Basic Rule

Under HIPAA's Privacy Rule, covered research entities—and organizations that use or disclose individually identifiable health information from or on behalf of a covered entity—may use or disclose PHI only when this use or disclosure has been authorized by the individual, obtained under a waiver of authorization, or provided through the use of a limited data set.[6] If the researcher is not a covered entity, he or she may still be affected by the Privacy Rule because he or she may not be able to obtain information from a covered entity unless these conditions are met. Furthermore, the Privacy Rule imposes a minimum necessary requirement on most uses and disclosures of PHI by a covered entity—that is, instead of using or disclosing all possible PHI, a covered entity may use or disclose only the PHI that is reasonably necessary to accomplish the purpose for which it is being used.[7]

Covered entities that fail to comply with the Privacy Rule may be subject to civil monetary penalties, criminal monetary penalties, and/or imprisonment. Notably, individually identifiable health information that is held by anyone other than a covered entity is not considered to be PHI and may be used or disclosed without regard to the Privacy Rule, although other applicable federal or state laws and regulations may limit the use or disclosure of such information.[5]
