[Code of Federal Regulations]
[Title 45, Volume 1]
[Revised as of October 1, 2001]
From the U.S. Government Printing Office via GPO Access
[CITE: 45CFR164.512]
[Page 702-711]
TITLE 45--PUBLIC WELFARE
SUBTITLE A--DEPARTMENT OF HEALTH
AND HUMAN SERVICES
PART 164--SECURITY AND PRIVACY--Table of Contents
Subpart E--Privacy of Individually Identifiable Health Information
Sec. 164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required.
A covered entity may use or disclose protected health information
without the written consent or authorization of the individual as
described in Secs. 164.506 and 164.508, respectively, or the opportunity
for the individual to agree or object as described in Sec. 164.510, in
the situations covered by this section, subject to the applicable
requirements of this section. When the covered entity is required by
this section to inform the individual of, or when the individual may
agree to, a use or disclosure permitted by this section, the covered
entity's information and the individual's agreement may be given orally.
(a) Standard: Uses and disclosures required by law. (1) A covered
entity may
[[Page 703]]
use or disclose protected health information to the extent that such use
or disclosure is required by law and the use or disclosure complies with
and is limited to the relevant requirements of such law.
(2) A covered entity must meet the requirements described in
paragraph (c), (e), or (f) of this section for uses or disclosures
required by law.
(b) Standard: uses and disclosures for public health activities. (1)
Permitted disclosures. A covered entity may disclose protected health
information for the public health activities and purposes described in
this paragraph to:
(i) A public health authority that is authorized by law to collect
or receive such information for the purpose of preventing or controlling
disease, injury, or disability, including, but not limited to, the
reporting of disease, injury, vital events such as birth or death, and
the conduct of public health surveillance, public health investigations,
and public health interventions; or, at the direction of a public health
authority, to an official of a foreign government agency that is acting
in collaboration with a public health authority;
(ii) A public health authority or other appropriate government
authority authorized by law to receive reports of child abuse or
neglect;
(iii) A person subject to the jurisdiction of the Food and Drug
Administration:
(A) To report adverse events (or similar reports with respect to
food or dietary supplements), product defects or problems (including
problems with the use or labeling of a product), or biological product
deviations if the disclosure is made to the person required or directed
to report such information to the Food and Drug Administration;
(B) To track products if the disclosure is made to a person required
or directed by the Food and Drug Administration to track the product;
(C) To enable product recalls, repairs, or replacement (including
locating and notifying individuals who have received products of product
recalls, withdrawals, or other problems); or
(D) To conduct post marketing surveillance to comply with
requirements or at the direction of the Food and Drug Administration;
(iv) A person who may have been exposed to a communicable disease or
may otherwise be at risk of contracting or spreading a disease or
condition, if the covered entity or public health authority is
authorized by law to notify such person as necessary in the conduct of a
public health intervention or investigation; or
(v) An employer, about an individual who is a member of the
workforce of the employer, if:
(A) The covered entity is a covered health care provider who is a
member of the workforce of such employer or who provides a health care
to the individual at the request of the employer:
(1) To conduct an evaluation relating to medical surveillance of the
workplace; or
(2) To evaluate whether the individual has a work-related illness or
injury;
(B) The protected health information that is disclosed consists of
findings concerning a work-related illness or injury or a workplace-
related medical surveillance;
(C) The employer needs such findings in order to comply with its
obligations, under 29 CFR parts 1904 through 1928, 30 CFR parts 50
through 90, or under state law having a similar purpose, to record such
illness or injury or to carry out responsibilities for workplace medical
surveillance;
(D) The covered health care provider provides written notice to the
individual that protected health information relating to the medical
surveillance of the workplace and work-related illnesses and injuries is
disclosed to the employer:
(1) By giving a copy of the notice to the individual at the time the
health care is provided; or
(2) If the health care is provided on the work site of the employer,
by posting the notice in a prominent place at the location where the
health care is provided.
(2) Permitted uses. If the covered entity also is a public health
authority, the covered entity is permitted to use protected health
information in all cases in which it is permitted to disclose
[[Page 704]]
such information for public health activities under paragraph (b)(1) of
this section.
(c) Standard: Disclosures about victims of abuse, neglect or
domestic violence. (1) Permitted disclosures. Except for reports of
child abuse or neglect permitted by paragraph (b)(1)(ii) of this
section, a covered entity may disclose protected health information
about an individual whom the covered entity reasonably believes to be a
victim of abuse, neglect, or domestic violence to a government
authority, including a social service or protective services agency,
authorized by law to receive reports of such abuse, neglect, or domestic
violence:
(i) To the extent the disclosure is required by law and the
disclosure complies with and is limited to the relevant requirements of
such law;
(ii) If the individual agrees to the disclosure; or
(iii) To the extent the disclosure is expressly authorized by
statute or regulation and:
(A) The covered entity, in the exercise of professional judgment,
believes the disclosure is necessary to prevent serious harm to the
individual or other potential victims; or
(B) If the individual is unable to agree because of incapacity, a
law enforcement or other public official authorized to receive the
report represents that the protected health information for which
disclosure is sought is not intended to be used against the individual
and that an immediate enforcement activity that depends upon the
disclosure would be materially and adversely affected by waiting until
the individual is able to agree to the disclosure.
(2) Informing the individual. A covered entity that makes a
disclosure permitted by paragraph (c)(1) of this section must promptly
inform the individual that such a report has been or will be made,
except if:
(i) The covered entity, in the exercise of professional judgment,
believes informing the individual would place the individual at risk of
serious harm; or
(ii) The covered entity would be informing a personal
representative, and the covered entity reasonably believes the personal
representative is responsible for the abuse, neglect, or other injury,
and that informing such person would not be in the best interests of the
individual as determined by the covered entity, in the exercise of
professional judgment.
(d) Standard: Uses and disclosures for health oversight activities.
(1) Permitted disclosures. A covered entity may disclose protected
health information to a health oversight agency for oversight activities
authorized by law, including audits; civil, administrative, or criminal
investigations; inspections; licensure or disciplinary actions; civil,
administrative, or criminal proceedings or actions; or other activities
necessary for appropriate oversight of:
(i) The health care system;
(ii) Government benefit programs for which health information is
relevant to beneficiary eligibility;
(iii) Entities subject to government regulatory programs for which
health information is necessary for determining compliance with program
standards; or
(iv) Entities subject to civil rights laws for which health
information is necessary for determining compliance.
(2) Exception to health oversight activities. For the purpose of the
disclosures permitted by paragraph (d)(1) of this section, a health
oversight activity does not include an investigation or other activity
in which the individual is the subject of the investigation or activity
and such investigation or other activity does not arise out of and is
not directly related to:
(i) The receipt of health care;
(ii) A claim for public benefits related to health; or
(iii) Qualification for, or receipt of, public benefits or services
when a patient's health is integral to the claim for public benefits or
services.
(3) Joint activities or investigations. Nothwithstanding paragraph
(d)(2) of this section, if a health oversight activity or investigation
is conducted in conjunction with an oversight activity or investigation
relating to a claim for public benefits not related to health, the joint
activity or investigation is considered a health oversight activity for
purposes of paragraph (d) of this section.
[[Page 705]]
(4) Permitted uses. If a covered entity also is a health oversight
agency, the covered entity may use protected health information for
health oversight activities as permitted by paragraph (d) of this
section.
(e) Standard: Disclosures for judicial and administrative
proceedings.
(1) Permitted disclosures. A covered entity may disclose protected
health information in the course of any judicial or administrative
proceeding:
(i) In response to an order of a court or administrative tribunal,
provided that the covered entity discloses only the protected health
information expressly authorized by such order; or
(ii) In response to a subpoena, discovery request, or other lawful
process, that is not accompanied by an order of a court or
administrative tribunal, if:
(A) The covered entity receives satisfactory assurance, as described
in paragraph (e)(1)(iii) of this section, from the party seeking the
information that reasonable efforts have been made by such party to
ensure that the individual who is the subject of the protected health
information that has been requested has been given notice of the
request; or
(B) The covered entity receives satisfactory assurance, as described
in paragraph (e)(1)(iv) of this section, from the party seeking the
information that reasonable efforts have been made by such party to
secure a qualified protective order that meets the requirements of
paragraph (e)(1)(v) of this section.
(iii) For the purposes of paragraph (e)(1)(ii)(A) of this section, a
covered entity receives satisfactory assurances from a party seeking
protecting health information if the covered entity receives from such
party a written statement and accompanying documentation demonstrating
that:
(A) The party requesting such information has made a good faith
attempt to provide written notice to the individual (or, if the
individual's location is unknown, to mail a notice to the individual's
last known address);
(B) The notice included sufficient information about the litigation
or proceeding in which the protected health information is requested to
permit the individual to raise an objection to the court or
administrative tribunal; and
(C) The time for the individual to raise objections to the court or
administrative tribunal has elapsed, and:
(1) No objections were filed; or
(2) All objections filed by the individual have been resolved by the
court or the administrative tribunal and the disclosures being sought
are consistent with such resolution.
(iv) For the purposes of paragraph (e)(1)(ii)(B) of this section, a
covered entity receives satisfactory assurances from a party seeking
protected health information, if the covered entity receives from such
party a written statement and accompanying documentation demonstrating
that:
(A) The parties to the dispute giving rise to the request for
information have agreed to a qualified protective order and have
presented it to the court or administrative tribunal with jurisdiction
over the dispute; or
(B) The party seeking the protected health information has requested
a qualified protective order from such court or administrative tribunal.
(v) For purposes of paragraph (e)(1) of this section, a qualified
protective order means, with respect to protected health information
requested under paragraph (e)(1)(ii) of this section, an order of a
court or of an administrative tribunal or a stipulation by the parties
to the litigation or administrative proceeding that:
(A) Prohibits the parties from using or disclosing the protected
health information for any purpose other than the litigation or
proceeding for which such information was requested; and
(B) Requires the return to the covered entity or destruction of the
protected health information (including all copies made) at the end of
the litigation or proceeding.
(vi) Nothwithstanding paragraph (e)(1)(ii) of this section, a
covered entity may disclose protected health information in response to
lawful process described in paragraph (e)(1)(ii) of this section without
receiving satisfactory assurance under paragraph (e)(1)(ii)(A) or (B) of
this section, if the covered entity makes reasonable efforts to provide
notice to the individual sufficient to meet the requirements of
paragraph (e)(1)(iii) of this section or to seek a qualified protective
order sufficient to
[[Page 706]]
meet the requirements of paragraph (e)(1)(iv) of this section.
(2) Other uses and disclosures under this section. The provisions of
this paragraph do not supersede other provisions of this section that
otherwise permit or restrict uses or disclosures of protected health
information.
(f) Standard: Disclosures for law enforcement purposes. A covered
entity may disclose protected health information for a law enforcement
purpose to a law enforcement official if the conditions in paragraphs
(f)(1) through (f)(6) of this section are met, as applicable.
(1) Permitted disclosures: Pursuant to process and as otherwise
required by law. A covered entity may disclose protected health
information:
(i) As required by law including laws that require the reporting of
certain types of wounds or other physical injuries, except for laws
subject to paragraph (b)(1)(ii) or (c)(1)(i) of this section; or
(ii) In compliance with and as limited by the relevant requirements
of:
(A) A court order or court-ordered warrant, or a subpoena or summons
issued by a judicial officer;
(B) A grand jury subpoena; or
(C) An administrative request, including an administrative subpoena
or summons, a civil or an authorized investigative demand, or similar
process authorized under law, provided that:
(1) The information sought is relevant and material to a legitimate
law enforcement inquiry;
(2) The request is specific and limited in scope to the extent
reasonably practicable in light of the purpose for which the information
is sought; and
(3) De-identified information could not reasonably be used.
(2) Permitted disclosures: Limited information for identification
and location purposes. Except for disclosures required by law as
permitted by paragraph (f)(1) of this section, a covered entity may
disclose protected health information in response to a law enforcement
official's request for such information for the purpose of identifying
or locating a suspect, fugitive, material witness, or missing person,
provided that:
(i) The covered entity may disclose only the following information:
(A) Name and address;
(B) Date and place of birth;
(C) Social security number;
(D) ABO blood type and rh factor;
(E) Type of injury;
(F) Date and time of treatment;
(G) Date and time of death, if applicable; and
(H) A description of distinguishing physical characteristics,
including height, weight, gender, race, hair and eye color, presence or
absence of facial hair (beard or moustache), scars, and tattoos.
(ii) Except as permitted by paragraph (f)(2)(i) of this section, the
covered entity may not disclose for the purposes of identification or
location under paragraph (f)(2) of this section any protected health
information related to the individual's DNA or DNA analysis, dental
records, or typing, samples or analysis of body fluids or tissue.
(3) Permitted disclosure: Victims of a crime. Except for disclosures
required by law as permitted by paragraph (f)(1) of this section, a
covered entity may disclose protected health information in response to
a law enforcement official's request for such information about an
individual who is or is suspected to be a victim of a crime, other than
disclosures that are subject to paragraph (b) or (c) of this section,
if:
(ii) The individual agrees to the disclosure; or
(iii) The covered entity is unable to obtain the individual's
agreement because of incapacity or other emergency circumstance,
provided that:
(A) The law enforcement official represents that such information is
needed to determine whether a violation of law by a person other than
the victim has occurred, and such information is not intended to be used
against the victim;
(B) The law enforcement official represents that immediate law
enforcement activity that depends upon the disclosure would be
materially and adversely affected by waiting until the individual is
able to agree to the disclosure; and
(C) The disclosure is in the best interests of the individual as
determined by the covered entity, in the exercise of professional
judgment.
[[Page 707]]
(4) Permitted disclosure: Decedents. A covered entity may disclose
protected health information about an individual who has died to a law
enforcement official for the purpose of alerting law enforcement of the
death of the individual if the covered entity has a suspicion that such
death may have resulted from criminal conduct.
(5) Permitted disclosure: Crime on premises. A covered entity may
disclose to a law enforcement official protected health information that
the covered entity believes in good faith constitutes evidence of
criminal conduct that occurred on the premises of the covered entity.
(6) Permitted disclosure: Reporting crime in emergencies. (i) A
covered health care provider providing emergency health care in response
to a medical emergency, other than such emergency on the premises of the
covered health care provider, may disclose protected health information
to a law enforcement official if such disclosure appears necessary to
alert law enforcement to:
(A) The commission and nature of a crime;
(B) The location of such crime or of the victim(s) of such crime;
and
(C) The identity, description, and location of the perpetrator of
such crime.
(ii) If a covered health care provider believes that the medical
emergency described in paragraph (f)(6)(i) of this section is the result
of abuse, neglect, or domestic violence of the individual in need of
emergency health care, paragraph (f)(6)(i) of this section does not
apply and any disclosure to a law enforcement official for law
enforcement purposes is subject to paragraph (c) of this section.
(g) Standard: Uses and disclosures about decedents. (1) Coroners and
medical examiners. A covered entity may disclose protected health
information to a coroner or medical examiner for the purpose of
identifying a deceased person, determining a cause of death, or other
duties as authorized by law. A covered entity that also performs the
duties of a coroner or medical examiner may use protected health
information for the purposes described in this paragraph.
(2) Funeral directors. A covered entity may disclose protected
health information to funeral directors, consistent with applicable law,
as necessary to carry out their duties with respect to the decedent. If
necessary for funeral directors carry out their duties, the covered
entity may disclose the protected health information prior to, and in
reasonable anticipation of, the individual's death.
(h) Standard: Uses and disclosures for cadaveric organ, eye or
tissue donation purposes. A covered entity may use or disclose protected
health information to organ procurement organizations or other entities
engaged in the procurement, banking, or transplantation of cadaveric
organs, eyes, or tissue for the purpose of facilitating organ, eye or
tissue donation and transplantation.
(i) Standard: Uses and disclosures for research purposes. (1)
Permitted uses and disclosures. A covered entity may use or disclose
protected health information for research, regardless of the source of
funding of the research, provided that:
(i) Board approval of a waiver of authorization. The covered entity
obtains documentation that an alteration to or waiver, in whole or in
part, of the individual authorization required by Sec. 164.508 for use
or disclosure of protected health information has been approved by
either:
(A) An Institutional Review Board (IRB), established in accordance
with 7 CFR lc.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16
CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 24 CFR 60.107, 28 CFR
46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45
CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or
(B) A privacy board that:
(1) Has members with varying backgrounds and appropriate
professional competency as necessary to review the effect of the
research protocol on the individual's privacy rights and related
interests;
(2) Includes at least one member who is not affiliated with the
covered entity, not affiliated with any entity conducting or sponsoring
the research, and not related to any person who is affiliated with any
of such entities; and
(3) Does not have any member participating in a review of any
project in
[[Page 708]]
which the member has a conflict of interest.
(ii) Reviews preparatory to research. The covered entity obtains
from the researcher representations that:
(A) Use or disclosure is sought solely to review protected health
information as necessary to prepare a research protocol or for similar
purposes preparatory to research;
(B) No protected health information is to be removed from the
covered entity by the researcher in the course of the review; and
(C) The protected health information for which use or access is
sought is necessary for the research purposes.
(iii) Research on decedent's information. The covered entity obtains
from the researcher:
(A) Representation that the use or disclosure is sought is solely
for research on the protected health information of decedents;
(B) Documentation, at the request of the covered entity, of the
death of such individuals; and
(C) Representation that the protected health information for which
use or disclosure is sought is necessary for the research purposes.
(2) Documentation of waiver approval. For a use or disclosure to be
permitted based on documentation of approval of an alteration or waiver,
under paragraph (i)(1)(i) of this section, the documentation must
include all of the following:
(i) Identification and date of action. A statement identifying the
IRB or privacy board and the date on which the alteration or waiver of
authorization was approved;
(ii) Waiver criteria. A statement that the IRB or privacy board has
determined that the alteration or waiver, in whole or in part, of
authorization satisfies the following criteria:
(A) The use or disclosure of protected health information involves
no more than minimal risk to the individuals;
(B) The alteration or waiver will not adversely affect the privacy
rights and the welfare of the individuals;
(C) The research could not practicably be conducted without the
alteration or waiver;
(D) The research could not practicably be conducted without access
to and use of the protected health information;
(E) The privacy risks to individuals whose protected health
information is to be used or disclosed are reasonable in relation to the
anticipated benefits if any to the individuals, and the importance of
the knowledge that may reasonably be expected to result from the
research;
(F) There is an adequate plan to protect the identifiers from
improper use and disclosure;
(G) There is an adequate plan to destroy the identifiers at the
earliest opportunity consistent with conduct of the research, unless
there is a health or research justification for retaining the
identifiers, or such retention is otherwise required by law; and
(H) There are adequate written assurances that the protected health
information will not be reused or disclosed to any other person or
entity, except as required by law, for authorized oversight of the
research project, or for other research for which the use or disclosure
of protected health information would be permitted by this subpart.
(iii) Protected health information needed. A brief description of
the protected health information for which use or access has been
determined to be necessary by the IRB or privacy board has determined,
pursuant to paragraph (i)(2)(ii)(D) of this section;
(iv) Review and approval procedures. A statement that the alteration
or waiver of authorization has been reviewed and approved under either
normal or expedited review procedures, as follows:
(A) An IRB must follow the requirements of the Common Rule,
including the normal review procedures (7 CFR 1c.108(b), 10 CFR
745.108(b), 14 CFR 1230.108(b), 15 CFR 27.108(b), 16 CFR 1028.108(b), 21
CFR 56.108(b), 22 CFR 225.108(b), 24 CFR 60.108(b), 28 CFR 46.108(b), 32
CFR 219.108(b), 34 CFR 97.108(b), 38 CFR 16.108(b), 40 CFR 26.108(b), 45
CFR 46.108(b), 45 CFR 690.108(b), or 49 CFR 11.108(b)) or the expedited
review procedures (7 CFR 1c.110, 10 CFR 745.110, 14 CFR 1230.110, 15 CFR
27.110, 16 CFR 1028.110, 21 CFR 56.110, 22 CFR 225.110, 24 CFR 60.110,
28 CFR 46.110, 32 CFR 219.110, 34 CFR 97.110, 38 CFR 16.110, 40 CFR
26.110, 45
[[Page 709]]
CFR 46.110, 45 CFR 690.110, or 49 CFR 11.110);
(B) A privacy board must review the proposed research at convened
meetings at which a majority of the privacy board members are present,
including at least one member who satisfies the criterion stated in
paragraph (i)(1)(i)(B)(2) of this section, and the alteration or waiver
of authorization must be approved by the majority of the privacy board
members present at the meeting, unless the privacy board elects to use
an expedited review procedure in accordance with paragraph (i)(2)(iv)(C)
of this section;
(C) A privacy board may use an expedited review procedure if the
research involves no more than minimal risk to the privacy of the
individuals who are the subject of the protected health information for
which use or disclosure is being sought. If the privacy board elects to
use an expedited review procedure, the review and approval of the
alteration or waiver of authorization may be carried out by the chair of
the privacy board, or by one or more members of the privacy board as
designated by the chair; and
(v) Required signature. The documentation of the alteration or
waiver of authorization must be signed by the chair or other member, as
designated by the chair, of the IRB or the privacy board, as applicable.
(j) Standard: Uses and disclosures to avert a serious threat to
health or safety. (1) Permitted disclosures. A covered entity may,
consistent with applicable law and standards of ethical conduct, use or
disclose protected health information, if the covered entity, in good
faith, believes the use or disclosure:
(i)(A) Is necessary to prevent or lessen a serious and imminent
threat to the health or safety of a person or the public; and
(B) Is to a person or persons reasonably able to prevent or lessen
the threat, including the target of the threat; or
(ii) Is necessary for law enforcement authorities to identify or
apprehend an individual:
(A) Because of a statement by an individual admitting participation
in a violent crime that the covered entity reasonably believes may have
caused serious physical harm to the victim; or
(B) Where it appears from all the circumstances that the individual
has escaped from a correctional institution or from lawful custody, as
those terms are defined in Sec. 164.501.
(2) Use or disclosure not permitted. A use or disclosure pursuant to
paragraph (j)(1)(ii)(A) of this section may not be made if the
information described in paragraph (j)(1)(ii)(A) of this section is
learned by the covered entity:
(i) In the course of treatment to affect the propensity to commit
the criminal conduct that is the basis for the disclosure under
paragraph (j)(1)(ii)(A) of this section, or counseling or therapy; or
(ii) Through a request by the individual to initiate or to be
referred for the treatment, counseling, or therapy described in
paragraph (j)(2)(i) of this section.
(3) Limit on information that may be disclosed. A disclosure made
pursuant to paragraph (j)(1)(ii)(A) of this section shall contain only
the statement described in paragraph (j)(1)(ii)(A) of this section and
the protected health information described in paragraph (f)(2)(i) of
this section.
(4) Presumption of good faith belief. A covered entity that uses or
discloses protected health information pursuant to paragraph (j)(1) of
this section is presumed to have acted in good faith with regard to a
belief described in paragraph (j)(1)(i) or (ii) of this section, if the
belief is based upon the covered entity's actual knowledge or in
reliance on a credible representation by a person with apparent
knowledge or authority.
(k) Standard: Uses and disclosures for specialized government
functions. (1) Military and veterans activities. (i) Armed Forces
personnel. A covered entity may use and disclose the protected health
information of individuals who are Armed Forces personnel for activities
deemed necessary by appropriate military command authorities to assure
the proper execution of the military mission, if the appropriate
military authority has published by notice in the Federal Register the
following information:
[[Page 710]]
(A) Appropriate military command authorities; and
(B) The purposes for which the protected health information may be
used or disclosed.
(ii) Separation or discharge from military service. A covered entity
that is a component of the Departments of Defense or Transportation may
disclose to the Department of Veterans Affairs (DVA) the protected
health information of an individual who is a member of the Armed Forces
upon the separation or discharge of the individual from military service
for the purpose of a determination by DVA of the individual's
eligibility for or entitlement to benefits under laws administered by
the Secretary of Veterans Affairs.
(iii) Veterans. A covered entity that is a component of the
Department of Veterans Affairs may use and disclose protected health
information to components of the Department that determine eligibility
for or entitlement to, or that provide, benefits under the laws
administered by the Secretary of Veterans Affairs.
(iv) Foreign military personnel. A covered entity may use and
disclose the protected health information of individuals who are foreign
military personnel to their appropriate foreign military authority for
the same purposes for which uses and disclosures are permitted for Armed
Forces personnel under the notice published in the Federal Register
pursuant to paragraph (k)(1)(i) of this section.
(2) National security and intelligence activities. A covered entity
may disclose protected health information to authorized federal
officials for the conduct of lawful intelligence, counter-intelligence,
and other national security activities authorized by the National
Security Act (50 U.S.C. 401, et seq.) and implementing authority (e.g.,
Executive Order 12333).
(3) Protective services for the President and others. A covered
entity may disclose protected health information to authorized federal
officials for the provision of protective services to the President or
other persons authorized by 18 U.S.C. 3056, or to foreign heads of state
or other persons authorized by 22 U.S.C. 2709(a)(3), or to for the
conduct of investigations authorized by 18 U.S.C. 871 and 879.
(4) Medical suitability determinations. A covered entity that is a
component of the Department of State may use protected health
information to make medical suitability determinations and may disclose
whether or not the individual was determined to be medically suitable to
the officials in the Department of State who need access to such
information for the following purposes:
(i) For the purpose of a required security clearance conducted
pursuant to Executive Orders 10450 and 12698;
(ii) As necessary to determine worldwide availability or
availability for mandatory service abroad under sections 101(a)(4) and
504 of the Foreign Service Act; or
(iii) For a family to accompany a Foreign Service member abroad,
consistent with section 101(b)(5) and 904 of the Foreign Service Act.
(5) Correctional institutions and other law enforcement custodial
situations. (i) Permitted disclosures. A covered entity may disclose to
a correctional institution or a law enforcement official having lawful
custody of an inmate or other individual protected health information
about such inmate or individual, if the correctional institution or such
law enforcement official represents that such protected health
information is necessary for:
(A) The provision of health care to such individuals;
(B) The health and safety of such individual or other inmates;
(C) The health and safety of the officers or employees of or others
at the correctional institution;
(D) The health and safety of such individuals and officers or other
persons responsible for the transporting of inmates or their transfer
from one institution, facility, or setting to another;
(E) Law enforcement on the premises of the correctional institution;
and
(F) The administration and maintenance of the safety, security, and
good order of the correctional institution.
(ii) Permitted uses. A covered entity that is a correctional
institution may use protected health information of individuals who are
inmates for any purpose for which such protected health information may
be disclosed.
[[Page 711]]
(iii) No application after release. For the purposes of this
provision, an individual is no longer an inmate when released on parole,
probation, supervised release, or otherwise is no longer in lawful
custody.
(6) Covered entities that are government programs providing public
benefits. (i) A health plan that is a government program providing
public benefits may disclose protected health information relating to
eligibility for or enrollment in the health plan to another agency
administering a government program providing public benefits if the
sharing of eligibility or enrollment information among such government
agencies or the maintenance of such information in a single or combined
data system accessible to all such government agencies is required or
expressly authorized by statute or regulation.
(ii) A covered entity that is a government agency administering a
government program providing public benefits may disclose protected
health information relating to the program to another covered entity
that is a government agency administering a government program providing
public benefits if the programs serve the same or similar populations
and the disclosure of protected health information is necessary to
coordinate the covered functions of such programs or to improve
administration and management relating to the covered functions of such
programs.
(l) Standard: Disclosures for workers' compensation. A covered
entity may disclose protected health information as authorized by and to
the extent necessary to comply with laws relating to workers'
compensation or other similar programs, established by law, that provide
benefits for work-related injuries or illness without regard to fault.