Health Care Availability and Access Committee
Adopted in House Comm. on Mar 03, 2004
|
|||||||
| |||||||
| |||||||
1 | AMENDMENT TO HOUSE BILL 4059
| ||||||
2 | AMENDMENT NO. ______. Amend House Bill 4059, AS AMENDED, in | ||||||
3 | Section 5, Sec. 367.4, by replacing all of subsections (b) | ||||||
4 | through (f) with the following:
| ||||||
5 | " Summary health information" means information that may be
| ||||||
6 | individually identifiable health information and
(i) that | ||||||
7 | summarizes the claims history, claims expenses, or type of
| ||||||
8 | claims experienced by individuals for whom a plan sponsor has | ||||||
9 | provided
health benefits under a group health plan and
(ii) | ||||||
10 | from which the information described in subdivision (d)(2)(i)
| ||||||
11 | has been deleted, except that the geographic information | ||||||
12 | described in
subdivision (d)(2)(i)(B) need only be aggregated | ||||||
13 | to the level of a 5-digit zip code.
| ||||||
14 | (b) Except as otherwise
provided in this subsection, a | ||||||
15 | group health plan, in order
to disclose protected health | ||||||
16 | information to the plan sponsor or to
provide for or permit the | ||||||
17 | disclosure of protected health information to
the plan sponsor | ||||||
18 | by a health insurance issuer or health maintenance organization | ||||||
19 | with respect to the
group health plan, must ensure that the | ||||||
20 | plan documents restrict uses and
disclosures of such | ||||||
21 | information by the plan sponsor consistent with the
| ||||||
22 | requirements of this Section. | ||||||
23 | The group health plan, or a health insurance issuer or | ||||||
24 | health maintenance organization with
respect to the group | ||||||
25 | health plan, shall disclose summary health
information to the | ||||||
26 | plan sponsor if the plan sponsor requests the
summary health |
| |||||||
| |||||||
1 | information for the purpose of (i) obtaining premium bids from | ||||||
2 | health plans for providing health
insurance coverage under the | ||||||
3 | group health plan or (ii) modifying, amending, or terminating | ||||||
4 | the group health plan. | ||||||
5 | The plan documents of the group health plan must be amended | ||||||
6 | to
incorporate provisions to do the following: | ||||||
7 | (1) Establish the permitted and required uses and | ||||||
8 | disclosures of
such information by the plan sponsor, | ||||||
9 | provided that such permitted and
required uses and | ||||||
10 | disclosures may not be inconsistent with this Section. | ||||||
11 | (2) Provide that the group health plan will disclose | ||||||
12 | protected
health information to the plan sponsor only upon | ||||||
13 | receipt of a
certification by the plan sponsor that the | ||||||
14 | plan documents have been
amended to incorporate the | ||||||
15 | following provisions and that the plan
sponsor agrees to: | ||||||
16 | (A) Not use or further disclose the information | ||||||
17 | other than as
permitted or required by the plan | ||||||
18 | documents or as required by law. | ||||||
19 | (B) Ensure that any agents, including a | ||||||
20 | subcontractor, to whom it
provides protected health | ||||||
21 | information received from the group health
plan agree | ||||||
22 | to the same restrictions and conditions that apply to | ||||||
23 | the
plan sponsor with respect to such information. | ||||||
24 | (C) Not use or disclose the information for | ||||||
25 | employment-related
actions and decisions or in | ||||||
26 | connection with any other benefit or
employee benefit | ||||||
27 | plan of the plan sponsor. | ||||||
28 | (D) Report to the group health plan any use or | ||||||
29 | disclosure of the
information that is inconsistent | ||||||
30 | with the uses or disclosures provided
for of which it | ||||||
31 | becomes aware. | ||||||
32 | (E) Make available protected health information. | ||||||
33 | (F) Make available protected health information | ||||||
34 | for amendment, and
incorporate any amendments to |
| |||||||
| |||||||
1 | protected health information. | ||||||
2 | (G) Make available the information required to | ||||||
3 | provide an accounting
of disclosures. | ||||||
4 | (H) Make its internal practices, books, and | ||||||
5 | records relating to the
use and disclosure of protected | ||||||
6 | health information received from the
group health plan | ||||||
7 | available to the Director for purposes of determining
| ||||||
8 | compliance by the group health plan with this Section. | ||||||
9 | (I) If feasible, return or destroy all protected | ||||||
10 | health information
received from the group health plan | ||||||
11 | that the sponsor still maintains in
any form and retain | ||||||
12 | no copies of such information when no longer needed
for | ||||||
13 | the purpose for which disclosure was made, except that, | ||||||
14 | if such
return or destruction is not feasible, limit | ||||||
15 | further uses and
disclosures to those purposes that | ||||||
16 | make the return or destruction of the
information | ||||||
17 | infeasible. | ||||||
18 | (J) Ensure that the adequate separation required | ||||||
19 | in paragraph
(3) is established. | ||||||
20 | (3) Provide for adequate separation between the group | ||||||
21 | health plan
and the plan sponsor. The plan documents must | ||||||
22 | do the following: | ||||||
23 | (A) Describe those employees or classes of | ||||||
24 | employees or other
persons under the control of the | ||||||
25 | plan sponsor to be given access to the
protected health | ||||||
26 | information to be disclosed, provided that any | ||||||
27 | employee
or person who receives protected health | ||||||
28 | information relating to payment
under, health care | ||||||
29 | operations of, or other matters pertaining to the
group | ||||||
30 | health plan in the ordinary course of business must be | ||||||
31 | included in
such description. | ||||||
32 | (B) Restrict the access to and use by such | ||||||
33 | employees and other
persons described in subparagraph | ||||||
34 | (A) of this paragraph (3) to the
plan administration |
| |||||||
| |||||||
1 | functions that the plan sponsor performs for the
group | ||||||
2 | health plan. | ||||||
3 | (C) Provide an effective mechanism for resolving | ||||||
4 | any issues of
noncompliance by persons described in | ||||||
5 | subparagraph (A) of this paragraph (3) with the plan | ||||||
6 | document provisions required by this subsection.
| ||||||
7 | (c) Standard: de-identification of protected health | ||||||
8 | information.
Health information that does not identify an | ||||||
9 | individual and with respect
to which there is no reasonable | ||||||
10 | basis to believe that the information
can be used to identify | ||||||
11 | an individual is not individually identifiable
health | ||||||
12 | information. | ||||||
13 | (d) Implementation specifications: requirements for de-
| ||||||
14 | identification of protected health information. A covered | ||||||
15 | entity may
determine that health information is not | ||||||
16 | individually identifiable
health information only if: | ||||||
17 | (1) A person with appropriate knowledge of and | ||||||
18 | experience with
generally accepted statistical and | ||||||
19 | scientific principles and methods for
rendering | ||||||
20 | information not individually identifiable: | ||||||
21 | (A) Applying such principles and methods, | ||||||
22 | determines that the risk
is very small that the | ||||||
23 | information could be used, alone or in
combination with | ||||||
24 | other reasonably available information, by an
| ||||||
25 | anticipated recipient to identify an individual who is | ||||||
26 | a subject of the
information; and | ||||||
27 | (B) Documents the methods and results of the | ||||||
28 | analysis that justify
such determination; or | ||||||
29 | (2)(i) The following identifiers of the individual or | ||||||
30 | of relatives,
employers, or household members of the | ||||||
31 | individual, are removed: | ||||||
32 | (A) Names; | ||||||
33 | (B) All geographic subdivisions smaller than a | ||||||
34 | State, including
street address, city, county, |
| |||||||
| |||||||
1 | precinct, zip code, and their equivalent
geocodes, | ||||||
2 | except for the initial 3 digits of a zip code if,
| ||||||
3 | according to the current publicly available data from | ||||||
4 | the Bureau of the
Census: | ||||||
5 | (i) The geographic unit formed by combining | ||||||
6 | all zip codes with the
same 3 initial digits | ||||||
7 | contains more than 20,000 people; and
| ||||||
8 | (ii) The initial 3 digits of a zip code for all | ||||||
9 | such geographic
units containing 20,000 or fewer | ||||||
10 | people is changed to 000; | ||||||
11 | (C) All elements of dates (except year) for dates | ||||||
12 | directly related
to an individual, including birth | ||||||
13 | date, admission date, discharge date,
date of death; | ||||||
14 | and all ages over 89 and all elements of dates | ||||||
15 | (including
year) indicative of such age, except that | ||||||
16 | such ages and elements may be
aggregated into a single | ||||||
17 | category of age 90 or older; | ||||||
18 | (D) Telephone numbers; | ||||||
19 | (E) Fax numbers;
| ||||||
20 | (F) Electronic mail addresses; | ||||||
21 | (G) Social security numbers; | ||||||
22 | (H) Medical record numbers; | ||||||
23 | (I) Health plan beneficiary numbers; | ||||||
24 | (J) Account numbers; | ||||||
25 | (K) Certificate/license numbers; | ||||||
26 | (L) Vehicle identifiers and serial numbers, | ||||||
27 | including license plate
numbers; | ||||||
28 | (M) Device identifiers and serial numbers; | ||||||
29 | (N) Web Universal Resource Locators (URLs); | ||||||
30 | (O) Internet Protocol (IP) address numbers; | ||||||
31 | (P) Biometric identifiers, including finger and | ||||||
32 | voice prints; | ||||||
33 | (Q) Full face photographic images and any | ||||||
34 | comparable images; and |
| |||||||
| |||||||
1 | (R) Any other unique identifying number, | ||||||
2 | characteristic, or code,
except as permitted by | ||||||
3 | subsection (i) of this Section; and | ||||||
4 | (ii) The covered entity does not have actual knowledge | ||||||
5 | that the
information could be used alone or in combination | ||||||
6 | with other information
to identify an individual who is a | ||||||
7 | subject of the information. | ||||||
8 | (e) Implementation specifications: re-identification. A | ||||||
9 | covered
entity may assign a code or other means of record | ||||||
10 | identification to
allow information de-identified under this | ||||||
11 | Section to be re-identified
by the covered entity, provided | ||||||
12 | that: | ||||||
13 | (1) Derivation. The code or other means of record | ||||||
14 | identification is
not derived from or related to | ||||||
15 | information about the individual and is
not otherwise | ||||||
16 | capable of being translated so as to identify the
| ||||||
17 | individual; and | ||||||
18 | (2) Security. The covered entity does not use or | ||||||
19 | disclose the code
or other means of record identification | ||||||
20 | for any other purpose, and does
not disclose the mechanism | ||||||
21 | for re-identification. | ||||||
22 | (f)(1) Standard: minimum necessary requirements. In order | ||||||
23 | to comply
with this Section, a covered entity must meet the
| ||||||
24 | requirements of subdivisions (f)(2) through (f)(5) of this | ||||||
25 | Section with
respect to a request for, or the use and | ||||||
26 | disclosure of, protected health
information. | ||||||
27 | (2) Implementation specifications: minimum necessary | ||||||
28 | uses of
protected health information. | ||||||
29 | (i) A covered entity must identify: | ||||||
30 | (A) Those persons or classes of persons, as | ||||||
31 | appropriate, in its
workforce who need access to | ||||||
32 | protected health information to carry out
their | ||||||
33 | duties; and
| ||||||
34 | (B) For each such person or class of persons, the |
| |||||||
| |||||||
1 | category or
categories of protected health information | ||||||
2 | to which access is needed and
any conditions | ||||||
3 | appropriate to such access. | ||||||
4 | (ii) A covered entity must make reasonable efforts to | ||||||
5 | limit the
access of such persons or classes identified in | ||||||
6 | subdivision (f)(2)(i)(A)
of this Section to protected | ||||||
7 | health information consistent with
subdivision | ||||||
8 | (f)(2)(i)(B) of this Section. | ||||||
9 | (3) Implementation specification: Minimum necessary | ||||||
10 | disclosures of
protected health information. | ||||||
11 | (i) For any type of disclosure that it
makes on a | ||||||
12 | routine and recurring basis, a covered entity must | ||||||
13 | implement
policies and procedures (which may be | ||||||
14 | standard protocols) that limit the
protected health | ||||||
15 | information disclosed to the amount reasonably
| ||||||
16 | necessary to achieve the purpose of the disclosure. | ||||||
17 | (ii) For all other disclosures, a covered entity | ||||||
18 | must: | ||||||
19 | (A) Develop criteria designed to limit the | ||||||
20 | protected health
information disclosed to the | ||||||
21 | information reasonably necessary to
accomplish the | ||||||
22 | purpose for which disclosure is sought; and | ||||||
23 | (B) Review requests for disclosure on an | ||||||
24 | individual basis in
accordance with such criteria. | ||||||
25 | (iii) A covered entity may rely, if such reliance | ||||||
26 | is reasonable
under the circumstances, on a requested | ||||||
27 | disclosure as the minimum
necessary for the stated | ||||||
28 | purpose when: | ||||||
29 | (A) Making disclosures to public officials, if | ||||||
30 | the public official represents that the | ||||||
31 | information
requested is the minimum necessary for | ||||||
32 | the stated purpose or purposes; | ||||||
33 | (B) The information is requested by another | ||||||
34 | covered entity; |
| |||||||
| |||||||
1 | (C) The information is requested by a | ||||||
2 | professional who is a member
of its workforce or is | ||||||
3 | a business associate of the covered entity for
the | ||||||
4 | purpose of providing professional services to the | ||||||
5 | covered entity, if
the professional represents | ||||||
6 | that the information requested is the
minimum | ||||||
7 | necessary for the stated purpose or purposes; or | ||||||
8 | (D) Documentation or representations that | ||||||
9 | comply with the applicable
requirements have been | ||||||
10 | provided by a person
requesting the information | ||||||
11 | for research purposes. | ||||||
12 | (4) Implementation specifications: Minimum necessary | ||||||
13 | requests for
protected health information. | ||||||
14 | (i) A covered entity must limit any
request for | ||||||
15 | protected health information to that which is | ||||||
16 | reasonably
necessary to accomplish the purpose for | ||||||
17 | which the request is made,
when requesting such | ||||||
18 | information from other covered entities. | ||||||
19 | (ii) For a request that is made on a routine and | ||||||
20 | recurring basis, a
covered entity must implement | ||||||
21 | policies and procedures (which may be
standard | ||||||
22 | protocols) that limit the protected health information
| ||||||
23 | requested to the amount reasonably necessary to | ||||||
24 | accomplish the purpose
for which the request is made. | ||||||
25 | (iii) For all other requests, a covered entity | ||||||
26 | must: | ||||||
27 | (A) Develop criteria designed to limit the | ||||||
28 | request for protected
health information to the | ||||||
29 | information reasonably necessary to accomplish
the | ||||||
30 | purpose for which the request is made; and | ||||||
31 | (B) Review requests for disclosure on an | ||||||
32 | individual basis in
accordance with such criteria. | ||||||
33 | (5) Implementation specification: Other content | ||||||
34 | requirement. For all
uses, disclosures, or requests to |
| |||||||
| |||||||
1 | which the requirements in this subsection
(f) apply, a | ||||||
2 | covered entity may not use, disclose, or
request an entire | ||||||
3 | medical record, except when the entire medical record
is | ||||||
4 | specifically justified as the amount that is reasonably | ||||||
5 | necessary to
accomplish the purpose of the use, disclosure, | ||||||
6 | or request. | ||||||
7 | (g)(1) Standard: Limited data set. A covered entity may use | ||||||
8 | or
disclose a limited data set that meets the requirements of | ||||||
9 | subdivisions
(g)(2) and (g)(3) of this Section if the covered | ||||||
10 | entity enters into a
data use agreement with the limited data | ||||||
11 | set recipient in accordance
with subdivision (g)(4) of this | ||||||
12 | Section. | ||||||
13 | (2) Implementation specification: Limited data set. A | ||||||
14 | limited data
set is protected health information that | ||||||
15 | excludes the following direct
identifiers of the | ||||||
16 | individual or of relatives, employers, or household
| ||||||
17 | members of the individual: | ||||||
18 | (i) Names; | ||||||
19 | (ii) Postal address information, other than town | ||||||
20 | or city, State, and
zip code;
| ||||||
21 | (iii) Telephone numbers; | ||||||
22 | (iv) Fax numbers;
| ||||||
23 | (v) Electronic mail addresses; | ||||||
24 | (vi) Social security numbers; | ||||||
25 | (vii) Medical record numbers; | ||||||
26 | (viii) Health plan beneficiary numbers; | ||||||
27 | (ix) Account numbers; | ||||||
28 | (x) Certificate/license numbers; | ||||||
29 | (xi) Vehicle identifiers and serial numbers, | ||||||
30 | including license plate
numbers; | ||||||
31 | (xii) Device identifiers and serial numbers; | ||||||
32 | (xiii) Web Universal Resource Locators (URLs); | ||||||
33 | (xiv) Internet Protocol (IP) address numbers; | ||||||
34 | (xv) Biometric identifiers, including finger and |
| |||||||
| |||||||
1 | voice prints; and | ||||||
2 | (xvi) Full face photographic images and any | ||||||
3 | comparable images. | ||||||
4 | (3) Implementation specification: Permitted purposes | ||||||
5 | for uses and
disclosures. | ||||||
6 | (i) A covered entity may use or disclose a limited | ||||||
7 | data set
under subdivision (g)(1) of this Section only | ||||||
8 | for the purposes of
research, public health, or health | ||||||
9 | care operations. | ||||||
10 | (ii) A covered entity may use protected health | ||||||
11 | information to create
a limited data set that meets the | ||||||
12 | requirements of subdivision (g)(2) of
this Section, or | ||||||
13 | disclose protected health information only to a
| ||||||
14 | business associate for such purpose, whether or not the | ||||||
15 | limited data set
is to be used by the covered entity. | ||||||
16 | (4) Implementation specifications: Data use agreement. | ||||||
17 | (i)
Agreement required. A covered entity may use or | ||||||
18 | disclose a limited data
set under subdivision (g)(1) of | ||||||
19 | this Section only if the covered entity
obtains | ||||||
20 | satisfactory assurance, in the form of a data use | ||||||
21 | agreement that
meets the requirements of this Section, | ||||||
22 | that the limited data set
recipient will only use or | ||||||
23 | disclose the protected health information for
limited | ||||||
24 | purposes. | ||||||
25 | (ii) Contents. A data use agreement between the | ||||||
26 | covered entity and
the limited data set recipient must: | ||||||
27 | (A) Establish the permitted uses and | ||||||
28 | disclosures of such information
by the limited | ||||||
29 | data set recipient, consistent with subdivision | ||||||
30 | (g)(3) of
this Section. The data use agreement may | ||||||
31 | not authorize the limited data
set recipient to use | ||||||
32 | or further disclose the information in a manner
| ||||||
33 | that would violate the requirements of this | ||||||
34 | subpart, if done by the
covered entity; |
| |||||||
| |||||||
1 | (B) Establish who is permitted to use or | ||||||
2 | receive the limited data
set; and | ||||||
3 | (C) Provide that the limited data set | ||||||
4 | recipient will: | ||||||
5 | (1) Not use or further disclose the | ||||||
6 | information other than as
permitted by the data | ||||||
7 | use agreement or as otherwise required by law; | ||||||
8 | (2) Use appropriate safeguards to prevent | ||||||
9 | use or disclosure of the
information other than | ||||||
10 | as provided for by the data use agreement; | ||||||
11 | (3) Report to the covered entity any use or | ||||||
12 | disclosure of the
information not provided for | ||||||
13 | by its data use agreement of which it
becomes | ||||||
14 | aware; | ||||||
15 | (4) Ensure that any agents, including a | ||||||
16 | subcontractor, to whom it
provides the limited | ||||||
17 | data set agrees to the same restrictions and
| ||||||
18 | conditions that apply to the limited data set | ||||||
19 | recipient with respect to
such information; | ||||||
20 | and | ||||||
21 | (5) Not identify the information or | ||||||
22 | contact the individuals. | ||||||
23 | (iii) Compliance. | ||||||
24 | (A) A covered entity is not in compliance with | ||||||
25 | the
standards in this subsection (g) if the covered | ||||||
26 | entity knew of
a pattern of activity or practice of | ||||||
27 | the limited data set recipient that
constituted a | ||||||
28 | material breach or violation of the data use | ||||||
29 | agreement,
unless the covered entity took | ||||||
30 | reasonable steps to cure the breach or
end the | ||||||
31 | violation, as applicable, and, if such steps were | ||||||
32 | unsuccessful: | ||||||
33 | (1) Discontinued disclosure of protected | ||||||
34 | health information to the
recipient; and |
| |||||||
| |||||||
1 | (2) Reported the problem to the Secretary. | ||||||
2 | (B) A covered entity that is a limited data set | ||||||
3 | recipient and
violates a data use agreement will be | ||||||
4 | in noncompliance with the
standards, | ||||||
5 | implementation specifications, and requirements of | ||||||
6 | this subsection
(g). | ||||||
7 | (h)(1) Standard: Uses and disclosures for fundraising. A | ||||||
8 | covered
entity may use, or disclose to a business associate or | ||||||
9 | to an
institutionally related foundation, the following | ||||||
10 | protected health
information for the purpose of raising funds | ||||||
11 | for its own benefit,
without an authorization meeting | ||||||
12 | requirements adopted by the Department: | ||||||
13 | (i) Demographic information relating to an | ||||||
14 | individual; and | ||||||
15 | (ii) Dates of health care provided to an | ||||||
16 | individual. | ||||||
17 | (2) Implementation specifications: Fundraising | ||||||
18 | requirements. | ||||||
19 | (i) The
covered entity may not use or disclose | ||||||
20 | protected health information for
fundraising purposes | ||||||
21 | as otherwise permitted by subdivision (h)(1) of this
| ||||||
22 | Section. | ||||||
23 | (ii) The covered entity must include in any | ||||||
24 | fundraising materials it
sends to an individual under | ||||||
25 | this paragraph a description of how the
individual may | ||||||
26 | opt out of receiving any further fundraising
| ||||||
27 | communications. | ||||||
28 | (iii) The covered entity must make reasonable | ||||||
29 | efforts to ensure that
individuals who decide to opt | ||||||
30 | out of receiving future fundraising
communications are | ||||||
31 | not sent such communications. | ||||||
32 | (i) Standard: Uses and disclosures for underwriting and | ||||||
33 | related
purposes. If a health plan receives protected heath | ||||||
34 | information for the
purpose of underwriting, premium rating, or |
| |||||||
| |||||||
1 | other activities relating to
the creation, renewal, or | ||||||
2 | replacement of a contract of health insurance
or health | ||||||
3 | benefits, and if such health insurance or health benefits are
| ||||||
4 | not placed with the health plan, such health plan may not use | ||||||
5 | or
disclose such protected health information for any other | ||||||
6 | purpose, except
as may be required by law. | ||||||
7 | (j)(1) Standard: Verification requirements. Prior to any | ||||||
8 | disclosure
permitted by this Section, a covered entity must: | ||||||
9 | (i) Verify
the identity of a person requesting | ||||||
10 | protected health information and the
authority of any | ||||||
11 | such person to have access to protected health
| ||||||
12 | information under this Section, if the identity or any | ||||||
13 | such authority of
such person is not known to the | ||||||
14 | covered entity; and | ||||||
15 | (ii) Obtain any documentation, statements, or | ||||||
16 | representations,
whether oral or written, from the | ||||||
17 | person requesting the protected health
information | ||||||
18 | when such documentation, statement, or representation | ||||||
19 | is a
condition of the disclosure under this Section. | ||||||
20 | (2) Implementation specifications: Verification. | ||||||
21 | (i) Conditions on
disclosures. If a disclosure is | ||||||
22 | conditioned by this subpart on
particular | ||||||
23 | documentation, statements, or representations from the | ||||||
24 | person
requesting the protected health information, a | ||||||
25 | covered entity may rely,
if such reliance is reasonable
| ||||||
26 | under the circumstances, on documentation, statements, | ||||||
27 | or
representations that, on their face, meet the | ||||||
28 | applicable requirements. | ||||||
29 | (ii) Identity of public officials. A covered | ||||||
30 | entity may rely, if
such reliance is reasonable under | ||||||
31 | the circumstances, on any of the
following to verify | ||||||
32 | identity when the disclosure of protected health
| ||||||
33 | information is to a public official or a person acting | ||||||
34 | on behalf of the
public official: |
| |||||||
| |||||||
1 | (A) If the request is made in person, | ||||||
2 | presentation of an agency
identification badge, | ||||||
3 | other official credentials, or other proof of
| ||||||
4 | government status; | ||||||
5 | (B) If the request is in writing, the request | ||||||
6 | is on the appropriate
government letterhead; or | ||||||
7 | (C) If the disclosure is to a person acting on | ||||||
8 | behalf of a public
official, a written statement on | ||||||
9 | appropriate government letterhead that
the person | ||||||
10 | is acting under the government's authority or | ||||||
11 | other evidence
or documentation of agency, such as | ||||||
12 | a contract for services, memorandum
of | ||||||
13 | understanding, or purchase order, that establishes | ||||||
14 | that the person is
acting on behalf of the public | ||||||
15 | official. | ||||||
16 | (iii) Authority of public officials. A covered | ||||||
17 | entity may rely, if
such reliance is reasonable under | ||||||
18 | the circumstances, on any of the
following to verify | ||||||
19 | authority when the disclosure of protected health
| ||||||
20 | information is to a public official or a person acting | ||||||
21 | on behalf of the
public official: | ||||||
22 | (A) A written statement of the legal authority | ||||||
23 | under which the
information is requested, or, if a | ||||||
24 | written statement would be
impracticable, an oral | ||||||
25 | statement of such legal authority; | ||||||
26 | (B) If a request is made pursuant to legal | ||||||
27 | process, warrant,
subpoena, order, or other legal | ||||||
28 | process issued by a grand jury or a
judicial or | ||||||
29 | administrative tribunal is presumed to constitute | ||||||
30 | legal
authority. | ||||||
31 | (iv) Exercise of professional judgment. The | ||||||
32 | verification
requirements of this subsection (n) are | ||||||
33 | met if the covered entity relies on
the exercise of | ||||||
34 | professional judgment in making a use or disclosure or |
| |||||||
| |||||||
1 | acts on a good faith belief in making a
disclosure. ".
|