 |
164.514(f) |
|
 |
|
3.5. Uses and Disclosures
for Fundraising: |
|
| |
3.5.1. |
CE may use or disclose
to a BA or to an institutionally related foundation the following
PHI for the purpose of raising funds for its own benefit without authorization
pursuant to 164.508 [¶ 7.]:
3.5.1.1. |
Demographic
information relating to individual; and |
3.5.1.2. |
Dates of health
care provided to individual. |
|
| |
3.5.2. |
Requirements for use/disclosure
for fundraising:
3.5.2.1. |
CE may not use/disclose PHI for fundraising
purposes unless CE's privacy notice includes a statement required
by 164.520(b)(1)(iii)(B) [¶ 4.2.3.2.]
|
3.5.2.2. |
CE must include
in any fundraising materials sent a description of how to opt
out of receiving further communications. |
3.5.2.3. |
CE must make
reasonable efforts to ensure that individuals who opt out of
receiving communications are not sent such communications. |
|
|
164.514(g) |
|
|
|
|
|
Uses and Disclosures
for Underwriting and Related Purposes: If a health plan receives
PHI for the purpose of underwriting, premium rating, or other activities
relating to the creation, renewal or replacement of a contract of
health insurance or health benefits, and if such health insurance
or health benefits are not placed with the health plan, such health
plan may not use or disclose such PHI for any other purpose, except
as required by law. |
|
164.502(b) |
|
|
|
|
|
Minimum Necessary: When using or disclosing
PHI or when requesting PHI from another CE, a CE must make reasonable
efforts to limit PHI to the minimum necessary to accomplish the
intended purpose of the use, disclosure, or request.
|
|
164.502(b)(2) |
|
|
|
| |
3.7.1. |
Minimum
necessary standard does not apply to:
|
3.7.1.1. |
Disclosures to or requests by a health
care provider for treatment;
|
3.7.1.2. |
Uses or disclosures made to the individual,
or pursuant to an authorization [¶ 7];
|
3.7.1.3. |
Uses/disclosures required by law under
164.512(a) [¶ 9.3.], and;
|
3.7.1.4. |
Uses/disclosures
required for compliance with applicable parts of the privacy
regulations. |
|
|
| 164.514(d)(2) |
|
|
|
| |
3.7.2. |
Implementing
standard for minimum necessary uses of PHI:
3.7.2.1. |
CE must identify
those persons or classes of persons, as appropriate, in its
workforce who need access to PHI to carry out their duties;
and |
3.7.2.2. |
For each such
person or class of persons, the category or categories of PHI
to which access is needed and any conditions appropriate to
such access. |
3.7.2.3. |
CE must make
reasonable efforts to limit the access of such persons or classes
identified above to PHI consistent with the categories described
above. |
|
|
| 164.514(d)(3) |
|
|
|
| |
3.7.3. |
Implementing
standard for minimum necessary disclosures of PHI:
3.7.3.1. |
For any type
of disclosure that it makes on a routine and recurring basis,
a CE must implement policies and procedures (which may be standard
protocols) that limit the PHI disclosed to the amount reasonably
necessary to achieve the purpose of the disclosure. For all
other disclosures, a CE must: develop criteria designed to limit
the PHI disclosed to the information reasonably necessary to
accomplish the purpose for which disclosure is sought, and;
review requests for disclosure on an individual basis in accordance
with such criteria. |
3.7.3.2. |
CE may rely,
if such reliance is reasonable under the circumstances, on a
requested disclosure as the minimum necessary for the stated
purpose when:
3.7.3.2.1. |
Making disclosures
to public officials that are permitted under 164.512 [¶
9.], if the public official represents that the information
requested is the minimum necessary for the stated purpose(s); |
3.7.3.2.2. |
The information is
requested by another CE; |
3.7.3.2.3. |
The information is
requested by a professional who is a member of its workforce
or is a business associate of the CE for the purpose of
providing professional services to the CE, if the professional
represents that the information requested is the minimum
necessary for the stated purpose(s); or |
3.7.3.2.4. |
Documentation or representations
that comply with the applicable requirements of 164.512(i)
[¶ 9.8.] have been provided by a person requesting
the information for research purposes. |
|
|
|
| 164.514(d)(4) |
|
|
|
|
3.7.4. |
Implementing standard
for minimum necessary requests for PHI:
3.7.4.1. |
CE must limit any request
for PHI to that which is reasonably necessary to accomplish
the purpose for which the request is made, when requesting such
information from other CEs; |
3.7.4.2. |
For a request that is made
on a routine and recurring basis, CE must implement policies
and procedures (which may be standard protocols) that limit
the PHI requested to the amount reasonably necessary to accomplish
the purpose for which the request is made; |
3.7.4.3. |
For all other requests, CE must develop
criteria designed to limit the request to the information
reasonable necessary to accomplish the purpose for which the
request was made; and review requests for disclosure on an
individual basis in accordance with such criteria.
|
|
|
| 164.514(d)(5) |
|
|
|
|
3.7.5. |
Requests for the entire
record: For all uses, disclosures, or requests to which the requirements
of ¶ 3.7. apply, a CE may not use, disclose or request an entire
medical record, except when the entire medical record is specifically
justified as the amount that is reasonably necessary to accomplish
the purpose of the use, disclosure, or request. |
|
164.502(f) |
|
|
|
|
|
PHI of Deceased
Individuals: CE must comply with requirements of the privacy regulations
with respect to PHI of deceased individuals. |
|
164.502(g) |
|
|
|
|
|
Personal Representatives: Except as provided
in ¶ 3.9.2. and ¶ 3.9.4., CE must treat a personal representative
as the individual.
|
|
Adults and emancipated minors:
If under applicable law, a person has authority to act on
behalf of an adult or emancipated minor in making health care
decisions, CE must treat the person as a personal representative
with respect to PHI relevant to such representation.
|
|
|
Unemancipated minors: If under
applicable law, a parent, guardian, or other person acting
in loco parentis , has authority to act on behalf of an unemancipated
minor in making health care decisions, CE must treat the person
as a personal representative with respect to PHI relevant
to such representation, except that person may not be a personal
representative and the minor may act as an individual with
respect to PHI pertaining to health care if:
|
3.9.2.1.
|
Minor consents to such health care
services, and no other consent is required by law (regardless
of whether another person's consent has been obtained),
and the minor has not requested that an other person
to be treated as the personal representative;
|
|
3.9.2.2.
|
Minor may lawfully obtain health
care service without consent of parent, guardian, or
other person acting in loco parentis and consent (by
the minor, or court, or another legally authorized person)
has been obtained;
|
|
3.9.2.3.
|
Parent, guardian, or other person
acting in loco parentis assents to an agreement
of confidentiality between health care provider and
the minor.
|
|
|
|
| 164.502(g)(3)(ii) |
|
|
|
| |
|
3.9.2.4.
|
Notwithstanding the provisions contained in
¶ 3.9.2 through ¶ 3.9.2.4: (1) if and to the extent, permitted
or required by an applicable provision of State or other law, including
applicable case law, a CE may disclose, or provide access in accordance
with ¶ 8.1 to, PHI about an unemancipated minor to a parent,
guardian, or other person acting in loco parentis; (2) if, and to
the extent, prohibited by an applicable provision of State or other
law, including applicable case law, a CE may not disclose, or provide
access in accordance with ¶ 8.1 about an unemancipated minor
to a parent, guardian or other person acting in loco parentis; and;
(3) where the parent, guardian, or other person acting in loco parentis
is not the personal representative under ¶ 3.9 and where there
is no applicable access provision under state or other law, including
case law, a CE may provide or deny access under ¶ 8.1 to a
parent, guardian, or other person acting in loco parentis, if such
action is consistent with State or other applicable law, provided
that such decision must be made by a licensed health care professional,
in exercise of professional judgment.
|
|
| |
|
|
|
| |
|
Deceased individuals: If under applicable
law, an executor, administrator, or other person has authority to
act on behalf of a deceased individual or his/her estate, the CE
must treat the person as a personal representative with respect
to PHI relevant to such representation.
|
| |
|
Abuse, neglect, and endangerment situations:
Notwithstanding a state law or any requirement of ¶ 3.9.4 to
the contrary, CE may elect not to treat a person as a personal representative
of an individual if:
|
3.9.4.1.
|
CE has reasonable belief that individual
has been or may be subjected to domestic violence, abuse or
neglect by such person, or treating such person as the personal
representative could endanger the individual, and
|
|
3.9.4.2.
|
CE, in exercise of professional judgment,
decides it is not in the best interest of the individual to
treat the person as the personal representative.
|
|
|
| |
|
|
|
|
| |
|
|
|
|
