Standard for HIPAA Minimum Necessary Uses and Disclosures of PHI

Purpose

Protected Health Information (PHI) may be disclosed only with a properly completed and signed authorization, except when required or allowed by law, or properly used for treatment, payment, and health care operations and for a limited number of other purposes as permitted or required by law.

Scope

This standard will apply to all Ohio University operating units that store, process, or transmit PHI.  

Standard

  1. Receiving a Request for Medical Records: Requests for medical records shall be managed by the HIPAA Covered Entity Unit’s HIPAA Compliance Coordinator. Other staff members shall not release PHI without the approval of the respective HIPAA Compliance Coordinator.
  2. Disclosures to Persons Involved with an Individual’s Care:
    1. Ohio University may disclose to a family member, other relative, close friend, or any other person identified by the individual, PHI:
      1. That is directly relevant to that person’s involvement with the individual’s care or payment for care; or
      2. To notify such person of the individual’s location, general condition, or death. 
    2. If the individual is present, or otherwise available prior to a permitted disclosure, then Ohio University may use or disclose the PHI only if Ohio University:
      1. Obtains the individual’s agreement;
      2. Provides the individual with either a written or oral opportunity to object to the disclosure, and the individual does not express either a written or oral objection; or
      3. May reasonably infer from the circumstances, based on the exercise of professional judgement, that the individual does not object to the disclosure.
    3. Ohio University may, in the exercise of professional judgement, determine whether the disclosure is in the best interest of the individual, and if so, disclose only PHI which is directly relevant to the individual’s involvement with the individual’s care if:
      1. The individual is not present;
      2. The opportunity to agree/object to the use or disclosure cannot practicably be provided because of the individual’s incapacity; or
      3. In an emergency.
    4. If the individual is deceased, Ohio University may disclose to a family member, or other person identified in paragraph (2)(a) of these procedures who was involved in the individual’s care or payment for health care prior to the individual’s death, PHI of the individual that is relevant to such person’s involvement, unless doing so is inconsistent with any prior expressed preference of the individual that is known to Ohio University.
  3. Confirming Identity: Prior to any permitted disclosure, Ohio University shall take reasonable steps to confirm the identity of an individual’s family member or friend.  Ohio University is permitted to rely on the circumstances as confirmation of involvement in care.

    For example, the fact that a person accepts an individual as a patient of Ohio University and visits weekly is sufficient confirmation of involvement in the individual’s care.

  4. Uses and Disclosures for Which Authorization Is Not Required: The HIPAA Compliance Coordinator or designee may use or disclose PHI without the written authorization of the individual, or the opportunity to agree or object, in the following situations:
    1. Disaster relief. Ohio University may use and disclose PHI to assist in disaster relief efforts.
    2. Victims of abuse, neglect, or domestic violence. Ohio University may disclose PHI to appropriate authorities as required by law to report abuse, neglect, or domestic violence.
    3. Judicial/administrative proceedings. Ohio University may disclose PHI in the course of any judicial or administrative proceeding as allowed or required by law, or as directed by a proper court order.
    4. Law enforcement. Ohio University may disclose PHI for law enforcement purposes as required by law or in response to a valid subpoena. Examples include disclosures in response to a warrant or subpoena for the purpose of identifying or locating a suspect, witness, or missing person.
    5. Public health. Ohio University may disclose PHI to public health or legal authorities charged with preventing or controlling disease, injury or disability. For example, Ohio University may disclose to the FDA, or to a person or entity subject to the jurisdiction of the FDA, health information relative to adverse events with respect to food, supplements, product and product defects, or post marketing surveillance information to enable product recalls, repairs, or replacement.
    6. Health oversight. Federal law allows Ohio University to release PHI to appropriate health oversight agencies for health oversight activities. For example, Ohio University may disclose PHI to the U.S. Department of Labor for activities authorized by law, including audits and investigations.
    7. Transfer of information at death. In certain circumstances, Ohio University may disclose PHI to funeral directors, medical examiners, and coroners to carry out their duties consistent with applicable law.
    8. Organ procurement organizations. Consistent with applicable law, Ohio University may disclose PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of organs for the purposes of tissue donation and transplant.
    9. Serious threat. To avert a serious threat to health or safety, Ohio University may disclose PHI consistent with applicable law to prevent or lessen a serious, imminent threat to the health or safety of a person or the public.
    10. Specialized government functions. Ohio University may disclose PHI for specialized government functions as authorized by law such as to Armed Forces personnel, for national security purposes, or to public assistance program personnel.
    11. Workers’ compensation. Ohio University may disclose PHI to the extent authorized by and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs established by law.
    12. Fundraising communications. Ohio University may use, or disclose to a business associate or an institutionally related foundation, certain PHI for the purpose of raising funds for its own benefit. With each fundraising communication, Ohio University must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communications.

Definitions

  • HIPAA Compliance Coordinator: The individual within each Ohio University HIPAA Covered Entity Unit responsible for ensuring the unit’s conformance with Ohio University’s HIPAA Privacy Standards & Procedures as outlined in Ohio University’s Standard for HIPAA Compliance Coordinators. 

Governance

This standard will be reviewed and approved by the University HIPAA Steering Committee and other key stakeholders, as deemed appropriate based on current regulatory requirements, in the interest of ensuring the privacy and security of individuals’ health information.

Status: Approved

Effective: September 24, 2019