarity and compliance, define genetic information, genetic services, and genetic testing.

Implement monitoring and audit mechanisms to ensure genetic information is not used for prohibited purposes.

§164.530(f): Mitigation

Develop a process to handle and report PHI breaches in compliance with the requirements of HIPAA §164.530(i).
