Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Section 164.512 - Uses and Disclosures for which Consent, Individual Authorization, or Opportunity to Agree or Object is Not Required


Section 164.512 includes provisions that allow, but that do not require, covered entities to disclose protected health information without individual authorization for a variety of purposes which represent important national priorities. Pursuant to § 164.512, covered entities may disclose protected health information for specified purposes as follows: as required by law; for public health activities; to public officials regarding victims of abuse, neglect, or domestic violence; for health oversight; for judicial and administrative proceedings; for law enforcement; for specified purposes regarding decedents; for organ donation and transplantation; for research; to avert an imminent threat to health or safety; for specialized government functions (such as for intelligence and national security activities); and to comply with workers' compensation laws. While these provisions are subject to the PRA, we believe that the burden associated with this requirement is exempt from the PRA as stipulated under 5 CFR 1320.3(b)(2).

For research, if a covered entity wants to use or disclose protected health information without individual authorization, it must obtain documentation that a waiver, in whole or in part, of the individual authorization required by § 164.508 for use or disclosure of protected health information has been approved by either an Institutional Review Board (IRB), established in accordance with 7 CFR 1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or a privacy board. The burden associated with these requirements is the time and effort necessary for a covered entity to maintain documentation demonstrating that they have obtained IRB or privacy board approval, which meet the requirements of this section. On an annual basis it is estimated that these requirements will affect 113,524 IRB reviews. We further estimate that it will take an average of 5 minutes per review to meet these requirements on an annual basis. Therefore, the total estimated annual burden associated with this requirement is 9,460 hours.