HIPAA Final Rule: Covered Entities–Permitted Uses and Disclosures & Required Disclosures

March 4, 2013.  Today, we start going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

Our focus today is on covered entities in 45 CFR 164.502: Uses and disclosures of protected health information:  General Rules—(a) Standard.  A covered entity or business associate may not use or disclose protected health information, except as permitted or required by [the HIPAA Privacy Rule] or by subpart C of part 160 of this subchapter [Compliance and Investigations of General Administrative Requirements of Administrative Data Standards and Related Requirements].  Below we present the modified regulations pertaining to (1) Covered entities:  Permitted uses and disclosures; and (2) Covered entities:  Required disclosures.  78 Federal Register 5696

(1) Covered entities:  Permitted uses and disclosures.  A covered entity is permitted to use or disclose protected health information as follows:

(i) To the individual;

(ii) For treatment, payment, or health care operations, as permitted by and in compliance with 45 CFR 164.506 [Uses and disclosures to carry out treatment, payment, or health care operations];

(iii) Incident to a use or disclosure otherwise permitted or required by [the HIPAA Privacy Rule], provided that the covered entity has complied with the applicable requirements of 45 CFR 164.502(b) [Uses and disclosures of protected health information—Standard.  Minimum necessary], 164.514(d) [Other requirements relating to uses and disclosures of protected health information—Minimum necessary requirements], and 164.530(c) [Administrative requirements—Safeguards] with respect to such otherwise permitted or required use or disclosure;

(iv) Except for uses and disclosures prohibited under 45 CFR 164.502(a)(5)(i) [Prohibited uses and disclosures—Use and disclosure of genetic information for underwriting purposes], pursuant to and in compliance with a valid authorization under 45 CFR 164.508 [Uses and disclosures for which an authorization is required];

(v) Pursuant to an agreement under, or as otherwise permitted by, 45 CFR 164.510 [Uses and disclosures requiring an opportunity for the individual to agree or to object];

(vi) As permitted by and in compliance with this section, 45 CFR 164.512 [Uses and disclosures for which an authorization or opportunity to agree or object is not required], 164.514(e) [Other requirements relating to uses and disclosures of protected health information—Standard:  Limited data set], 164.514(f) [Fundraising communications], or 164.514(g) [Standard:  Uses and disclosures for underwriting and related purposes].

(2) Covered entities:  Required disclosures. A covered entity is required to disclose protected health information:

(i) To an individual, when requested under, and required by 45 CFR 164.524 [Access of individuals to protected health information] and 164.528 [Accounting of disclosures of protected health information]; and

(ii) When required by the Secretary under subpart C of part 160 of this subchapter [Compliance and Investigations of General Administrative Requirements of Administrative Data Standards and Related Requirements] to investigate or determine the covered entity’s compliance with this subchapter.

Tomorrow, we look at modified permitted and required uses and disclosures regulations pertaining to business associates.

Comments on “HIPAA Final Rule: Covered Entities–Permitted Uses and Disclosures & Required Disclosures”

  1. A prospective employer has someone submit to a urine drug screen for the purpose of employment and a positive result is received, is the employer governed by the same rules as the covered entity? For example, upon receipt of the positive response, can the employer send a copy to the prospective employee via email and put the words Positive Drug Screen in the subject line?
