The new federal privacy regulations under the HIPAA establish that "covered entities'' may not use or disclose "protected health information''
except as permitted by the privacy regulation.23 The regulation defines ''covered entities'' to include health care providers (e.g. doctors, hospitals, labs, pharmacies, clinics),24 health plans, and health care clearinghouses.25 By requiring certain contractual terms in all covered entities' contracts with vendors, suppliers, and anyone else who may process or come into contact with protected health information in performing services for the covered entity, the regulation indirectly applies to business associates of covered entities as well.26
Under the privacy regulation, only the following categories of uses and disclosures of protected health information are permitted:
1. for purposes of treatment, payment, and health operations, with an individual's written consent ("Consent");27
2. for purposes unrelated to treatment, payment, or health operations (including research), with an individual's written authorization ("Authorization");28
3. for certain other purposes enumerated in the regulation, including protecting the public health and conducting research under a waiver of authorization, provided that applicable conditions are met.29
Moreover, even with respect to permitted uses and disclosures, a covered entity may use or disclose only the minimum necessary information to accomplish the intended purpose.30 Unless every use or disclosure of information fits within one of these permitted categories, the provider or health plan would be exposed to potential civil and criminal penalties for supplying information to a
23 See 65 Fed. Reg. at 82 805 (codified at 45 C.F.R. § 164.502(a)).
24 Id. at 82 799 (codified at 45 C.F.R. § 160.103).
25 See id. at 82 798 (codified at 45 C.F.R. § 160.102(a)).
26 See id. at 82 798, 82 806, 82 808 (codified at 45 C.F.R. §§ 160.103, 164.502(e), 164.504(e)).
27 See id. at 82 810-11 (codified at 45 C.F.R. § 164.506).
28 See id. at 82 811-12 (codified at 45 C.F.R. § 164.508).
29 See id. at 82 813-18 (codified at 45 C.F.R. § 164.512).
30 See id. at 82 805-06, 82 819 (codified at 45 C.F.R.
§§ 164.502(b),-.514(d)). The ''minimum necessary'' requirement does not apply to disclosures to a health care provider for treatment purposes. See id. at 82 805 (codified at 45 C.F.R. § 164.502(b)(2)(i)).
researcher. Likewise, the researcher may be exposed to potential criminal penalties for obtaining or disclosing such information if the covered entity did not comply with the regulation in supplying it to the researcher.31
Was this article helpful?