HIPAA Policy Section 4.3: Uses and Disclosures Required by Law
System shall permit uses and disclosures of PHI without prior written authorization to the extent that such uses and disclosures are required by law and comply with and are limited to the relevant requirements of such law. All Uses and Disclosures made pursuant to this section must be in consultation with the Privacy Officer according to these procedures.
System may Use and Disclose PHI without prior written authorization to the extent that such Uses and Disclosures are required by law and comply with and are limited to the relevant requirements of such law. The Minimum Necessary Standard does not apply to Disclosures that are required by law and are made according to this Policy.
- Definition of “Required by Law.” For purposes of this Manual, the term “required by law” means a mandate contained in law that compels System to make a Use or Disclosure of PHI and is enforceable in a court of law. The term includes, but is not limited to statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.
- Mandatory versus Permissive Legal Requirements . System shall identify whether a requested Use or Disclosure is required by law and the relevant requirements of such law and comply with such requirements when Using or Disclosing PHI pursuant to that law.
System may require the requestor to provide proof that the requested information is required to be disclosed by System. If System determines that a Use or Disclosure is required by law, System shall Use or Disclose the PHI that the law requires be Used or Disclosed as requested. If System determines the requested Use or Disclosure is merely permitted, and not required, by law, System shall determine if the Use or Disclosure is permitted under another section of this Manual as a permissible Disclosure and follow all requirements set forth in that section.
- If System determines that the Use or Disclosure is not required by law and is not permitted under another section of this Manual, System must obtain an authorization from the Individual who is the subject of the PHI; ￼￼ De-identify the information before Using or Disclosing it; require the requestor to obtain the authorization of the Individual or require the requestor to provide a court order or other legal process that would authorize System to release the information.
- No Duty To Disclose. This Section does not create any duty or obligation to Use or Disclose PHI to a requestor. Rather, this Section permits System to Use or Disclose PHI when System is required by law to do so.
45 C.F.R. §§ 164.501, 164.512(a) (2001)
65 Fed. Reg. 82462, 82485, 82524-25, 82666-68 (Dec. 28, 2000); 67 Fed. Reg. 53182, 53195, 53198-99, 53208 (Aug. 14, 2002)