Actual Text of the Law

GENERAL ADMINISTRATIVE REQUIREMENTS 45 -CFR  160GPO.Gov

SECURITY AND PRIVACY 45 CFR – 164GPO.gov

gpo.gov/
US Government Printing Office

45 CFR Parts 160, 162, and 164 SUMMARY:
This final rule adopts standards for the security of electronic protected health information to be implemented by health plans, health care clearinghouses, and certain health care providers.  (HIPAA).

Health Insurance Reform: Security 45 CFR Parts 160, 162, and 164 Standards; Final Rule Federal Register

§ 164.312 Technical safeguards. (iv) (c) (2)(d) (page 46) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected  health information is the one claimed.  Sample implementation  1 2 Voice Recognition

Code of Federal Regulations
Subpart C—Security Standards for the Protection of Electronic Protected Health Information

§ 164.302   Applicability.
§ 164.304   Definitions.
§ 164.306   Security standards: General rules.
§ 164.308   Administrative safeguards.
§ 164.310   Physical safeguards.
§ 164.312   Technical safeguards.
§ 164.314   Organizational requirements.

Sec. 164.506  Consent for uses or disclosures to carry out treatment, payment, or health care operations.

 

Sec. 164.502 Uses and disclosures of Protected health information:
general rules.

(a) Standard. A covered entity may not use or disclose protected
health information, except as permitted or required by this subpart or
by subpart C of part 160 of this subchapter.
(1) Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:
(i) To the individual;
(ii) Pursuant to and in compliance with a consent that complies with
Sec. 164.506, to carry out treatment, payment, or health care operations;

Sec. 160.103  Individually identifiable health information PHI)  is information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.

TITLE 45–PUBLIC WELFARE

AND HUMAN SERVICES

PART 164–SECURITY AND PRIVACY–Table of Contents

Subpart E–Privacy of Individually Identifiable Health Information

Sec. 164.506  Consent for uses or disclosures to carry out treatment, payment, or health care operations.

(a) Standard: Consent requirement. (1) Except as provided in
paragraph (a)(2) or (a)(3) of this section, a covered health care
provider must obtain the individual’s consent, in accordance with this
section, prior to using or disclosing protected health information to
carry out treatment, payment, or health care operations.
(2) A covered health care provider may, without consent, use or
disclose protected health information to carry out treatment, payment,
or health care operations, if:
(i) The covered health care provider has an indirect treatment
relationship with the individual; or
(ii) The covered health care provider created or received the
protected health information in the course of providing health care to
an individual who is an inmate.
(3)(i) A covered health care provider may, without prior consent, use or disclose protected health information created or received under paragraph (a)(3)(i)(A)-(C) of this section to carry out treatment, payment, or health care operations:
(A) In emergency treatment situations, if the covered health care provider attempts to obtain such consent as soon as reasonably practicable after the delivery of such treatment;
(B) If the covered health care provider is required by law to treat
the individual, and the covered health care provider attempts to obtain
such consent but is unable to obtain such consent; or
(C) If a covered health care provider attempts to obtain such consent from the individual but is unable to obtain such consent due to substantial barriers to communicating with the individual, and the covered health care provider determines, in the exercise of professional
judgment, that the individual’s consent to receive treatment is clearly inferred from the circumstances.
(ii) A covered health care provider that fails to obtain such consent in accordance with paragraph (a)(3)(i) of this section must document its attempt to obtain consent and the reason why consent was not obtained.
(4) If a covered entity is not required to obtain consent by
paragraph (a)(1) of this section, it may obtain an individual’s consent
for the covered entity’s own use or disclosure of protected health
information to carry out treatment, payment, or health care operations,
provided that such consent meets the requirements of this section.
(5) Except as provided in paragraph (f)(1) of this section, a
consent obtained by a covered entity under this section is not effective
to permit another covered entity to use or disclose protected health
information.
(b) Implementation specifications: General requirements. (1) A
covered health care provider may condition treatment on the provision by
the individual of a consent under this section.
(2) A health plan may condition enrollment in the health plan on the
provision by the individual of a consent under this section sought in
conjunction with such enrollment.
(3) A consent under this section may not be combined in a single
document with the notice required by Sec. 164.520.
(4)(i) A consent for use or disclosure may be combined with other
types of written legal permission from the individual (e.g., an informed
consent for treatment or a consent to assignment of benefits), if the
consent under this section:
(A) Is visually and organizationally separate from such other
written legal permission; and
(B) Is separately signed by the individual and dated.
(ii) A consent for use or disclosure may be combined with a research
authorization under Sec. 164.508(f).

[[Page 701]]

(5) An individual may revoke a consent under this section at any
time, except to the extent that the covered entity has taken action in
reliance thereon. Such revocation must be in writing.
(6) A covered entity must document and retain any signed consent
under this section as required by Sec. 164.530(j).
(c) Implementation specifications: Content requirements. A consent
under this section must be in plain language and:
(1) Inform the individual that protected health information may be
used and disclosed to carry out treatment, payment, or health care
operations;
(2) Refer the individual to the notice required by Sec. 164.520 for
a more complete description of such uses and disclosures and state that
the individual has the right to review the notice prior to signing the
consent;
(3) If the covered entity has reserved the right to change its
privacy practices that are described in the notice in accordance with
Sec. 164.520(b)(1)(v)(C), state that the terms of its notice may change
and describe how the individual may obtain a revised notice;
(4) State that:
(i) The individual has the right to request that the covered entity
restrict how protected health information is used or disclosed to carry
out treatment, payment, or health care operations;
(ii) The covered entity is not required to agree to requested
restrictions; and
(iii) If the covered entity agrees to a requested restriction, the
restriction is binding on the covered entity;
(5) State that the individual has the right to revoke the consent in
writing, except to the extent that the covered entity has taken action
in reliance thereon; and
(6) Be signed by the individual and dated.
(d) Implementation specifications: Defective consents. There is no
consent under this section, if the document submitted has any of the
following defects:
(1) The consent lacks an element required by paragraph (c) of this
section, as applicable; or
(2) The consent has been revoked in accordance with paragraph (b)(5)
of this section.
(e) Standard: Resolving conflicting consents and authorizations. (1)
If a covered entity has obtained a consent under this section and
receives any other authorization or written legal permission from the
individual for a disclosure of protected health information to carry out
treatment, payment, or health care operations, the covered entity may
disclose such protected health information only in accordance with the
more restrictive consent, authorization, or other written legal
permission from the individual.
(2) A covered entity may attempt to resolve a conflict between a
consent and an authorization or other written legal permission from the
individual described in paragraph (e)(1) of this section by:
(i) Obtaining a new consent from the individual under this section
for the disclosure to carry out treatment, payment, or health care
operations; or
(ii) Communicating orally or in writing with the individual in order
to determine the individual’s preference in resolving the conflict. The
covered entity must document the individual’s preference and may only
disclose protected health information in accordance with the
individual’s preference.
(f)(1) Standard: Joint consents. Covered entities that participate
in an organized health care arrangement and that have a joint notice
under Sec. 164.520(d) may comply with this section by a joint consent.
(2) Implementation specifications: Requirements for joint consents.
(i) A joint consent must:
(A) Include the name or other specific identification of the covered
entities, or classes of covered entities, to which the joint consent
applies; and
(B) Meet the requirements of this section, except that the
statements required by this section may be altered to reflect the fact
that the consent covers more than one covered entity.
(ii) If an individual revokes a joint consent, the covered entity
that receives the revocation must inform the other entities covered by
the joint consent of the revocation as soon as practicable.

Effective Date Note: At 67 FR 53268, Aug. 14, 2002, Sec. 164.506 was
revised, effective Oct. 15,

[[Page 702]]

2002. For the convenience of the user, the revised text is set forth as
follows:

Sec. 164.506  Uses and disclosures to carry out treatment, payment, or
health care operations.

(a) Standard: Permitted uses and disclosures. Except with respect to
uses or disclosures that require an authorization under
Sec. 164.508(a)(2) and (3), a covered entity may use or disclose
protected health information for treatment, payment, or health care
operations as set forth in paragraph (c) of this section, provided that
such use or disclosure is consistent with other applicable requirements
of this subpart.
(b) Standard: Consent for uses and disclosures permitted. (1) A
covered entity may obtain consent of the individual to use or disclose
protected health information to carry out treatment, payment, or health
care operations.
(2) Consent, under paragraph (b) of this section, shall not be
effective to permit a use or disclosure of protected health information
when an authorization, under Sec. 164.508, is required or when another
condition must be met for such use or disclosure to be permissible under
this subpart.
(c) Implementation specifications: Treatment, payment, or health
care operations.
(1) A covered entity may use or disclose protected health
information for its own treatment, payment, or health care operations.
(2) A covered entity may disclose protected health information for
treatment activities of a health care provider.
(3) A covered entity may disclose protected health information to
another covered entity or a health care provider for the payment
activities of the entity that receives the information.
(4) A covered entity may disclose protected health information to
another covered entity for health care operations activities of the
entity that receives the information, if each entity either has or had a
relationship with the individual who is the subject of the protected
health information being requested, the protected health information
pertains to such relationship, and the disclosure is:
(i) For a purpose listed in paragraph (1) or (2) of the definition
of health care operations; or
(ii) For the purpose of health care fraud and abuse detection or compliance.
(5) A covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to another covered entity that participates in the organized health care arrangement for any health care operations activities of the organized health care arrangement.

 

Title 45: Public Welfare

Browse Previous | Browse Next

PART 5b—PRIVACY ACT REGULATIONS

Section Contents
§ 5b.1   Definitions.
§ 5b.2   Purpose and scope.
§ 5b.3   Policy.
§ 5b.4   Maintenance of records.
§ 5b.5   Notification of or access to records.
§ 5b.6   Special procedures for notification of or access to medical records.
§ 5b.7   Procedures for correction or amendment of records.
§ 5b.8   Appeals of refusals to correct or amend records.
§ 5b.9   Disclosure of records.
§ 5b.10   Parents and guardians.
§ 5b.11   Exempt systems.
§ 5b.12   Contractors.
§ 5b.13   Fees.
Appendix A to Part 5b—Employee Standards of Conduct
Appendix B to Part 5b—Routine Uses Applicable to More Than One System of Records Maintained by HHS
Appendix C to Part5b—Delegations of Authority [Reserved]

 

Related Pages in Privacy – HIPAA Section