[Code of Federal Regulations]
[Title 45, Volume 1]
[Revised as of October 1, 2001]
From the U.S. Government Printing Office via GPO Access
[CITE: 45CFR164.502]
[Page 688-691]
TITLE 45--PUBLIC WELFARE
SUBTITLE A--DEPARTMENT OF HEALTH
AND HUMAN SERVICES
PART 164--SECURITY AND PRIVACY--Table of Contents
Subpart E--Privacy of Individually Identifiable Health Information
Sec. 164.502 Uses and disclosures of protected health information: general rules.
(a) Standard. A covered entity may not use or disclose protected
health information, except as permitted or required by this subpart or
by subpart C of part 160 of this subchapter.
(1) Permitted uses and disclosures. A covered entity is permitted to
use or disclose protected health information as follows:
(i) To the individual;
[[Page 689]]
(ii) Pursuant to and in compliance with a consent that complies with
Sec. 164.506, to carry out treatment, payment, or health care
operations;
(iii) Without consent, if consent is not required under
Sec. 164.506(a) and has not been sought under Sec. 164.506(a)(4), to
carry out treatment, payment, or health care operations, except with
respect to psychotherapy notes;
(iv) Pursuant to and in compliance with a valid authorization under
Sec. 164.508;
(v) Pursuant to an agreement under, or as otherwise permitted by,
Sec. 164.510; and
(vi) As permitted by and in compliance with this section,
Sec. 164.512, or Sec. 164.514(e), (f), and (g).
(2) Required disclosures. A covered entity is required to disclose
protected health information:
(i) To an individual, when requested under, and required by
Sec. 164.524 or Sec. 164.528; and
(ii) When required by the Secretary under subpart C of part 160 of
this subchapter to investigate or determine the covered entity's
compliance with this subpart.
(b) Standard: Minimum necessary. (1) Minimum necessary applies. When
using or disclosing protected health information or when requesting
protected health information from another covered entity, a covered
entity must make reasonable efforts to limit protected health
information to the minimum necessary to accomplish the intended purpose
of the use, disclosure, or request.
(2) Minimum necessary does not apply. This requirement does not
apply to:
(i) Disclosures to or requests by a health care provider for
treatment;
(ii) Uses or disclosures made to the individual, as permitted under
paragraph (a)(1)(i) of this section, as required by paragraph (a)(2)(i)
of this section, or pursuant to an authorization under Sec. 164.508,
except for authorizations requested by the covered entity under
Sec. 164.508(d), (e), or (f);
(iii) Disclosures made to the Secretary in accordance with subpart C
of part 160 of this subchapter;
(iv) Uses or disclosures that are required by law, as described by
Sec. 164.512(a); and
(v) Uses or disclosures that are required for compliance with
applicable requirements of this subchapter.
(c) Standard: Uses and disclosures of protected health information
subject to an agreed upon restriction. A covered entity that has agreed
to a restriction pursuant to Sec. 164.522(a)(1) may not use or disclose
the protected health information covered by the restriction in violation
of such restriction, except as otherwise provided in Sec. 164.522(a).
(d) Standard: Uses and disclosures of de-identified protected health
information.(1) Uses and disclosures to create de-identified
information. A covered entity may use protected health information to
create information that is not individually identifiable health
information or disclose protected health information only to a business
associate for such purpose, whether or not the de-identified information
is to be used by the covered entity.
(2) Uses and disclosures of de-identified information. Health
information that meets the standard and implementation specifications
for de-identification under Sec. 164.514(a) and (b) is considered not to
be individually identifiable health information, i.e., de-identified.
The requirements of this subpart do not apply to information that has
been de-identified in accordance with the applicable requirements of
Sec. 164.514, provided that:
(i) Disclosure of a code or other means of record identification
designed to enable coded or otherwise de-identified information to be
re-identified constitutes disclosure of protected health information;
and
(ii) If de-identified information is re-identified, a covered entity
may use or disclose such re-identified information only as permitted or
required by this subpart.
(e)(1) Standard: Disclosures to business associates. (i) A covered
entity may disclose protected health information to a business associate
and may allow a business associate to create or receive protected health
information on its behalf, if the covered entity obtains satisfactory
assurance that the business associate will appropriately safeguard the
information.
(ii) This standard does not apply:
[[Page 690]]
(A) With respect to disclosures by a covered entity to a health care
provider concerning the treatment of the individual;
(B) With respect to disclosures by a group health plan or a health
insurance issuer or HMO with respect to a group health plan to the plan
sponsor, to the extent that the requirements of Sec. 164.504(f) apply
and are met; or
(C) With respect to uses or disclosures by a health plan that is a
government program providing public benefits, if eligibility for, or
enrollment in, the health plan is determined by an agency other than the
agency administering the health plan, or if the protected health
information used to determine enrollment or eligibility in the health
plan is collected by an agency other than the agency administering the
health plan, and such activity is authorized by law, with respect to the
collection and sharing of individually identifiable health information
for the performance of such functions by the health plan and the agency
other than the agency administering the health plan.
(iii) A covered entity that violates the satisfactory assurances it
provided as a business associate of another covered entity will be in
noncompliance with the standards, implementation specifications, and
requirements of this paragraph and Sec. 164.504(e).
(2) Implementation specification: documentation. A covered entity
must document the satisfactory assurances required by paragraph (e)(1)
of this section through a written contract or other written agreement or
arrangement with the business associate that meets the applicable
requirements of Sec. 164.504(e).
(f) Standard: Deceased individuals. A covered entity must comply
with the requirements of this subpart with respect to the protected
health information of a deceased individual.
(g)(1) Standard: Personal representatives. As specified in this
paragraph, a covered entity must, except as provided in paragraphs
(g)(3) and (g)(5) of this section, treat a personal representative as
the individual for purposes of this subchapter.
(2) Implementation specification: adults and emancipated minors. If
under applicable law a person has authority to act on behalf of an
individual who is an adult or an emancipated minor in making decisions
related to health care, a covered entity must treat such person as a
personal representative under this subchapter, with respect to protected
health information relevant to such personal representation.
(3) Implementation specification: unemancipated minors. If under
applicable law a parent, guardian, or other person acting in loco
parentis has authority to act on behalf of an individual who is an
unemancipated minor in making decisions related to health care, a
covered entity must treat such person as a personal representative under
this subchapter, with respect to protected health information relevant
to such personal representation, except that such person may not be a
personal representative of an unemancipated minor, and the minor has the
authority to act as an individual, with respect to protected health
information pertaining to a health care service, if:
(i) The minor consents to such health care service; no other consent
to such health care service is required by law, regardless of whether
the consent of another person has also been obtained; and the minor has
not requested that such person be treated as the personal
representative;
(ii) The minor may lawfully obtain such health care service without
the consent of a parent, guardian, or other person acting in loco
parentis, and the minor, a court, or another person authorized by law
consents to such health care service; or
(iii) A parent, guardian, or other person acting in loco parentis
assents to an agreement of confidentiality between a covered health care
provider and the minor with respect to such health care service.
(4) Implementation specification: Deceased individuals. If under
applicable law an executor, administrator, or other person has authority
to act on behalf of a deceased individual or of the individual's estate,
a covered entity must treat such person as a personal representative
under this subchapter, with respect to protected health information
relevant to such personal representation.
[[Page 691]]
(5) Implementation specification: Abuse, neglect, endangerment
situations. Notwithstanding a State law or any requirement of this
paragraph to the contrary, a covered entity may elect not to treat a
person as the personal representative of an individual if:
(i) The covered entity has a reasonable belief that:
(A) The individual has been or may be subjected to domestic
violence, abuse, or neglect by such person; or
(B) Treating such person as the personal representative could
endanger the individual; and
(ii) The covered entity, in the exercise of professional judgment,
decides that it is not in the best interest of the individual to treat
the person as the individual's personal representative.
(h) Standard: Confidential communications. A covered health care
provider or health plan must comply with the applicable requirements of
Sec. 164.522(b) in communicating protected health information.
(i) Standard: Uses and disclosures consistent with notice. A covered
entity that is required by Sec. 164.520 to have a notice may not use or
disclose protected health information in a manner inconsistent with such
notice. A covered entity that is required by Sec. 164.520(b)(1)(iii) to
include a specific statement in its notice if it intends to engage in an
activity listed in Sec. 164.520(b)(1)(iii)(A)-(C), may not use or
disclose protected health information for such activities, unless the
required statement is included in the notice.
(j) Standard: Disclosures by whistleblowers and workforce member
crime victims. (1) Disclosures by whistleblowers. A covered entity is
not considered to have violated the requirements of this subpart if a
member of its workforce or a business associate discloses protected
health information, provided that:
(i) The workforce member or business associate believes in good
faith that the covered entity has engaged in conduct that is unlawful or
otherwise violates professional or clinical standards, or that the care,
services, or conditions provided by the covered entity potentially
endangers one or more patients, workers, or the public; and
(ii) The disclosure is to:
(A) A health oversight agency or public health authority authorized
by law to investigate or otherwise oversee the relevant conduct or
conditions of the covered entity or to an appropriate health care
accreditation organization for the purpose of reporting the allegation
of failure to meet professional standards or misconduct by the covered
entity; or
(B) An attorney retained by or on behalf of the workforce member or
business associate for the purpose of determining the legal options of
the workforce member or business associate with regard to the conduct
described in paragraph (j)(1)(i) of this section.
(2) Disclosures by workforce members who are victims of a crime. A
covered entity is not considered to have violated the requirements of
this subpart if a member of its workforce who is the victim of a
criminal act discloses protected health information to a law enforcement
official, provided that:
(i) The protected health information disclosed is about the
suspected perpetrator of the criminal act; and
(ii) The protected health information disclosed is limited to the
information listed in Sec. 164.512(f)(2)(i).