HIPAA Compliance

HIPAA Final Rule: Covered Entities–Permitted Uses and Disclosures & Required Disclosures

March 4, 2013. Categories: American Recovery and Reinvestment Act, Health IT and HITECH, HIPAA Law, Privacy

March 4, 2013.  Today, we start going through the HIPAA Privacy Rule, section by section, as modified in the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules, which was published in the Federal Register on January 25, 2013.  The effective date of the Final Rule is March 26, 2013, and covered entities and business associates must comply by September 23, 2013.

Our focus today is on covered entities in 45 CFR 164.502: Uses and disclosures of protected health information: General Rules—(a) Standard.  A covered entity or business associate may not use or disclose protected health information, except as permitted or required by [the HIPAA Privacy Rule] or by subpart C of part 160 of this subchapter [Compliance and Investigations of General Administrative Requirements of Administrative Data Standards and Related Requirements].  Below we present the modified regulations pertaining to (1) Covered entities:  Permitted uses and disclosures; and (2) Covered entities:  Required disclosures.  (78 Federal Register 5696)

(1) Covered entities:  Permitted uses and disclosures.  A covered entity is permitted to use or disclose protected health information as follows:

(i) To the individual;

(ii) For treatment, payment, or health care operations, as permitted by and in compliance with 45 CFR 164.506 [Uses and disclosures to carry out treatment, payment, or health care operations];

(iii) Incident to a use or disclosure otherwise permitted or required by [the HIPAA Privacy Rule], provided that the covered entity has complied with the applicable requirements of 45 CFR 164.502(b) [Uses and disclosures of protected health information—Standard.  Minimum necessary], 164.514(d) [Other requirements relating to uses and disclosures of protected health information—Minimum necessary requirements], and 164.530(c) [Administrative requirements—Safeguards] with respect to such otherwise permitted or required use or disclosure;

(iv) Except for uses and disclosures prohibited under 45 CFR 164.502(a)(5)(i) [Prohibited uses and disclosures—Use and disclosure of genetic information for underwriting purposes], pursuant to and in compliance with a valid authorization under 45 CFR 164.508 [Uses and disclosures for which an authorization is required];

(v) Pursuant to an agreement under, or as otherwise permitted by, 45 CFR 164.510 [Uses and disclosures requiring an opportunity for the individual to agree or to object];

(vi) As permitted by and in compliance with this section, 45 CFR 164.512 [Uses and disclosures for which an authorization or opportunity to agree or object is not required], 164.514(e) [Other requirements relating to uses and disclosures of protected health information—Standard:  Limited data set], 164.514(f) [Fundraising communications], or 164.514(g) [Standard:  Uses and disclosures for underwriting and related purposes].

(2) Covered entities:  Required disclosures. A covered entity is required to disclose protected health information:

(i) To an individual, when requested under, and required by 45 CFR 164.524 [Access of individuals to protected health information] and 164.528 [Accounting of disclosures of protected health information]; and

(ii) When required by the Secretary under subpart C of part 160 of this subchapter [Compliance and Investigations of General Administrative Requirements of Administrative Data Standards and Related Requirements] to investigate or determine the covered entity’s compliance with this subchapter.

Tomorrow, we look at modified permitted and required uses and disclosures regulations pertaining to business associates.

Tags: accounting of disclosures, administrative data standards, authorization, business associate, compliance and investigations, compliance date, covered entities, effective date, fundraising communication, Health Care Operations, HIPAA Final Rule, HIPAA PRIVACY RULE, limited data set, March 26 2013, minimum necessary, minimum necessary requirements, Modifications, Payment, permitted disclosures, permitted uses, protected health information, required disclosures, safeguards, Secretary, September 23 2013, standard, Treatment, underwriting
© 2023 · hipaa.com
