Privacy §164.502(a)(5)(i) Prohibited uses and disclosures - Use and disclosure of genetic information for underwriting purposes

§164.502(a)(5)(i) Use and disclosure of genetic information for underwriting purposes: Notwithstanding any other provision of this subpart, a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, shall not use or disclose protected health information that is genetic information for underwriting purposes. For purposes of paragraph (a)(5)(i) of this section, underwriting purposes means, with respect to a health plan:

(A) Except as provided in paragraph (a)(5)(i)(B) of this section:

(1) Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy (including changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);

(2) The computation of premium or contribution amounts under the plan, coverage, or policy (including discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);

(3) The application of any pre-existing condition exclusion under the plan, coverage, or policy; and

(4) Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.

(B) Underwriting purposes does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy.



From § 160.103 Definitions.

Genetic information means:

(1) Subject to paragraphs (2) and (3) of this definition, with respect to an individual, information about:

(i) The individual's genetic tests;

(ii) The genetic tests of family members of the individual;

(iii) The manifestation of a disease or disorder in family members of such individual; or

(iv) Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual.

(2) Any reference in this subchapter to genetic information concerning an individual or family member of an individual shall include the genetic information of:

(i) A fetus carried by the individual or family member who is a pregnant woman; and

(ii) Any embryo legally held by an individual or family member utilizing an assisted reproductive technology.

(3) Genetic information excludes information about the sex or age of any individual.

Genetic services means: (1) A genetic test; (2) Genetic counseling (including obtaining, interpreting, or assessing genetic information); or (3) Genetic education.

Genetic test means an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations, or chromosomal changes. Genetic test does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder, or pathological condition.

Does the health plan use or disclose for underwriting purposes, “Genetic Information” as defined at § 160.103, including family history?

Inquire of management.

Obtain and review all underwriting policies and procedures (for example, published and unpublished underwriting guidelines currently used by underwriting staff, including manuals and training materials). Evaluate whether the underwriting policies are consistent with the established performance criterion.

Privacy §164.502(f) Deceased individuals

§164.502(f) Standard: Deceased individuals: A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual.



From § 160.103 Definitions.

Protected health information means individually identifiable health information: (1) Except as provided in paragraph (2) of this definition,[….]

(2) Protected health information excludes individually identifiable health information: [….] (iv) Regarding a person who has been deceased for more than 50 years.

Do the covered entity’s policies and procedures protect the deceased individual's PHI consistent with the established performance criterion?

Inquire of management.

Obtain and review policies and procedures regarding use and disclosure of deceased individuals' PHI. Evaluate whether the policies and procedures are consistent with the established performance criterion.

Privacy §164.502(g) Personal representatives

§164.502(g)(1) Standard: Personal representatives. As specified in this paragraph, a covered entity must, except as provided in paragraphs (g)(3) and (g)(5) of this section, treat a personal representative as the individual for purposes of this subchapter.



§164.502(g)(2) Implementation specification: adults and emancipated minors: If under applicable law a person has authority to act on behalf of an individual who is an adult or an emancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.



§164.502(g)(3)(i) Implementation specification: unemancipated minors: If under applicable law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation, except that such person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to protected health information pertaining to a health care service, if:

(A) The minor consents to such health care service; no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as the personal representative;

(B) The minor may lawfully obtain such health care service without the consent of a parent, guardian, or other person acting in loco parentis, and the minor, a court, or another person authorized by law consents to such health care service; or

(C) A parent, guardian, or other person acting in loco parentis assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service.



§164.502(g)(3)(ii) - Notwithstanding the provisions of paragraph (g)(3)(i) of this section:

(A) If, and to the extent permitted or required by an applicable provision of State or other law, including applicable case law, a covered entity may disclose, or in accordance with §164.524 provide access to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis;

(B) If, and to the extent prohibited by an applicable provision of State or other law, including applicable case law, a covered entity may not disclose, or in accordance with §164.524 provide access to, protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis; and

(C) Where the parent, guardian, or other person acting in loco parentis, is not the personal representative under paragraphs (g)(3)(i)(A), (B), or (C) of this section and where there is no applicable access provision under State or other law, including case law, a covered entity may provide or deny access under §164.524 to a parent, guardian, or other person acting in loco parentis, if such action is consistent with State or other applicable law, provided that such decision must be made by a licensed health care professional, in the exercise of professional judgment.



§164.502(g)(4) Implementation specification: Deceased individuals. If under applicable law an executor, administrator, or other person has authority to act on behalf of a deceased individual or of the individual's estate, a covered entity must treat such person as a personal representative under this subchapter, with respect to protected health information relevant to such personal representation.



§164.502(g)(5) Implementation specification: Abuse, neglect, endangerment situations. Notwithstanding a State law or any requirement of this paragraph to the contrary, a covered entity may elect not to treat a person as the personal representative of an individual if:

(i) The covered entity has a reasonable belief that:

(A) The individual has been or may be subjected to domestic violence, abuse, or neglect by such person; or

(B) Treating such person as the personal representative could endanger the individual; and

(ii) The covered entity, in the exercise of professional judgment, decides that it is not in the best interest of the individual to treat the person as the individual's personal representative.

Do the policies and procedures provide for the treatment of an authorized person as a personal representative?

Inquire of management how the entity recognizes personal representatives for an individual for compliance with HIPAA Rule requirements.

Obtain and review policies and procedures for the recognition and treatment of a personal representative. Evaluate whether the policies and procedures are consistent with the established performance criterion.

For example, do the policies and procedures address how the covered entity determines whether a person has authority to act on behalf of the individual? How do the policies and procedures address minors? The deceased?

Obtain and review a sample of personal representatives recognized by the entity. Evaluate whether the personal representative has been recognized and treated in a manner consistent with the established performance criterion and the entity-established policies and procedures.

Obtain and review a sample of requests for persons to be recognized as personal representatives for individuals where the entity has not recognized the person as a personal representative. Evaluate whether the decision not to recognize the person as a personal representative was consistent with the established performance criterion and the entity-established policies and procedures. Evaluate whether the person has been treated consistent with the established performance criterion and the entity-established policies and procedures.

Privacy §164.502(h) Confidential communications

§164.502(h) Standard: Confidential communications: A covered health care provider or health plan must comply with the applicable requirements of §164.522(b) in communicating protected health information.

§164.522(b)(1) Standard: Confidential communications requirements:

(i) A covered health care provider must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the covered health care provider by alternative means or at alternative locations.

(ii) A health plan must permit individuals to request and must accommodate reasonable requests by individuals to receive communications of protected health information from the health plan by alternative means or at alternative locations, if the individual clearly states that the disclosure of all or part of that information could endanger the individual.



§164.522(b)(2) Implementation specifications: Conditions on providing confidential communications:

(i) A covered entity may require the individual to make a request for a confidential communication described in paragraph (b)(1) of this section in writing.

(ii) A covered entity may condition the provision of a reasonable accommodation on:

(A) When appropriate, information as to how payment, if any, will be handled; and

(B) Specification of an alternative address or other method of contact.

(iii) A covered health care provider may not require an explanation from the individual as to the basis for the request as a condition of providing communications on a confidential basis.

(iv) A health plan may require that a request contain a statement that disclosure of all or part of the information to which the request pertains could endanger the individual.

How does the entity provide for and accommodate requests by individuals for confidential communications?

Inquire of management how the entity handles requests for confidential communications by individuals.



Obtain and review policies and procedures regarding requests for confidential communications. Evaluate whether the policies and procedures are consistent with the established performance criterion.



Obtain and review a sample of confidential communications requests made by individuals. Evaluate whether the requests were evaluated and accepted or denied consistent with the established performance criterion and the entity-established policies and procedures.



Obtain and review a sample of communications to individuals for which a confidential communication request was accepted. Evaluate whether the communication was conducted consistent with the established performance criterion and the entity-established policies and procedures.

Privacy §164.502(i) Uses and disclosures consistent with notice

§164.502(i) Standard: Uses and disclosures consistent with notice: A covered entity that is required by §164.520 to have a notice may not use or disclose protected health information in a manner inconsistent with such notice. A covered entity that is required by §164.520(b)(1)(iii) to include a specific statement in its notice if it intends to engage in an activity listed in §164.520(b)(1)(iii)(A)-(C), may not use or disclose protected health information for such activities, unless the required statement is included in the notice.

Are uses and disclosures made by the covered entity consistent with its notice of privacy practices?

Inquire of management whether uses and disclosures of PHI are consistent with the entity’s notice of privacy practices.



Obtain and review policies and procedures regarding uses and disclosures. Evaluate whether the uses and disclosures of PHI are consistent with the entity’s notice of privacy practices.

Privacy §164.502(j)(1) Disclosures by whistleblowers

§164.502(j)(1) Disclosures by whistleblowers: A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce or a business associate discloses protected health information, provided that:

(i) The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and

(ii) The disclosure is to:

(A) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or

(B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in paragraph (j)(1)(i) of this section.

Are whistleblower policies and procedures consistent with the requirements of this performance criterion?



Obtain and review documentation of disclosures by a workforce member not otherwise permitted by the Privacy Rule that the entity determined to meet the requirements of this standard.

Privacy §164.502(j)(2) Disclosures by workforce members who are victims of a crime

§164.502(j)(2) Disclosures by workforce members who are victims of a crime: A covered entity is not considered to have violated the requirements of this subpart if a member of its workforce who is the victim of a criminal act discloses protected health information to a law enforcement official, provided that:

(i) The protected health information disclosed is about the suspected perpetrator of the criminal act; and

(ii) The protected health information disclosed is limited to the information listed in §164.512(f)(2)(i).

How has the covered entity ensured that disclosures by a workforce member related to his or her status as a victim of a crime are consistent with the rule?



Inquire of management how the entity identifies and treats disclosures of PHI by workforce members who are victims of a crime.



Obtain and review policies and procedures related to disclosures of PHI by workforce members who are victims of a crime. Evaluate whether disclosures are treated consistent with the established performance criterion and the entity-established policies and procedures.

Privacy §164.504(e) Business associate contracts

§164.504(e)(1) Standard: Business associate contracts.

(i) The contract or other arrangement required by § 164.502(e)(2) must meet the requirements of paragraph (e)(2), (e)(3), or (e)(5) of this section, as applicable.

(ii) A covered entity is not in compliance with the standards in § 164.502(e) and this paragraph, if the covered entity knew of a pattern of activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.

(iii) A business associate is not in compliance with the standards in § 164.502(e) and this paragraph, if the business associate knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation of the subcontractor’s obligation under the contract or other arrangement, unless the business associate took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.



(2) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must:

(i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that:

(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and

(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.

(ii) Provide that the business associate will:

(A) Not use or further disclose the information other than as permitted or required by the contract or as required by law;

(B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract;

(C) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410;

(D) In accordance with § 164.502(e)(1)(ii), ensure that any subcontractors that create, receive, maintain, or transmit protected health information on behalf of the business associate agree to the same restrictions and conditions that apply to the business associate with respect to such information;

(E) Make available protected health information in accordance with § 164.524;

(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526;

(G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528;

(H) To the extent the business associate is to carry out a covered entity’s obligation under this subpart, comply with the requirements of this subpart that apply to the covered entity in the performance of such obligation.

(I) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity available to the Secretary for purposes of determining the covered entity’s compliance with this subpart; and

(J) At termination of the contract, if feasible, return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity that the business associate still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of the contract to the information and limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible.

(iii) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

(3) Implementation specifications: Other arrangements.

(i) If a covered entity and its business associate are both governmental entities:

(A) The covered entity may comply with this paragraph and § 164.314(a)(1), if applicable, by entering into a memorandum of understanding with the business associate that contains terms that accomplish the objectives of paragraph (e)(2) of this section and § 164.314(a)(2), if applicable.

(B) The covered entity may comply with this paragraph and § 164.314(a)(1), if applicable, if other law (including regulations adopted by the covered entity or its business associate) contains requirements applicable to the business associate that accomplish the objectives of paragraph (e)(2) of this section and § 164.314(a)(2), if applicable.

(ii) If a business associate is required by law to perform a function or activity on behalf of a covered entity or to provide a service described in the definition of business associate in § 160.103 of this subchapter to a covered entity, such covered entity may disclose protected health information to the business associate to the extent necessary to comply with the legal mandate without meeting the requirements of this paragraph and § 164.314(a)(1), if applicable, provided that the covered entity attempts in good faith to obtain satisfactory assurances as required by paragraph (e)(2) of this section and § 164.314(a)(1), if applicable, and, if such attempt fails, documents the attempt and the reasons that such assurances cannot be obtained.

(iii) The covered entity may omit from its other arrangements the termination authorization required by paragraph (e)(2)(iii) of this section, if such authorization is inconsistent with the statutory obligations of the covered entity or its business associate.

(iv) A covered entity may comply with this paragraph and § 164.314(a)(1) if the covered entity discloses only a limited data set to a business associate for the business associate to carry out a health care operations function and the covered entity has a data use agreement with the business associate that complies with § 164.514(e)(4) and § 164.314(a)(1), if applicable.

(4) Implementation specifications: Other requirements for contracts and other arrangements.

(i) The contract or other arrangement between the covered entity and the business associate may permit the business associate to use the protected health information received by the business associate in its capacity as a business associate to the covered entity, if necessary:

(A) For the proper management and administration of the business associate; or

(B) To carry out the legal responsibilities of the business associate.

(ii) The contract or other arrangement between the covered entity and the business associate may permit the business associate to disclose the protected health information received by the business associate in its capacity as a business associate for the purposes described in paragraph (e)(4)(i) of this section, if:

(A) The disclosure is required by law; or

(B)(1) The business associate obtains reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person; and

(2) The person notifies the business associate of any instances of which it is aware in which the confidentiality of the information has been breached.

(5) Implementation specifications: Business associate contracts with subcontractors. The requirements of § 164.504(e)(2) through (e)(4) apply to the contract or other arrangement required by § 164.502(e)(1)(ii) between a business associate and a business associate that is a subcontractor in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.

Does the covered entity enter into business associate contracts as required? Do these contracts contain all required elements?

Inquire of management how the entity identifies and engages business associates.

Obtain and review policies and procedures related to the identification of business associates and the creation and establishment of business associate agreements. Evaluate whether the policies and procedures accurately identify business associates and establish business associate agreements consistent with the established performance criterion.

Technical Assistance: if available, review the entity’s template business associate agreement and provide technical assistance as to its contents.



Obtain and review a sample of business associate agreements. Evaluate whether the agreements are consistent with the established performance criterion and the entity-established policies and procedures.

Inquire of management as to whether any business associate arrangements involved onward transfers of PHI to additional business associates and subcontractors. If yes, review a sample of business associate agreements between the covered entity and such business associates for provisions requiring subsequent BAs/subcontractors to provide adequate assurances.

Has the covered entity come into the knowledge of a pattern or practice of the business associate that constituted a material breach or violation of the BA’s obligation? If so, obtain documentation of the covered entity's response and evaluate it against the established performance criterion. Use of sampling procedures may be appropriate.

Obtain and review documentation of reports from the business associate to the covered entity of any uses or disclosures not provided for in its contract, and the covered entity response.

Privacy §164.504(f) Requirements for group health plans

§164.504(f)(1) Standard: Requirements for group health plans.

(i) Except as provided under paragraph (f)(1)(ii) or (iii) of this section or as otherwise authorized under § 164.508, a group health plan, in order to disclose protected health information to the plan sponsor or to provide for or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO with respect to the group health plan, must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this subpart.

(ii) Except as prohibited by § 164.502(a)(5)(i), the group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose summary health information to the plan sponsor, if the plan sponsor requests the summary health information for purposes of:

(A) Obtaining premium bids from health plans for providing health insurance coverage under the group health plan; or

(B) Modifying, amending, or terminating the group health plan.

(iii) The group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose to the plan sponsor information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan.

(2) Implementation specifications: Requirements for plan documents. The plan documents of the group health plan must be amended to incorporate provisions to:

(i) Establish the permitted and required uses and disclosures of such information by the plan sponsor, provided that such permitted and required uses and disclosures may not be inconsistent with this subpart.

(ii) Provide that the group health plan will disclose protected health information to the plan sponsor only upon receipt of a certification by the plan sponsor that the plan documents have been amended to incorporate the following provisions and that the plan sponsor agrees to:

(A) Not use or further disclose the information other than as permitted or required by the plan documents or as required by law;

(B) Ensure that any agents to whom it provides protected health information received from the group health plan agree to the same restrictions and conditions that apply to the plan sponsor with respect to such information;

(C) Not use or disclose the information for employment-related actions and decisions or in connection with any other benefit or employee benefit plan of the plan sponsor;

(D) Report to the group health plan any use or disclosure of the information that is inconsistent with the uses or disclosures provided for of which it becomes aware;

(E) Make available protected health information in accordance with § 164.524;

(F) Make available protected health information for amendment and incorporate any amendments to protected health information in accordance with § 164.526;

(G) Make available the information required to provide an accounting of disclosures in accordance with § 164.528;

(H) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from the group health plan available to the Secretary for purposes of determining compliance by the group health plan with this subpart;

(I) If feasible, return or destroy all protected health information received from the group health plan that the sponsor still maintains in any form and retain no copies of such information when no longer needed for the purpose for which disclosure was made, except that, if such return or destruction is not feasible, limit further uses and disclosures to those purposes that make the return or destruction of the information infeasible; and

(J) Ensure that the adequate separation required in paragraph (f)(2)(iii) of this section is established.

(iii) Provide for adequate separation between the group health plan and the plan sponsor. The plan documents must:

(A) Describe those employees or classes of employees or other persons under the control of the plan sponsor to be given access to the protected health information to be disclosed, provided that any employee or person who receives protected health information relating to payment under, health care operations of, or other matters pertaining to the group health plan in the ordinary course of business must be included in such description;

(B) Restrict the access to and use by such employees and other persons described in paragraph (f)(2)(iii)(A) of this section to the plan administration functions that the plan sponsor performs for the group health plan; and

(C) Provide an effective mechanism for resolving any issues of noncompliance by persons described in paragraph (f)(2)(iii)(A) of this section with the plan document provisions required by this paragraph.

(3) Implementation specifications: Uses and disclosures. A group health plan may:

(i) Disclose protected health information to a plan sponsor to carry out plan administration functions that the plan sponsor performs only consistent with the provisions of paragraph (f)(2) of this section;

(ii) Not permit a health insurance issuer or HMO with respect to the group health plan to disclose protected health information to the plan sponsor except as permitted by this paragraph;

(iii) Not disclose and may not permit a health insurance issuer or HMO to disclose protected health information to a plan sponsor as otherwise permitted by this paragraph unless a statement required by § 164.520(b)(1)(iii)(C) is included in the appropriate notice; and

(iv) Not disclose protected health information to the plan sponsor for the purpose of employment-related actions or decisions or in connection with any other benefit or employee benefit plan of the plan sponsor.

Do group health plan documents restrict the use and disclosure of PHI to the plan sponsor?



Obtain and evaluate group health plan documents to determine if they restrict the use and disclosure of PHI to the plan sponsor consistent with the established performance criterion.

Privacy §164.504(g) Requirements for a covered entity with multiple covered functions §164.504(g) - Requirements for a covered entity with multiple covered functions. (1) A covered entity that performs multiple covered functions that would make the entity any combination of a health plan, a covered health care provider, and a health care clearinghouse, must comply with the standards, requirements, and implementation specifications of this subpart, as applicable to the health plan, health care provider, or health care clearinghouse covered functions performed. (2) A covered entity that performs multiple covered functions may use or disclose the protected health information of individuals who receive the covered entity's health plan or health care provider services, but not both, only for the purposes related to the appropriate function being performed. For entities that perform multiple covered functions, are uses and disclosures of PHI only for the purpose related to the appropriate functions being performed?

Inquire of management.



Obtain and evaluate whether the policies and procedures restrict the uses and disclosures of PHI to only the purpose related to the appropriate function being performed.

Privacy §164.506(a) Permitted uses and disclosures §164.506(a) - Uses and disclosures to carry out treatment, payment, or health care operations. Except with respect to uses or disclosures that require an authorization under § 164.508(a)(2) through (4) or that are prohibited under § 164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart. Do policies and procedures exist for the use or disclosure of PHI for treatment, payment, or health care operations?

Inquire of management.



Obtain and review policies and procedures regarding use or disclosure of PHI for treatment, payment, or health care operations.

Privacy §164.506(b); (b)(1); and (b)(2) Consent for uses and disclosures §164.506(b) - Standard: Consent for uses and disclosures permitted.



§164.506(b)(1) A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations.



§164.506(b)(2) Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under §164.508, is required or when another condition must be met for such use or disclosure to be permissible under this subpart. Does the entity obtain the individual's consent for uses and disclosures?



Obtain samples of completed consents, if any, and patient intake materials and review to determine if its use is consistent with the established performance criterion.

Privacy §164.508(a)(1-3) and §164.508(b)(1-2) Authorizations for uses and disclosures are required §164.508(a)(1) Authorization required: General rule.

Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under this section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health information, such use or disclosure must be consistent with such authorization.



§164.508(a)(2) Authorization required: Psychotherapy notes.

Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of psychotherapy notes, except:

(i) To carry out the following treatment, payment, or health care operations:

(A) Use by the originator of the psychotherapy notes for treatment;

(B) Use or disclosure by the covered entity for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or

(C) Use or disclosure by the covered entity to defend itself in a legal action or other proceeding brought by the individual; and

(ii) A use or disclosure that is required by § 164.502(a)(2)(ii) or permitted by § 164.512(a); § 164.512(d) with respect to the oversight of the originator of the psychotherapy notes; § 164.512(g)(1); or § 164.512(j)(1)(i).



§164.508(a)(3) Authorization required: Marketing.

(i) Notwithstanding any provision of this subpart, other than the transition provisions in §164.532, a covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form of:

(A) A face-to-face communication made by a covered entity to an individual; or (B) A promotional gift of nominal value provided by the covered entity.

(ii) If the marketing involves financial remuneration, as defined in paragraph (3) of the definition of marketing at § 164.501, to the covered entity from a third party, the authorization must state that such remuneration is involved.



§164.508(a)(4) Authorization required: Sale of protected health information.

(i) Notwithstanding any provision of this subpart, other than the transition provisions in § 164.532, a covered entity must obtain an authorization for any disclosure of protected health information which is a sale of protected health information, as defined in § 164.501 of this subpart.

(ii) Such authorization must state that the disclosure will result in remuneration to the covered entity.



§164.508(b)(1) Valid authorizations.

(i) A valid authorization is a document that meets the requirements in paragraphs (a)(3)(ii), (a)(4)(ii), (c)(1), and (c)(2) of this section, as applicable.

(ii) A valid authorization may contain elements or information in addition to the elements required by this section, provided, that such additional elements or information are not inconsistent with the elements required by this section.



§164.508(b)(2) Defective authorizations. An authorization is not valid, if the document submitted has any of the following defects:

(i) The expiration date has passed or the expiration event is known by the covered entity to have occurred;

(ii) The authorization has not been filled out completely, with respect to an element described by paragraph (c) of this section, if applicable;

(iii) The authorization is known by the covered entity to have been revoked;

(iv) The authorization violates paragraph (b)(3) or (4) of this section, if applicable;

(v) Any material information in the authorization is known by the covered entity to be false. What policies and procedures exist for obtaining a valid authorization when required?

Do policies and procedures exist to determine when authorization is required?



Obtain and review against the established performance criterion the policies and procedures for obtaining a valid authorization as required by the standard:

-Documentation of covered entity policy and procedures

-Documentation that a standard covered entity authorization, if any, is valid



Obtain and evaluate a sample of authorizations obtained to permit disclosures for consistency with the established performance criterion and entity-established policies and procedures.

For providers only: obtain and review all relevant patient intake forms for both inpatient and outpatient services, including consent and authorization forms, if any, to assess whether the provider's practice is to use a consent when an authorization would be required for any use or disclosure of information pursuant to the consent.

Privacy §164.508(b)(3) Compound authorizations -- Exceptions §164.508(b)(3) Compound authorizations. An authorization for use or disclosure of protected health information may not be combined with any other document to create a compound authorization, except as follows:

(i) An authorization for the use or disclosure of protected health information for a research study may be combined with any other type of written permission for the same or another research study. This exception includes combining an authorization for the use or disclosure of protected health information for a research study with another authorization for the same research study, with an authorization for the creation or maintenance of a research database or repository, or with consent to participate in research. Where a covered health care provider has conditioned the provision of research-related treatment on the provision of one of the authorizations, as permitted under paragraph (b)(4)(i) of this section, any compound authorization created under this paragraph must clearly differentiate between the conditioned and unconditioned components and provide the individual with an opportunity to opt in to the research activities described in the unconditioned authorization.

(ii) An authorization for a use or disclosure of psychotherapy notes may only be combined with another authorization for a use or disclosure of psychotherapy notes.

(iii) An authorization under this section, other than an authorization for a use or disclosure of psychotherapy notes, may be combined with any other such authorization under this section, except when a covered entity has conditioned the provision of treatment, payment, enrollment in the health plan, or eligibility for benefits under paragraph (b)(4) of this section on the provision of one of the authorizations. The prohibition in this paragraph on combining authorizations where one authorization conditions the provision of treatment, payment, enrollment in a health plan, or eligibility for benefits under paragraph (b)(4) of this section does not apply to a compound authorization created in accordance with paragraph (b)(3)(i) of this section. Does the covered entity use or disclose PHI for the purpose of research, conduct research, provide psychotherapy services, or use compound authorizations?



Obtain and review a sample of used compound authorizations, if any.

Evaluate such authorizations in relation to the established performance criterion:

-Compound authorizations for the same research study

-Difference between conditioned and unconditioned components

-Use or disclosure of psychotherapy notes and

-Any other prohibition required under the established performance criterion

Privacy §164.508(b)(4) Prohibition on conditioning of authorizations §164.508(b)(4) Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except:

(i) A covered health care provider may condition the provision of research-related treatment on provision of an authorization for the use or disclosure of protected health information for such research under this section;

(ii) A health plan may condition enrollment in the health plan or eligibility for benefits on provision of an authorization requested by the health plan prior to an individual's enrollment in the health plan, if:

(A) The authorization sought is for the health plan's eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations; and

(B) The authorization is not for a use or disclosure of psychotherapy notes under paragraph (a)(2) of this section; and

(iii) A covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party. Does the covered entity condition treatment, payment, enrollment, or eligibility on receipt of an authorization? If so, does one of the limited exceptions apply?



Obtain and review policies and procedures related to seeking authorizations from individuals.

Obtain and review a sample of conditioned authorizations to assess whether the exceptions listed in the established performance criterion have been applied consistent with its requirements.

Privacy §164.508(b)(6) and §164.508(c)(1-4) Uses and Disclosures for which an Authorization is Required – Documentation and Content §164.508(b)(6) Documentation. A covered entity must document and retain any signed authorization under this section as required by §164.530(j).



§164.508(c) Implementation specifications: Core elements and requirements. (1) Core elements. A valid authorization under this section must contain at least the following elements:

(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.

(ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.

(iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.

(iv) A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.

(v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.

(vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided.

§164.508(c)(2) Required Statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following:

(i) The individual's right to revoke the authorization in writing and either:

(ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization.

(iii) The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this subpart.

§164.508(c)(3) The authorization must be written in plain language.

§164.508(c)(4) If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization. Does the covered entity document and retain signed, valid authorizations?



Obtain and review a sample of authorizations used as the basis for making uses and disclosures to determine if the authorizations are valid.

Privacy §164.510(a)(1) and §164.510(a)(2) Use and Disclosure for Facility Directories; Opportunity to Object §164.510(a) Standard: Use and disclosure for facility directories. (1) Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraph (a)(2) or (3) of this section, a covered health care provider may:

(i) Use the following protected health information to maintain a directory of individuals in its facility:

(A) The individual's name;

(B) The individual's location in the covered health care provider's facility;

(C) The individual's condition described in general terms that does not communicate specific medical information about the individual; and

(D) The individual's religious affiliation; and

(ii) Use or disclose for directory purposes such information:

(A) To members of the clergy; or

(B) Except for religious affiliation, to other persons who ask for the individual by name.

(2) Opportunity to object. A covered health care provider must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by paragraph (a)(1) of this section. Does the entity maintain a directory of individuals in its facility?



Obtain and review policies and procedures that address determining if the individual has objected to uses and disclosures for facility directories and for documenting such determination.



Obtain and review a sample of the directory of individuals in the entity's facility that exists on the specified date and related documentation of individual objections. Evaluate the content against documentation of individual objections and against the listed content criteria.

Privacy §164.510(a)(3) Uses and Disclosures for Facility Directories in Emergency Circumstances §164.510(a)(3) Emergency circumstances. (i) If the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section cannot practicably be provided because of the individual's incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information permitted by paragraph (a)(1) of this section for the facility's directory, if such disclosure is: (A) Consistent with a prior expressed preference of the individual, if any, that is known to the covered health care provider; and (B) In the individual's best interest as determined by the covered health care provider, in the exercise of professional judgment. (ii) The covered health care provider must inform the individual and provide an opportunity to object to uses or disclosures for directory purposes as required by paragraph (a)(2) of this section when it becomes practicable to do so. Do policies and procedures exist to use or disclose PHI for the facility directory in emergency circumstances?



Obtain and review the policies and procedures used to disclose PHI for the facility directory due to an emergency circumstance.

Privacy §164.510(b)(1) Permitted uses and disclosures §164.510(b) Standard: Uses and disclosures for involvement in the individual's care and notification purposes

(1) Permitted uses and disclosures. (i) A covered entity may, in accordance with paragraphs (b)(2), (b)(3), or (b)(5) of this section, disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the protected health information directly relevant to such person’s involvement with the individual’s health care or payment related to the individual’s health care.

(ii) A covered entity may use or disclose protected health information to notify, or assist in the notification of (including identifying or locating), a family member, a personal representative of the individual, or another person responsible for the care of the individual of the individual's location, general condition, or death. Any such use or disclosure of protected health information for such notification purposes must be in accordance with paragraphs (b)(2), (b)(3), (b)(4), or (b)(5) of this section, as applicable. What policies and procedures exist for disclosing PHI to family members, relatives, close personal friends, or other persons identified by the individual?



Obtain and review policies and procedures for such disclosures.

Privacy §164.510(b)(2) Uses and disclosures with the individual present §164.510(b) Standard: Uses and disclosures for involvement in the individual's care and notification purposes

(2) Uses and disclosures with the individual present. If the individual is present for, or otherwise available prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care decisions, the covered entity may use or disclose the protected health information if it:

(i) Obtains the individual's agreement;

(ii) Provides the individual with the opportunity to object to the disclosure, and the individual does not express an objection; or

(iii) Reasonably infers from the circumstances, based on the exercise of professional judgment, that the individual does not object to the disclosure. Under what circumstances does the covered entity disclose PHI to persons involved in the individual's care when the individual is present?



Obtain and review policies and procedures for determining or inferring individual agreement or lack of objection to disclosure of PHI with the individual present.

Privacy §164.510(b)(3) Limited uses and disclosures when the individual is not present §164.510(b)(3) Limited uses and disclosures when the individual is not present. If the individual is not present, or the opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual's incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment, determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health information that is directly relevant to the person's involvement with the individual's care or payment related to the individual's health care or needed for notification purposes. A covered entity may use professional judgment and its experience with common practice to make reasonable inferences of the individual's best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information. Do policies and procedures exist for disclosing only information relevant to the person's involvement in the individual's health care when the individual is not present and in related situations?



Obtain and review the policies and procedures used for disclosing only information relevant to the person's involvement with the individual's health care.

Privacy §164.510(b)(4) Uses and disclosures for disaster relief purposes §164.510(b) Standard: Uses and disclosures for involvement in the individual's care and notification purposes

(4) Uses and disclosures for disaster relief purposes. A covered entity may use or disclose protected health information to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the purpose of coordinating with such entities the uses or disclosures permitted by paragraph (b)(1)(ii) of this section. The requirements in paragraphs (b)(2), (b)(3) or (b)(5) of this section apply to such uses and disclosures to the extent that the covered entity, in the exercise of professional judgment, determines that the requirements do not interfere with the ability to respond to the emergency circumstances. Do policies and procedures exist for disclosing PHI to a public or private entity authorized by law or by its charter to assist in disaster relief efforts? Obtain and review policies and procedures in relation to such use or disclosure.

Privacy §164.510(b)(5) Uses and disclosures when the individual is deceased §164.510(b) Standard: Uses and disclosures for involvement in the individual's care and notification purposes (5) Uses and disclosures when the individual is deceased. If the individual is deceased, a covered entity may disclose to a family member, or other persons identified in paragraph (b)(1) of this section who were involved in the individual's care or payment for health care prior to the individual's death, protected health information of the individual that is relevant to such person's involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. Does the covered entity disclose the PHI of deceased individuals in accordance with the established performance criterion?

Obtain and review policies and procedures related to documenting the individual’s prior expressed preference and relationship of family members and other persons to the individual’s care or payment for care, consistent with the established performance criterion.

Note: under the definition of protected health information in §160.103, individually identifiable health information regarding a person who has been deceased for more than 50 years is excluded from PHI, so information that would otherwise constitute PHI of a decedent ceases to be PHI 50 years after the death of the decedent.

Privacy §164.512(a) Uses and disclosures required by law §164.512(a)(1) - A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies and is limited to the relevant requirements of such law.



§164.512(a)(2) - A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law. Does the covered entity use and disclose PHI pursuant to requirements of other law? If so, are such uses and disclosures made consistent with the requirements of this performance criterion as well as the applicable requirements related to victims of abuse, neglect or domestic violence, pursuant to judicial and administrative proceedings and law enforcement purposes of this section? Obtain and review policies and procedures for uses and disclosures required by law.

Privacy §164.512(b) Uses and disclosures for public health activities §164.512(b) Standard: Uses and disclosures for public health activities.

(1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for the public health activities and purposes described in this paragraph to:

(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;

(ii) A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect.

(iii) A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity. Such purposes include:

(A) To collect or report adverse events (or similar activities with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations;

(B) To track FDA-regulated products;

(C) To enable product recalls, repairs, or replacement, or lookback (including locating and notifying individuals who have received products that have been recalled, withdrawn, or are the subject of lookback); or

(D) To conduct post marketing surveillance;

(iv) A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or

(v) An employer, about an individual who is a member of the workforce of the employer, if:

(A) The covered entity is a covered health care provider who provides health care to the individual at the request of the employer:

(1) To conduct an evaluation relating to medical surveillance of the workplace; or

(2) To evaluate whether the individual has a work-related illness or injury;

(B) The protected health information that is disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance;

(C) The employer needs such findings in order to comply with its obligations, under 29 CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under state law having a similar purpose, to record such illness or injury or to carry out responsibilities for workplace medical surveillance; and

(D) The covered health care provider provides written notice to the individual that protected health information relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer:

(1) By giving a copy of the notice to the individual at the time the health care is provided; or

(2) If the health care is provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care is provided.

(vi) A school, about an individual who is a student or prospective student of the school, if:

(A) The protected health information that is disclosed is limited to proof of immunization;

(B) The school is required by State or other law to have such proof of immunization prior to admitting the individual; and (C) The covered entity obtains and documents the agreement to the disclosure from either:

(1) A parent, guardian, or other person acting in loco parentis of the individual, if the individual is an unemancipated minor; or

(2) The individual, if the individual is an adult or emancipated minor.

(2) Permitted uses. If the covered entity also is a public health authority, the covered entity is permitted to use protected health information in all cases in which it is permitted to disclose such information for public health activities under paragraph (b)(1) of this section. Are policies and procedures in place that specify how the covered entity uses or discloses PHI for public health activities consistent with this standard?

Obtain and review policies and procedures in relation to the established performance criterion regarding permitted uses and disclosures for public health activities.



Obtain and review a sample of such uses and disclosures, to include uses and disclosures to an employer about an individual who is a member of the workforce of the employer, and determine whether all criteria were met.

Privacy §164.512(c) Disclosures about victims of abuse, neglect or domestic violence §164.512(c) Standard: Disclosures about victims of abuse, neglect or domestic violence

(1) Permitted disclosures. Except for reports of child abuse or neglect permitted by paragraph (b)(1)(ii) of this section, a covered entity may disclose protected health information about an individual whom the covered entity reasonably believes to be a victim of abuse, neglect, or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect, or domestic violence: (i) To the extent the disclosure is required by law and the disclosure complies with and is limited to the relevant requirements of such law; (ii) If the individual agrees to the disclosure; or (iii) To the extent the disclosure is expressly authorized by statute or regulation and: (A) The covered entity, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or (B) If the individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the protected health information for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.



§164.512(c)(2) Informing the individual. A covered entity that makes a disclosure permitted by paragraph (c)(1) of this section must promptly inform the individual that such a report has been or will be made, except if: (i) The covered entity, in the exercise of professional judgment, believes informing the individual would place the individual at risk of serious harm; or (ii) The covered entity would be informing a personal representative, and the covered entity reasonably believes the personal representative is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment. How does the covered entity determine whether and how to make disclosures about victims of abuse, neglect, or domestic violence consistent with this standard?



Obtain and review policies and procedures. When and in what instances will the individual be notified that a disclosure has been or will be made?



Privacy §164.512(d) Uses and disclosures for health oversight activities §164.512(d) Standard: Uses and disclosures for health oversight activities

(1) Permitted disclosures. A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:

(i) The health care system;

(ii) Government benefit programs for which health information is relevant to beneficiary eligibility;

(iii) Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or

(iv) Entities subject to civil rights laws for which health information is necessary for determining compliance.



§164.512(d)(2) Exception to health oversight activities. For the purpose of the disclosures permitted by paragraph (d)(1) of this section, a health oversight activity does not include an investigation or other activity in which the individual is the subject of the investigation or activity and such investigation or other activity does not arise out of and is not directly related to:

(i) The receipt of health care;

(ii) A claim for public benefits related to health; or

(iii) Qualification for, or receipt of, public benefits or services when a patient's health is integral to the claim for public benefits or services.



§164.512(d)(3) Joint activities or investigations. Notwithstanding paragraph (d)(2) of this section, if a health oversight activity or investigation is conducted in conjunction with an oversight activity or investigation relating to a claim for public benefits not related to health, the joint activity or investigation is considered a health oversight activity for purposes of paragraph (d) of this section.



§164.512(d)(4) Permitted uses. If a covered entity also is a health oversight agency, the covered entity may use protected health information for health oversight activities as permitted by paragraph (d) of this section. Is PHI used or disclosed for health oversight activities consistent with the established performance criterion?



Obtain and review policies and procedures for using or disclosing PHI for health oversight activities.



Obtain a sample of disclosures made for this purpose and verify that the established performance criterion has been met.

Regarding §164.512(d)(4), is the covered entity also a health oversight agency? If so, is PHI used for health oversight activities conducted by the covered entity?



If yes, obtain and review policies and procedures for using PHI for health oversight activities conducted by the covered entity and determine whether they are consistent with the requirements of the established performance criterion.



Obtain a sample of uses made for this purpose and verify that the established performance criterion has been met.

Privacy §164.512(e) Disclosures for judicial and administrative proceedings §164.512(e)(1) Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding:

(i) In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or

(ii) In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:

(A) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iii) of this section, from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or

(B) The covered entity receives satisfactory assurance, as described in paragraph (e)(1)(iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph (e)(1)(v) of this section.

(iii) For the purposes of paragraph (e)(1)(ii)(A) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:

(A) The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual's location is unknown, to mail a notice to the individual's last known address);

(B) The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and

(C) The time for the individual to raise objections to the court or administrative tribunal has elapsed, and

(1) No objections were filed; or

(2) All objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.

(iv) For the purpose of paragraph (e)(1)(ii)(B) of this section, a covered entity receives satisfactory assurance from a party seeking protected health information, if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:

(A) The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or

(B) The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.

(v) For purposes of paragraph (e)(1) of this section, a qualified protective order means, with respect to protected health information requested under paragraph (e)(1)(ii) of this section, an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that:

(A) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and

(B) Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.

(vi) Notwithstanding paragraph (e)(1)(ii) of this section, a covered entity may disclose protected health information in response to lawful process described in paragraph (e)(1)(ii) of this section without receiving satisfactory assurance under paragraph (e)(1)(ii)(A) or (B) of this section, if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph (e)(1)(iii) of this section or to seek a qualified protective order sufficient to meet the requirements of paragraph (e)(1)(v) of this section.

(2) Other uses and disclosures under this section. The provisions of this paragraph do not supersede other provisions of this section that otherwise permit or restrict uses or disclosures of protected health information. Do policies and procedures exist related to making disclosures in the course of any judicial or administrative proceeding to limit such disclosures to those permitted by the established performance criterion?

Obtain and review policies and procedures related to disclosures of PHI made pursuant to judicial and administrative proceedings.

Obtain and review a sample of disclosures and the corresponding court orders, subpoenas, or discovery requests for judicial and administrative proceedings. Elements to consider include, but are not limited to, whether the disclosure of PHI:

-Is in response to an order of a court or administrative tribunal

-Is in response to a subpoena, discovery request, or other lawful process.

Verify disclosure of PHI in the course of any judicial or administrative proceeding is appropriate. Elements to consider should consist of the established performance criterion and include, but are not limited to:

-A court order requesting a response

-A subpoena.

Privacy §164.512(f)(1) Disclosures for law enforcement purposes §164.512(f) Standard: Disclosures for law enforcement purposes. A covered entity may disclose protected health information for a law enforcement purpose to a law enforcement official if the conditions in paragraphs (f)(1) through (f)(6) of this section are met, as applicable.

(1) Permitted disclosures: Pursuant to process and as otherwise required by law. A covered entity may disclose protected health information:

(i) As required by law including laws that require the reporting of certain types of wounds or other physical injuries, except for laws subject to paragraph (b)(1)(ii) or (c)(1)(i) of this section; or

(ii) In compliance with and as limited by the relevant requirements of:

(A) A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer;

(B) A grand jury subpoena; or

(C) An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:

(1) The information sought is relevant and material to a legitimate law enforcement inquiry;

(2) The request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and

(3) De-identified information could not reasonably be used. Have disclosures made by the covered entity for law enforcement purposes been consistent with the performance criterion?

Obtain and review policies and procedures related to disclosures of PHI for law enforcement purposes against the established performance criterion.



Obtain and review a sample, as available, of disclosures and the corresponding court orders, subpoenas, discovery requests, etc., and determine if such disclosures are consistent with the established performance criterion.

Privacy §164.512(f)(2) Disclosures for law enforcement purposes - for identification and location - §164.512(f)(2) Permitted disclosures: Limited information for identification and location purposes. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person, provided that:

(i) The covered entity may disclose only the following information:

(A) Name and address;

(B) Date and place of birth;

(C) Social security number;

(D) ABO blood type and rh factor;

(E) Type of injury;

(F) Date and time of treatment;

(G) Date and time of death, if applicable; and

(H) A description of distinguishing physical characteristics, including height, weight, gender, race, hair and eye color, presence or absence of facial hair (beard or moustache), scars, and tattoos.

(ii) Except as permitted by paragraph (f)(2)(i) of this section, the covered entity may not disclose for the purpose of identification or location under paragraph (f)(2) of this section any protected health information related to the individual's DNA or DNA analysis, dental records, or typing, samples or analysis of body fluids or tissue. Are disclosures made to law enforcement for identification and location purposes by the covered entity consistent with the limitations listed in the established performance criterion?



Obtain and review policies and procedures related to disclosures of PHI to law enforcement officials for identification and location purposes.

Obtain and review a sample of responses to law enforcement officials' requests for PHI for identification and location purposes and assess whether the disclosures were consistent with the established performance criterion.

Privacy §164.512(f)(3) Disclosures for law enforcement purposes-- PHI of a possible victim of a crime §164.512(f)(3) Permitted disclosure: Victims of a crime. Except for disclosures required by law as permitted by paragraph (f)(1) of this section, a covered entity may disclose protected health information in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures that are subject to paragraph (b) or (c) of this section, if:

(i) The individual agrees to the disclosure; or

(ii) The covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that:

(A) The law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred, and such information is not intended to be used against the victim;

(B) The law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure; and

(C) The disclosure is in the best interest of the individual as determined by the covered entity, in the exercise of professional judgment. Are policies and procedures consistent with the established performance criterion regarding the conditions in which the covered entity may disclose PHI of a possible victim of a crime in response to a law enforcement official's request?



Obtain and review policies and procedures related to such disclosures of PHI to law enforcement. If any such disclosures have been made, obtain and review a sample of responses to law enforcement officials' requests to determine whether each disclosure was made consistent with the established performance criterion.

Privacy §164.512(f)(4) Disclosures for law enforcement purposes-- an individual who has died as a result of suspected criminal conduct §164.512(f)(4) Permitted disclosure: Decedents. A covered entity may disclose protected health information about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if the covered entity has a suspicion that such death may have resulted from criminal conduct. Are policies and procedures in place to determine when it is permitted to disclose PHI to law enforcement about an individual who has died as a result of suspected criminal conduct?

Obtain and review policies and procedures related to disclosures of PHI to law enforcement officials that address the requirement.

Obtain and review documentation of such a disclosure, if available. Elements to consider include, but are not limited to, documentation of:

-Whether the entity exercised professional judgment

-Whether the entity believes in good faith that there was evidence of criminal conduct.

Privacy §164.512(f)(5) Disclosures for law enforcement purposes: crime on premises §164.512(f)(5) Permitted disclosure: Crime on premises. A covered entity may disclose to a law enforcement official protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that occurred on the premises of the covered entity. Are policies and procedures in place to determine when it is permitted to disclose PHI about an individual who may have committed a crime on the premises?



Determine whether policies and procedures related to disclosures of PHI to law enforcement officials address the established performance criterion.

Obtain and review a disclosure, if available. Elements to consider include, but are not limited to, documentation of:

-Whether the entity exercised professional judgment

-Whether the entity believes in good faith that there was evidence of criminal conduct that occurred on its premises.



Privacy §164.512(f)(6) Disclosures for law enforcement purposes §164.512(f)(6) Permitted disclosure: Reporting crime in emergencies.

(i) A covered health care provider providing emergency health care in response to a medical emergency, other than such emergency on the premises of the covered health care provider, may disclose protected health information to a law enforcement official if such disclosure appears necessary to alert law enforcement to: (A) The commission and nature of a crime; (B) The location of such crime or of the victim(s) of such crime; and (C) The identity, description, and location of the perpetrator of such crime.

(ii) If a covered health care provider believes that the medical emergency described in paragraph (f)(6)(i) of this section is the result of abuse, neglect, or domestic violence of the individual in need of emergency health care, paragraph (f)(6)(i) of this section does not apply and any disclosure to a law enforcement official for law enforcement purposes is subject to paragraph (c) of this section. Are policies and procedures in place to determine what information about a medical emergency is necessary to disclose to alert law enforcement?

Determine whether policies and procedures related to disclosures of PHI to law enforcement officials address the established performance criterion.

Obtain and review a sample of such disclosures. Elements to consider include, but are not limited to, whether the disclosure:

-Indicates the commission and nature of the crime

-Includes the location of the crime or the victim(s) of the crime

-Includes the identity, description, and location of the perpetrator of the crime.

Privacy §164.512(g) Uses and disclosures about decedents §164.512(g) Standard: Uses and disclosures about decedents.

(1) Coroners and medical examiners. A covered entity may disclose protected health information to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. A covered entity that also performs the duties of a coroner or medical examiner may use protected health information for the purposes described in this paragraph.



§164.512(g)(2) Funeral directors. A covered entity may disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. If necessary for funeral directors to carry out their duties, the covered entity may disclose the protected health information prior to, and in reasonable anticipation of, the individual's death. Are policies and procedures consistent with the established performance criterion for disclosing PHI to (1) a coroner or medical examiner; and (2) a funeral director?



Obtain and review policies and procedures related to disclosures of PHI to coroners and medical examiners and funeral directors.

Obtain and review a sample of such disclosures. Elements to consider include, but are not limited to, whether the purpose of disclosure is:

-To identify a deceased person

-To determine the cause of death.

-Authorized by law.



Information elements to consider include, but are not limited to, whether the information disclosed is limited to:

-Name of deceased person

-Cause of death

-Compliance with such law.

Privacy §164.512(h) Uses and disclosures for cadaveric organ, eye or tissue donation §164.512(h) Standard: Uses and disclosures for cadaveric organ, eye or tissue donation purposes. A covered entity may use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation. Is the covered entity's process for disclosing PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue consistent with the established performance criterion?



Obtain and review policies and procedures related to disclosures of PHI for purposes of cadaveric organ, eye, or tissue donation.

Obtain and review a sample of disclosures of PHI to organ procurement organizations to determine whether such disclosures are consistent with the policies and procedures and the established performance criterion.

Privacy §164.512(i)(1) Uses and disclosures for research purposes -- Permitted Uses and Disclosures §164.512(i) Standard: Uses and disclosures for research purposes (1) Permitted uses and disclosures. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that:

(i) Board approval of a waiver of authorization. The covered entity obtains documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by §164.508 for use or disclosure of protected health information has been approved by either:

(A) An Institutional Review Board (IRB), established in accordance with 7 CFR 1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or

(B) A privacy board that:

(1) Has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual's privacy rights and related interests;

(2) Includes at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities; and

(3) Does not have any member participating in a review of any project in which the member has a conflict of interest.

(ii) Reviews preparatory to research. The covered entity obtains from the researcher representations that:

(A) Use or disclosure is sought solely to review protected health information as necessary to prepare a research protocol or for similar purposes preparatory to research;

(B) No protected health information is to be removed from the covered entity by the researcher in the course of the review; and

(C) The protected health information for which use or access is sought is necessary for the research purposes.

(iii) Research on decedent's information. The covered entity obtains from the researchers:

(A) Representation that the use or disclosure sought is solely for research on the protected health information of decedents;

(B) Documentation, at the request of the covered entity, of the death of such individuals; and

(C) Representation that the protected health information for which use or disclosure is sought is necessary for the research purposes. Does the covered entity use or disclose PHI for research purposes? Inquire of management.



For entities that conduct research using or disclosing PHI, obtain and review related policies and procedures.



Elements to consider include, but are not limited to, how the entity:

-Obtains documentation that an alteration to a required authorization, or waiver of the authorization, has been approved by an IRB or appropriately configured privacy board

-Obtains from the researchers the required representations regarding reviews preparatory to research and regarding research on decedents' information.

Verify whether the entity obtained the necessary authorization and/or waiver to conduct the research. Elements to consider include, but are not limited to:

-Board approval of a waiver of authorization

- Whether the use or disclosure is solely to review PHI as necessary to prepare a research protocol

-Representation that the use or disclosure is solely for research on the PHI of decedents.

Privacy §164.512(i)(2) Uses and disclosures for research purposes -- Documentation of Waiver Approval §164.512(i) Standard: Uses and disclosures for research purposes (2) Documentation of waiver approval. For a use or disclosure to be permitted based on documentation of approval of an alteration or waiver, under paragraph (i)(1)(i) of this section, the documentation must include all of the following:

(i) Identification and date of action - A statement identifying the institutional review board or privacy board and the date on which the alteration or waiver of authorization was approved;

(ii) Waiver criteria - A statement that the institutional review board or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria:

(A) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements;

(1) An adequate plan to protect the identifiers from improper use and disclosure;

(2) An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and

(3) Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;

(B) The research could not practicably be conducted without the waiver or alteration; and

(C) The research could not practicably be conducted without access to and use of the protected health information.

(iii) Protected health information needed - A brief description of the protected health information for which use or access has been determined to be necessary by the institutional review board or privacy board, pursuant to paragraph (i)(2)(ii)(C) of this section;

(iv) Review and approval procedures - A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures, as follows:

(A) An institutional review board must follow the requirements of the Common Rule, including the normal review procedures (7 CFR 1c.108(b), 10 CFR 745.108(b), 14 CFR 1230.108(b), 15 CFR 27.108(b), 16 CFR 1028.108(b), 21 CFR 56.108(b), 22 CFR 225.108(b), 24 CFR 60.108(b), 28 CFR 46.108(b), 32 CFR 219.108(b), 34 CFR 97.108(b), 38 CFR 16.108(b), 40 CFR 26.108(b), 45 CFR 46.108(b), 45 CFR 690.108(b), or 49 CFR 11.108(b)) or the expedited review procedures (7 CFR 1c.110, 10 CFR 745.110, 14 CFR 1230.110, 15 CFR 27.110, 16 CFR 1028.110, 21 CFR 56.110, 22 CFR 225.110, 24 CFR 60.110, 28 CFR 46.110, 32 CFR 219.110, 34 CFR 97.110, 38 CFR 16.110, 40 CFR 26.110, 45 CFR 46.110, 45;

(B) A privacy board must review the proposed research at convened meetings at which a majority of the privacy board members are present, including at least one member who satisfies the criterion stated in paragraph (i)(1)(i)(B)(2) of this section, and the alteration or waiver of authorization must be approved by the majority of the privacy board members present at the meeting, unless the privacy board elects to use an expedited review procedure in accordance with paragraph (i)(2)(iv)(C) of this section;

(C) A privacy board may use an expedited review procedure if the research involves no more than minimal risk to the privacy of the individuals who are the subject of the protected health information for which use or disclosure is being sought. If the privacy board elects to use an expedited review procedure, the review and approval of the alteration or waiver of authorization may be carried out by the chair of the privacy board, or by one or more members of the privacy board as designated by the chair; and

(v) Required signature - The documentation of the alteration or waiver of authorization must be signed by the chair or other member, as designated by the chair, of the institutional review board or the privacy board, as applicable. Do policies and procedures exist to determine what documentation of approval or waiver is needed to permit a use or disclosure and to apply that determination?

Obtain and review policies and procedures against the established performance criterion. Is the entity using or disclosing PHI consistent with the requirements for documentation of a waiver approval? Verify that the documentation of any approval or waiver contains all the information necessary to permit a use or disclosure. Elements to consider include, but are not limited to:

-A statement identifying the IRB or privacy board and the date on which the alteration or waiver of authorization was approved

-Whether the IRB or privacy board determined that the alteration or waiver satisfied the criteria listed in the standard, including determination of no more than minimal risk to privacy, an adequate plan to protect identifiers, an adequate plan to destroy identifiers, etc.

Privacy §164.512(k)(1) Uses and disclosures for specialized government functions -- Military §164.512(k) Standard: Uses and disclosures for specialized government functions.

(1) Military and veterans activities

(i) Armed Forces personnel. A covered entity may use or disclose the protected health information of individuals who are Armed Forces personnel for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, if the appropriate military authority has published by notice in the Federal Register the following information:

(A) Appropriate military command authorities; and

(B) The purposes for which the protected health information may be used or disclosed.

(ii) Separation or discharge from military service. A covered entity that is a component of the Departments of Defense or Homeland Security may disclose to the Department of Veterans Affairs (DVA) the protected health information of an individual who is a member of the Armed Forces upon the separation or discharge of the individual from military service for the purpose of a determination by DVA of the individual’s eligibility for or entitlement to benefits under laws administered by the Secretary of Veterans Affairs.

(iii) Veterans. A covered entity that is a component of the Department of Veterans Affairs may use and disclose protected health information to components of the Department that determine eligibility for or entitlement to, or that provide, benefits under the laws administered by the Secretary of Veterans Affairs.

(iv) Foreign military personnel. A covered entity may use or disclose the protected health information of individuals who are foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for Armed Forces personnel under the notice published in the Federal Register pursuant to paragraph (k)(1)(i) of this section. Does the covered entity disclose PHI of individuals for military and veterans activities consistent with the established performance criterion?

Obtain and review policies and procedures related to disclosures of PHI for purposes of military and veterans’ activities.

Obtain and review a list of uses and disclosures for military and veterans activities. Elements to consider include: 1) whether the entity is a component of the DoD, DHS, or VA; and 2) whether the disclosure relates to:

- Armed Forces personnel

- Separated or discharged military service personnel

- A veteran

- Foreign military personnel.

Further elements to consider include, but are not limited to:

-Whether the activities were deemed necessary by appropriate military command authorities

-Whether the purpose is to determine the individual's eligibility for or entitlement to benefits under laws administered by the Secretary of Veterans Affairs.

Privacy §164.512(k)(2) Uses and disclosures for specialized government functions -- National Security and intelligence activities §164.512(k)(2) National security and intelligence activities. A covered entity may disclose protected health information to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (50 U.S.C. 401, et seq.) and implementing authority (e.g., Executive Order 12333). How would the covered entity respond to a request for PHI from Federal officials for intelligence and other national security activities?



Obtain and review policies and procedures related to disclosures of PHI for national security purposes.

Privacy §164.512(k)(3) Uses and disclosures for specialized government functions -- Protective Services §164.512(k)(3) Protective services for the President and others. A covered entity may disclose protected health information to authorized Federal officials for the provision of protective services to the President or other persons authorized by 18 U.S.C. 3056 or to foreign heads of state or other persons authorized by 22 