Communications Permitted or Required by Law
You may use or disclose PHI to the extent that a use or disclosure is required by law and the use or disclosure complies with the requirement of the law.
The Privacy Rule protects individually identifiable health information from uses and disclosures that unnecessarily compromise the privacy of an individual. The Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur.
Disclosures about or to:
Disclosures to a Public Health Authority or Government Authority Authorized by Law to Receive Reports of Child Abuse or Neglect
A clinician may disclose PHI to an authority authorized by law to receive reports of child abuse or neglect. No conditions apply under the Privacy Rule. Follow the requirements of state law.
Disclosures About Victims of Abuse, Neglect or Domestic Violence
A clinician may disclose PHI about an individual whom the clinician reasonably believes to be a victim of abuse, neglect or domestic violence to a government authority, including a social service or protective services agency, authorized by law to receive reports of such abuse, neglect or domestic violence ONLY after the clinician:
- Informs the individual and the individual agrees to the disclosure
  - The clinician is excepted from informing the individual if:
    - in the exercise of professional judgment, the clinician believes informing the individual would place the individual at risk of serious harm, or
    - the clinician would be informing a personal representative, and the clinician reasonably believes the personal representative is responsible for the abuse, neglect, or other injury and that informing such person would not be in the best interests of the individual as determined by the clinician in the exercise of professional judgment.
AND
- The disclosure is only made to the extent required by applicable law and is limited to relevant requirements
- The disclosure is made to the extent expressly authorized by statute or regulation and:
  - the clinician, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the individual or other potential victims; or
  - if the individual is unable to agree because of incapacity, and the law enforcement or other public official authorized to receive the report represents that the PHI for which disclosure is sought is not intended to be used against the individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the individual is able to agree to the disclosure.
Disclosures for Law Enforcement Purposes
Clinicians or designated personnel can disclose PHI as required by law for the reporting of certain types of wounds or other physical injuries.
The Health Information Management (HIM) Department can disclose PHI in compliance with and as limited by the relevant requirements of:
- A court order or court-ordered warrant, or a subpoena or summons issued by a judicial officer;
- A grand jury subpoena; or
- An administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:
  - the information sought is relevant and material to a legitimate law enforcement inquiry;
  - the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and
  - de-identified information could not reasonably be used.
Decedents
Clinicians or the HIM Department may disclose PHI about an individual who has died to a law enforcement official for the purpose of alerting law enforcement of the death of the individual if the clinician has suspicion that such death may have resulted from criminal conduct.
Crime on Premises
Clinicians or other designated personnel may disclose, in good faith, to law enforcement officials PHI that they believe constitutes evidence of criminal conduct that occurred on the premises of the facility.
Reporting Crime in Emergencies
A clinician providing emergency health care in response to an emergency on the premises of the facility may disclose PHI to a law enforcement official if such disclosure appears necessary to alert law enforcement to:
- The commission and nature of a crime (not as a result of abuse, neglect or domestic violence);
- The location of such crime or of the victim(s) of such crime; and
- The identity, description, and location of the perpetrator of such crime.
Uses and Disclosures to Avert a Serious Threat to Health or Safety
Clinicians or designated personnel may, consistent with applicable law and standards of ethical conduct, use or disclose PHI, if the clinician or designated person, in good faith, believes the use or disclosure:
- Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and
- Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat; or
- Is necessary for law enforcement authorities to identify or apprehend an individual:
  - because of a statement by an individual admitting participation in a violent crime (except if the statement was learned during treatment, counseling or therapy or referral to such) that the covered entity reasonably believes may have caused serious physical harm to the victim; or
  - where it appears from all the circumstances that the individual has escaped from a correctional institution or from lawful custody, as those terms are listed in the definition section.
Correctional Institutions and Other Law Enforcement Custodial Situations
Clinicians or the HIM Department may disclose to a correctional institution or a law enforcement official having lawful custody of an inmate or other individual PHI about such inmate or individual, if the correctional institution or such law enforcement official represents that such PHI is necessary for:
- The provision of health care to such individuals;
- The health and safety of such individual or other inmates;
- The health and safety of the officers or employees of or others at the correctional institution;
- The health and safety of such individuals and officers or other persons responsible for the transporting of inmates or their transfer from one institution, facility, or setting to another;
- Law enforcement on the premises of the correctional institution; and
- The administration and maintenance of the safety, security, and good order of the correctional institution.
For the purposes of this provision, an individual is no longer an inmate when released on parole, probation, supervised release, or otherwise is no longer in lawful custody.
Disclosures for Disaster Relief Purposes
A clinician or appropriate designee may use or disclose minimum necessary PHI to a public or private entity authorized by law or by its charter (e.g., American Red Cross) to assist in disaster relief efforts. It is unnecessary to obtain a patient’s permission to share the information if doing so would interfere with the organization’s ability to respond to the emergency.
For disaster relief purposes, a clinician or appropriate designee can use or disclose PHI as necessary to identify, locate and notify a family member, a guardian, a personal representative of the individual, or another person responsible for the care of the individual of the individual's location, general condition or death. Conditions apply to the use or disclosure of PHI for disaster relief purposes, to the extent practicable. In accordance with the Privacy Rule, the clinician or appropriate designee must obtain the individual's agreement or objection to the disclosure of PHI to family, friends or other individuals involved in their care if:
- the individual is present (or otherwise available prior to the disclosure) and has the capacity to make health care decisions.
- In the exercise of professional judgment, the clinician determines that the requirements do not interfere with the ability to respond to the emergency circumstances.
- in cases when the individual is not present or is incapacitated, the clinician in the exercise of professional judgment can determine whether the disclosure is in the best interests of the individual and, if so, disclose only the PHI that is directly relevant to the person's involvement with the individual's health care.
Unless the patient has requested that information be withheld (i.e., opted out of the facility directory), information about their general condition (good, fair, serious, critical, deceased) and their location may be released to other third parties, but only if the third party inquiry specifically provides the patient’s name. This is the maximum information that may be released under this provision of the law; however, it is recommended to use discretion when exercising this authority. For example, disclosing this information to the media would likely not comply with the HIPAA “minimum necessary” standard. And of course, a hospital should not notify other third parties of a patient’s death before the next-of-kin is notified.
While the HIPAA Privacy Rule is not suspended during a declared emergency, the Secretary of HHS may waive certain provisions of the Privacy Rule under the Project Bioshield Act of 2004 (PL 108-276) and section 1135(b)(7) of the Social Security Act. The Secretary of HHS may also waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule during a declared emergency:
- The requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b);
- The requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a);
- The requirement to distribute a notice of privacy practices. See 45 CFR 164.520;
- The patient's right to request privacy restrictions. See 45 CFR 164.522(a); OR
- The patient's right to request confidential communications. See 45 CFR 164.522(b).
When the Secretary issues such a waiver, it only applies:
- In the emergency area and for the emergency period identified in the public health emergency declaration;
- To hospitals that have instituted a disaster protocol; and
- For up to 72 hours from the time the hospital implements its disaster protocol.
When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours have not elapsed since implementation of its disaster protocol.
Regardless of the activation of an emergency waiver, the HIPAA Privacy Rule permits disclosures for treatment purposes and certain disclosures to disaster relief organizations. For instance, the Privacy Rule allows covered entities to share patient information with the American Red Cross so it can notify family members of the patient’s location. See 45 CFR 164.510(b)(4).
NOTICE: There is no process to waive penalties for violations of state health information privacy laws.
Reference: California Civil Code Sections 56.10(c)(15), 56.1007, and 56.16; 45 C.F.R. Section 164.510 (a) and (b)(4)
Disclosures To a Public Health Authority
Designated departments or individuals may disclose PHI to public health authorities, as defined in the Privacy Rule, that are authorized by law to collect or receive information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to:
- The reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or
- At the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority (45 CFR 164.512(b)(1)(i))
The Privacy Rule defines “public health authority” as an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.
Designated departments or individuals may disclose PHI to a public health authority or other appropriate government authority authorized by law to collect or receive the information it is requesting for the stated public health purpose (e.g., reports of child abuse or neglect).
The Privacy Rule imposes certain requirements and conditions on these disclosures, such as that the covered entity must make reasonable efforts to limit the PHI disclosed to the minimum necessary to accomplish the intended purpose of the disclosure.
Designated departments or individuals may disclose PHI to a person or persons subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity. Examples include:
- To collect or report adverse events (or similar activities with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations;
- To track FDA-regulated products;
- To enable product recalls, repairs or replacements, or lookback (including locating and notifying individuals who have received products that have been recalled, withdrawn, or are the subject of lookback); or
- To conduct post marketing surveillance.
Designated departments or individuals may disclose PHI to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the department is authorized by law to notify such person as necessary in the conduct of a public health intervention.
Disclosures to a Health Oversight Agency
Departments may disclose PHI to a health oversight agency for oversight activities authorized by law, including:
- Audits;
- Civil, administrative, or criminal investigations;
- Inspections;
- Licensure or disciplinary actions;
- Civil, administrative, or criminal proceedings or actions; or
- Other activities necessary for appropriate oversight of:
  - the health care system;
  - government benefit programs for which health information is relevant to beneficiary eligibility;
  - entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; and
  - entities subject to civil rights laws for which health information is necessary for determining compliance.
A health oversight agency is an agency or authority of a government or public agency authorized by law to oversee:
- The health care system (whether public or private)
- Government programs in which health information is necessary to determine eligibility or compliance, or
- To enforce civil rights laws for which health information is relevant.
Examples of health oversight agencies that conduct oversight activities relating to the health care system include:
- State insurance commissions
- State health professional licensure agencies
- CMS Quality Improvement Organizations
- Offices of Inspectors General of Federal Agencies
- Department of Justice
- State Medicaid Fraud Control Units
- Defense Criminal Investigative Services
- The Pension and Welfare Benefit Administration
- The HHS Office for Civil Rights
- Food and Drug Administration
Examples of government programs in which health information is necessary to determine eligibility or compliance or to enforce civil rights laws for which health information is relevant include:
- Occupational Health and Safety Administration (state and federal)
- Environmental Protection Agency
- Social Security Administration
Accrediting entities are NOT health oversight agencies.
A health oversight activity does not include an investigation or other activity in which the individual is the subject of the investigation or other activity and such investigation or other activity does not arise out of and is not directly related to:
- The receipt of health care;
- A claim for public benefits related to health; or
- Qualification for, or receipt of, public benefits or services when a patient's health is integral to the claim for public benefits or services.
Disclosures To Coroners, Medical Examiners and Funeral Directors
Designated departments and personnel may disclose PHI to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law.
Designated departments and personnel may disclose PHI to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. If necessary for funeral directors to carry out their duties, designated departments or personnel may disclose the PHI prior to, and in reasonable anticipation of, the individual's death.
Uses and Disclosures To Organ Procurement Organizations
Appropriate departments and designated personnel may use or disclose PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation.
Uses and Disclosures for Research
The LLU Institutional Review Board (IRB) is the authorized body that makes determinations on whether certain activity meets the regulatory definition of research and whether patient authorization must be obtained or can be waived in accordance with applicable law (e.g. Common Law, Privacy Rule). Activity that is subject to IRB approval includes but is not limited to research preparation (e.g., databases to prepare a research protocol, feasibility studies, identification of potential research subjects), record, decedent and clinical research. Activities that would normally be considered a health care operation (e.g., quality assurance, population-based studies) have the potential to become a research activity if the information gleaned from an otherwise health care operation activity is further developed for or contributes to generalizable knowledge. Requests for PHI which pertain to an activity relating to research must be forwarded to the IRB Administrator in the Office of Sponsored Research, 909-558-4531, extension 44531 for review and approval. Students, physicians and health care professionals that gather data obtained through routine business activities (e.g., patient care or health care operations) for the purpose of any research activity without first obtaining approval from the IRB are in violation of policy.
In some cases, the IRB may waive the authorization requirement. The IRB adheres to applicable laws and regulations pertaining to when an authorization can be waived. If the IRB waives the authorization requirement, the Privacy Rule's requirement for the tracking of disclosures applies. Processes for tracking disclosures for research will be maintained by the IRB Administrator in conjunction with the HIM Department.
