In the NPRM we would have allowed covered entities to use or disclose protected health information without individual authorization where such use or disclosure was required by other law, as long as the use or disclosure met all relevant requirements of such law. However, a legally mandated use or disclosure which fell into one or more of the national priority purposes expressly identified in proposed § 164.510 of the NPRM would have been subject to the terms and conditions specified by the applicable paragraph of proposed § 164.510. Thus, a disclosure required by law would have been allowed only to the extent it was not otherwise prohibited or restricted by another provision in proposed § 164.510. For example, mandatory reporting to law enforcement officials would not have been allowed unless such disclosures conformed to the requirements of proposed § 164.510(f) of the NPRM, on uses and disclosures for law enforcement purposes. As explained in the NPRM, this provision was not intended to obstruct access to information deemed important enough by federal, state or other government authorities to require it by law.
In § 164.512(a) of the final rule, we retain the proposed approach, and we permit covered entities to comply with laws requiring the use or disclosure of protected health information, provided the use or disclosure meets and is limited to the relevant requirements of such other laws. To more clearly address where the substantive and procedural requirements of other provisions in this section apply, we have deleted the general sentence from the NPRM which stated that the provision "does not apply to uses or disclosures that are covered by paragraphs (b) through (m)" of proposed § 164.510. Instead, in § 164.512 (a)(2) we list the specific paragraphs that have additional requirements with which covered entities must comply. They are disclosures about victims of abuse, neglect or domestic violence (§ 164.512(c)), for judicial and administrative proceedings (§ 164.512(e)), and for law enforcement purposes (§ 164.512(f)). We include a new definition of "required by law." See § 164.501. We clarify that the requirements provided for in § 164.514(h) relating to verification apply to disclosures under this paragraph. Those provisions require covered entities to verify the identity and authority of persons to whom they make disclosures. We note that the minimum necessary requirements of § 164.514(d) do not apply to disclosures made under this paragraph.
We note that this rule does not affect what is required by other law, nor does it compel a covered entity to make a use or disclosure of protected health information required by the legal demands or reporting requirements listed in the definition of "required by law." Covered entities will not be sanctioned under this rule for responding in good faith to such legal process and reporting requirements. However, nothing in this rule affects, either by expanding or contracting, a covered entity's right to challenge such process or reporting requirements under other laws. The only disclosures of protected health information compelled by this rule are disclosures to an individual (or the personal representative of an individual) or to the Secretary for the purposes of enforcing this rule.
Uses and disclosures permitted under this paragraph must be limited to the protected health information necessary to meet the requirements of the law that compels the use or disclosure. For example, disclosures pursuant to an administrative subpoena are limited to the protected health information authorized to be disclosed on the face of the subpoena.