Permitted Use/Disclosure of PHI for Incidental Use, Public Benefit and Research (Without Authorization)

Incidental Use


The HIPAA Privacy Rule does not intend to ignore the fact that sometimes sharing PHI is incidental in nature and it cannot be prevented, no matter how stringently a covered entity may adhere to HIPAA guidelines. However, the HIPAA Privacy Rule does stress upon the covered entity to follow some basic requirements even in such circumstances. These include:

• The covered entity has tried its best to adopt the logical privacy safeguards that could have been used during incidental use
• The information that was shared under such circumstances was limited to a bare minimum

Understanding Disclosure of PHI for Public Benefit Activities

The Privacy Rule is sensitive to sharing of information that is critical from a national perspective. Hence, under such exceptional circumstances, it permits the use/disclosure of Protected Health Information without seeking authorization or permission from the concerned individual. It should be understood that these provisions are seldom used, in rare incidents, wherein national priorities stand to be compromised if the personal information of an individual is withheld. The use of such information is for reasons that are totally besides the framework of healthcare.

A covered entity may also disclose PHI to:

• Recognized public health authorities that have been legally authorized for collecting data for the prevention or control of diseases, injuries or disabilities
• Public health agencies and government authorities that have been authorized to access information for reporting cases of child abuse and neglect
• Agencies that abide by FDA regulations and need PHI-based information for FDA-regulated activities like product tracking, product recalls, reporting critical incidents and conducting post-marketing analysis
• Prospective employers who require information related to work-related illness, injury or compliance with occupational-related medical surveillance records of the concerned individual (the employee). Sharing such information is deemed reasonable because it is needed by an employer to comply with the standards set by the OHSA (Occupational Safety and Health Administration) and similar state laws

Cases of Suspected Communicable Health Hazards — A covered entity may also use/disclose PHI to the concerned authorities, when an individual is suspected of having contracted or being exposed to communicable diseases and the notification for sharing such information has been authorized by the law.

When Abuse/ Domestic Violence/Neglect is suspected — covered entities can disclose PHI to the appropriate social or government authorities, if they suspect that the concerned individual is a victim or is inovled in abuse, domestic violence or neglect.

Healthcare Regulation/Supervision Activities — covered entities are allowed to use/disclose PHI to the concerned agencies when legally-authorized, health oversight investigations, like audits, require access to such information. Such investigations are often seen in the review of the healthcare system functioning and evaluating the effectiveness of various federal and state benefit programs.

Judicial Proceedings — if a court of law or an administrative tribunal orders information that falls within the realm of Protected Health Information from the covered entity, then disclosing such information is permissible. Often such information is requested through subpoenas. Usually, when a subpoena or its legal equal is presented to a covered entity, an official assurance of notifying the individual or a protective order is furnished.

For Law Enforcement Purposes — a covered entity may use/disclose PHI to law enforcement agencies according to some guidelines that define the kind of permissible circumstances when such disclosures are acceptable:

• Information is directly asked for by the law in the form of subpoenas, court orders or warrants and administrative requests
• When PHI is needed to identify or locate a material witness, a suspect or a fugitive and missing persons
• Details are sought by law enforcement officials in relation to an established or suspected victim of crime
• The covered entity suspects criminal activity as the cause for an individual’s death and needs such information for notifying law enforcement agencies
• The covered entity has reason to believe that PHI could serve as evidence to a crime that has occurred on the covered entity’s premises
• The covered healthcare provider is involved in a medical emergency that has not occurred on its premises but needs to inform the law enforcement agencies about the nature of crime, such as the location or about the victims and perpetrators

Concerning Decedents — covered entities can use/disclose PHI to funeral directors, coroners and medical examiners who need to:

• perform death-related formalities authorized by the law
• establish the identify of a deceased person
• determine the cause of death

Donation of Cadaver — covered entities can use/disclose PHI for facilitating the donation or transplantation of a cadaver’s organs such as the eyes or other vital organs.

Imminent Threat to Life, Health or Safety — a covered entity may use or disclose PHI if doing so is necessary for preventing a serious threat to the well-being of the concerned individual or the general public. Similarly, if the PHI is sought by law enforcement agencies for identifying or apprehending an escaped criminal/convict, the covered entity may disclose it.

Workers’ Compensation — a covered entity may disclose PHI if doing so is necessary to comply with workers’ compensation laws and other related programs that define benefits for work-related disabilities, injuries and illnesses.

Critical Government Activities — a covered entity can use/disclose PHI without seeking authorization when such information is requested for vital government functions. Some common examples of such government activities include:
• Execution of military missions
• Conducting national security-related, intelligence activities
• Providing security cover to the President
• Making determinations regarding the medical fitness of State Department Employees
• Measures taken for protecting inmates and employees in a correctional facility
• Determining eligibility for enrollment under government benefit programs

Understanding Disclosure of PHI for Research
The covered entity is allowed to use/disclose PHI for research-centered activities without seeking any authorization from the individual, given that the covered entity can furnish:

• Documentation containing an approval from the Institutional Review Board or the Privacy Board. This approval sanctions the waiver of an authorization needed from the individual for the use/disclosure of PHI for research-based purposes

• Representations from a researcher that he will not manipulate PHI sought from the covered entity and that seeking PHI is necessary for the research. Such a document should emphasize that the use/disclosure of PHI is exclusively for the purpose of verifiable research protocols or for related activities concerned to the research

A scenario that links Research to PHI of Decedents — the covered entity is allowed to use/disclose PHI to a researcher, if he can obtain a representations illustrating that the information is being sought for research on the decedents. However, along with the researcher’s statement, documentation related to the death of the individual whose is being sought for research, should be provided.