NRPM: Standards for Privacy of Individually Identifiable Health Information. § 164.510 Uses and disclosures for which individual authorization is not required.

11/03/1999

A covered entity may use or disclose protected health information, for purposes other than treatment, payment, or health care operations, without the authorization of the individual, in the situations covered by this section and subject to the applicable requirements provided for by this section.

(a) General requirements. In using or disclosing protected health information under this section:

(1) Verification. A covered entity must comply with any applicable verification requirements under § 164.518(c).

(2) Health care clearinghouses. A health care clearinghouse that uses or discloses protected health information it maintains as a business partner of a covered entity may not make uses or disclosures otherwise permitted under this section that are not permitted by the terms of its contract with the covered entity under § 164.506(e).

(b) Disclosures and uses for public health activities.

(1) Permitted disclosures. A covered entity may disclose protected health information for the public health activities and purposes described in this paragraph to:

(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions;

(ii) A public health authority or other appropriate authority authorized by law to receive reports of child abuse or neglect;

(iii) A person or entity other than a governmental authority that can demonstrate or demonstrates that it is acting to comply with requirements or direction of a public health authority; or

(iv) A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition and is authorized by law to be notified as necessary in the conduct of a public health intervention or investigation.

(2) Permitted use. Where the covered entity also is a public health authority, the covered entity is permitted to use protected health information in all cases in which it is permitted to disclose such information for public health activities under paragraph (b)(1) of this section.

(c) Disclosures and uses for health oversight activities.

(1) Permitted disclosures. A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audit, investigation, inspection, civil, criminal, or administrative proceeding or action, or other activity necessary for appropriate oversight of:

(i) The health care system;

(ii) Government benefit programs for which health information is relevant to beneficiary eligibility; or

(iii) Government regulatory programs for which health information is necessary for determining compliance with program standards.

(2) Permitted use. Where a covered entity is itself a health oversight agency, the covered entity may use protected health information for health oversight activities described by paragraph (c)(1) of this section.

(d) Disclosures and uses for judicial and administrative proceedings.

(1) Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding:

(i) In response to an order of a court or administrative tribunal; or

(ii) Where the individual is a party to the proceeding and his or her medical condition or history is at issue and the disclosure is pursuant to lawful process or otherwise authorized by law.

(2) Permitted use. Where the covered entity is itself a government agency, the covered entity may use protected health information in all cases in which it is permitted to disclose such information in the course of any judicial or administrative proceeding under paragraph (d)(1) of this section.

(3) Additional restriction.

(i) Where the request for disclosure of protected health information is accompanied by a court order, the covered entity may disclose only that protected health information which the court order authorizes to be disclosed.

(ii) Where the request for disclosure of protected health information is not accompanied by a court order, the covered entity may not disclose the information requested unless a request authorized by law has been made by the agency requesting the information or by legal counsel representing a party to litigation, with a written statement certifying that the protected health information requested concerns a litigant to the proceeding and that the health condition of such litigant is at issue at such proceeding.

(e) Disclosures to coroners and medical examiners. A covered entity may disclose protected health information to a coroner or medical examiner, consistent with applicable law, for the purposes of identifying a deceased person or determining a cause of death.

(f) Disclosures for law enforcement purposes. A covered entity may disclose protected health information to a law enforcement official if:

(1) Pursuant to process.

(i) The law enforcement official is conducting or supervising a law enforcement inquiry or proceeding authorized by law and the disclosure is:

(A) Pursuant to a warrant, subpoena, or order issued by a judicial officer that documents a finding by the judicial officer;

(B) Pursuant to a grand jury subpoena; or

(C) Pursuant to an administrative request, including an administrative subpoena or summons, a civil investigative demand, or similar process authorized under law, provided that:

(1) The information sought is relevant and material to a legitimate law enforcement inquiry;

(2) The request is as specific and narrowly drawn as is reasonably practicable; and

(3) De-identified information could not reasonably be used.

(ii) For the purposes of this paragraph, “law enforcement inquiry or proceeding” means:

(A) An investigation or official proceeding inquiring into a violation of, or failure to comply with, law; or

(B) A criminal, civil, or administrative proceeding arising from a violation of, or failure to comply with, law.

(2) Limited information for identifying purposes. The disclosure is for the purpose of identifying a suspect, fugitive, material witness, or missing person, provided that, the covered entity may disclose only the following information:

(i) Name;

(ii) Address;

(iii) Social security number;

(iv) Date of birth;

(v) Place of birth;

(vi) Type of injury or other distinguishing characteristic; and

(vii) Date and time of treatment.

(3) Information about a victim of crime or abuse. The disclosure is of the protected health information of an individual who is or is suspected to be a victim of a crime, abuse, or other harm, if the law enforcement official represents that:

(i) Such information is needed to determine whether a violation of law by a person other than the victim has occurred; and

(ii) Immediate law enforcement activity that depends upon obtaining such information may be necessary.

(4) Intelligence and national security activities. The disclosure is:

(i) For the conduct of lawful intelligence activities conducted pursuant to the National Security Act (50 U.S.C. 401, et seq.);

(ii) Made in connection with providing protective services to the President or other persons pursuant to 18 U.S.C. 3056; or

(iii) Made pursuant to 22 U.S.C. 2709(a)(3).

(5) Health care fraud. The covered entity believes in good faith that the information disclosed constitutes evidence of criminal conduct:

(i) That arises out of and is directly related to:

(A) The receipt of health care or payment for health care, including a fraudulent claim for health care;

(B) Qualification for or receipt of benefits, payments, or services based on a fraudulent statement or material misrepresentation of the health of the individual;

(ii) That occurred on the premises of the covered entity; or

(iii) Was witnessed by a member of the covered entity’s workforce.

(5) Urgent circumstances. The disclosure is of the protected health information of an individual who is or is suspected to be a victim of a crime, abuse, or other harm, if the law enforcement official represents that:

(i) Such information is needed to determine whether a violation of law by a person other than the victim has occurred; and

(ii) Immediate law enforcement activity that depends upon obtaining such information may be necessary.

(g) Disclosures and uses for governmental health data systems.

(1) Permitted disclosures. A covered entity may disclose protected health information to a government agency, or private entity acting on behalf of a government agency, for inclusion in a governmental health data system that collects health data for analysis in support of policy, planning, regulatory, or management functions authorized by law.

(2) Permitted uses. Where a covered entity is itself a government agency that collects health data for analysis in support of policy, planning, regulatory, or management functions, the covered entity may use protected health information in all cases in which it is permitted to disclose such information for government health data systems under paragraph (g)(1) of this section.

(h) Disclosures of directory information.

(1) Individuals with capacity. For individuals with the capacity to make their own health care decisions, a covered entity that is a health care provider may disclose protected health information for directory purposes, provided that, the individual has agreed to such disclosure.

(2) Incapacitated individuals. For individuals who are incapacitated, a covered entity that is a health care provider may, at its discretion and consistent with good medical practice and any prior expressions of preference of which the covered entity is aware, disclose protected health information for directory purposes.

(3) Information to be disclosed. The information that may be disclosed for directory purposes pursuant to paragraphs (h)(1) and (2) of this section, is limited to:

(i) Name of the individual;

(ii) Location of the individual in the health care provider’s facility; and

(iii) Description of the individual’s condition in general terms that do not communicate specific medical information about the individual.

(i) Disclosures for banking and payment processes. A covered entity may disclose, in connection with routine banking activities or payment by debit, credit, or other payment card, or other payment means, the minimum amount of protected health information necessary to complete a banking or payment activity to:

(1) Financial institutions. An entity engaged in the activities of a financial institution (as defined in section 1101 of the Right to Financial Privacy Act of 1978); or

(2) Entities acting on behalf of financial institutions. An entity engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments, for an entity described in paragraph (i)(1) of this section.

(j) Uses and disclosures for research purposes. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that, the covered entity has obtained written documentation of the following:

(1) Waiver of authorization. A waiver, in whole or in part, of authorization for use or disclosure of protected health information that has been approved by either:

(i) An Institutional Review Board, established in accordance with 7 CFR 1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 28 CFR 46.107.32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107.45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or

(ii) A privacy board that:

(A) Has members with varying backgrounds and appropriate professional competency as necessary to review the research protocol;

(B) Includes at least one member who is not affiliated with the entity conducting the research or related to a person who is affiliated with such entity; and

(C) Does not have any member participating in a review of any project in which the member has a conflict of interest.

(2) Date of approval. The date of approval of the waiver, in whole or in part, of authorization by an Institutional Review Board or privacy board.

(3) Criteria. The Institutional Review Board or privacy board has determined that the waiver, in whole or in part, of authorization satisfies the following criteria:

(i) The use or disclosure of protected health information involves no more than minimal risk to the subjects;

(ii) The waiver will not adversely affect the rights and welfare of the subjects;

(iii) The research could not practicably be conducted without the waiver;

(iv) Whenever appropriate, the subjects will be provided with additional pertinent information after participation;

(v) The research could not practicably be conducted without access to and use of the protected health information;

(vi) The research is of sufficient importance so as to outweigh the intrusion of the privacy of the individual whose information is subject to the disclosure;

(vii) There is an adequate plan to protect the identifiers from improper use and disclosure; and

(viii) There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers.

(4) Required signature. The written documentation must be signed by the chair of, as applicable, the Institutional Review Board or the privacy board.

(k) Uses and disclosures in emergency circumstances.

(1) Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct and based on a reasonable belief that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public, use or disclose protected health information to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

(2) Presumption of reasonable belief. A covered entity that makes a disclosure pursuant to paragraph (k)(1) of this section is presumed to have acted under a reasonable belief, if the disclosure is made in good faith based upon a credible representation by a person with apparent knowledge or authority (such as a doctor or law enforcement or other government official).

(l) Disclosures to next-of-kin.

(1) Permitted disclosures. A covered entity may disclose protected health information to a person who is a next-of-kin, other family member, or close personal friend of an individual who possesses the capacity to make his or her own health care decisions, if:

(i) The individual has verbally agreed to the disclosure; or

(ii) In circumstances where such agreement cannot practicably or reasonably be obtained, only the protected health information that is directly relevant to the person’s involvement in the individual’s health care is disclosed, consistent with good health professional practices and ethics.

(2) Next-of-kin defined. For purposes of this paragraph, “next-of-kin” is defined as defined under applicable law.

(m) Uses and disclosures for specialized classes.

(1) Military purposes. A covered entity that is a health care provider or health plan providing health care to individuals who are Armed Forces personnel may use and disclose protected health information for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, where the appropriate military authority has published by notice in the Federal Register the following information:

(i) Appropriate military command authorities;

(ii) The circumstances for which use or disclosure without individual authorization would be required; and

(iii) Activities for which such use or disclosure would occur in order to assure proper execution of the military mission.

(2) Department of Veterans Affairs. The Department of Veterans Affairs may use and disclose protected health information among components of the Department that determine eligibility for or entitlement to, or that provide, benefits under laws administered by the Secretary of Veterans Affairs.

(3) Intelligence community. A covered entity may disclose protected health information of an individual who is an employee of the intelligence community, as defined in Section 4 of the National Security Act, 50 U.S.C. 401a, and his or her dependents, if such dependents are being considered for posting abroad, to intelligence community agencies, where authorized by law.

(4) Department of State. The Department of State may use protected health information about the following individuals for the following purposes:

(i) As to applicants to the Foreign Service, for medical clearance determinations about physical fitness to serve in the Foreign Service on a worldwide basis, including about medical and mental conditions limiting assignability abroad; determinations of conformance to occupational physical standards, where applicable; and determinations of suitability.

(ii) As to members of the Foreign Service and other United States Government employees assigned to serve abroad under Chief of Mission authority, for medical clearance determinations for assignment to posts abroad, including medical and mental conditions limiting such assignment; determinations of conformance to occupational physical standards, where applicable; determinations about continued fitness for duty, suitability, and continuation of service at post (including decisions on curtailment); separation medical examinations; and determinations of eligibility of members of the Foreign Service for disability retirement (whether on application of the employee or the Secretary of State).

(iii) As to eligible family members of Foreign Service or other United States Government employees, for medical clearance determinations as described in paragraph (m)(4)(ii) of this section to permit eligible family members to accompany employees to posts abroad on Government orders; determinations regarding family members remaining at post; and separation medical examinations.

(n) Uses and disclosures otherwise required by law. A covered entity may use or disclose protected health information where such use or disclosure is required by law and the use or disclosure meets all relevant requirements of such law. This paragraph does not apply to uses or disclosures that are covered by paragraphs (b) through (m) of this section.