Part 3: Uses and Disclosures (FAQ 61 of
61. What Are the Allowable Uses and Disclosures?
We will list each HIPAA category of allowable use and disclosure, together
with some discussion as appropriate. (If we included every detail of every
disclosure, the discussion would double the size of this guide.) A covered
entity that must comply with the HIPAA rule needs to know all the specifics,
but a patient generally only needs to be aware of the categories of uses
and disclosures. Every covered entity's notice of privacy practices
should include some information about each type of allowable disclosure.
Those who want to know more can read the rule itself.
- Treatment, Payment, and Health Care Operations. We covered this category
of uses and disclosures in detail in an earlier question. The category
includes uses and disclosures for a very large number of purposes.
- Required by law. We've already covered this category in detail
in the previous question. We used this category to illustrate the complexity
of allowable disclosures.
- Public Health Activities. Public health disclosures are one of the
more expansive disclosure categories under the rule. There are at least
five general types of public health disclosures. Some public health
disclosures are to traditional federal, state, and local public health
agencies. The reporting of communicable diseases is an example. It is
the type of disclosure that draws few, if any, objections. Additional
confidentiality protections may apply to some of the information disclosed
to public health agencies. Disclosures to manufacturers of pharmaceutical
medicines and devices for the reporting of adverse events may qualify
as public health disclosures. Some public health disclosures can be
to employers for medical surveillance of the workplace. These disclosures
to private entities explain why the public health category is so expansive.
Many different organizations play a role in public health, including
- Victims of Abuse, Neglect, or Domestic Violence. Reporting of victims
can be done to a social service agency or other government authority
(including the police) that is authorized to receive the reports.
- Health Oversight Activities. Various government agencies regulate
and oversee parts of the health care system. Disclosures are permissible
for activities authorized (not just required!) by law, including audits,
investigations, inspections, licensing, and similar functions. One patient
protection included in the rule prevents the use of information disclosed
for oversight purposes against the patient who is the subject of the
record disclosed. So if an agency investigates a health care provider,
it cannot use information about that provider's patients against
the patients themselves. However, if the information reveals health
care fraud by the patient or involving public benefits for health care
or benefits based on health condition, the information can be used against
the patient. The protection for patients with oversight disclosures
is limited, but it has some substance.
- Judicial and Administrative Proceedings. A covered entity can respond
to a court order or the order of an administrative agency for health
records. The authority to disclose also covers subpoenas and discovery
requests. The conditions that attach to these disclosures are lengthy
and include some obligation to give notice to the patient who is the
subject of the record. The complexity here is enough to choke a lawyer
because the HIPAA rule interacts with already elaborate state laws and
- Law Enforcement Purposes. The rule has six flavors of law enforcement
disclosure. The loosest allows disclosures for administrative requests.
An administrative request does not require judicial approval or even
have to be in writing. Any law enforcement official can ask for information
by stating that the information sought is relevant to a legitimate law
enforcement inquiry, by limiting the request to information reasonably
practicable to the purpose, and by saying that de-identified information
cannot be used. It is hard to imagine a more unrestricted type of police
disclosure. A covered entity need not comply with an administrative
request, but it may do so. The other types of law enforcement disclosures
are not so open-ended. One, for example, allows a provider to report
a crime that occurred in the provider's office.
- Decedents. A covered entity can share information about people who
died with coroners and funeral directors. They may need to know if the
decedent has AIDS, for example.
- Organ and Tissue Donation. A covered entity can disclose patient
information to organizations engaged in tissue banking and transplantation
to facilitate donations.
- Research. Researchers engaged in health research and other types
of research often want access to health records. The rule allows disclosures
for research but generally requires that a research project be approved
by an Institutional Review Board (IRB). An IRB is an existing institution
-- often part of the organization conducting the research -- that oversees
research activities to protect human subjects. The research section
of HIPAA is particularly convoluted in order to address different needs
of researchers. We observe that HHS itself conducts and funds research
using health records. The rule reflects the needs of HHS and researchers,
while offering some procedural protections for privacy. There are many
policy conflicts involving research disclosures, and the rule strikes
a balance that some like and some do not.
- Serious Threats to Health or Safety. A covered entity may use or
disclose a patient record if it believes in good faith that the use
or disclosure is necessary to prevent or lessen a serious and imminent
threat to the health or safety of a person or the public. There are
a few other conditions.
- Specialized Government Functions. This category of uses and disclosures
has six subcategories. Some relate to military, veterans, and prison
functions. Another category allows disclosure to the Secret Service
to protect the President and some other officials. Another broad subcategory
allows disclosure to government programs providing public benefits.
- National security or intelligence agency. This is the broadest subcategory
for disclosure. HIPAA imposes no conditions or procedures for national
security disclosures. The disclosures are not mandatory (at least not
under HIPAA), but any national security or intelligence agency can request
a health record on any individual without prerequisite and without violating
HIPAA, even if the disclosure would violate medical ethics.
- Workers' Compensation. HIPAA allows any disclosure authorized
and necessary to comply with laws relating to workers' compensation.
The workers' compensation system typically requires the routine
disclosure of health information about injured workers. HIPAA stays
out of the way and allows the normal processes to continue without any
procedural or substantive interference.