HIPAA FAQ – Disclosures Required by Law
Yes. The Privacy Rule permits a covered entity to disclose protected health information (PHI) without the authorization of the individual to a state-designated Protection and Advocacy (P&A) system to the extent that such disclosure is required by law and the disclosure complies with the requirements of that law. 45 CFR 164.512(a). The Developmental Disabilities Assistance and Bill of Rights Act (DD Act) provides for each state to designate a public or private entity as the Protection and Advocacy system to protect and advocate for the rights of individuals with developmental disabilities, including investigating incidents of abuse or neglect. The P&A designated pursuant to the DD Act is also the Protection and Advocacy system for purposes of the Protection and Advocacy for Individuals with Mental Illness Act (PAIMI Act) and is empowered to protect and advocate for the rights of individuals with mental illness. These statutes and their implementing regulations require that access to records be provided to P&As under certain circumstances. See the DD Act at 42 USCA 15043(a)(2)(I) and (J) and the PAIMI Act at 42 USCA 10805(a)(4), and their implementing regulations at 45 CFR 1386.22 and 42 CFR 51.41, respectively. Thus, a covered entity may disclose PHI as required by the DD and PAIMI Acts to P&As requesting access to such records in carrying out their protection and advocacy functions under these Acts. Similarly, covered entities may disclose PHI to P&As where another federal, state or other law mandates such disclosures, consistent with the requirements in such law. Where disclosures are required by law, the Privacy Rule’s minimum necessary standard does not apply, since the law requiring the disclosure will establish the limits on what should be disclosed. Moreover, with respect to required by law disclosures, a covered entity cannot use the Privacy Rule as a reason not to comply with its other legal obligations.
Section 164.512(a)(2) provides that in making a “required by law” disclosure about adult abuse, neglect or domestic violence (section 164.512(c)), for judicial or administrative proceedings (section 164.512(e)), or for law enforcement purposes (section 164.512(f)), covered entities must also comply with any additional privacy requirements in these provisions that apply. However, none of the additional procedural protections in sections 164.512(c), (e) and (f) apply to the type of “required by law” disclosures to P&As under the provisions of the DD and PAIMI Acts discussed here.
Yes. SSA requires nursing homes, extended care facilities, and intermediate care facilities to report to SSA, within 2 weeks, admissions information about anyone receiving SSI who is admitted to the institution. The purpose of these reporting requirements is to prevent SSI overpayments caused by a SSI recipient’s failure to timely report changes in eligibility.
These requirements are stated in the Social Security Act (42 U.S.C. 1383(e)(1)(C)), and communicated through SSA’s guidance and other implementation materials. The Privacy Rule permits covered entities to disclose protected health information without the individual’s authorization as required to comply with this law. See 45 CFR 164.512(a).
No. The Privacy Rule does not prohibit a covered entity from obtaining an individual’s consent to use or disclose his or her health information and, therefore, presents no barrier to the entity’s ability to comply with State law requirements.
Yes. The HIPAA Privacy Rule permits a covered entity to disclose protected health information as necessary to comply with State law. No minimum necessary determination is required. See 45 CFR 164.512(a) and 164.502(b).
No. The Privacy Rule is not intended to impede the flow of health information to those who need it to process or adjudicate claims, or coordinate care, for injured or ill workers under workers’ compensation systems. The minimum necessary standard generally requires covered entities to make reasonable efforts to limit uses and disclosures of, as well as requests for, protected health information to the minimum necessary to accomplish the intended purpose. For disclosures of protected health information made for workers’ compensation purposes under 45 CFR 164.512(l), the minimum necessary standard permits covered entities to disclose information to the full extent authorized by State or other law. In addition, where protected health information is requested by a State workers’ compensation or other public official for such purposes, covered entities are permitted reasonably to rely on the official’s representations that the information requested is the minimum necessary for the intended purpose. See 45 CFR 164.514(d)(3)(iii)(A).
For disclosures of protected health information for payment purposes, covered entities may disclose the type and amount of information necessary to receive payment for any health care provided to an injured or ill worker.
The minimum necessary standard does not apply to disclosures that are required by State or other law or made pursuant to the individual’s authorization.
“Payment” is broadly defined as activities by health plans or health care providers to obtain premiums or obtain or provide reimbursements for the provision of health care. The activities specified are by way of example and are not intended to be an exclusive listing. Billing, claims management, collection activities and related data processing are expressly included in the definition of “payment.” See the definition of “payment” at 45 CFR 164.501.
Obtaining information about the location of the individual is a routine activity to facilitate the collection of amounts owed and the management of accounts receivable, and, therefore, would constitute a payment activity. See 45 CFR 164.501. The covered entity and its business associate would also have to comply with any limitations placed on location information services by the Fair Debt Collection Practices Act (Federal Trade Commission).