Uses and Disclosures of Protected Health Information
About This Policy
- Effective Date:
- Date of Last Review/Update:
- Responsible University Office:
- HIPAA Privacy and Security Compliance Office
- Responsible University Administrator:
- Vice President for University Clinical Affairs
This policy applies to all personnel, regardless of affiliation, who create, access or store Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”) under the auspices of Indiana University, designated for purposes of complying with the final provisions of the Privacy and Security Rules regulated by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
This policy applies to protected health information in any form: oral, electronic and paper.
Indiana University (IU) HIPAA Affected Areas will appropriately use and disclose protected health information for purposes permitted or required under the HIPAA and HITECH Acts, and other applicable rules, regulations, and laws. In some circumstances, Indiana State law may be more stringent and may preempt HIPAA.
When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, IU HIPAA Affected Areas will make reasonable efforts to limit the protected health information to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request. It is important to note: Minimum necessary does not apply to uses and disclosures for treatment purposes.
Permitted uses and disclosures
IU HIPAA Affected Areas may generally use and disclose protected health information for treatment, payment, and health care operations without the individual’s authorization and without providing the individual with an opportunity to agree or object.
- Treatment. IU HIPAA Affected Areas may use and disclose protected health information to provide, coordinate or manage health care and related services to carry out treatment functions.
- Payment. IU HIPAA Affected Areas may use and disclose protected health information to bill and collect payment for the treatment and services provided to the patient. Payment includes, but is not limited to, actions relating to eligibility or coverage determinations, billing, claims management, collection activities, reviews for medical necessity determinations and appropriateness of care, utilization review and pre-authorizations
- Health Care Operations. IU HIPAA Affected Areas may use and disclose protected health information in order to conduct its normal business operations. Health care operations may include:
- Conducting quality assessment and improvement activities;
- Activities relating to improving or reducing health care costs;
- Contacting patients with information regarding treatment alternatives;
- Conducting audits; and
- Reviewing the competence or qualifications of health care professionals
Uses and disclosures for which an authorization or opportunity to agree or object is not required
IU HIPAA Affected Areas may use and/or disclose protected health information when permitted or required to do so by federal, state or local law. This may be done in the following circumstances without the individual’s authorization and without providing the individual an opportunity to agree or object.
- Judicial & Administrative Proceedings. IU HIPAA Affected Areas may disclose protected health information in the course of any judicial or administrative proceeding, in response to an order of a court or administrative tribunal (to the extent such disclosure is expressly authorized) or in certain conditions in response to a subpoena, discovery request or other lawful process.
- Law Enforcement Purposes. IU HIPAA Affected Areas may disclose protected health information for certain law enforcement purposes, such as:
- In response to a court order, subpoena, warrant, summons or similar process;
- To identify or locate a suspect, fugitive, material witness or missing person;
- About the victim of a crime, if under certain limited circumstances, we are unable to obtain the person’s agreement;
- About a death we believe may be the result of criminal conduct;
- About criminal conduct at the hospital; and
- In emergency circumstances, to report a crime, the location of the crime or victims, or the identity, description or location of the person who committed the crime.
- Report Abuse, Neglect or Domestic Violence. IU HIPAA Affected Areas may disclose protected health information to a public health authority that is permitted by law to receive reports of child abuse or neglect, and to notify the appropriate government authority if the HIPAA Affected Area believes the individual has been the victim of abuse, neglect, or domestic violence. Such disclosures will only be made when required or authorized by law.
- Public Health Activities. IU HIPAA Affected Areas may disclose protected health information for public health activities and purposes to a public health authority that is permitted by law to receive the information. These activities generally include the following:
- To prevent or control disease, injury or disability;
- To report births and deaths;
- To report child abuse or neglect
- To report reactions to medications or problems with products;
- To notify people of recalls of products they may be using; and
- To notify a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition.
- Health Oversight Activities. IU HIPAA Affected Areas may disclose protected health information to a health oversight agency for activities that are authorized by law. Such activities include, but are not limited to, audits, investigations, inspections, and licensure. These activities are necessary for the government to monitor the health care system, government programs, and compliance with civil rights laws.
- Disclosures about Decedents. IU HIPAA Affected Areas may disclose protected health information about deceased individuals to:
- Coroners and medical examiners for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. If the HIPAA Affected Area also performs the duties of a coroner or medical examiner the HIPAA Affected Area may use protected health information for the purposes described in this paragraph.
- Funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. If necessary, the HIPAA Affected Area may disclose the protected health information prior to, and in reasonable anticipation of, the individual’s death.
- Cadaveric organ, eye or tissue donations. IU HIPAA Affected Areas may disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation.
- To avert a serious threat to health or safety. IU HIPAA Affected Areas may disclose protected health information when necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Any disclosure would be to someone who is able to help prevent the threat.
- Specialized government functions. IU HIPAA Affected Areas may use and/or disclose protected health information for national security and intelligence purposes authorized by the National Security Act, for protective services of the President and for certain military functions related to federal military personnel as required by military command authorities. We may also release protected health information about foreign military personnel to the appropriate foreign military authority.
- Workers’ compensation. IU HIPAA Affected Areas may disclose protected health information for workers' compensation or other similar programs. These programs provide benefits for work-related injuries or illnesses.
- Workforce Member in a Whistleblower Action. In limited circumstances, a workforce member may use and disclosure protected health information for a whistleblower action, subject to the following criteria: the workforce member believes in good faith that the IU has engaged in unlawful conduct or that the care endangers one or more patients, workers, or the public and the disclosure is to:
- a health oversight agency authorized to investigate those claims, or
- an attorney retained on the Workforce Member’s behalf
- Workforce Members Who Are Victims of a Crime. A member of IU’s workforce, who is a victim of a crime, may disclose protected health information to a law enforcement official provided that the protected health information disclosed is about the suspected perpetrator of the crime. IU will only disclose the limited information as set forth by §164.512(f)(2)(i), which includes:
- Name and Address
- Date and Place of Birth
- Social Security Number
- ABO Blood Type
- Type of Injury
- Date and Time of Treatment
- Date and time of death, if applicable
- A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.
Uses and disclosures for which an authorization is required.
A signed authorization shall be obtained from an individual before using or disclosing that individual’s protected health information, unless otherwise permitted or required as described in this policy. Authorizations shall also be obtained prior to using and disclosing protected health information for research purposes, except for very limited circumstances permitted by HIPAA and the Common Rule.
- Marketing. An individual’s protected health information shall not be used or disclosed for marketing purposes without obtaining an authorization from the individual who is the subject of the protected health information, or their personal representative.
- Psychotherapy Notes. Use and disclosure of psychotherapy notes is subject to a heightened level of privacy/security under HIPAA/HITECH. Certain disclosures of your psychotherapy notes and mental health records may require your prior written authorization.
Uses and disclosures requiring an opportunity for the individual to agree or to object
Individuals will be given the opportunity to agree or object to the following uses/disclosures of their protected health information:
- Individuals Involved in the Patient’s Care. Unless the patient indicates otherwise, the IU HIPAA Affected Areas may disclose to a relative, a close friend or any other person designated by the patient, protected health information which directly relates to that person’s involvement in the patient’s healthcare. If the patient is unable to agree or object to such a disclosure, the HIPAA Affected Area may disclose such information as necessary for healthcare, if, based on professional judgment, it is determined to be in the patient’s best interest.
- Notification. We may disclose protected health information to notify or assist in notifying a family member or personal representative (or any other person who is responsible for the patient’s care) of the patient’s location, general condition or death.
- Disaster-Relief Efforts. IU HIPAA Affected Areas may disclose protected health information to an authorized public or private entity to assist in disaster-relief efforts.
Other requirements relating to uses and disclosures of protected health information
- Required Disclosures.
IU HIPAA Affected Areas will disclose protected health information to an Individual, when requested for access or accounting of disclosures; and when required by the Secretary of HHS for investigations of compliance.
- Business Associates.
IU HIPAA Affected Areas may disclose protected health information to business associates and allow business associates to receive, create, use, obtain, or transmit protected health information to perform covered functions or activities, provided that the HIPAA Affected Area obtains and documents reasonable assurances that the business associate will appropriately safeguard the protected health information. The reasonable assurance must be documented in the form of a business associate agreement.
- Minimum Necessary Requirements.
When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, IU HIPAA Affected Areas will make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. *Minimum necessary does not apply to uses and disclosures for treatment purposes.
- Limited Data Sets.
A limited data set may be used or disclosed only for the purposes of research, public health or health care operations, so long as the IU HIPAA Affected Area enters into a data use agreement with the recipient prior to the use or disclosure of the limited data set. As further described in IU Policy HIPAA-P06, the IU HIPAA Affected Areas may use or disclose protected health information to a Business Associate for the creation of a limited data set.
IU HIPAA Affected Areas may freely use and disclose de-identified health information without obtaining an individual’s authorization. De-identified information is health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual. The standard for de- identification involves removing a range of nineteen different types of identifying information concerning the individual, the individual’s employer, relatives and household members. For more details regarding de-identified data, see IU Policy HIPAA-P06.
- Research purposes.
IU HIPAA Affected Areas may use or disclose certain protected health information for the purpose of research in accordance with IU Standard Operating Procedures for Human Subject Research.
IU HIPAA Affected Areas may use or disclose certain protected health information for the purpose of raising funds for the benefit of HIPAA covered entities, without an authorization, in accordance with IU Policy HIPAA-P04.
Protected health information may be disclosed to IU’s health plan as necessary to carry out administrative functions of the Plan, such as underwriting, premium rating or other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefit; however, if such health insurance or health benefits are not placed with the health plan, then the plan may not use or disclose such protected health information for any other purpose except as may be required by law.
- Verification Requirements.
Prior to disclosing protected health information pursuant to this policy, the IU HIPAA Affected Area must reasonably verify the identity of the person requesting the information and the authority of that person to have access to the protected information. See verification procedures at: http://protect.iu.edu/cybersecurity/data/identities.
Reason for Policy
The purpose of this policy is to provide guidance regarding the use and disclosure of protected health information in accordance with Indiana University’s policies and procedures and applicable state and federal laws.