District Ethics and Compliance Program

Approved By: SWTC EMS Board of Directors             Date: March 22, 2011

Required PHI Disclosures

SWTC EMS is required by the Privacy Rule to disclose PHI in only two instances: 1) when an individual has a right to access his or her PHI (see previous paragraph); and 2) when DHHS needs PHI to determine compliance with the Privacy Rule [45 CFR § 164.502(a)(2)]. Certain other uses and disclosures of PHI may be permitted without authorization, but are not required by the Privacy Rule.

​Permitted PHI Disclosures Without Authorization

SWTC EMS may use and disclose PHI, with certain limits and protections, for TPO activities [45 CFR § 164.506]. Certain other permitted uses and disclosures for which authorization is not required follow. This information will only be disclosed if de-identified information cannot be reasonably used. The Privacy Rule text and OCR guidance should be consulted for a full understanding of the following:

• Required by law. Disclosures of PHI are permitted when required by other laws, whether federal, tribal, state, or local.
• Public health. PHI can be disclosed to public health authorities and their authorized agents for public health purposes including but not limited to public health surveillance, investigations, and interventions.
• Health research. A covered entity can use or disclose PHI for research without authorization under certain conditions, including 1) if it obtains documentation of a waiver from an institutional review board (IRB) or a privacy board, according to a series of considerations; 2) for activities preparatory to research; and 3) for research on a decedent's information.
• Abuse, neglect, or domestic violence. PHI may be disclosed to report abuse, neglect, or domestic violence under specified circumstances.
• Law enforcement. SWTC EMS may, under specified conditions, disclose PHI to law enforcement officials pursuant to a court order, subpoena, or other legal order, to help identify and locate a suspect, fugitive, or missing person; to provide information related to a victim of a crime or a death that may have resulted from a crime, or to report a crime.
• Judicial and administrative proceedings. A covered entity may disclose PHI in the course of a judicial or administrative proceeding under specified circumstances or other written legal order such as a written administrative request. See 45 CFR §§ 164.512(e) and (f).
• Cadaveric organ, eye, or tissue donation purposes. Organ-procurement agencies may use PHI for the purposes of facilitating transplant.
• Oversight. SWTC EMS may usually disclose PHI to a health oversight agency for oversight activities authorized by law.
• Worker's compensation. The Privacy Rule permits disclosure of work-related health information as authorized by, and to the extent necessary to comply with, workers' compensation programs.

Other Authorized Disclosures

A valid written authorization is required for any use or disclosure of PHI that is not required or otherwise permitted without authorization by the Privacy Rule. In general, these authorizations must

• Specifically identify the PHI to be used or disclosed;
• Provide the names of persons or organizations, or classes of persons or organizations, who will receive, use, or disclose the PHI;
• State the purpose for each request;
• Notify individuals of their right to refuse to sign the authorization without negative consequences to treatment, payment, or health plan enrollment or benefit eligibility, except under specific circumstances;
• Be signed and dated by the individual or the individual's personal representative;
• Be written in plain language;
• Include an expiration date or event;
• Notify the individual of the right to revoke authorization at any time in writing, and how to exercise that right, and any applicable exceptions to that right under the Privacy Rule; and
• Explain the potential for the information to be subject to redisclosure by recipient and no longer protected by the Privacy Rule.

To receive PHI for public health purposes, public health authorities must verify their status and identity as public health authorities under the Privacy Rule. To verify its identity, an agency could provide any one of the following:

• If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;
• If the request is in writing, the request is on the appropriate government letterhead;
• If the disclosure is to a person acting on behalf of a public health authority, a written statement on appropriate government letterhead that the person is acting under the government's authority [45 CFR § 164.514(h)(2)].

Accounting for Disclosures

SWTC EMS will to provide an individual, upon request, with an accounting of certain disclosures of PHI. SWTC EMS is not required to account for all disclosures of PHI. For example, an accounting is not required for disclosures made

• Prior to the covered entity's compliance date;
• For TPO purposes;
• To the individual or pursuant to the individual's written authorization; or
• As part of a limited data set.

However, usually an accounting is required for disclosures made without authorization, including public health purposes.

The following information will be provided if required:

1. Date
2. PHI disclosed
3. Identity of the recipient of the PHI,
4. Purpose of the disclosure.
5. If multiple disclosures to the same recipient for the same purpose, only the recipient of such repetitive disclosures, the purpose of the disclosure, the PHI routinely disclosed and the date of the first and last disclosure and a description of the frequency.