Section 13: Releases & Disclosures Requiring No Authorization
HIPAA requires UT Dallas to have policies and procedures addressing Uses and Disclosures that are permitted by other laws which are not pre-empted by HIPAA. The Callier Center shall conduct Uses and Disclosures of PHI that are permitted by law in the absence of an Authorization for routine Uses without specific approval from the Privacy Officer but shall obtain such approval prior to any non-routine Use or Disclosure of PHI under this Section 13. With the exception of releases requested by the Patient and Releases Pursuant to a Court all Uses and Disclosures described in this section are considered to be permitted, as opposed to required, by law.
1. Routine Uses and Disclosures Exempt from Prior Approval.
Offices that maintain PHI as the Business Associate of a Covered Entity may Use and Disclose PHI routinely as provided by the terms of the Business Associate Agreement in place between the Office and the Covered Entity without seeking prior approval of the Privacy Officer.
The Callier Center may Use or Disclose PHI without an Authorization and without seeking prior approval by the Privacy Officer under any of the following circumstances, each of which shall be considered a “routine” Use or Disclosure, subject to the Verification requirements of Section 17 and, with the exception of releases under subparagraphs a, b, and c of this Subsection 1, the Minimum Necessary requirements of Section 5 of this Manual.
- a. Disclosure of a Patient’s Own PHI to that Patient or at the written direction of that Patient.
- b. Uses or Disclosures for the Purpose of Conducting Treatment: The Center may Use or Disclose PHI in order to conduct Treatment.
- c. Uses or Disclosures for the Purpose of Conducting Payment Operations: The Center may Use or Disclose PHI in order to conduct Payment operations.
- d. Uses or Disclosure for the Purpose of Conducting Health Care Operations: University may Use or Disclose PHI in order to conduct Health Care Operations, provided that any Use or Disclose PHI in connection with underwriting activities is subject to the prohibition on use of Genetic information. Health Care Operations include Disease Management as defined by the HIPAA Privacy Rules. Health Care Operations do not including Marketing.
- e. Uses and Disclosures for Health Oversight Activities: The Center may disclose PHI to a Health Oversight Agency for oversight activities authorized by law (including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of the health care system, government benefit programs for which health information is relevant to beneficiary eligibility, entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards, and entities subject to civil rights laws for which health information is necessary for determining compliance, provided that such health oversight activity arises out of, or is directly related to: (i) the receipt of health care; (ii) a claim for public benefits related to health; (iii) qualification for, or receipt of, public benefits or services when a patient’s health is integral to the claim for public benefits or services; or (iv) a claim for public benefits not related to health, if such activity is conducted in conjunction with an activity described by one of the preceding Clauses (i), (ii), or (iii).
- f. Disclosures for Workers’ Compensation: The Center may disclose PHI as authorized by, and to the extent necessary to, comply with laws relating to workers compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault.
- g. Disclosure of Limited Data Sets: The Center may disclose a Limited Data Set for the purpose of Health Care Operations, research activities, and public health activities if the recipient has entered into a data use agreement that complies with this Manual.
Notwithstanding the above, a Use or Disclosure of PHI that constitutes a Patient’s entire medical record or psychotherapy notes shall not be considered to be made under “routine” circumstances.
2. Uses and Disclosures of PHI for Third Party Judicial or Administrative Proceedings.
In considering whether to approve a non-routine Disclosure under this subsection 2, the Verification requirements of Section 17 and the Minimum Necessary requirements of Section 5 of this Policy must be met in the absence of an Authorization or a court or administrative order.
- a. Court Orders: The Center shall disclose PHI in response to a court order or administrative tribunal of competent jurisdiction provided that the Center discloses only the PHI expressly authorized by such order. When a request is made pursuant to a court order or administrative tribunal, the Center may disclose the information requested without any additional process.
- b. Qualified Protective Order: the Center may disclose PHI in response to a subpoena, discovery request, or other lawful process regarding a matter to which the Center is not a party, that is not accompanied by an Authorization or court order or administrative tribunal and for which the Center receives a written statement and accompanying documentation demonstrating that: (A) the parties to the dispute giving rise to the request for information have agreed to a qualified protective order (a “qualified protective order” is a court order or administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that (I) prohibits the parties from Using or Disclosing the PHI for any purpose other than the litigation or proceeding for which such information was requested and (II) requires the PHI, including all copies made, to be returned to the Center or destroyed at the end of the litigation or proceeding) and have presented the order to the court or administrative tribunal with jurisdiction over the dispute; or (B) the party seeking the PHI has requested a qualified protective order from such court or administrative tribunal.
- c. Written Notice: the Center may disclose PHI in response to a subpoena; discovery request; or other lawful process that is not accompanied by an Authorization or order of a court or administrative tribunal, if University receives from the party seeking the PHI a written statement and accompanying documentation demonstrating that (A) the party seeking the PHI has made a good faith attempt to provide written notice to the Patient who is the subject of the PHI or, if the subject’s location is unknown, to mail a notice to the subject’s last known address, (B) the notice included sufficient information about the litigation or proceeding in which the PHI is requested to permit the subject to raise an objection to the court or administrative tribunal, and (C) the time for the subject to raise objections to the court or administrative tribunal has elapsed and either (I) no objections were filed or (II) all objections filed by the subject have been resolved by the court or administrative tribunal and the Disclosures being sought are consistent with such resolution;
- d. The Center’s Efforts: the Center may disclose PHI in response to a subpoena, discovery request, or other lawful process that is not accompanied by an Authorization or court order or administrative tribunal, if the Center makes reasonable efforts to provide written notice to the subject, as described above, or to seek a qualified protective order, as defined above in (b).
All actions taken by the Center pursuant to this subsection shall only be taken upon consultation with legal counsel.
3. Uses and Disclosures of PHI Requiring Prior Approval.
- a. Uses and Disclosures for Public Health Activities: In considering whether to approve a non-routine Use or Disclosure, the Minimum Necessary requirements of Section 5 of this Policy must be met in the absence of an Authorization or a court or administrative order.
- b. Disease Prevention: to a Public Health Authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability (including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions) or, at the direction of a Public Health Authority, an official of a foreign government agency that is acting in collaboration with the Public Health Authority;
- c. Reporting Child Abuse or Neglect: to a Public Health Authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect;
- d. Disease Control: when a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition if the Center or a Public Health Authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation.
- e. Disclosures for Law Enforcement Purposes: the Center may Disclose an Patient’s PHI to a law enforcement official under any of the following circumstances:
- i. Court Order: In compliance with and as limited by the relevant requirements of a court order, a court-ordered warrant, a subpoena or summons issued by a judicial officer, a grand jury subpoena, or—if (A) the PHI sought is relevant and material to a legitimate law enforcement inquiry, (B) the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the PHI is sought, and (C) de-identified Information could not reasonably be used—an administrative request (including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law);
- ii. Using PHI for Identification or Location: In response to a law enforcement official’s request for such PHI for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person;
- iii. Alerting of Death: For the purpose of alerting law enforcement of the Patient’s death, if the Center suspects that such death resulted from criminal conduct; or
- iv. Alerting of Criminal Conduct: Due to the Center’s good faith belief that such PHI constitutes evidence of criminal conduct that occurred in connection with Treatment obtained through the Center.
- f. Uses and Disclosures Due to Imminent Threat to Health or Safety: the Center may, consistent with applicable law and standards of ethical conduct, Use or Disclose PHI if the Center in good faith, including reliance on actual knowledge or on a credible representation by a person with apparent knowledge or authority, believes the Use or Disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and involves PHI, Disclosed to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.
- g. Uses and Disclosures Required by Military Authority: the Center may Use or Disclose the PHI of Patients who are Armed Forces personnel, or foreign military personnel, for activities deemed necessary by appropriate military command authorities to assure the proper execution of a military mission, if the appropriate military authority has published by notice in the Federal Register (i) the appropriate military command authorities and (ii) the purposes for which the PHI may be Used or Disclosed.
- h. Uses and Disclosures for National Security Activities: the Center may disclose PHI to authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (50 U.S.C. § 401 et seq.) and implementing authority (e.g., Executive Order 12333).
- i. Disclosures to Coroners and Medical Examiners: the Center may disclose PHI, to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. In connection with such disclosure, the Center shall be required to redact identifying information about persons other than the deceased Patient.
- j. Disclosures to Funeral Directors: the Center may disclose a Patient’s PHI to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the Patient after his death, or prior to and in reasonable anticipation of the Patient’s death.
HIPAA Regulatory Citation: 45 CFR § 164.512
Revised: 05/15/2015, 04/13/2013
Reviewed: 03/21/2021, 08/13/2015
Donise W. Pearson, HIPAA Privacy Officer
UT Dallas Callier Center