HIPAA Compliance Plan
« Previous PageHIPAA Survival Guide Table of ContentsNext Page »

Make sure you are Omnibus Rule Compliant: HIPAA Privacy Checklist.

§ 164.506 Uses and disclosures to carry out treatment, payment, or health care operations

(a) Standard: Permitted uses and disclosures. Except with respect to USE AND DISCLOSURE that requires authorization, a Covered Entity may use and disclose Protected Health Information for treatment, payment or health care operations as provided for in (c) below.

(b) Standard: Consent for uses and disclosures permitted. A Covered Entity may obtain consent to disclose Protected Health Information for treatment, payment or health care operations. However, consent is not effective wherein an explicit authorization is required.

(c) Implementation specifications: Treatment, payment, or health care operations. Generally, a Covered Entity can use and disclose Protected Health Information for its own treatment, payment or health care operations and with other CE's where the appropriate relationships exist.

HIPAA Survival Guide Note

Consent for the purposes listed above is clearly a best practice but not mandated. However, obtaining consent is certainly consistent with the principle of "do the right thing" and a core component of an effective compliance strategy. The notice requirement (§160.520) does mandate that a "good faith" attempt be made to notify and obtain consent, and to otherwise document such attempts whether or not consent was granted.

§ 164.508 Uses and disclosures for which an authorization is required

Introductory Comment: The next three sections, taken as a whole, describe various options available to a provider regarding the concept of authorization. The current section (§164.508) mandates authorization in certain cases, the next section (§164.510) gives the individual an opportunity to "vote" on authorization, and the final section (§164.512) is where individual does not get the opportunity to "vote" on authorization.

(a) Standard: Authorizations for uses and disclosures.

(1) Authorization required: General rule. Except as otherwise permitted, a Covered Entity may not use or disclosed Protected Health Information unless it is valid under this section. All use and disclosure must be consistent with the authorization obtained.

(2) Authorization required. Psychotherapy notes.

HIPAA Survival Guide Note

Read the subsection in its entirety if you need to disclose such notes. You must get authorization to disclose, this is absolutely a "bright line" rule.

(3) Authorization required. Marketing. You must get authorization to use and disclose Protected Health Information for marketing purposes unless it is face-to-face communication between the Covered Entity and the individual or a promotional gift of nominal value provided by the CE. If remuneration for marketing is provided by a third party then the authorization must state as much.

HIPAA Survival Guide Note

Clearly marketing abuse is one of the things that the PR wants to prevent. In general, if you are not "marketing" and you do not disclose psychotherapy notes then you do not need to be concerned with authorizations.

(b) Implementation specifications: General requirements.

(c) Implementation specifications: Core elements and requirements.

HIPAA Survival Guide Note

If you do require authorizations as defined in (a) above, then sections (b) and (c) of this standard contain a list of detailed requirements that must be met. You should seek advice of counsel to ensure compliance.

Make sure you are Omnibus Rule Compliant: HIPAA Privacy Checklist.

« Previous PageHIPAA Survival Guide Table of ContentsNext Page »