Page 70 - Privacy_Program
P. 70
DISCLOSING PHI FOR REGULATORY AND LEGAL PURPOSES [DP163]
Back to Table of Contents
Scope: Enterprise
Distribution: Executive Leadership Team; Director of Information Technology, Privacy and Data Security; All Employees
with Access to Protected Health Information (includes Contractors, temporary employees and Interns)
Purpose: To clarify when the organization can disclose Protected Health Information for regulatory or legal purposes.
External Regulation or Standard: 45 C.F.R. §164.512 (a) ‐ uses and disclosures required by law; 45 C.F.R. §164.512(f) ‐
disclosures for law enforcement purposes; 45 C.F.R. §164.512(e) ‐ disclosures for judicial and administrative proceedings; 45
C.F.R. §164.512(c)
(c) ‐ disclosures about victims of abuse, neglect or domestic violence; 45 C.F.R. §164.512(l) ‐ disclosures for workers’
compensation; 45 C.F.R. §164.512(g) ‐ uses and disclosures about decedents
Who is Statement Policy, Standard, or Procedure Statement
Responsible Number
Employees and Others DP163.1 If federal, state, or local law requires a use or disclosure of Protected Health
with Access to Protected Information (PHI), the organization may use or disclose PHI to the extent that the
Health Information (PHI) use or disclosure complies with such law and is limited to the requirements of
such law.
Employees and others DP163.2 The organization will refer to specific policies and procedures to determine
with Access to PHI whether or not the organization must obtain authorization, or give the
participant the opportunity to agree or object to use or disclose PHI.
Employees and others DP163.3 In the event that two or more laws or regulations governing the same use or
with Access to PHI disclosure conflict, the organization will comply with the more restrictive laws
or regulations.
Employees and Others DP163.4 The organization may use or disclose PHI to the extent that such use or disclosure
with Access to PHI is required by law including, but not limited to:
DP163.4a (a) For public health activities required by law;
DP163.4b (b) For disclosures about victims of abuse, neglect, or domestic violence;
DP163.4c (c) In order to comply with judicial release;
DP163.4d (d) To comply with law enforcement;
DP163.4e (e) For health release;
DP163.4f (f) To avert a serious threat to health or safety; and
DP163.4g (g) To comply with special government functions or requests.
Director of DP163.5 The organization may disclose PHI without participant authorization in
Information compliance with and as limited by the relevant requirements of a court order,
Technology, Privacy court‐ordered warrant, a subpoena or summons issued by a judicial officer, or a
and Data Security grand jury subpoena.
with Privacy Steering
Committee and/or
Legal as needed
Director of DP163.6 The organization may disclose requested PHI pursuant to an administrative
Information request made by a law enforcement official, including an administrative
Technology, Privacy subpoena or summons, a civil or an authorized investigative demand, or similar
and Data Security process authorized under law, under the following conditions:
with Privacy Steering
Committee and/or
Legal as needed
GES CONFIDENTIAL 66
