HIPAA Policy Section 4.8: Review of Requests for Use or Disclosure Requiring Approval by the Privacy Officer
System may Use or Disclose PHI only if such Use or Disclosure is permissible under the HIPAA Privacy Standards. Unless a Use or Disclosure is categorized as “routine” under Section 4.4(1) or exempt under Section 4.4(2) of this Policy, a request for Use or Disclosure must be approved by the Privacy Officer.
4.8(1) Review of Intended Use or Disclosure of PHI
- Upon notification of an intended Use or Disclosure of PHI that is not deemed routine, the Privacy Officer shall determine if the information to be Used or Disclosed is PHI. If the information is PHI, the Privacy Officer shall determine whether the intended Use or Disclosure is a required Disclosure in accordance with Section 4.3 of this Policy or a permissible Use or Disclosure in accordance with Section 4.4 of this Policy or some other provision of this Manual.
- Upon a determination by the Privacy Officer that System must make a required Disclosure or Use, the Privacy Officer or a designee shall communicate the determination to the Individual who requested it.
- If the determination is not required, the Privacy Officer shall make a determination as to the requested Use or Disclosure as required by this Manual, System Administration’s applicable policies and procedures and the HIPAA Privacy Rule. The determination shall be communicated to the requesting Individual by the Privacy Officer or a designee as soon as administratively practical.
- The communication must inform the Individual either that the Use or Disclosure can be made; or, if the information cannot be Disclosed, inform the requestor that to make such Use or Disclosure, an Authorization from each Individual who is a subject of the PHI must first be obtained.