HIPAA
Course Content
- Welcome to ProHIPAA
- HIPAA Privacy and Rights and Protected Health Information
- HIPAA Breaches, Violations & Penalties and how to be Compliant
Can PHI Be Disclosed to Entities Other Than Public Health Authorities?
Can PHI be disclosed without authorization to entities other than public health authorities? Yes, the HIPAA Rule permits covered entities to disclose protected health information, without authorization, for cases of child abuse or neglect, FDA regulated products, exposure to communicable diseases, and workplace medical surveillance. For cases of Child abuse or neglect, covered entities may disclose protected health information to report known or suspected child abuse or neglect, if the report is made to a public health authority or other appropriate government authority that is authorized by law to receive such reports. For example, the social services department of a local government has the legal authority to receive reports of child abuse or neglect. The Privacy Rule would permit a covered entity to report such cases to that authority without obtaining individual authorization. In addition, a covered entity could report such cases to the police department when the police department is authorized by law to receive such reports. Covered entities may disclose protected health information to a person subject to FDA jurisdiction for public health purposes related to the quality, safety or effectiveness of an FDA-regulated product or activity for which that person has responsibility. Examples of purposes or activities for which such disclosures may be made, are to enable product recalls, repairs, replacement or something called lookback. This includes locating and notifying individuals who received recalled or withdrawn products or products that are the subject of lookback. PHI can also be disclosed to conduct post-marketing surveillance by a person subject to the jurisdiction of the FDA. This does not have to be a specific individual. It can be an individual or an entity, such as a partnership, corporation, or association. Covered entities may identify the party or parties responsible for an FDA-regulated product from the product label, from written material that accompanies the product (know as labeling), or from sources of labeling, such as the Physician’s Desk Reference. A covered entity may disclose protected health information to a person who is at risk of contracting or spreading a disease or condition if other law authorizes the covered entity to notify such individuals as necessary to carry out public health interventions or investigations. For example, a covered health care provider may disclose protected health information as needed to notify a person that he or she has been exposed to a communicable disease if the covered entity is legally authorized to do so to prevent or control the spread of that disease. A covered health care provider who provides a health care service to an individual at the request of the individual’s employer, or provides the service in the capacity of a member of the employer’s workforce, may disclose the individual’s protected health information to the employer for the purposes of workplace medical surveillance or the evaluation of work-related illness and injuries to the extent that the employer needs that information to comply with OSHA, the Mine Safety and Health Administration (which is MSHA, M-S-H-A.), or the requirements of State laws having a similar purpose. The information disclosed must be limited to the provider’s findings regarding such medical surveillance or work-related illness or injury. The covered health care provider must provide the individual with written notice that the information will be disclosed to his or her employer, or that the notice may be posted at the worksite if that is where the service is provided. Can PHI be disclosed for emergency preparedness? Information is often needed to serve people in the event of an emergency. For example, planners seek to meet the special needs of the elderly or persons with disabilities in the event of an evacuation. Covered entities may disclose information in a limited data set, when it has obtained a data use agreement with the data recipient and the information disclosed is limited to the amount reasonably necessary to accomplish that public health purpose. With a data use agreement, covered entities may disclose a limited data set for public health purposes for emergency response planning, to organizations that are not public health authorities. For example, a physician could disclose that a patient is a 101 year old woman who uses a motorized wheelchair if the data use agreement allows disclosure of age, gender and limitations.
The HIPAA Rule permits covered entities to disclose protected health information, without authorization, for cases of child abuse or neglect, FDA regulated products, exposure to communicable diseases, and workplace medical surveillance.
In addition information is often needed to serve people in the event of an emergency. Covered entities may disclose information in a limited data set, when it has obtained a data use agreement with the data recipient and the information disclosed is limited to the amount reasonably necessary to accomplish that public health purpose.