[Login]

Final Rule for Standards for Privacy of Individually Identifiable Health Information. What the Rule Covers

Analysis by the AHIMA Policy and Government Relations Team

Uses and Disclosures for Which Consent, an Authorization, or Opportunity to Agree or Object Is Not Required

The Rule states (§164.512) that "a covered entity may use or disclose PHI without the written consent or authorization of the individual as described in Consent for Uses or Disclosures to Carry Out Treatment, Payment, or Health Care Operations and Uses and Disclosures for Which an Authorization is Required, respectively, or the opportunity for the individual to agree or object as described in Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object in the situations covered this section, subject to the applicable requirements of this section. When the covered entity is required by this section to inform the individual of, or when the individual may agree to, a use or disclosure permitted by this section the covered entity’s information and the individual’s agreement may be given orally.

Standard: Uses and Disclosure Required by Law

A covered entity may use or disclose PHI to the extent that such uses or disclosure is required by law and the use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law. However, a covered entity must meet the requirements descried in the section [below] for uses or disclosures required by law.

Standard: Uses and Disclosure for Public Health Activities

Permitted Disclosures
A covered entity may disclose PHI for the public health activities and purposes described in this paragraph to:

  • A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;

  • A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect;

  • A person subject to the jurisdiction of the Food and Drug Administration (FDA):
    • To report adverse events (or similar reports with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations if the disclosure is made to the person required or directed to report such information to the FDA;
    • To track products if the disclosure is made to a person required or directed by the FDA to track the product;
    • To enable product recalls, repairs, or replacement (including locating and notifying individuals who have received products of product recalls, withdrawals, or other problems); or
    • To conduct post-marketing surveillance to comply with requirements or at the direction of the FDA.
  • A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or

  • An employer, about an individual who is a member of the workforce of the employer, if:
    • The covered entity is a covered healthcare provider who is a member of the workforce of such an employer or who provides a healthcare [service] to the individual at the request of the employer to conduct an evaluation relating to medical surveillance of the workplace or to evaluate whether the individual has a work-related illness or injury;
    • The PHI that is disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance;
    • The employer needs such findings in order to comply with its obligations under 29 CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under state law having a similar purpose to record such illness or injury or to carry out responsibilities for workplace medical surveillance;
    • The covered healthcare provider provides written notice to the individual that PHI relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer;
    • By giving a copy of the notice to the individual when healthcare is provided; or
    • If the healthcare is provided on the work site of the employer, by posting the notice in a prominent place at the location where the healthcare is provided.

Permitted Uses
If the covered entity also is a public health authority, the covered entity is permitted to use PHI in all cases in which it is permitted to disclose such information for public health activities under "permitted disclosures."

Standard: Disclosures About Victims of Abuse, Neglect, or Domestic Violence

Permitted Disclosures
Except for reports of child abuse or neglect permitted by the section of permitted uses under public health, a covered entity may disclose PHI about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence:

  • To the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law;

  • If the individual agrees to the disclosure; or

  • To the extent the disclosure is expressly authorized by statute or regulation, and:
    • The covered entity, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or
    • If the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the PHI for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.

Informing the Individual
A covered entity that makes a disclosure permitted by the permitted uses [just above] of this section must promptly inform the individual that such a report has been or will be made, except if:

  • The covered entity, in the exercise of professional judgment, believes informing the individual would place the individual at risk of serious harm; or

  • The covered entity would be informing a personal representative, and the covered entity reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual as determined by the covered entity, in the exercise of professional judgement.

Standard: Uses and Disclosures for Health Oversight Activities

Permitted Disclosures
A covered entity may disclose PHI to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:

  • The healthcare system;

  • Government benefits programs for which health information is relevant to beneficiary eligibility;

  • Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or

  • Entities subject to civil rights laws for which health information is necessary for determining compliance.

Exception to Health Oversight Activities
For the purpose of the disclosures permitted by "permitted disclosures" [see above] of this section, a health oversight activity does not include an investigation or other activity in which the individual is the subject of the investigation or activity and such investigation or other activity does not arise from and is not directly related to:

  • The receipt of healthcare;
  • A claim for public benefits related to health; or
  • Qualifications for, or receipt of, public benefits or services when a patient’s health is integral to the claim for public benefits or services.

Joint Activities or Investigations
Notwithstanding the paragraph on "exception to health oversight activities," if a health oversight activity or investigation is conducted in conjunction with an oversight activity or investigation relating to a claim for public benefits not related to health, the joint activity or investigation is considered a health oversight activity for purposes of the standard for "uses and disclosures for health oversight activities."

Permitted Uses
If a covered entity is also a health oversight agency, the covered entity may use PHI for health oversight activities as permitted by the standard for "uses and disclosures for health oversight activities."

Standard: Disclosures for Judicial and Administrative Proceedings

Permitted Disclosures
A covered entity may disclose PHI in the course of any judicial or administrative proceeding:

  • In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the PHI expressly authorized by such order; or

  • In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if the covered entity receives satisfactory assurance from the party seeking the PHI that reasonable efforts have been made by such party to:
    • Ensure that the individual who is the subject of the PHI that has been requested has been given notice of the request by receiving from such party a written statement and accompanying documentation demonstrating that:
    • The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual’s location is unknown, to mail a notice to the individual’s last known address);
    • The notice included sufficient information about the litigation or proceeding in which the PHI is requested to permit the individual to raise an objection to the court or administrative tribunal; and
    • The time for the individual to raise objections to the court or administrative tribunal has elapsed, and no objectives were filed or all objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution; or
    • public a qualified protective order by receiving from such party a written statement and accompanying documentation demonstrating that:
    • The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or
    • The party seeking the PHI has requested a qualified protective order from such court or administrative tribunal.
  • A qualified protective order means—with respect to PHI requested in this section—by an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that:
    • Prohibits the parties from using or disclosing the PHI for any purpose other than the litigation or proceeding for which such information was requested; and
    • Requires the return to the covered entity or destruction of the PHI (including all copies made) at the end of the litigation or proceeding.
  • A covered entity may disclose PHI in response to lawful process described above without receiving satisfactory assurance if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of this section or to seek a qualified protective as noted above.

Standard: Disclosure for Law Enforcement Purposes

A covered entity may disclose PHI for a law enforcement purpose to a law enforcement official if the following conditions are met, as applicable:

Permitted Disclosures: Pursuant to Process and as Otherwise Required by Law
A covered entity may disclose PHI:

  • As required by law including laws that require the reporting of certain types of wounds or other physical injuries, except for laws that require special reporting to special agencies.

  • In compliance with and as limited by the relevant requirements of:
    • A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer;
    • A grand jury subpoena; or
    • An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:
    • The information sought is relevant and material to a legitimate law enforcement inquiry;
    • The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
    • De-identified information could not reasonably be used.

Permitted Disclosures: Limited Information for Identification and Location Purposes
Except for disclosures required by law as permitted pursuant to process and as otherwise required by law [above], a covered entity may disclose PHI in response to a law enforcement official’s request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that only the following information is disclosed:

  • Name and address;
  • Date and place of birth;
  • Social security number;
  • ABO blood type and rh factor;
  • Type of injury;
  • Date and time of treatment;
  • Date and time of death, if applicable; and
  • A description of distinguishing physical characteristics, including health, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.

This section also discusses the issue of releasing information related to "DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue" for identification and location purposes. Covered entities cannot release any of this information, with the exception of the eight categories, noted just above, which can in some cases be determined through analysis such as DNA testing and the like.

Permitted Disclosures: Victims of a Crime
A covered entity may disclose PHI in response to a law enforcement official’s request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to laws that require special reporting to special agencies, if the individual agrees to the disclosure or the covered entity is unable to obtain the individual’s agreement because of incapacity or other emergency circumstance, provided that:

  • The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim;

  • The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and

  • The disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of professional judgement.

Permitted Disclosure: Decedents
A covered entity may disclose PHI about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if the covered entity has a suspicion that such death may have resulted from criminal conduct.

Permitted Disclosure: Crime on Premises
A covered entity may disclose to a law enforcement official PHI that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity.

Permitted Disclosure: Reporting Crime in Emergencies

  • A covered healthcare provider providing emergency healthcare in response to a medical emergency, other than such emergency on the premises of the covered health-care provider, may disclose PHI to a law enforcement official if such disclosure appears necessary to alert law enforcement to:
    • The commission and nature of a crime;
    • The location of such crime or of the victim(s) of such crime; and
    • The identity, description, and location of the perpetrator of such crime;
  • If a covered healthcare provider believes that the medical emergency is the result of abuse, neglect or domestic violence of the individual in need of emergency healthcare, this section, "report crime in emergencies" does not apply; rather, the standards under "Disclosures About Victims of Abuse, Neglect or Domestic Violence," apply

Standard: Uses and Disclosures About Decedents

Coroners and Medical Examiners
A covered entity may disclose PHI to a corner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. A covered entity that also performs the duties of a coroner or medical examiner may use PHI for the purposes described here.

Funeral Directors
A covered entity may disclose PHI to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. If necessary for funeral directors to carry out their duties, the covered entity may disclose the PHI prior to, and in reasonable anticipation of, the individual’s death.

Uses and Disclosures for Cadaveric Organ, Eye, or Tissue Donation Purposes
A covered entity may use or disclose PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation.

Standard: Uses and Disclosures for Research Purposes

Permitted Uses and Disclosures
A covered entity may use or disclose PHI for research, regardless of the source of funding of the research provided that:

Board Approval of a Waiver of Authorization
The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by Uses and Disclosures for Which an Authorization Is Required for use or disclosure of PHI has been approved by either:

  • An Institutional Review Board (IRB), established in accordance with federal law [see 65FR82816]; or

  • A privacy board that:
    • Has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual’s privacy right and related interests;
    • Includes at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities; and
    • Does not have any member participating in a review of any project in which the member has a conflict of interests.

Reviews Preparatory to Research
The covered entity obtains from the researcher representations that:

  • Use or disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research;

  • No PHI is to be removed from the covered entity by the researcher in the course of the review; and

  • The PHI for which use or access is sought is necessary for the research purposes.

Research on Decedent’s Information
The covered entity obtains from the researcher:

  • Representation that the use or disclosure sought is solely for research on the PHI of decedents;

  • Documentation, as the request of the covered entity, of the death of such individuals; and

  • Representation that the PHI for which use or disclosure is sought is necessary for the research purposes.

Documentation of Waiver Approval
For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver under the "board approval of a waiver" section above, the documentation must include all of the following:

Identification and Date of Action
A statement identifying the IRB or privacy board and the date on which the alteration or waver of the authorization was approved;

Waiver Criteria
A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria:

  • The use or disclosure of PHI involves no more than minimal risk to the individuals;

  • The alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals;

  • The research could not practicably be conducted without the alteration or waiver;

  • The research could not practicably be conducted without access to and use of the PHI;

  • The privacy risks to individuals whose PHI is to be used or disclosed are reasonable in relation to the anticipated benefits, if any, to the individuals, and the importance of the knowledge that may reasonably be expected to result from the research;

  • There is an adequate plan to protect the identifiers from improper use and disclosure;

  • There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers, or such retention is otherwise required by law; and

  • There are adequate written assurances that the PHI will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of PHI would be permitted by this [Rule].

Protected Health Information Needed
A brief description of the PHI for which use or access has been determined to be necessary by the IRB or privacy board had determined;

Review and Approval Procedures
A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows:

  • An IRB must follow the requirements of the Common Rule (45CFR46), including the normal review procedures or the expedited review procedures required under federal law;

  • A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion for nonaffiliation (stated above);

  • A privacy board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subjects of the PHI for which use or disclosure is being sought. If the privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair; and

Required Signature
The documentation of the alteration or waiver of authorization must be signed by the chair or other member, as designated by the chair, of the IRP or the privacy board, as applicable.

{This section on release of PHI for research purposes without authorization generated considerable discussion and comment when introduced in the NPRM. Readers are directed to 65FR82535-82539 in the section-by-section of the preamble, and 65FR82689-82699 in the comments section if interested. The secretary does note some concern for situations where a noncovered entity might receive PHI as proposed, but violates the internal commitments and releases the information.

According to the Rule, even if such a waiver is approved, the institution must still note research disclosures (general not specific) in its Notice. Such a note in the Notice might motivate some individuals and patients to restrict the release of their information, or cause them to seek healthcare from an entity not involved in research.

The IRB review process has been operating for some time under the Common Rule. Covered entities’ (healthcare providers) involvement with IRBs have varied. It will be up to the covered provider to ensure the changes in IRB or privacy board processes meet the requirements of this Rule and that the on-going activity of the IRB/privacy board maintain its compliance to this Rule and the other rules that are applicable.

A review of this rule might cause some covered entities to consider a privacy board, as described in this section of the Rule. Adoption of such a board does call for the involvement of unrelated parties and certain attendance requirements. This should be seriously considered.

There are several national organizations calling for further review of the federal rules on the use of PHI in medical research. If your organization is involved with research, it would be best to regularly monitor the developments concerning this issue.}

Standard: Uses and Disclosures to Avert a Serious Threat to Health or Safety

Permitted Disclosures
A covered entity may – consistent with applicable law and standards of ethical conduct – use or disclose PHI, if the covered entity, in good faith, believes the use or disclosure:

  • Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and disclosure is made to a person or persons whom can reasonably prevent or lessen the threat, including the target of the threat; or

  • Is necessary for law enforcement authorities to identify or apprehend an individual:
    • Because of a statement by an individual admitting participation in a violent crime that the covered entity reasonably believes may have caused serious physical harm to the victim;

      {Note that in such a case the covered entity can only release the "statement" and not any other information except for that indicated in "Disclosures for Law Enforcement Purposes" noted above.}

      or
    • Where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody as those terms are defined in [this Rule].

Use or Disclosure Not Permitted
A use or disclosure pursuant to this section may not be made if the information described (see above) is learned by the covered entity:

  • In the course of treatment to affect the propensity to commit the criminal conduct that is the basis for the disclosure noted above, or counseling or therapy; or

  • Through a request by the individual to initiate or be referred for the treatment, counseling, or therapy just described.

Presumption of Good Faith Belief
A covered entity that uses or discloses PHI pursuant to "permitted disclosure" is presumed to have acted in good faith with regard to a belief that the individual may have caused serious physical harm to the victim or that the individual has escaped from a correctional institution or from lawful custody, if the belief is based upon the covered entity’s actual knowledge or in reliance on credible representation by a person with apparent knowledge or authority.

Standard: Uses and Disclosure for Specialized Government Functions

Military and Veterans
"A covered entity may use and disclose the PHI of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, based on a future Federal Register notice to be published which will define who the appropriate military command authorities are and for what purposes PHI may be used or disclosed."

Separation or Discharge
"A covered entity that is a component of the Departments of Defense or Transportation may disclose to the Department of Veterans Affairs (DVA) the PHI of an individual who is a member of the Armed Forces upon the separation or discharge of the individual from military service for the purpose of a determination by DVA of the individual’s eligibility for or entitlement to benefits under laws administered by the Secretary of Veterans Affairs"

Veterans
"A covered entity that is a component of the DVA may use and disclose PHI to components of the Department that determine eligibility for or entitlement to, or that provide, benefits under the laws administered by the Secretary of Veterans Affairs."

Foreign Military Personnel
A covered entity may use and disclose the PHI of individuals who are foreign military personnel to their appropriate foreign military authority for the same purposes for which use and disclosures are permitted for Armed Forces personnel under the notice to be published for "Military and Veterans" above.

{While the items for separation or discharge and veterans pertain to armed forces and veterans entities, the sections on military service and foreign military personnel will apply to all covered entities once the notice referred to is published. Covered entities will have to watch for such a notice and may have to include reference to such a notice in their Privacy Notice.}

National Security and Intelligence Activities
A covered entity may disclose PHI to authorized federal officials for the conduct of lawful intelligence, counterintelligence, and other national security activities authorized by the National Security Act (50 U.S.C. 401, et seq.) and implementing authority (for example, Executive Order 12333).

Protective Services for the President and Others
A covered entity may disclose PHI to authorized federal officials for the provision of protective services to the president or other persons authorized by 19 U.S.C. 3056, or to foreign heads of state or other persons authorized by 22 U.S.C. 2709(a)(3), or to the conduct of investigations authorized by 18 U.S.C. 871 and 879.

Medical Suitability Determinations
The Rule covers some unique situations for covered entities that are only a component of the US Department of State. {As such, this section should not be viewed as required by any other entities.}

{The three situations above are not situations most covered entities will encounter. Such situations should fall into an entity’s plan to direct such inquires to a source that can determine the validity of such a request.}

Correctional Institutions and Other Law Enforcement Custodial Situations

Permitted Disclosures
"A covered entity may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual PHI about such inmate or individual, if the correctional institution or such law enforcement official represents that such PHI is necessary for:

  • The provision of health care to such individuals;

  • The health and safety of such individual or other inmates;

  • The health and safety of the officers or employees of or others at the correctional institution;

  • The health and safety of such individuals and officers or other persons responsible for the transporting of inmates or their transfer from one institution, facility, or setting to another;

  • Law enforcement on the premises of the correctional institution; and

  • The administration and maintenance of the safety, security, and good order of the correctional institution."

Permitted Uses
"A covered entity that is a correctional institution may use PHI of individuals who are inmates for any purpose for which such PHI may be disclosed."

No Application After Release
"For the purposes of this provision, an individual is no longer an inmate when released on parole, probation, supervised release, or otherwise is no longer in lawful custody."

{This set of requirements will require close attention. The permitted disclosures vary on what can be disclosed, to whom, and when. There is actually limited information that can be disclosed to the immediate custodian of the inmate or individual, who is the official most likely to be present as treatment is provided. Training of the entity’s workforce on these differences will be necessary. Note that the permission is negated once there is a release.}

Covered Entities That Are Government Programs Providing Public Benefits

  • "A health plan that is a government program providing public benefits may disclose PHI relating to eligibility for or enrollment in the health plan to another agency administering a government program providing public benefits if the sharing of eligibility or enrollment information among such government agencies or the maintenance of such information is a single or combined data system accessible to all such government agencies is required or expressly authorized by statute or regulation."

  • "A covered entity that is a government agency administering a government program providing public benefits may disclose PHI related to the program to another covered entity that is a government agency administering a government program providing public benefits if the programs serve the same or similar populations and the disclosure of PHI is necessary to coordinate the covered functions of such programs or to improve administration and management relating to the covered functions of such programs."

{Both of these sections relate to programs within a "government." The first limits the PHI to eligibility and enrollment purposes, but the second is much more broad. Protections here would have to be provided in the federal or local regulations governing these agencies.}

Standard: Disclosure for Workers’ Compensation

"A covered entity may disclose PHI as authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs, established by law, that provide benefits for work-related injuries or illnesses without regard to fault."

{Workers’ compensation programs are not covered under HIPAA. There is no requirement for such programs to use the Transaction Standards and Codes. This section would seem to provide additional authority for PHI disclosure even though it would also fall under payment activities. Affected covered entities might want to note this in their Privacy Notice.}

Presidential Executive Order: To Protect the Privacy of Protected Health Information in Oversight Investigations

On December 26, 2000 the President Clinton issued Executive Order 13181 in the Federal Register (65FR81321-81323 at http://www.access.gpo.gov/su_docs/fedreg/a001226c.html ).

Essentially the order indicates that the policy of the US Government will be "that law enforcement [federal] may not use PHI concerning an individual that is discovered during the course of health oversight activities for unrelated civil, administrative, or criminal investigations of a non-health oversight matter, except when the balance of relevant factors weights clearly in favor of its use. That is, PHI may not be so used unless the public interest and the need for disclosure clearly outweigh the potential for injury to the patient, to the physician-patient relationship, and to the treatment services."

Go to next section, Other Requirements Relating to Uses and Disclosures of Protected Health Information.

Go to previous section, Uses and Disclosures Requiring an Opportunity for the Individual to Agree or to Object.

Go to document index.