Use and Disclosure Limit -- Medical Records
The HIPAA regulations, 45 C.F.R. 164.502-514, prohibit disclosures in some circumstances and allow them in others:
- Required Disclosures: A covered entity is required to disclose protected health information to the individual, when requested pursuant to 164.524 or 528; and to the Secretary of Health and Human Services to investigate compliance.
- Allowable Disclosures: A covered entity may disclose protected health information to the individual; in certain cases with the individual's consent; and for enumerated purposes, including for treatment, payment, or health care operations; to public health authorities; and for health care oversight purposes. Covered entities must make reasonable efforts to limit the amount of protected health information used or disclosed to the minimum necessary to accomplish the intended purpose of the request. The minimum necessary requirement does not apply to the use or disclosure of protected health information to individuals, for treatment purposes, or when requested by the Secretary or required by law. (164.502.)
- Restrictions: An individual can request restrictions on the uses and disclosures of his or her protected health information, but the covered entity is not required to agree to the restrictions. No restriction will prevent disclosures to ensure compliance with HIPAA regulations or disclosure required by law. (164.522(a).) A covered entity is bound by its agreement to restrictions pursuant to 164.522(a) not to use or disclose protected health information.
- Authorization Required: "Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose protected health information without an authorization that is valid under the section." (164.508(a)(1).) Such an authorization must contain a specific description of the information to be used or disclosed, the name of the person authorized to use the requested information, a description of the purpose of the use requested, an expiration date, and the signature of the individual and the date.
- Deidentified Information: (164.514.)
- Business Associates: A covered entity may disclose protected health information to business associates if the business associate appropriately safeguards the information.