Policy Summary
The HIPAA Privacy Rule does not require that patients provide written or verbal authorization prior to some uses or disclosures of their protected health information. UW-Madison follows HIPAA regulations regarding when patient authorization, written or verbal, is not required prior to certain uses or disclosures of their protected health information.
Policy Detail
Note that special rules apply to records or information concerning HIV status, substance abuse treatment and mental health. Unless otherwise specified, the information below applies to general treatment records and information (i.e. excludes HIV status, substance abuse treatment and mental health). Contact the HIPAA Privacy Officer or the UW Office of Legal Affairs for more information.
Under the HIPAA Privacy Rule, the following uses and disclosures do not require obtaining patient authorization or providing the patient with an opportunity to agree or object to the use or disclosure:
- Use for Treatment, Payment, or Health Care Operations.
Use of PHI for treatment, payment, or health care operations (as defined above), within the UW HCC or the UW ACE, does not require patient authorization or providing the patient an opportunity to agree or to object.
Except for uses for treatment, these uses are subject to the minimum necessary standard (see UW-109 Minimum Necessary Standard).
- Disclosure for Treatment, Payment, and Health Care Operations
- PHI concerning HIV test results and substance abuse treatment does require written patient authorization for disclosure or release.
- PHI may be disclosed without patient authorization or providing an opportunity to agree or to object in the following situations:
- PHI may be disclosed by an individual within the UW HCC or UW ACE for its own treatment activities. In addition, PHI may be disclosed to another health care provider for its treatment activities.
- PHI may be disclosed by an individual within the UW HCC or UW ACE for its own payment activities. In addition, PHI may be disclosed to another covered entity (e.g., health care provider or health plan) for that entity’s payment activities.
- PHI may be disclosed by an individual within the UW HCC or UW ACE for certain health care operations of another health care provider or health plan, if the other provider or health plan also has a relationship with the patient who is the subject of the PHI. Health care operations include teaching/training, conducting quality assessment and improvement activities and reviewing the competence or qualifications of health care professionals.
- It is not required that disclosures for treatment, payment, and health care operations be included in the accounting of disclosures (see UW-119 Requests by Patients for an Accounting of Certain Disclosures).
- The minimum necessary standard does not apply to disclosures for treatment purposes to other health care providers, but does apply to the other disclosures listed in this section “II” (see UW-109 Minimum Necessary Standard).
- Other Uses and Disclosures That Do Not Require Patient Authorization or Patient Opportunity to Agree or Object
- Uses and Disclosures Required by Law
(Note: the minimum necessary standard does not apply to uses and disclosures required by law.)
- In response to a court order (may disclose only the PHI expressly authorized by such order, and may include HIV status, substance abuse treatment or mental health).
- In response to a written request by a federal or state agency to perform a legally authorized function, such as management audits, financial audits, program monitoring and evaluation, and investigation of patient complaints.
- In response to a request by a county agency or other investigating agency for investigation of elder abuse or by a county protective services agency for investigation of suspected abuse of a vulnerable adult.
- In response to a request by the designated protection and advocacy agency for the purpose of protecting and advocating the rights of a person with developmental disability or mental illness.
- To a county department, a sheriff or police department or a district attorney for purposes of reporting suspected child abuse.
- In response to a request by a county department, a sheriff or police department or a district attorney for purposes of investigating suspected child abuse/neglect or for purposes of prosecution of alleged child abuse/neglect, if the person conducting the investigation or prosecution identifies the subject of the record by name.
- To a school district employee or agent, if the employee or agent has responsibility for preparation or storage of patient health care records or if access to the patient health care records is a requirement of state or federal law.
- To the Department of Health Services or to a sheriff, police department or district attorney for investigation of death of patients related to the uses of physical restraints or psychotropic medications or suicides.
- To a coroner, deputy coroner, medical examiner, or medical examiner assistant for purposes of completing a death certificate.
- To a funeral director for medical certification of cause of death on death certificate.
- To a coroner, deputy coroner, medical examiner or medical examiner assistant for purposes of reporting and investigating deaths which are unexplained, unusual or suspicious, homicides, suicides, deaths following an abortion, deaths due to poisoning, and deaths following accidents.
- To the appropriate organ procurement organization, disclosure may be made regarding patient deaths.
- To the police department or county sheriff’s office, disclosure must be made regarding gunshot wounds, any wound if there is reasonable cause to believe that wound occurred as the result of a crime, and burns if there is reasonable cause to believe that the burn occurred as a result of a crime.
- To the local health officer or to the Department of Health Services, disclosure may be made regarding:
- Communicable disease cases and deaths (including all reportable conditions listed in Chapter HFS 145, Appendix A);
- Sexually transmitted disease cases;
- Sexually transmitted disease cases in which there has been cessation or refusal of treatment.
- To the state epidemiologist, disclosure may be made regarding positive HIV test results and persons significantly exposed.
- To the Wisconsin Department of Health Services, disclosure may be made regarding:
- Birth defects;
- Lead poisoning cases;
- Induced abortions;
- Cancer and precancerous cases;
- Deaths of patients admitted to any facility or unit providing treatment of alcoholic, drug dependent, mentally ill or developmentally disabled persons for which there is reasonable cause to believe that the death was related to the use of physical restraint or a psychotropic medication or that the death was a suicide; and
- Caregiver misconduct.
- To the U.S. Food and Drug Administration, disclosure may be made regarding adverse device and drug events.
- To a Worker’s Compensation carrier for a person who has filed a Worker’s Compensation claim.
- Uses and Disclosures Permitted by Law
(Note: the minimum necessary standard applies to the following uses and disclosures.)
- To the Wisconsin Department of Transportation, disclosure may be made regarding impaired drivers (report must be made by a physician).
- To law enforcement officials (or another person reasonably able to prevent or lessen the threat), disclosure may be made regarding serious or imminent threats to the health or safety of a person or the public.
- To researchers if the IRB has granted a waiver of authorization.
- To a prisoner’s health care provider, the medical staff of a prison or jail in which a prisoner is confined, or the receiving institution intake staff at a prison or jail to which a prisoner is being transferred.
- The disclosures of PHI in the categories listed above in I. and II., including verbal disclosures, must be included in an accounting of disclosures, if requested by a patient (see UW-119 Requests by Patients for an Accounting of Certain Disclosures).
- Contact the UW-Madison Privacy Officer with questions about the need for patient authorization for other types of disclosures.
Consequences for Non-Compliance
Failing to comply with this policy may result in discipline for the individual(s) responsible for such non-compliance.
Further, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s non-compliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into Corrective Action Plans and Resolution Agreements. Failures to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.
Supporting Tools
Additional information may be found at www.compliance.wisc.edu/hipaa.