Opportunity to agree or object to the disclosure of PHI (Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object).
Treatment, payment, and healthcare operations.Disclosure to the individual (if the information is required for access or accounting of disclosures, the entity MUST disclose to the individual).Top of Page Permitted Uses and DisclosuresĪ covered entity is permitted, but not required, to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: These functions, activities, or services include claims processing, data analysis, utilization review, and billing. Business associates: A person or organization (other than a member of a covered entity’s workforce) using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity.In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate. Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa.Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity.Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans. Health plans include health, dental, vision, and prescription drug insurers health maintenance organizations (HMOs) Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans: Entities that provide or pay the cost of medical care.These transactions include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule. Healthcare providers: Every healthcare provider, regardless of size of practice, who electronically transmits health information in connection with certain transactions.The following types of individuals and organizations are subject to the Privacy Rule and considered covered entities: