HIPAA Compliance Plan

§ 164.502 Uses and disclosures of protected health information: general rules

Introductory Comment: This section is lengthy. The actual text is broken down into a number of "standards" with "implementation specifications." The standards are labeled (a), (b), (c) etc. We list/paraphrase the standard and where appropriate add commentary.

(a) Standard: A covered entity may not use or disclose PHI, except as permitted or required by the rules.

Permitted uses and disclosures:

(1) To the individual

(2) For treatment, payment, or otherwise in compliance with the rules

(3) Incident to an otherwise permitted use

HIPAA Survival Guide Note

There are other permitted uses (e.g. when authorized) as well as some required disclosures (e.g. to the individual and to HHS when requested).

(b) Standard: Minimum necessary. In general, other than for treatment, the use and disclosure of PHI by a CE must be limited to the minimum required to achieve the desired purpose.

(c) Standard: Use and disclosure of PHI subject to an agreed upon restriction. If you have agreed to a restriction then you must honor that agreement.

(d) Standard: Use and disclosure of de-identified PHI.

HIPAA Survival Guide Note

De-identified PHI essentially means that it can no longer be tied to an individual. If you want to share this information then special rules apply. Usually, de-identified PHI is used for clinical research or public health purposes.

(e) Standard: Disclosure to business associates. Use and disclosure is permitted as long as the provider obtains assurances that the business associate (BA) will appropriately safeguard the information. A written contract or other written agreement is required. In general, this standard does not apply to use and disclosure concerning the treatment of an individual.

HIPAA Survival Guide Note

These assurances must be obtained in writing, usually in the form of a contractual agreement. The HITECH Act imposes additional requirements on business associates. Also, as previously mentioned, special attention needs to be placed on whether software vendors should be considered business associates. We believe that many would indeed qualify, especially hosted software-as-a-service (SaaS) vendors. We suspect that the implications related to this have gone largely unrecognized by small providers.

(f) Standard: Deceased Individuals. A CE must comply with PHI requirements of a deceased individual as provided for in the rules.

(g) Standard: Personal representatives. The general rule is that a personal representative must be treated the same as the individual as per the rules.

HIPAA Survival Guide Note

This standard is quite convoluted and has numerous sub-parts that deal with issues of emancipated minors, unemancipated minors, and implications regarding state law. Because the question of use and disclosure regarding minors is sensitive and often controlled by state law in critically important ways, we make the following suggestions: 1) read this standard in its entirety; 2) seek advice of counsel regarding applicable state law provisions; and/or 3) have counsel develop a "decision tree" to be used by staff to resolve these types of questions during daily operations.

(h) Standard: Confidential communications. A provider must comply with the PHI confidentiality requirements covered in §164.522(b).

HIPAA Survival Guide Note

Essentially, reasonable requests from individuals regarding confidential communications of PHI must be honored.

(i) Standard: Use and disclosure consistent with notice. A CE who is required to provide notice (See §164.520) must not use and disclose PHI in a manner inconsistent with such notice.

HIPAA Survival Guide Note

This is a key principle of privacy law in general: you must do what you said you would do. Obviously, any deviation from this is a violation of the Privacy Rule.

(j) Standard: Disclosure by whistleblowers.

HIPAA Survival Guide Note

This standard provides for certain special considerations when a member of a provider's workforce or a BA "blows the whistle."
