§164.512(d) Standard: Uses and disclosures for health oversight activities
(1) Permitted disclosures. A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:
(i) The health care system;
(ii) Government benefit programs for which health information is relevant to beneficiary eligibility;
(iii) Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
(iv) Entities subject to civil rights laws for which health information is necessary for determining compliance.
§164.512(d)(2) Exception to health oversight activities. For the purpose of the disclosures permitted by paragraph (d)(1) of this section, a health oversight activity does not include an investigation or other activity in which the individual is the subject of the investigation or activity and such investigation or other activity does not arise out of and is not directly related to:
(i) The receipt of health care;
(ii) A claim for public benefits related to health; or
(iii) Qualification for, or receipt of, public benefits or services when a patient’s health is integral to the claim for public benefits or services.
§164.512(d)(3) Joint activities or investigations. Notwithstanding paragraph (d)(2) of this section, if a health oversight activity or investigation is conducted in conjunction with an oversight activity or investigation relating to a claim for public benefits not related to health, the joint activity or investigation is considered a health oversight activity for purposes of paragraph (d) of this section.
§164.512(d)(4) Permitted uses. If a covered entity also is a health oversight agency, the covered entity may use protected health information for health oversight activities as permitted by paragraph (d) of this section.
Audit Inquiry
Is PHI used or disclosed for health oversight activities consistent with the established performance criterion?
Obtain and review policies and procedures for using or disclosing PHI for health oversight activities.
Obtain a sample of disclosures made for this purpose and verify that the established performance criterion has been met.
Regarding §164.512(d)(4), is the covered entity also a health oversight agency? If so, is PHI used for health oversight activities conducted by the covered entity?
If yes, obtain and review policies and procedures for using PHI for health oversight activities conducted by the covered entity and determine whether they are consistent with the requirements of the established performance criterion.
Obtain a sample of uses made for this purpose and verify that the established performance criterion has been met.