Four categories of uses and disclosures of PHI under HIPAA
Under HIPAA’s Privacy Rule, there are four categories under which covered entities can use and disclose protected health information (PHI). These categories are:
- Core uses and disclosures, for which no permission is required — although an optional consent can be employed. This includes routine treatment, payment and other health care operations;
- Disclosures requiring a supplemental authorization — such as most kinds of research, and some kinds of marketing and fundraising;
- Disclosures which require an opportunity to agree or object, but no written authorization. This category includes the limited subset of PHI used for facility directories, and disclosures to those involved in a person’s care. (As regards the latter, see the discussion of personal representatives.)
- Disclosures which do not require even an opportunity to agree or object. This category includes uses and disclosures for public health activities, about victims of abuse, neglect or domestic violence, for health oversight activities, for judicial or administrative proceedings, for law enforcement, about deceased persons (including cadaveric organ and tissue donations), for research where permitted by an IRB or Privacy Board waiver, to avert a serious, imminent threat to public safety, for certain government functions (e.g., national security, military, corrections) or for anything else required by law. In most cases, the language of the regulations for this fourth category is that the covered entity “may disclose” such information — indicating it is permitted but not required by HIPAA. Individuals are entitled to an accounting of disclosures in the fourth category, though that accounting may be temporarily suspended in certain circumstances.