Uses and Disclosures of PHI
A covered entity may not use or disclose protected health
information (PHI) unless:
- The Privacy Rule requires the use or disclosure;
- The Privacy Rule permits the use or disclosure; or
- The individual who is the subject of the information (or the individual's personal representative) authorizes the use or disclosure in writing.
In addition, a covered entity must make reasonable efforts and implement
policies and procedures to use, disclose, and request only the minimum amount
of protected health information needed to accomplish the intended purpose of
the use, disclosure, or request. This is called the "minimum necessary standard."
Required Disclosures
A covered entity must disclose protected health information in only two
situations:
- To individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and
- To HHS when it is undertaking a compliance investigation or review, or an enforcement action.