


DHHS POLICIES AND PROCEDURES
________________________________________________________________________________________________________________________
Section VIII: Privacy and Security
Title: Privacy Manual
Chapter: Use and Disclosure Policies, Use and Disclosure
Current Effective Date: 5/1/05
Revision History: 3/16/04
Original Effective Date: 4/14/03
________________________________________________________________________________________________________________________
Purpose
The purpose of this policy is to set forth the NC Department of Health and Human Services (DHHS) requirements for privacy protections of individually identifiable health information by recognizing circumstances when it is permissible to use individually identifiable health information within an agency and when it is permissible to disclose individually identifiable health information outside an agency, including certain limitations and protections that must be applied to all health information.
This policy shall apply to any of the following DHHS agencies:
- HIPAA covered health care components and
- Internal business associates.
Background
The final Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule controls the use and disclosure of individually identifiable health information. Generally, covered health care components may not use or disclose individually identifiable health information except in ways identified in the Privacy Rule or when required or allowed by other federal or state laws. All other uses are prohibited and barriers must be established to prevent any use and disclosure other than those permitted. ‘Use’ and ‘disclosure’ are significant terms that distinguish sharing of information within an agency (use) from releasing information outside an agency (disclosure).
Policy
Basic Principle
DHHS agencies may not use or disclose individually identifiable health information except either:
It should be understood that throughout this policy whenever a ‘client’ is addressed, the client’s ‘personal representative’ (including a guardian) shall be treated the same as the client, when the client is unable to act for him/herself (see DHHS Privacy Policy Client Rights Policies, Personal Representatives).
Required Disclosures
HIPAA requires DHHS agencies to disclose individually identifiable health information in the following situations:
- To the Secretary of the United States (US) Department of Health and Human Services (HHS) when undertaking a compliance investigation, review, or enforcement action.
Permitted Uses and Disclosures
HIPAA permits DHHS agencies to use and disclose individually identifiable health information without a client’s written authorization for the following purposes or situations:
- To a client (except as required for access and accounting of disclosures);
- Treatment, payment and health care operations (exceptions for DPH and MH/DD/SAS agencies; refer to DHHS Privacy Policy Use and Disclosure Policies, Consent for Treatment, Payment, and Health Care Operations);
- Incidental to an otherwise permitted use and disclosure;
- Limited data set [for research, public health, or health care operations (See DHHS Privacy Policy Use and Disclosure Policies, De-Identification of Health Information and Limited Data Sets)];
- Facility directories (unless a client opts out of the directory);
- Notification/involvement with family/others;
- Disaster relief;
- Required by law;
- Public Health activities;
- Abuse and neglect;
- Health oversight activities;
- Judicial and administrative proceedings (see DHHS Privacy Policy Administrative Policies, Legal Occurrences);
- Law enforcement purposes;
- To avert serious threat to health/safety;
- Specialized government functions;
- Workers’ Compensation; and
- Research with Institutional Review Board (IRB) approval (see DHHS Privacy Policy Use and Disclosure Policies, Research).
Agencies must rely on professional ethics and best judgment when deciding which of these permissive uses and disclosures to make.
Authorized Uses and Disclosures
DHHS agencies may use and disclose individually identifiable health information only with a client’s authorization for the following purposes or situations:
- To anyone, for any reason, that is not for treatment, payment, or health care operations; or otherwise permitted or required by state or federal law/regulation;
- If the individually identifiable health information to be used or disclosed is psychotherapy notes; and
- For marketing purposes (see DHHS Privacy Policies Use and Disclosure Policies, Marketing and Fundraising).
Limiting Uses and Disclosures to the Minimum Necessary
DHHS agencies must make reasonable efforts to use, disclose, and request only the minimum amount of individually identifiable health information needed to accomplish the intended purpose of the use, disclosure, or request for information, except for the following circumstances:
- Disclosure to or a request by a health care provider for treatment purposes;
- Disclosure to a client who is the subject of the information;
- Use or disclosure made pursuant to an authorization;
- Disclosure to HHS for complaint investigation, compliance review, or enforcement;
- Use or disclosure that is required by law; or
- Use or disclosure required for compliance with other HIPAA rules (see DHHS Privacy Policy Use and Disclosure Policies, Minimum Necessary).
Uses and Disclosures Subject to an Agreed Upon Restriction
Clients may request agencies to restrict all or a portion of their individually identifiable health information from specific uses or disclosures. DHHS agencies that have agreed to such restrictions are required to use and disclose the restricted information only as agreed upon (see DHHS Privacy Policy Client Rights Policies, Rights of Clients).
Uses and Disclosures of De-Identified Health Information
DHHS agencies that have created information that is not individually identifiable do not have to comply with the use and disclosure requirements, provided that:
- Disclosure of a code or other means of de-identification that can be used to re-identify the client, constitutes disclosure of individually identifiable health information; and
- If de-identified health information is re-identified, DHHS agencies must use or disclose such re-identified information only in accordance with the use and disclosure requirements in this policy (see DHHS Privacy Policy Use and Disclosure Policies, De-Identification of Health Information and Limited Data Sets).
Disclosures to Business Associates
DHHS agencies may disclose individually identifiable health information of clients to a business associate and may allow a business associate to create or receive a client’s individually identifiable health information on its behalf [see DHHS Privacy Policy Administrative Policies, Business Associates (Internal/External)].
Deceased Individuals
DHHS agencies must use and disclose individually identifiable health information of a deceased client in the same manner as if the client were still alive.
Personal Representative
DHHS agencies must use and disclose individually identifiable health information to a personal representative of a client in the same way as the agency would to the client, with two exceptions:
Confidential Communications
DHHS agencies must make reasonable efforts to comply with requests from clients to disclose confidential communications by alternative means or methods (see DHHS Privacy Policy Client Rights Policies, Rights of Clients).
Use and Disclosure Consistent with Notice
DHHS agencies must use and disclose individually identifiable health information as described in the agency’s Notice of Privacy Practices (see DHHS Privacy Policy Client Rights Policies, Notice of Privacy Practices).
Disclosures by Whistleblowers and Workforce Member Crime Victims
DHHS agencies shall not be considered in violation of use and disclosure regulations if a member of its workforce or its business associate discloses individually identifiable health information “in good faith” to a health oversight agency or attorney retained by or on behalf of the individual; or if individually identifiable health information is disclosed to law enforcement by a workforce member who is a victim of crime, abuse, neglect, or domestic violence (see DHHS Privacy Policy Administrative Policies, Workforce).
Food and Drug Administration
DHHS agencies may use or disclose individually identifying health information to:
- Collect and report adverse events that are subject to the jurisdiction of the Food and Drug Administration (FDA) as related to the quality, safety, or effectiveness of such FDA-regulated products or activities;
- Enable product recalls, repairs, and replacements; and
- Conduct post-marketing surveillance.
Communicable Diseases
DHHS agencies shall disclose individually identifiable health information regarding a client(s) who has been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, according to requirements set forth in Chapter 130A of the NC General Statutes (GS).
Employer
DHHS agencies may disclose individually identifiable health information to an employer about a client who is a member of the employer’s workforce if the employer has requested the agency conduct an evaluation relating to medical surveillance of the workplace or to evaluate the client for a work-related illness or injury. Information disclosed shall be limited to the work-related illness or injury of the client or to carry out its responsibilities for workplace medical surveillance (see DHHS Privacy Policy Administrative Policies, Workforce).
Implementation
DHHS agencies are required to develop procedures to implement the Department’s privacy policy regarding the use and disclosure of individually identifiable health information.
Required Disclosures – Client Authorization Not Required
DHHS agencies shall disclose individually identifiable health information to the client or to the Secretary of the US Department of Health and Human Services without client authorization, as required in this policy as follows:
- Client
Client rights provided by the HIPAA Privacy Rule require agencies to disclose individually identifiable health information to the client who is the subject of the information, unless an agency has a compelling reason not to do so (See DHHS Privacy Policy Client Rights Policies, Rights of Clients).
- DHHS Secretary
The HIPAA Privacy Rule requires agencies to disclose individually identifiable health information to the HHS Secretary, when requested, to determine compliance with the HIPAA Privacy Rule. Agencies are required to maintain proper records, and upon request of HHS, to submit compliance reports in such time and manner as determined by the HHS Secretary.
During an investigation or compliance review, DHHS agencies must cooperate with HHS and the DHHS Privacy Officer shall be notified of such investigation or compliance review.
- Agencies must permit access by HHS during normal business hours to its facilities, books, records, accounts, and other sources of information, including individually identifiable health information, that are pertinent to ascertaining compliance with the requirements or investigation of a complaint.
- If HHS determines that serious circumstances exist, agencies must permit access by HHS at any time and without notice.
- If any information required of DHHS agencies is in the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails or refuses to furnish the information, DHHS agencies must so certify and set forth what efforts it has made to obtain the information.
Variations in requirements specific to disclosure to the Secretary of US HHS include the following:
- Written authorization from the client is not required for such disclosures.
- Disclosures to HHS are not subject to the minimum necessary requirements.
- Disclosures to HHS are required to be accounted for in the agency’s Accounting of Disclosures log.
Permitted Uses and Disclosures – Client Authorization Not Required
DHHS agencies shall use and disclose individually identifiable health information without client authorization only as permitted or required in this policy, or as required by other federal or state laws and regulations. Whenever North Carolina General Statutes and other federal regulations are more stringent than the HIPAA privacy rules, the more stringent requirement prevails.
Although client authorization is not required by law or regulation in the following circumstances, each agency should exercise professional judgment in determining whether to seek client involvement when using or disclosing that client’s confidential information.
- Treatment Purposes
Use
Individually identifiable health information may be used (i.e., shared among designated staff) within a covered health care component to carry out treatment activities. DHHS agencies may use a client’s individually identifiable health information for its own treatment purposes, including coordination and management of health care services for clients.
- Use of individually identifiable health information by the workforce within an agency for treatment purposes does not require written authorization from the client.
- Use of individually identifiable health information by the workforce for treatment purposes is not subject to the minimum necessary requirements.
- Use of individually identifiable health information by the workforce for treatment purposes is not required to be accounted for in the agency’s Accounting of Disclosures log.
- Use of psychotherapy notes requires a written authorization from the client who is the subject of the notes.
NOTE: One Client/One Record – Facilities within the Division of Mental Health, Developmental Disabilities and Substance Abuse Services (DMH/DD/SAS) shall share one client record for all treatment services rendered to each individual client within all Division facilities to coordinate treatment, payment, etc. The agency’s Consent for TPO allows the client record to be “used for treatment purposes” within all of the Division facilities. (The DMH/DD/SAS Client Records Manual for State Facilities, APSM 45-3 should be consulted in determining the procedures for sharing one health record per client.)
Corporate Master Person Index: Facilities within Division of Mental Health, Developmental Disabilities, and Substance Abuse Services are required to furnish individually identifiable health information to the Department for the purpose of maintaining a database of clients served in the state facilities. State facilities may access this database only if such information is necessary for the appropriate and effective evaluation, care, and treatment of a client.
Disclosure
Individually identifiable health information may be disclosed (e.g., shared with other health care providers or human service agencies) outside a covered health care component to carry out treatment coordination and management between providers and for referrals to other health care providers for treatment purposes.
- Disclosure of individually identifiable health information by the workforce in an agency for treatment purposes does not require written authorization from the client.
- Disclosures of individually identifiable health information by the workforce in an agency to another health care provider for treatment purposes are not subject to the minimum necessary requirements.
- Disclosures of individually identifiable health information for treatment purposes are not required to be accounted for in the agency’s Accounting of Disclosures log.
- Payment Purposes
Use
Individually identifiable health information may be used (i.e., shared among designated staff) within a covered health care component for payment purposes such as determining or fulfilling the agency’s responsibility for coverage and provision of benefits under a health plan; or to obtain or provide reimbursement for the provision of health care.
- Use of individually identifiable health information by the workforce within an agency for payment purposes does not require written consent from a client.
- Use of individually identifiable health information by the workforce within an agency for payment purposes is subject to the minimum necessary requirement.
- Use of individually identifiable health information by the workforce within an agency for payment purposes is not required to be accounted for in the agency’s Accounting of Disclosures log.
Disclosure
Individually identifiable health information may be disclosed (e.g., shared with other payers, health care providers, or business associates) outside a covered health care component to carry out payment functions such as eligibility, billing, claims adjustment, and other collection activities.
- Disclosure of individually identifiable health information by the workforce outside the agency for payment purposes does not require written authorization from the client.
- Disclosures of individually identifiable health information by the workforce in an agency for payment purposes are subject to the minimum necessary requirements.
- Disclosures of individually identifiable health information by the workforce in an agency for payment purposes are not required to be accounted for in the agency’s Accounting of Disclosures log.
- Health Care Operations
Use
Individually identifiable health information may be used (i.e., shared among designated staff) within a covered health care component for health care operation purposes such as conducting quality assessment and improvement activities, business planning and development, business management and administrative activities, student training, and credentialing.
- Use of individually identifiable health information by the workforce within an agency for health care operation purposes does not require written consent from the client.
- Use of individually identifiable health information by the workforce for health care operation purposes is subject to the minimum necessary requirements.
- Use of individually identifiable health information by the workforce for health care operation purposes is not required to be accounted for in the agency’s Accounting of Disclosures log.
Disclosure
Individually identifiable health information may be disclosed (i.e., shared with entities) outside a covered health care component to carry out health care operation functions such as accreditation, licensure, conducting or arranging for medical review, auditing, or legal services that are necessary to run the agency and to support the core functions of health care treatment and payment.
- Disclosure of individually identifiable health information by the workforce in an agency for health care operation purposes does not require written authorization from the client.
- Disclosure of individually identifiable health information by the workforce in an agency for health care operation purposes is subject to the minimum necessary requirements.
- Disclosure of individually identifiable health information for health care operation purposes is not required to be accounted for in the agency’s Accounting of Disclosures log.
Permitted Uses and Disclosures – Client Written Authorization Not Required;
Opportunity for Client to Agree or Object – Required
DHHS agencies may use or disclose individually identifiable health information in certain circumstances, but agencies must allow clients the opportunity to agree, object, or restrict certain uses or disclosures of their individually identifiable health information, in advance of the agency’s use or disclosure. Such information must be documented in the client’s health record.
- Written authorization from a client is not required for such disclosure.
- Oral agreement or objection by a client is acceptable.
- Disclosures for which a client must have an opportunity to agree or object are subject to the minimum necessary requirements.
- Disclosures for which a client must have an opportunity to agree or object are not required to be accounted for in the agency’s Accounting of Disclosures log.
The following circumstances require agencies to provide clients with the opportunity to agree or object to the use or disclosure of their individually identifiable health information:
- Facility directory/emergency situations;
- Notification or involvement of family member, other relative, or close personal friend of a client in the client’s care or payment related to the client’s health care; and
- Disaster relief purposes.
- Facility Directory/Emergency Situations
DHHS facilities may use the following individually identifiable health information to maintain a directory of facility clients:
- Client name;
- Client location in facility;
- Client condition (in general terms such as good, fair, poor); and
- Client’s religious affiliation.
DHHS facilities that maintain a facility directory must develop procedures for disclosing specific individually identifying health information about their clients. NCGS 122C-53(b) allows MH/DD/SAS facilities to disclose the fact of admission to a client’s next of kin, whenever the responsible professional determines that disclosure is in the best interest of the client. Otherwise, disclosure from a facility directory is allowed only upon authorization of the client. Facility procedures must specify the process used to protect the individually identifying health information maintained in the facility’s directory.
If the opportunity to agree or object to a disclosure from the facility directory cannot be practically provided because of the client’s incapacity or an emergency treatment circumstance, agencies may use their best judgment considering what the client may have done in the past or how they believe the client would respond in the present situation. Agencies must inform the client of such use or disclosure and allow the client the opportunity to agree or object as soon as the emergency situation has passed and it becomes practicable to do so. Whenever a client opts out of the facility directory, the client’s information in the facility directory becomes protected health information.
- Notification/Involvement with Family/Others
In situations where individually identifiable health information of a client is being disclosed to a family member, other relative, or close personal friend of the client and the client is present, the agency must obtain the client’s agreement, provide the client with an opportunity to agree or object to the disclosure, or determine, based on the circumstances and using professional judgment, that the client would not object prior to the disclosure. If the client is not present or is incapacitated and cannot agree or object, the agency must use professional judgment to determine what is in the best interest of the client. In such instances, agencies must limit the information being disclosed to that which is directly relevant to the situation.
NOTE: Chapter 122C of the NC General Statutes defines specific circumstances and conditions when confidential information can be disclosed to family/others by MH/DD/SAS facilities. These facilities shall develop procedures consistent with NC state law.
- Disaster Relief
Use or disclosure of individually identifiable health information for disaster relief purposes (e.g., flood, hurricane, terrorism) must be determined based on professional judgment, taking into account the best interest of the client, and the determination that the requirements do not interfere with the ability to respond to the emergency circumstances.
Permitted Uses and Disclosures – Client Written Authorization Not Required;
Opportunity for Client to Agree or Object – Not Required
DHHS agencies may use or disclose individually identifiable health information without written authorization and without an opportunity for the client to agree, object, or restrict certain uses or disclosures of their individually identifiable health information in specific circumstances.
- Required by Law
DHHS agencies may use and disclose individually identifiable health information to the extent that such use or disclosure is required by law, and the use or disclosure complies with and is limited to the relevant requirements of such law. Legal mandates requiring use or disclosure of individually identifying health information may be based upon federal or state statutes/regulations, board of health rules, court orders, and subpoenas issued by a court or other similar judicial or administrative body.
Examples of uses or disclosures required by law include the following:
- The Chief Medical Examiner or a county medical examiner may demand the records of a patient who has died and whose death is under investigation (NCGS 130A-385).
- Local health directors or the State Health Director may demand medical records pertaining to the diagnosis, treatment, or prevention of communicable disease (NCGS 130A-144(b)).
- If a health care provider reports an event that may indicate an illness, condition, or health hazard caused by terrorism to a local health director or the State Health Director, the State Health Director or local health director may demand to see records that pertain to those reports (NCGS 130A-476).
- Physicians must report known or suspected cases or outbreaks of reportable communicable diseases to the local health department (NCGS 130A-135).
- Physicians, local health departments, and DHHS shall, upon request and without consent, release immunization information to schools (public, private, or religious), licensed and registered childcare facilities, Head Start, colleges and universities, health maintenance organizations, and other state and local health departments outside North Carolina [NCGS 130A and 10A NC Administrative Code (AC) 41A].
- Health care providers and administrators of health care facilities must report the following types of wounds/injuries to law enforcement authorities: wounds and injuries caused by firearms; illnesses caused by poisoning; wounds and injuries caused by knives or other sharp instruments if it appears to the treating physician that a criminal act was involved; any other wound, injury, or illness involving grave bodily harm if it appears to the treating physician that criminal violence was involved (NCGS 90-21.20).
- All health care facilities and health care providers must report diagnoses of cancer to the central cancer registry (NCGS 130A-209).
- State statutes require all live births, fetal deaths, and deaths, including required medical information related to births and medical certification of the cause of death, to be reported to the local registrar in the county where the birth or death occurred. Physicians, hospitals, medical facilities, birthing facilities, funeral directors, medical examiners, and others as specified are required to provide this information (NCGS 130A-90 - 130A-123).
NOTE: Reports made to newspapers or other media regarding birth or death announcements require authorization.
Procedural Requirements
Procedural requirements for disclosures required by law include the following:
- Written authorization from the client is not required for such disclosures; however, if authorization is obtained, verbal request and authorization is sufficient.
- Disclosures required by law are subject to the minimum necessary requirements unless the law specifies otherwise.
- Disclosures required by law are required to be accounted for in the agency’s Accounting of Disclosures logs.
- Public Health Activities
DHHS agencies shall develop procedures regarding disclosures for public health activities.
There are specific laws that require information related to public health activities to be disclosed, so those laws would fall under the “required by law” provisions noted in the corresponding section above. There are also some laws that permit information related to public health activities to be used or disclosed. DHHS agencies may disclose individually identifiable health information related to public health activities to a public health authority when such uses or disclosures are permitted under the law for:
- Prevention and control of disease, injury, and disability;
- Communicable disease notification;
- Child abuse and neglect reporting;
- FDA-regulated product or activity monitoring; and
- Work-related illness or injury monitoring and workplace medical surveillance.
Public health authorities may include the following organizations and individuals:
- Federal: Components and officials of HHS including those within the Centers for Disease Control and Prevention (CDC) and the FDA.
The American Association of Poison Control Centers is acting under a cooperative agreement with the CDC to conduct the toxic exposure surveillance system, thus is functioning as a public health authority.
- State: Components and officials of NC DHHS (Division of Public Health), the NC Department of Environment and Natural Resources (DENR), and the NC Department of Agriculture, as well as parallel agencies in other states.
- Local: Components and officials of local health departments and boards of health. Other non-traditional public health authorities might include a county sheriff’s office or a private, non-profit organization that is responsible for animal control activities such as rabies control. For child abuse and neglect reporting, the county departments of social services.
- Other: An organization performing public health functions under a grant of authority from or contract with a public health agency [45 Code of Federal Regulations (CFR) 164.501] such as universities, community-based organizations, and others, who in these situations are considered public health authorities when performing public health activities.
In addition to public health authorities, DHHS agencies may also disclose individually identifiable health information to an official of a foreign government agency that is acting in collaboration with a public health authority if the public health authority directs the agency to make such disclosure.
For example, if the CDC is collaborating with public health officials in Canada while investigating a disease outbreak, a NC DHHS agency could disclose protected health information to a Canadian government agency if directed to do so by the CDC.
Prevention and Control of Disease, Injury, and Disability; and Communicable Disease Notification
Examples of uses or disclosures permitted for public health purposes for the “prevention and control of disease, injury, and disability; and communicable disease notification” include the following:
- Health care providers are permitted to report any event that may indicate an illness, condition, or health hazard caused by terrorism to local health directors or the State Health Director (NCGS 130A-476).
- Medical facilities are permitted to report certain communicable diseases to the local health director (NCGS 130A-137).
- Hospitals and urgent care centers are permitted to participate in a program for reporting emergency department data to a program established by the State Health Director for public health surveillance purposes (NCGS 130A-476).
- The State Center for Health Statistics is permitted to collect health data for various health-related research purposes on a voluntary basis – they cannot compel mandatory reporting (NCGS 130A-373).
Child Abuse and Neglect Reporting
Under North Carolina law, any person or institution who has cause to suspect that any juvenile is abused, neglected, or dependent, or has died as the result of maltreatment must make a report to the department of social services in the county where the child lives or is found (NCGS 7B-301).
FDA-regulated Product or Activity Monitoring
Agencies must disclose individually identifiable health information to the FDA when required to do so as related to the quality, safety, or effectiveness of such FDA-regulated products or activities. Agencies must ensure staff are aware of such requirements and shall develop a process for ensuring the reporting is handled according to agency requirements. Staff must be knowledgeable of such requirement and assured that the disclosure is not in violation of the agency’s privacy policies and procedures.
Work-Related Illness or Injury Monitoring and Workplace Medical Surveillance
DHHS physicians, medical facilities, and laboratories are required to report to the Department all cases of specified serious and preventable occupational injuries that occur while working on a farm, as well as specified serious and preventable occupational diseases and illnesses which result from exposure to a health hazard in the workplace. DHHS agencies shall ensure procedures are in place to report required injuries, diseases, and illnesses.
DHHS agencies shall develop procedures regarding disclosures for “public health activities that may be made to an employer” about an individual who is a member of the employer’s workforce or an individual who is receiving health care at the request of the employer in the following circumstances:
- To conduct an evaluation relating to medical surveillance of the workplace or
- To evaluate whether the individual has a work-related illness or injury.
The individually identifiable health information disclosed must directly relate to the above circumstances. DHHS agencies must provide the individual with a written notice that such information is disclosed to an employer, for public health activity purposes.
Procedural Requirements
Procedural requirements for disclosures for “public health activities” include the following:
- Written authorization from the client is not required.
- Disclosures are subject to the minimum necessary requirements, unless the law specifies otherwise.
- Disclosures are required to be accounted for in the agency’s Accounting of Disclosures log.
- Adult Abuse and/or Neglect Reporting
Under North Carolina law (Article 6, Chapter 108A), any person having reasonable cause to believe that a disabled adult is in need of protective services must make a report to the director of social services.
In making such disclosure, agency staff shall promptly inform the client, in the exercise of professional judgment, that such a report has been or will be made, except if a qualified professional believes informing the client would place the client at risk of serious harm; or if it is determined by agency staff that informing a client’s personal representative would not be in the best interest of the client.
Procedural Requirements
Procedural requirements for disclosure when reporting “adult abuse and/or neglect” include the following:
- Written authorization from the client is not required.
- Individually identifiable health information disclosed for such purposes is not subject to the minimum necessary requirements, but professional judgment should be exercised in determining the information that is necessary to meet the purpose.
- Such disclosures are required to be accounted for in the agency’s Accounting of Disclosures log.
- Health Oversight Activities
DHHS agencies may disclose individually identifiable health information to a health oversight agency for health oversight activities authorized by law, including audits, investigations, inspections, licensure, or disciplinary actions, legal proceedings or actions, or other activities necessary for appropriate oversight of:
- The health care system;
- Eligibility programs;
- Compliance with program standards; or
- Compliance with civil rights laws.
Exception: Investigation or other activity in which the client is the subject of the investigation or activity that is not directly related to the client’s health care, claim for benefits or receipt of public services is not considered a health oversight activity.
Procedural Requirements
Procedural requirements for disclosures related to “health oversight activities” include the following:
- Written authorization from the client is not required.
- Disclosures are not subject to the minimum necessary requirements.
- Disclosures are required to be accounted for in the agency’s Accounting of Disclosures log unless the health oversight activity is considered a health care operation. Health care operations may include accreditation, certification, peer review, licensing, or credentialing activities; conducting or arranging for medical reviews (e.g., death reviews); legal services; auditing functions, including fraud and abuse detection and compliance programs; and resolution of internal grievances.
- Judicial and Administrative Proceedings
DHHS agencies may disclose individually identifiable health information for judicial or administrative proceedings, as required by NC General Statutes, when the use or disclosure is made in response to a(n):
- Court order;
- Administrative tribunal order;
- Subpoena;
- Discovery request; or
- Other lawful purpose.
All disclosures made in judicial and administrative proceedings shall be made only after the identity and authority of any person requesting such disclosure has been verified, and the requisite documentation required for the disclosure has been obtained. A subpoena alone is not sufficient reason for disclosing confidential information. Both a subpoena and a court order must be issued to compel disclosure.
Refer to the DHHS Privacy Policy Administrative Policies, Legal Occurrences for specific requirements when responding to lawful requests for individually identifiable health information.
| NOTE: | There may be federal or state laws that are more restrictive than the requirements in this policy, in which case the more restrictive would apply. |
Procedural Requirements
Procedural requirements for disclosures for “judicial and administrative proceedings” include the following:
- Written authorization from the client is not required.
- Disclosures are subject to the minimum necessary requirements, unless the law (including court orders) specifies otherwise.
- Disclosures are required to be accounted for in the agency’s Accounting of Disclosures log.
- Law Enforcement Purposes
DHHS agencies shall develop procedures that ensure staff is knowledgeable about disclosures that may be made for law enforcement purposes. Agencies may disclose individually identifiable health information without client authorization for the following law enforcement purposes as applicable:
- A law which requires disclosure such as reporting of wounds;
- Court order, court-ordered warrant, subpoena, or summons;
- Grand Jury subpoena;
- Administrative request including subpoena, summons, or civil or authorized demand; or
- Similar process authorized by law.
A subpoena alone is not sufficient reason for disclosing confidential information. Both a subpoena and a court order must be issued to compel disclosure.
Agencies may also disclose limited information for identification and location purposes when requested by a law enforcement official for the purpose of identifying or locating a suspect, fugitive, material witness, or missing person. Only the following information may be disclosed:
- Name and address;
- Date and place of birth;
- Social Security Number;
- ABO blood type and Rh factor;
- Type of injury;
- Date and time of treatment;
- Date and time of death, if applicable; and
- A description of physical characteristics.
| NOTE: | There may be federal or state laws that are more restrictive than the requirements in this policy in which case the more restrictive would apply. |
Procedural Requirements
Procedural requirements for disclosures for “law enforcement purposes” detailed in this section include the following:
- Written authorization from the client is not required.
Exception: Individually identifiable health information related to DNA; dental records; or typing, samples, or analysis of body fluids or tissue may not be disclosed without client authorization.
- Disclosures are subject to the minimum necessary requirements, unless the law (including court orders) specifies otherwise.
- Disclosures are required to be accounted for in the agency’s Accounting of Disclosures log.
- Victims of a Crime
DHHS agencies may disclose individually identifiable health information in response to a law enforcement official’s request for such information about a client who is, or is suspected to be, a victim of a crime if:
- The client agrees to the disclosure; or
- The agency is unable to obtain the client’s agreement because of incapacity or other emergency circumstances, provided that:
- A violation has occurred;
- Enforcement activity would be adversely affected if delayed; and
- Disclosure is in the best interest of the client.
- Crime on Premises
DHHS agencies may disclose individually identifiable health information to a law enforcement official when the agency believes a crime (or threat of crime) has been committed on the premises or against agency staff. However, information disclosed must be limited to the circumstances and client status, including last known name and address.
- Reporting Crime in Emergencies
If staff in a DHHS agency provides emergency health care in response to a medical emergency off site, the agency may disclose individually identifiable health information to law enforcement officials if such disclosure appears necessary to alert law enforcement to:
- The commission and nature of a crime;
- The location and the victim of such crime; and
- The identity, description, and perpetrator of such crime.
If the agency believes that the medical emergency off site is the result of abuse or neglect of the individual in need of emergency health care, the agency must first use professional judgment to determine if disclosure of individually identifiable health information is in the best interest of the individual.
- Avert Serious Threat to Health or Safety
Agencies may use and disclose individually identifiable health information to avert a serious threat to health and safety whenever such use or disclosure is consistent with laws and ethical standards and the agency believes it is necessary to:
- Prevent or lessen a serious and imminent threat to the health or safety of a person or to the public, and the disclosure is to a person or entity that may reasonably be able to prevent or lessen the threat; or
- Assist law enforcement to identify or apprehend an individual:
- Where it appears from all the circumstances that the client has escaped from a correctional institution or from lawful custody; or
- Because of a statement by a client admitting participation in a violent crime that the agency reasonably believes may have caused serious physical harm to the victim.
| NOTE: | Disclosure is NOT permitted if the agency learned such information when treating, counseling, or providing therapy for such criminal conduct; or if the client requested to be referred for treatment, counseling, or therapy for such criminal conduct. |
Information disclosed shall be limited to the client’s statement and the following identifying information:
- Name and address;
- Date and place of birth;
- Social Security number;
- ABO blood type and Rh factor;
- Type of injury (if applicable);
- Date and time of treatment;
- Date and time of death (if applicable); and
- A description of distinguishing physical characteristics.
Any agency that uses or discloses such confidential information as described above shall be presumed to have acted in good faith and the belief is based upon the agency’s actual knowledge or in reliance on a credible representation by a person with apparent knowledge or authority.
Such disclosures must be accounted for in the agency’s Accounting of Disclosures logs.
- Specialized Government Functions
Unless otherwise prohibited by state or federal law, agencies may use or disclose individually identifiable health information for specialized government functions, as long as the identity of the individual representing such function is verified. Functions include:
- The Red Cross, Armed Forces personnel, or other authorized agents of the Armed Forces, if deemed necessary by appropriate military command;
- Authorized federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities;
- Authorized federal officials for the provision of protecting the US President or foreign heads of state;
- Authorized federal officials for national security, which may include any of the agencies listed below.
- The Office of the Director of the Central Intelligence Agency (CIA)
- The Office of the Deputy Director of the CIA
- The National Intelligence Council (and other such offices as the Director may designate)
- The CIA
- The National Security Agency
- The Defense Intelligence Agency
- The National Imagery and Mapping Agency
- The National Reconnaissance Office
- Other offices within the Department of Defense for the collection of specialized national intelligence through reconnaissance programs
- The intelligence elements of the Army, Navy, Air Force, Marine Corps, Federal Bureau of Investigation, Department of the Treasury, and Department of Energy
- The Bureau of Intelligence and Research of the Department of State
- Other elements of any other department or agency as may be designated by the President, or designated jointly by the Director of Central Intelligence and the head of the department or agency concerned, as an element of the intelligence community
- The Department of State to make medical suitability determinations regarding required security clearance, mandatory service abroad, or for a family to accompany a Foreign Service member abroad;
- A correctional institution or law enforcement official with lawful custody of an inmate if necessary for the health and safety of such individual, other inmates, officers, or other employees at the correctional institution; and
- Government programs that provide public health benefits and governmental agencies administering such programs.
Procedural Requirements
Procedural requirements for disclosures for “specialized government functions” include the following:
- Written authorization from the client is not required.
- Disclosures are subject to the minimum necessary requirements, unless the law specifies otherwise.
- Disclosures are required to be accounted for in the agency’s Accounting of Disclosures log.
- Workers’ Compensation
Agencies may use or disclose individually identifiable health information as authorized by, and to the extent necessary to comply with laws relating to workers’ compensation or other similar programs established by law that provide benefits for work-related injuries or illness without regard to fault.
- Research
DHHS agencies may use and disclose individually identifiable health information for research purposes when done in accordance with DHHS Privacy Policy Use and Disclosure Policies, Research.
- Other Requirements
- De-Identification of Individually Identifiable Health Information
Health information that does not identify an individual or where there is no reasonable basis to believe that the information can be used to identify an individual is not considered individually identifiable health information, and therefore does not require privacy protections (see DHHS Privacy Policy De-Identification of Health Information and Limited Data Sets for requirements for de-identifying individually identifiable health information).
- Minimum Necessary (See DHHS Privacy Policy Use and Disclosure Policies, Minimum Necessary)
- Internal Use: Agencies must have written policies and procedures that regulate access to and use of written records and electronic data. Procedures must describe the method(s) for identifying staff classifications and determining the level of access to be afforded each class. Procedures must also specify the methodology for granting and denying access, including access for new hires and requirements when staff leaves the employ of the agency.
- External Disclosure: Agencies must have written policies and procedures that limit the individually identifiable health information disclosed outside the agency to the amount reasonably necessary to achieve the purpose of the disclosure.
Procedures must specify agency staff who are designated to disclose confidential information and their responsibilities for ensuring only the minimally necessary information is disclosed.
- Requests: Agencies must implement procedures that limit any request for information to that which is minimally necessary, including routine and recurring requests. Procedures must distinguish requirements for routine and recurring requests from other requests for specific information. Requests for individually identifying health information as presented in a researcher’s documentation or on the representation of an IRB or a Privacy Board may be considered the minimum necessary information requested for research purposes. Disclosures to a financial institution are subject to the minimum necessary requirement and the agency must make its own assessment of the minimum necessary information required for the financial institution’s purpose.
- Entire Record: Agencies should not use, disclose, or request an entire health record unless specifically justified as necessary to achieve the purpose. Procedures must specify staff responsibilities for ensuring only the minimally necessary information is disclosed from health records. Procedures must also detail the agency’s required process when it is determined the entire record must be disclosed.
- Agreed Upon Restrictions/Confidential Communications
Whenever an agency agrees with a client to restrict the use or disclosure of specific information or agrees to communicate with a client in a manner that is different from the usual, the agency must initiate procedures for informing any workforce members who could be in a position to use or disclose that restricted information. Procedures must specify how such information will be communicated to staff and how such disclosures will be monitored.
- Business Associates [see DHHS Privacy Policy Administrative Policies, Business Associates (Internal/External)]
- Internal: Covered health care components within DHHS that are internal business associates with other covered health care components within DHHS are under the same privacy requirements and therefore do not require a written agreement that protects the confidentiality of the information shared between the two components.
Covered health care components within DHHS that are internal business associates with other DHHS agencies that are not covered health care components must ensure the DHHS privacy policies apply to the internal business associate who will protect such information as if it were a covered component. Procedures must be written to describe the process used to determine the relationship between the two entities and measures to be taken to ensure the protection of the confidential information shared between the two entities.
| NOTE: | Most DHHS privacy policies apply to both covered health care components and internal business associates. |
- External: Covered health care components within DHHS that are business associates with other departments in state government or with contractors/vendors are required to develop procedures for entering into a Business Associate Memorandum of Understanding (for other departments in state government) or a Business Associate Addendum (for DHHS contractors/vendors).
Procedures must be developed that specify the process, including the development of agreements that are required to ensure the protection of the confidential information shared between the two entities.
- Deceased Individuals
Individually identifiable health information generated during the life of a deceased client shall be protected from unauthorized use and disclosure as long as an agency maintains the information. If an executor, administrator, or other person has been authorized by law to act on behalf of a deceased client, such person shall be recognized as a personal representative of that client and shall authorize the use and disclosure of the decedent’s individually identifiable health information, if required. Agencies must develop and implement procedures that address the following disclosures:
- Disclosure to a coroner or medical examiner for identification of a deceased client or to determine cause of death is permitted without authorization. Agencies are not required to remove information about persons other than the client before disclosing the record.
- Disclosure of all individually identifiable health information, including psychotherapy notes, to a coroner or medical examiner is permitted without client authorization in order to determine cause of death; the minimum necessary requirement does not apply in this situation.
- Disclosure to a coroner or medical examiner is required to be included in the agency’s Accounting of Disclosures.
- Disclosure to a funeral director, as necessary to carry out their duties with respect to a decedent is permitted without authorization. If necessary, individually identifiable health information may be disclosed prior to, and in reasonable anticipation of, the client’s death.
- Disclosure to an organ procurement organization or other entities engaged in the procurement, banking, or transplantation of cadaver organs, eyes, or tissue for the purpose of facilitating organ, eye, or tissue donation and transplantation is permitted without authorization.
- Use and disclosure of individually identifiable health information of deceased clients for research purposes is permitted without authorization from a personal representative or an Institutional Review Board/Privacy Board provided the following information is obtained from the researcher:
- Use and disclosure is solely for research on the individually identifiable health information of decedents;
- Documentation regarding the decedent’s death; and
- Representation that the individually identifiable health information is necessary for research purposes.
- Personal Representative
A personal representative is any adult who has decision-making capacity and who is willing to act on behalf of a client regarding the use and disclosure of the client’s individually identifiable health information. This would include an individual who has authority, by law or by agreement from the client receiving treatment, to act in the place of the client such as spouse, adult children, parents, legal guardians, or properly appointed agents (e.g., an individual who has been given a medical power of attorney). Procedures must be developed that address when a personal representative is required and the responsibilities of the agency when communicating with a personal representative. Procedures must also include communication requirements if the client is an un-emancipated minor or if the client has been abused, neglected, or has been in an endangerment situation and there is some question about the personal representative’s involvement in the care of the client (see DHHS Privacy Policy Client Rights Policies, Personal Representative for requirements regarding recognition of a personal representative for a client).
- Notice of Privacy Practices Requirements
The agency’s Notice of Privacy Practices must accurately reflect the agency’s policies and procedures for using and disclosing individually identifiable health information. Any change in existing policies or procedures requires a change in the agency’s Notice.
Procedures must be written to specify how the agency’s Notice is developed, distributed, and updated (see DHHS Privacy Policy Client Rights Policies, Notice of Privacy Practices for specific requirements for developing and distributing the agency Notice).
- Whistleblowers and Workforce Member Crime Victims
A member of an agency’s workforce may use or disclose individually identifiable health information when a staff member or a business associate believes in good faith that the agency has engaged in conduct that is unlawful, violates professional or clinical standards, or there is potential danger to one or more clients, workers, or the public. Such information may be disclosed to a public health authority, health oversight agency, or healthcare accreditation organization without being a violation of the client’s privacy. Agencies must develop a procedure for staff to follow when disclosing individually identifying health information.
A member of an agency’s workforce who is the victim of a criminal act may disclose a client’s individually identifying health information to a law enforcement officer when that client is the suspected perpetrator of the criminal act. Agencies must develop and inform staff of the procedures to follow when disclosing such information.
Such use and disclosure does not violate the HIPAA Privacy Rule; however, agencies are responsible for ensuring their workforce is knowledgeable about such matters (see DHHS Privacy Policy Administrative Policies, Workforce for specific privacy requirements that staff must follow).
- Fundraising
DHHS agencies may use or disclose individually identifiable health information to a business associate or related foundation for the agency’s own fundraising purposes if the information is limited to demographic information and dates of health care provided and specified conditions are met. No other information such as the client’s diagnosis and treatment is allowed to be used or disclosed without specific authorization from the client or the client’s personal representative (see DHHS Privacy Policy Use and Disclosure Policies, Marketing and Fundraising for more specific requirements).
- Identification Badges
While employee identification badges serve an important function within an agency, wearing an identification badge that includes the name of the agency and the employee’s name and position while accompanying a client off the agency premises could be considered disclosure of confidential information. Such disclosure could be an embarrassment to the client or cause the client to feel his right to privacy has been compromised. Therefore, it is recommended that whenever an employee accompanies a client outside the agency the employee’s badge not be visible to the public (see DHHS Privacy Policy Administrative Policies, Privacy Safeguards).
Use and Disclosures – Client Authorization Required
Client authorization is required in the following circumstances:
- Any use or disclosure (unless allowed without authorization, as specified in this policy);
- Psychotherapy notes; and
- For marketing purposes.
- Any Use or Disclosure
Authorization allows for the use and disclosure of individually identifiable health information, as specified by a client, but authorization may be revoked by a client at any time.
DHHS agencies shall ensure that a properly written and signed authorization by the client or the client’s personal representative is created prior to requesting individually identifying health information from another entity. Likewise, agencies must ensure that a properly written and signed authorization is received prior to responding to requests for disclosure of a client’s individually identifiable health information. Exceptions to this requirement are specified in this policy.
In order to be considered valid, authorizations sent or received by DHHS agencies must contain specific elements and be written in plain language. An authorization may contain other elements or information in addition to the required elements; provided that such additional elements or information are not inconsistent with the required elements (see DHHS Privacy Policy Use and Disclosure Policies, Authorizations for authorization requirements and the required DHHS Authorization Form to be used by all DHHS divisions and offices).
Agency procedures must include acceptable responses to requests for individually identifiable health information without an accompanying authorization from the client. If the agency can find no provision in state or federal law that allows such disclosure, agency staff should request that the requestor provide the legal authority that allegedly permits or requires the agency to disclose confidential information.
Client Photographs
Agencies that take photographs of clients for identification purposes must obtain the client’s consent prior to photographing. Photographs of clients may not be displayed in the facility or released outside of the agency without client authorization. Agencies may develop their own consent forms allowing the photograph(s) to be taken, but if there is a need to disclose the photograph(s), authorization must be obtained prior to disclosure.
- Psychotherapy Notes
Psychotherapy notes are notations that capture a therapist’s impressions about a client and contain details of conversations during a private counseling session or a group, joint, or family counseling session. Such notes are considered the therapist’s personal notes and are not maintained in the client’s health record, but are maintained separately by the therapist.
In most cases, including disclosure to another health care provider for treatment, payment or health care operations, psychotherapy notes can only be released with client authorization. However, authorization for the use or disclosure of psychotherapy notes is not required in the following circumstances:
- For use by the originator for treatment;
- For use in education programs including residency or graduate training programs;
- To defend a legal action brought by a client;
- For purposes of HHS determining compliance with the HIPAA Privacy Rules;
- As otherwise required by law;
- By a health oversight agency for a lawful purpose related to oversight of a psychotherapist;
- To a coroner or medical examiner for the purpose of identifying a deceased client, determining a cause of death, or other duties as required by law; or
- To law enforcement in instances of permissible disclosure related to a serious or imminent threat to the health or safety of a person or the public.
A client’s right to request access to his/her health care records does not apply to psychotherapy notes maintained by a psychotherapist. The client’s psychotherapist or physician must use professional judgment in determining whether a client should have access to psychotherapy notes.
- Marketing
Marketing involves communication about a product or service that encourages the purchase or use of a product or service. The following communications are NOT considered marketing:
- Describing a product or service provided by the agency;
- Reviewing treatment with a client;
- Discussing case management or coordination of care; and
- Recommending alternative treatments.
DHHS agencies and their employees are not allowed to use or disclose a client’s individually identifiable health information for marketing purposes without the authorization of the client who is the subject of the information, or the client’s personal representative. This prohibition includes the disclosure, use, or selling of prescription drug patterns and the disclosure to any non-affiliated third party for use in telemarketing, direct mail marketing, or other marketing through e-mail to the client without client authorization.
Any marketing arrangement between a DHHS agency and any other entity whereby the agency discloses confidential information to the other entity requires client authorization. If marketing is expected to result in direct or indirect remuneration to a DHHS agency from a third party, the remuneration must be stated in the authorization presented to the client for signature.
Exception: Client authorization for marketing is not required when communication with the client is in the form of:
- Face-to-face communication made by the DHHS agency with the client or
- When a promotional gift of nominal value is provided by the agency.
(See DHHS Privacy Policy Use and Disclosure Policies, Marketing and Fundraising for specific requirements for marketing.)
- Verification
DHHS agencies must obtain proper identification of all individuals, including clients, prior to allowing access to confidential information.
Agencies must establish and implement written procedures that are reasonably designed to verify the identity and authority of the requestor where the agency does not know the person requesting the information. Knowledge of a person may take the form of:
- A person known by the agency;
- A phone or fax number known by the agency;
- An address known by the agency; or
- A place of business known by the agency.
Where documentation, statements, or representations, whether oral or written, from the individual requesting individually identifiable health information are a condition of disclosure, the agency must obtain such documentation or representations prior to disclosing the requested information.
When the person requesting individually identifying health information is a public official, or a person acting on behalf of a public official, the following procedures may be followed:
- If the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status is sufficient.
- If the request is made in writing, the request should be on the appropriate government letterhead.
- If the request is made by a person who is acting on behalf of a public official, a written statement on appropriate government letterhead that the person is acting under the government’s authority or other evidence or documentation of the agency, such as a contract for services, Memorandum of Understanding, or purchase order, that establishes that the person is acting on behalf of a public official.
Verification of the authority of a public official or a person acting on behalf of a public official may be managed in the following manner:
- A written statement of the legal authority under which the information is requested, or if a written statement would be impracticable, an oral statement of such legal authority; or
- A request made pursuant to legal process, a warrant, subpoena, order, or other legal process issued by a grand jury or a judicial or administrative tribunal is presumed to constitute legal authority.
Agencies must establish procedures for disclosing individually identifiable health information that is required by law.
Such procedures may include the establishment of a data use agreement that verifies the entity that will be receiving the confidential information (see DHHS Privacy Policy Use and Disclosure Policies, De-Identification of Health Information and Limited Data Sets for requirements for a data use agreement).
Disclosures to the HHS Secretary for compliance purposes require the agency to verify the identity of the requestor and their authority to access such individually identifiable health information, as would be required for any other law enforcement or oversight agency request for disclosure.
Exception: If there is an imminent threat to safety, it is permissible to disclose confidential health information to prevent or lessen a serious or imminent threat to the health or safety of a person or the public if disclosure is made to a person reasonably able to prevent or lessen the threat. Under such circumstances, reasonable reliance on verbal representations is acceptable.
Agencies are required to verify the identity of anyone who is acting on behalf of a client or who is assisting in an individual’s care before disclosing individually identifying health information. The client must identify anyone whom the client has authorized to receive the client’s individually identifiable health information.
Incidental to an Otherwise Permitted Use and Disclosure
Certain incidental uses and disclosures are permitted if they occur as a by-product of another permissible or required use or disclosure.
Such uses and disclosures must be secondary in nature, must be ones that cannot reasonably be prevented, must be limited in nature, and must occur as a result of another use or disclosure that is permitted by the HIPAA Privacy Rule. For example, if a client is in an examining room and overhears a doctor talking to another client about his treatment, this would constitute incidental access to the health information being discussed.
- Incidental use and disclosure is permitted only if the underlying use and disclosure DOES NOT violate the HIPAA Privacy Rule.
- Reasonable safeguards that have taken into account the size of the agency, the nature of information it holds, any potential risks to clients’ privacy, and potential effects on clients’ care and treatment must be in place to limit the instances of incidental use and disclosure.
- An incidental disclosure is not an accidental disclosure and does not have to be accounted for in the accounting of disclosures logs.
Another incidental type of disclosure that is permitted involves visitors who are viewing an agency’s business processes that contain individually identifiable health information.
Whenever a DHHS agency allows another entity to inspect its business processes that contain individually identifiable health information (e.g., demonstration of agency’s software system), the agency is incidentally disclosing individually identifying health information without authorization and without statutory authority. Since such access to individually identifying health information is secondary to the purpose for which the visiting entity is inspecting the business process and since disclosure of such individually identifying health information cannot reasonably be prevented and is limited in nature, the agency shall demonstrate a good faith effort to keep individually identifying health information secure by informing visitors of confidentiality requirements and by requiring each visitor to sign a DHHS Pledge of Confidentiality form. Agencies must ensure that no individually identifiable health information leaves the agency premises in any documents or data.
Limited Data Set (Research, Public Health or Health Care Operations)
A subset of paper or electronic records containing individually identifiable health information that excludes those elements that could identify a client may be disclosed to a recipient who has entered into a data use agreement with a DHHS agency. A limited data set may be used or disclosed only for the purposes of:
- Research;
- Public health; or
- Health care operations.
A limited data set requires that all direct identifiers be removed not only for the client, but also for the client’s relatives, employers, or household members. (See DHHS Privacy Policy, De-Identification of Health Information and Limited Data Sets for a list of required identifying data elements and the requirements for creating a limited data set and a data use agreement.)
Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of individually identifiable health information.
De-identified information that has been re-identified shall be disclosed only as permitted in DHHS policies.
DHHS covered health care components may create a limited data set or may allow their business associate to create a limited data set; however, the component’s business associate(s) may not disclose information in a limited data set without the DHHS agency’s approval.
Other State and Federal Laws
DHHS agencies are required to evaluate state and other federal laws that apply to their programs to determine whether there is a requirement conflict between specific laws and to determine which state or federal law is the more stringent, thereby taking precedence for requirements. Agency procedures must reflect implementation requirements of the state and federal laws with which the agency must comply.
News Media
DHHS agencies must develop procedures for responding to requests for disclosure of individually identifiable health information to the news media. The DHHS Public Affairs Office is generally responsible for responding to the news media for agencies within the Department; therefore, agency procedures must ensure staff is knowledgeable about actions to be taken in responding to inquiries from the news media. (See DHHS Communications Policy DHHS Media Training Manual for the Department’s requirements when responding to the media.)
References: DHHS Directive III-11; 45 CFR 164.502, 164.504, 164.506, 164.508, 164.510, 164.512, 164.514; APSM 45-3; NCGS 7B-301, 90-21.20, 122C, 122C-53(b), 130A-101, 130A-115, 130A-135, 130A-137, 130A-144(b), 130A-209, 130A-373, 130A-385, 130A-476; NCGS Article 6, Chapter 108A
For Relevant Forms:
Pledge of Confidentiality Form
For questions or clarification on any of the information contained in this policy, please contact the DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.


