HIPAA RELEASE INFO ON SECTION THAT ATTORNEYS USE TO GET RECORDS ON CLIENTS

" §164.508 Uses and disclosures for which an authorization is required.

(a) Standard: authorizations for uses and disclosures.

(1) Authorization required: general rule. Except as otherwise permitted or required by this subchapter, a

covered entity may not use or disclose protected health information without an authorization that is valid under this

section. When a covered entity obtains or receives a valid authorization for its use or disclosure of protected health

information, such use or disclosure must be consistent with such authorization.

(2) Authorization required: psychotherapy notes. Notwithstanding any other provision of this subpart,

other than the transition provisions provided for in § 164.532, a covered entity must obtain an authorization for any

use or disclosure of psychotherapy notes, except:

(i) To carry out the following treatment, payment, or health care operations:

(A) Use by originator of the psychotherapy notes for treatment;

(B) Use or disclosure by the covered entity for its own training programs in which

students, trainees, or practitioners in mental health learn under supervision to practice or improve

their skills in group, joint, family, or individual counseling; or

brought by the individual; and

(ii) A use or disclosure that is required by § 164.502(a)(2)(ii) or permitted by § 164.512(a); §

164.512(d) with respect to the oversight of the originator of the psychotherapy notes; § 164.512(g)(1); or §

164.512(j)(1)(i).

(3) Authorization required: Marketing.

(i) Notwithstanding any provision of this subpart, other than the transition provisions in §

164.532, a covered entity must obtain an authorization for any use or disclosure of protected health

information for marketing, except if the communication is in the form of:

(A) A face-to-face communication made by a covered entity to an individual; or

(B) A promotional gift of nominal value provided by the covered entity.

(ii) If the marketing involves direct or indirect remuneration to the covered entity from a third

party, the authorization must state that such remuneration is involved.

(b) Implementation specifications: general requirements.

(1) Valid authorizations.

(i) A valid authorization is a document that meets the requirements in paragraphs (a)(3)(ii), (c)(1),

and (c)(2) of this section, as applicable.

(ii) A valid authorization may contain elements or information in addition to the elements required

by this section, provided that such additional elements or information are not inconsistent with the elements

required by this section.

(2) Defective authorizations. An authorization is not valid, if the document submitted has any of the

following defects:

(i) The expiration date has passed or the expiration event is known by the covered entity to have

occurred;

(ii) The authorization has not been filled out completely, with respect to an element described by

paragraph (c) of this section, if applicable;

(iii) The authorization is known by the covered entity to have been revoked;

(iv) The authorization violates paragraph (b)(3) or (4) of this section, if applicable;

(v) Any material information in the authorization is known by the covered entity to be false.

(3) Compound authorizations. An authorization for use or disclosure of protected health information may

not be combined with any other document to create a compound authorization, except as follows:

(i) An authorization for the use or disclosure of protected health information for a research study

may be combined with any other type of written permission for the same research study, including another

authorization for the use or disclosure of protected health information for such research or a consent to

participate in such research;

February 20, 2003 Page 33

(ii) An authorization for a use or disclosure of psychotherapy notes may only be combined with

another authorization for a use or disclosure of psychotherapy notes;

(iii) An authorization under this section, other than an authorization for a use or disclosure of

psychotherapy notes, may be combined with any other such authorization under this section, except when a

covered entity has conditioned the provision of treatment, payment, enrollment in the health plan, or

eligibility for benefits under paragraph (b)(4) of this section on the provision of one of the authorizations.

(4) Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an

individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an

authorization, except:

(i) A covered health care provider may condition the provision of research-related treatment on

provision of an authorization for the use or disclosure of protected health information for such research

under this section;

(ii) A health plan may condition enrollment in the health plan or eligibility for benefits on

provision of an authorization requested by the health plan prior to an individual's enrollment in the health

plan, if:

(A) The authorization sought is for the health plan’s eligibility or enrollment

determinations relating to the individual or for its underwriting or risk rating determinations; and

(B) The authorization is not for a use or disclosure of psychotherapy notes under

paragraph (a)(2) of this section; and

(iii) A covered entity may condition the provision of health care that is solely for the purpose of

creating protected health information for disclosure to a third party on provision of an authorization for the

disclosure of the protected health information to such third party.

(5) Revocation of authorizations. An individual may revoke an authorization provided under this section at

any time, provided that the revocation is in writing, except to the extent that:

(i) The covered entity has taken action in reliance thereon; or

(ii) If the authorization was obtained as a condition of obtaining insurance coverage, other law

provides the insurer with the right to contest a claim under the policy or the policy itself.

(6) Documentation. A covered entity must document and retain any signed authorization under this section

as required by § 164.530(j).

(1) Core elements. A valid authorization under this section must contain at least the following elements:

(i) A description of the information to be used or disclosed that identifies the information in a

specific and meaningful fashion.

(ii) The name or other specific identification of the person(s), or class of persons, authorized to

make the requested use or disclosure.

(iii) The name or other specific identification of the person(s), or class of persons, to whom the

covered entity may make the requested use or disclosure.

(iv) A description of each purpose of the requested use or disclosure. The statement “at the

request of the individual” is a sufficient description of the purpose when an individual initiates the

authorization and does not, or elects not to, provide a statement of the purpose.

(v) An expiration date or an expiration event that relates to the individual or the purpose of the use

or disclosure. The statement “end of research study.” “none,” or similar language is sufficient if the

authorization is for a use and disclosure of protected health information for research, including the creation

and maintenance of a research database or research repository.

(vi) Signature of the individual and date. If the authorization is signed by a personal representative

of the individual, a description of such representative’s authority to act for the individual must also be

provided.

(2) Required statements. In addition to the core elements, the authorization must contain statements

adequate to place the individual on notice of all of the following:

(i) The individual’s right to revoke the authorization in writing, and either:

(A) The exceptions to the right to revoke and a description of how the individual may

revoke the authorization; or

(B) To the extent that the information in paragraph (c)(2)(i)(A) of this section is included

in the notice required by § 164.520, a reference to the covered entity’s notice.

(ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on

the authorization, by stating either:

February 20, 2003 Page 34

(A) The covered entity may not condition treatment, payment, enrollment or eligibility for

benefits on whether the individual signs the authorization when the prohibition on conditioning of

authorizations in paragraph (b)(4) of this section applies; or

(B) The consequences to the individual of a refusal to sign the authorization when, in

accordance with paragraph (b)(4) of this section, the covered entity can condition treatment,

enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.

(iii) The potential for information disclosed pursuant to the authorization to be subject to

redisclosure by the recipient and no longer be protected by this rule.

(3) Plain language requirement. The authorization must be written in plain language.

(4) Copy to the individual. If a covered entity seeks an authorization from an individual for a use or

disclosure of protected health information, the covered entity must provide the individual with a copy of the signed

authorization.

§ 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object.

A covered entity may use or disclose protected health information, provided that the individual is informed in

advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the disclosure in

accordance with the applicable requirements of this section. The covered entity may orally inform the individual of

and obtain the individual’s oral agreement or objection to a use or disclosure permitted by this section.

(a) Standard: use and disclosure for facility directories.

(1) Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs

(a)(2) or (3) of this section, a covered health care provider may:

(i) Use the following protected health information to maintain a directory of individuals in its

facility:

(A) The individual’s name;

(B) The individual’s location in the covered health care provider’s facility;

specific medical information about the individual; and

(D) The individual’s religious affiliation; and

(ii) Disclose for directory purposes such information:

(A) To members of the clergy; or

(B) Except for religious affiliation, to other persons who ask for the individual by name.

(2) Opportunity to object. A covered health care provider must inform an individual of the protected health

information that it may include in a directory and the persons to whom it may disclose such information (including

disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to

restrict or prohibit some or all of the uses or disclosures permitted by paragraph (a)(1) of this section.

(3) Emergency circumstances.

(i) If the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section

cannot practicably be provided because of the individual’s incapacity or an emergency treatment

circumstance, a covered health care provider may use or disclose some or all of the protected health

information permitted by paragraph (a)(1) of this section for the facility’s directory, if such disclosure is:

(A) Consistent with a prior expressed preference of the individual, if any, that is known to

the covered health care provider; and

(B) In the individual’s best interest as determined by the covered health care provider, in

the exercise of professional judgment.

(ii) The covered health care provider must inform the individual and provide an opportunity to

object to uses or disclosures for directory purposes as required by paragraph (a)(2) of this section when it

becomes practicable to do so.

(b) Standard: uses and disclosures for involvement in the individual’s care and notification purposes.

(1) Permitted uses and disclosures.

(i) A covered entity may, in accordance with paragraphs (b)(2) or (3) of this section, disclose to a

family member, other relative, or a close personal friend of the individual, or any other person identified by

the individual, the protected health information directly relevant to such person’s involvement with the

individual’s care or payment related to the individual’s health care.

(ii) A covered entity may use or disclose protected health information to notify, or assist in the

notification of (including identifying or locating), a family member, a personal representative of the

individual, or another person responsible for the care of the individual of the individual’s location, general

February 20, 2003 Page 35

condition, or death. Any such use or disclosure of protected health information for such notification

purposes must be in accordance with paragraphs (b)(2), (3), or (4) of this section, as applicable.

(2) Uses and disclosures with the individual present. If the individual is present for, or otherwise available

prior to, a use or disclosure permitted by paragraph (b)(1) of this section and has the capacity to make health care

decisions, the covered entity may use or disclose the protected health information if it:

(i) Obtains the individual’s agreement;

(ii) Provides the individual with the opportunity to object to the disclosure, and the individual does

not express an objection; or

(iii) Reasonably infers from the circumstances, based the exercise of professional judgment, that

the individual does not object to the disclosure.

(3) Limited uses and disclosures when the individual is not present. If the individual is not present, or the

opportunity to agree or object to the use or disclosure cannot practicably be provided because of the individual’s

incapacity or an emergency circumstance, the covered entity may, in the exercise of professional judgment,

determine whether the disclosure is in the best interests of the individual and, if so, disclose only the protected health

information that is directly relevant to the person’s involvement with the individual’s health care. A covered entity

may use professional judgment and its experience with common practice to make reasonable inferences of the

individual’s best interest in allowing a person to act on behalf of the individual to pick up filled prescriptions,

medical supplies, X-rays, or other similar forms of protected health information.

(4) Use and disclosures for disaster relief purposes. A covered entity may use or disclose protected health

information to a public or private entity authorized by law or by its charter to assist in disaster relief efforts, for the

purpose of coordinating with such entities the uses or disclosures permitted by paragraph (b)(1)(ii) of this section.

The requirements in paragraphs (b)(2) and (3) of this section apply to such uses and disclosure to the extent that the

covered entity, in the exercise of professional judgment, determines that the requirements do not interfere with the

ability to respond to the emergency circumstances.

§ 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not

required.

A covered entity may use or disclose protected health information without the written authorization of the individual,

as described in § 164.508, or the opportunity for the individual to agree or object as described in § 164.510, in the

situations covered by this section, subject to the applicable requirements of this section. When the covered entity is

required by this section to inform the individual of, or when the individual may agree to, a use or disclosure

permitted by this section, the covered entity’s information and the individual’s agreement may be given orally.

(a) Standard: uses and disclosures required by law.

(1) A covered entity may use or disclose protected health information to the extent that such use or

disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of

such law.

(2) A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for

uses or disclosures required by law.

(b) Standard: uses and disclosures for public health activities.

(1) Permitted disclosures. A covered entity may disclose protected health information for the public health

activities and purposes described in this paragraph to:

(i) A public health authority that is authorized by law to collect or receive such information for the

purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting

of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public

health investigations, and public health interventions; or, at the direction of a public health authority, to an

official of a foreign government agency that is acting in collaboration with a public health authority;

(ii) A public health authority or other appropriate government authority authorized by law to

receive reports of child abuse or neglect;

(iii) A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect

to an FDA-regulated product or activity for which that person has responsibility, for the purpose of

activities related to the quality, safety or effectiveness of such FDA-related product or activity. Such

purposes include:

(A) To collect or report adverse events (or similar activities with respect to food or

dietary supplements), product defects or problems (including problems with the use or labeling of

a product), or biological product deviations;

(B) To track FDA- regulated products;

February 20, 2003 Page 36

and notifying individuals who have received products that have been recalled, withdrawn, or are

the subject of the lookback); or

(D) To conduct post marketing surveillance;

(iv) A person who may have been exposed to a communicable disease or may otherwise be at risk

of contracting or spreading a disease or condition, if the covered entity or public health authority is

authorized by law to notify such person as necessary in the conduct of a public health intervention or

investigation; or

(v) An employer, about an individual who is a member of the workforce of the employer, if:

(A) The covered entity is a covered health care provider who is a member of the

workforce of such employer or who provides health care to the individual at the request of the

employer:

(1) To conduct an evaluation relating to medical surveillance of the workplace;

(2) To evaluate whether the individual has a work-related illness or injury;

(B) The protected health information that is disclosed consists of findings concerning a

work-related illness or injury or a workplace-related medical surveillance;

CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under state law having a similar

purpose, to record such illness or injury or to carry out responsibilities for workplace medical

surveillance; and

(D) The covered health care provider provides written notice to the individual that

protected health information relating to the medical surveillance of the workplace and work-related

illnesses and injuries is disclosed to the employer:

(1) By giving a copy of the notice to the individual at the time the health care is

provided; or

(2) If the health care is provided on the work site of the employer, by posting the

notice in a prominent place at the location where the health care is provided.

(2) Permitted uses. If the covered entity also is a public health authority, the covered entity is permitted to

use protected health information in all cases in which it is permitted to disclose such information for public health

activities under paragraph (b)(1) of this section."</