3. USES AND DISCLOSURES
164.502(a)(1)

3.1. Permitted Uses and Disclosures: CE is permitted to use/disclose PHI:

3.1.1. To the individual;

3.1.2. For TPO [¶ 5.];

3.1.3. Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the CE has complied with the applicable requirements of minimum necessary [¶ 2.3 and ¶ 3.7] and safeguards [¶ 11.3.3];

3.1.4. Pursuant to an authorization [¶ 7.];

3.1.5. Pursuant to an agreement under, or as otherwise permitted by, 164.510 [¶ 6.];

3.1.6. As otherwise permitted pursuant to 164.502, 164.512, 164.514(e), (f), (g) [¶ 3., 9.].
164.502(a)(2)

3.2. Required Disclosures: CE is required to disclose PHI:

3.2.1. To the individual pursuant to 164.524, 164.528 [¶ 8.1., 11.2.];

3.2.2. When required by the Secretary of HHS to investigate or determine CE's compliance with the regulations [¶ 12.4];

3.2.3. When required by law [¶ 9.3. through 9.6.].
164.502(j)

3.3. Disclosures by Whistleblowers and Workforce Member Crime Victims:

3.3.1. CE has not violated use/disclosure restrictions if a member of its workforce or a BA discloses PHI, provided that:

3.3.1.1. The workforce member or BA believes in good faith that the CE has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the CE potentially endanger one or more patients, workers, or the public; and

3.3.1.2. The disclosure is to:

3.3.1.2.1. A public health authority, health oversight agency, or health care accreditation organization authorized to investigate or oversee the conduct at issue; or

3.3.1.2.2. An attorney retained by or on behalf of the workforce member or BA for the purpose of determining the legal options of the workforce member or BA with regard to the conduct.

3.3.2. CE has not violated use/disclosure restrictions if a member of the workforce who is the victim of a criminal act discloses PHI to a law enforcement officer, provided that:

3.3.2.1. The PHI disclosed is about the suspected perpetrator of the criminal act; and

3.3.2.2. The PHI disclosed is limited to the information listed in 164.512(f)(2)(i) [¶ 9.6.2.1.].
164.514(e)
164.514(e)(1)
164.514(e)(2)

3.4. Limited Data Sets:

3.4.1. A CE may use or disclose a limited data set ("LDS") as long as the CE enters into a proper data use agreement [¶ 3.4.2] for the use or disclosure of the LDS with the recipient and meets the following requirements:

3.4.1.1. CE may use or disclose a LDS only for the purposes of research, public health, or health care operations;

3.4.1.2. CE may use PHI to create a LDS, or disclose PHI to a BA to create a LDS, whether or not the LDS is to be used by the CE; and

3.4.1.3. A LDS is PHI that excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

3.4.1.3.1. Names

3.4.1.3.2. Postal address information, other than town or city, State, and zip code

3.4.1.3.3. Telephone numbers

3.4.1.3.4. Fax numbers

3.4.1.3.5. Electronic mail addresses

3.4.1.3.6. Social security numbers

3.4.1.3.7. Medical record numbers

3.4.1.3.8. Health plan beneficiary numbers

3.4.1.3.9. Account numbers

3.4.1.3.10. Certificate or license numbers

3.4.1.3.11. Vehicle identifiers and serial numbers, including license plate numbers

3.4.1.3.12. Device identifiers and serial numbers

3.4.1.3.13. Web Universal Resource Locators (URLs)

3.4.1.3.14. Internet Protocol (IP) address numbers

3.4.1.3.15. Biometric identifiers, including finger and voice prints

3.4.1.3.16. Full face photographic images and any comparable images
164.514(e)(4)

3.4.2. CE may use or disclose a LDS only if the CE obtains satisfactory assurance, in the form of a data use agreement, that the recipient will only use or disclose the PHI for limited purposes. The data use agreement between the CE and the LDS Recipient must:

3.4.2.1. Establish the permitted uses or disclosures of the LDS by the Recipient, consistent with the limitation that the LDS be used only for research, public health, or health care operations;

3.4.2.2. Not authorize the Recipient to use or further disclose the LDS in a manner that would violate this subpart if done by the CE;

3.4.2.3. Establish who is permitted to use or receive the LDS; and

3.4.2.4. Require the Recipient:

3.4.2.4.1. Not to use or further disclose the information other than as permitted by the Agreement or as otherwise required by law;

3.4.2.4.2. To use appropriate safeguards to prevent use or disclosure of the LDS other than as provided for by the Agreement;

3.4.2.4.3. To report to the CE any use or disclosure of the LDS not provided for by the Agreement of which the Recipient becomes aware;

3.4.2.4.4. To ensure that any agents, including subcontractors, to whom it provides the LDS agree to the same restrictions and conditions that apply to the Recipient under the Agreement; and

3.4.2.4.5. Not to identify or re-identify the information in the LDS, and not to contact the individuals whose information is in the LDS.
164.514(e)(4)(iii)

3.4.3. A CE must take steps to address violations of the data use agreement by the Recipient.

3.4.3.1. A CE is not in compliance if it knows of a pattern of activity or practice of the Recipient that constitutes a material breach or violation of the data use agreement, unless:

3.4.3.1.1. The CE took reasonable steps to cure the breach or end the violation, as applicable; and

3.4.3.1.2. If such steps were unsuccessful, the CE discontinued disclosure of PHI to the Recipient and reported the problem to the Secretary of HHS.

3.4.3.2. A Recipient that is itself a CE and violates a data use agreement is also in noncompliance with the standards, implementation specifications, and requirements of 164.514(e) [¶ 3.4].