HIPAA Disclosure Chart Cheat Sheet (DRAFT) by [deleted]

This is a draft cheat sheet. It is a work in progress and is not finished yet.

The Privacy Rule

The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the “covered entities”).

HIPAA Privacy Basics

Authorization

A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances.

An authorization must be written in specific terms. It may allow use and disclosure of protected health information by the covered entity seeking the authorization, or by a third party. Examples of disclosures that would require an individual’s authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for their own marketing purposes.

Consent

The Privacy Rule permits, but does not require, a covered entity voluntarily to obtain patient consent for uses and disclosures of protected health information for treatment, payment, and health care operations. Covered entities that do so have complete discretion to design a process that best suits their needs.
 

Allowed with patient consent

Treatment
Payment
Health care Operations
 
Direct treatment
 
QA and QI
Population-based
Training
Planning
Management
Administrative
Due diligence
Resolution of grievances
Statistical analyses
Insurance related
Accreditation
Certification
Licensing
Credentialing
Compliance
Legal/auditing

Allowed with patient authorization

Marketing use
Employment determinations
Psychotherapy notes for treatment, payment or health care operations

No consent or authorization needed

Fundraising
Facility directories
Indirect treatment
Inmates
Emergency treatment
If required by law
Public health activities
Reporting victims of abuse, neglect or violence to authorities
Health oversight activities