45 CFR 164.506 - Uses and disclosures to carry out treatment, payment, or health care operations.
(a)Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under § 164.508(a)(2) through (4) or that are prohibited under § 164.502(a)(5)(i), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart.
(b)Standard: Consent for uses and disclosures permitted.
(1) A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations.
(2) Consent, under paragraph (b) of this section, shall not be effective to permit a use or disclosure of protected health information when an authorization, under § 164.508, is required or when another condition must be met for such use or disclosure to be permissible under this subpart.
(c)Implementation specifications: Treatment, payment, or health care operations.
(1) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations.
(2) A covered entity may disclose protected health information for treatment activities of a health care provider.
(3) A covered entity may disclose protected health information to another covered entity or a health care provider for the payment activities of the entity that receives the information.
(4) A covered entity may disclose protected health information to another covered entity for health care operations activities of the entity that receives the information, if each entity either has or had a relationship with the individual who is the subject of the protected health information being requested, the protected health information pertains to such relationship, and the disclosure is:
(i) For a purpose listed in paragraph (1) or (2) of the definition of health care operations; or
(ii) For the purpose of health care fraud and abuse detection or compliance.
(5) A covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to other participants in the organized health care arrangement for any health care operations activities of the organized health care arrangement.
Title 45 published on 01-Feb-2018 05:06
The following are ALL rules, proposed rules, and notices (chronologically) published in the Federal Register relating to 45 CFR Part 164 after this date.
GPO FDSys XML | Text type regulations.gov FR Doc. 2014-02280 RIN 0938-AQ38 CMS-2319-F DEPARTMENT OF HEALTH AND HUMAN SERVICES, Office of the Secretary, Centers for Medicare & Medicaid Services Final rule. Effective Date: These regulations are effective on April 7, 2014. HIPAA covered entities must comply with the applicable requirements of this final rule by October 6, 2014. 42 CFR Part 493 This final rule amends the Clinical Laboratory Improvement Amendments of 1988 (CLIA) regulations to specify that, upon the request of a patient (or the patient's personal representative), laboratories subject to CLIA may provide the patient, the patient's personal representative, or a person designated by the patient, as applicable, with copies of completed test reports that, using the laboratory's authentication process, can be identified as belonging to that patient. Subject to conforming amendments, the final rule retains the existing provisions that require release of test reports only to authorized persons and, if applicable, to the persons responsible for using the test reports and to the laboratory that initially requested the test. In addition, this final rule amends the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to provide individuals (or their personal representatives) with the right to access test reports directly from laboratories subject to HIPAA (and to direct that copies of those test reports be transmitted to persons or entities designated by the individual) by removing the exceptions for CLIA-certified laboratories and CLIA-exempt laboratories from the provision that provides individuals with the right of access to their protected health information. These changes to the CLIA regulations and the HIPAA Privacy Rule provide individuals with a greater ability to access their health information, empowering them to take a more active role in managing their health and health care.
GPO FDSys XML | Text type regulations.gov FR Doc. 2014-00055 RIN DEPARTMENT OF HEALTH AND HUMAN SERVICES, Office of the Secretary Notice of proposed rulemaking. Submit comments on or before March 10, 2014. 45 CFR Part 164 The Department of Health and Human Services (HHS or “the Department”) is issuing this notice of proposed rulemaking to modify the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule to expressly permit certain HIPAA covered entities to disclose to the National Instant Criminal Background Check System (NICS) the identities of individuals who are subject to a Federal “mental health prohibitor” that disqualifies them from shipping, transporting, possessing, or receiving a firearm. The NICS is a national system maintained by the Federal Bureau of Investigation (FBI) to conduct background checks on persons who may be disqualified from receiving firearms based on federally prohibited categories or State law. Among the persons subject to the Federal mental health prohibitor are individuals who have been involuntarily committed to a mental institution; found incompetent to stand trial or not guilty by reason of insanity; or otherwise have been determined by a court, board, commission, or other lawful authority to be a danger to themselves or others or to lack the mental capacity to contract or manage their own affairs, as a result of marked subnormal intelligence or mental illness, incompetency, condition, or disease. Under this proposal, only covered entities with lawful authority to make adjudication or commitment decisions that make individuals subject to the Federal mental health prohibitor, or that serve as repositories of information for NICS reporting purposes, would be permitted to disclose the information needed for these purposes. This disclosure would be restricted to limited demographic and certain other information and would not include medical records, or any mental health information beyond the indication that the individual is subject to the Federal mental health prohibitor. HHS notes that the Department of Justice (DOJ) has proposed clarifications to the regulatory definitions relevant to the Federal mental health prohibitor. The DOJ proposal is published elsewhere in this issue of the Federal Register . While commenters should consider this proposed regulation in light of the clarifications proposed in DOJ's proposal, we note that those clarifications would not change how this proposed HIPAA permission would operate.
GPO FDSys XML | Text type regulations.gov FR Doc. 2013-13472 RIN 0945-AA03 DEPARTMENT OF HEALTH AND HUMAN SERVICES, Office of the Secretary Final rule. This final rule is effective on June 7, 2013. 45 CFR Parts 160 and 164 These technical corrections address certain inadvertent errors and omissions in the HIPAA Privacy, Security, and Enforcement Rules that are located at 45 CFR parts 160 and 164.
GPO FDSys XML | Text type regulations.gov FR Doc. 2013-09602 RIN DEPARTMENT OF HEALTH AND HUMAN SERVICES, Office of the Secretary Advance notice of proposed rulemaking. Submit comments on or before June 7, 2013. 45 CFR Parts 160 and 164 On January 16, 2013, President Barack Obama announced a series of Executive Actions to reduce gun violence in the United States, including efforts to improve the Federal government's background check system for the sale or transfer of firearms by licensed dealers, called the National Instant Criminal Background Check System (NICS). Among those persons disqualified from possessing or receiving firearms under Federal law are individuals who have been involuntarily committed to a mental institution; found incompetent to stand trial or not guilty by reason of insanity; or otherwise have been determined, through a formal adjudication process, to have a severe mental condition that results in the individuals presenting a danger to themselves or others or being incapable of managing their own affairs (referred to below as the “mental health prohibitor”). Concerns have been raised that, in certain states, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule may be a barrier to States' reporting the identities of individuals subject to the mental health prohibitor to the NICS. The Department of Health and Human Services (HHS or “the Department”), which administers the HIPAA regulations, is issuing this Advance Notice of Proposed Rulemaking (ANPRM) to solicit public comments on such barriers to reporting and ways in which these barriers can be addressed. In particular, we are considering creating an express permission in the HIPAA rules for reporting the relevant information to the NICS by those HIPAA covered entities responsible for involuntary commitments or the formal adjudications that would subject individuals to the mental health prohibitor, or that are otherwise designated by the States to report to the NICS. In addition, we are soliciting comments on the best methods to disseminate information on relevant HIPAA policies to State level entities that originate or maintain information that may be reported to NICS. Finally, we are soliciting public input on whether there are ways to mitigate any unintended adverse consequences for individuals seeking needed mental health services that may be caused by creating express regulatory permission to report relevant information to NICS. The Department will use the information it receives to determine how best to address these issues.
GPO FDSys XML | Text type regulations.gov FR Doc. 2013-01073 RIN 0945-AA03 DEPARTMENT OF HEALTH AND HUMAN SERVICES, Office of the Secretary Final rule. Effective date: This final rule is effective on March 26, 2013. Compliance date: Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013. 45 CFR Parts 160 and 164 The Department of Health and Human Services (HHS or “the Department”) is issuing this final rule to: Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (“the HITECH Act” or “the Act”) to strengthen the privacy and security protection for individuals' health information; modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comment received on the interim final rule; modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA); and make certain other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the HIPAA Rules) to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.