Disclosures of PHI as Permitted or Required by Law

From University of Nebraska Medical Center
Jump to navigation Jump to search
Human Resources   Safety/Security   Research Compliance   Compliance   Privacy/Information Security   Business Operations   Intellectual Property   Faculty

Identification Card | Secure Area Card Access | Privacy/Confidentiality | Computer Use/Electronic Information | Retention and Destruction/Disposal of Private and Confidential Information | Use and Disclosure of Protected Health Information | Notice of Privacy Practices | Access to Designated Record Set | Accounting of PHI Disclosures | Patient/Consumer Complaints | Vendors | Fax Transmissions | Psychotherapy Notes | Facility Security | Conditions of Treatment Form | Informed Consent for UNMC Media | Transporting Protected Health Information | Honest Broker | Social Security Number | Third Party Registry | Information Security Awareness and Training | Patient Privacy Investigations and Levels of Violation | Use and Disclosure of PHI for Training Health Care Professionals | Disclosures of PHI as Permitted or Required by Law | Disclosure of PHI for Law Enforcement Purposes

Policy No.: 6304
Effective Date: Draft 10/28/22
Revised Date:
Revised Date:

Policy on Disclosures of PHI as Permitted or Required by Law

Basis for Policy

To establish guidelines for the disclosure of PHI as permitted or required by law in accordance with HIPAA and University of Nebraska Medical Center (UNMC) policies.


UNMC shall disclose Protected Health Information (PHI) as permitted or required by law in accordance with the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and UNMC policies to maintain confidentiality of PHI and protect patient privacy.


Disclosures of PHI may be made without a written Individual authorization for the following purposes. Any other disclosures not described below cannot be made unless specifically authorized by another UNMC policy, the Privacy Office, or General Counsel’s office. Unless otherwise provided by UNMC Policy No. 6057, Use and Disclosure of Protected Health Information, all disclosures of PHI permitted by this policy or any other UNMC policy are limited to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. All disclosures, regardless if a written Individual authorization is required or not for any given disclosure, must be documented in the EMR. If a written Individual authorization is required, such authorization must be included in the patient’s medical record.

Disclosures required by law, to the extent the disclosure complies with and is limited to the relevant requirements of such law. Examples of these types of disclosures include:

  • reports of suspected or observed child abuse or neglect (See Nebraska Medicine policies: Reporting Abuse, Neglect or Injury policy, PE 03; Infant Drug Testing Guidelines for Providers policy, SH21, and Drug Testing Guidelines for Providers: Pregnant and Postpartum Patients policy, AD48);
  • wounds of violence” – excluding sexual assaults (See Nebraska Medicine Reporting Abuse, Neglect or Injury policy, PE 03);
  • sexual assaults involving serious bodily injury or any bodily injury inflicted by a deadly weapon (See Nebraska Medicine Reporting Abuse, Neglect or Injury policy, PE 03);
  • disclosures for judicial or administrative proceedings pursuant to a court or administrative tribunal order or subpoena;
    • In response to an order of a court or administrative tribunal, disclose only the PHI expressly authorized by such order.
    • Before responding to a subpoena, discovery request, or other lawful process that is not accompanied by an order of a court or administrative tribunal, UNMC must receive either:
      • satisfactory written assurance from the party seeking the PHI, demonstrating that:
        • The party has made a good faith attempt to give or mail notice to the Individual that a request has been made for the Individual’s PHI;
        • The notice included sufficient information about litigation or proceeding in which the PHI is requested to permit the Individual to object to the court or administrative tribunal;
        • The time to object has expired; and
        • The Individual did not file any objections with the court or administrative tribunal or the court or administrative tribunal resolved all objections and the disclosures being sought are consistent with the resolution; or
      • a written statement and accompanying documentation from the party seeking the PHI that demonstrates:
        • The party and the Individual have agreed to a QPO and presented it to the court or administrative tribunal with jurisdiction over the dispute giving rise to the request for PHI; or
        • The party has requested a QPO from the court or administrative tribunal.
    • Disclosures of PHI pursuant to either of the options above must be limited to the requested information.
    • Forward any order of a court or administrative tribunal or any subpoena, discovery request, or other lawful process that is not accompanied by an order of a court or administrative tribunal to the Health Information Management department (HIM) for processing. For urgent requests that cannot wait for HIM, contact Risk (consult Web On Call or the hospital operator to reach on-call Risk staff) or General Counsel’s office with any questions.

Disclosures may be made to the following persons/entities for the following public health activities, provided such disclosures fall within your job responsibilities:

  • to a public health authority authorized by law to collect or receive PHI for the purpose of preventing or controlling disease, injury or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death and the conduct of public health surveillance, public health investigations and public health interventions (examples of public health authorities include: state and local health departments; the Food and Drug Administration (FDA); the Centers for Disease Control and Prevention; and the Occupational Safety and Health Administration (OSHA));
  • to a person subject to the jurisdiction of the FDA with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity (examples of such purposes include: to collect or report adverse events, product defects or problems (including problems with the use or labeling of a product), or biological product deviations; to track FDA-regulated products; to enable product recalls, repairs, or replacement, or lookback (including locating and notifying Individuals who have received products that have been recalled, withdrawn, or are the subject of lookback); or, to conduct post-marketing surveillance);

to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if UNMC or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation;

  • to an employer, about an Individual who is a member of the Workforce of the employer, if:
    • UNMC provides health care to the Individual at the request of the employer:
      • to conduct an evaluation relating to medical surveillance of the workplace; or
      • to evaluate whether the Individual has a work-related illness or injury;
    • the PHI that is disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance;
    • the employer needs such findings in order to comply with its required federal reporting obligations (or similar reporting obligations under state law) to record such illness or injury or to carry out responsibilities for workplace medical surveillance; and
    • UNMC provides written notice to the Individual that PHI relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer:
      • By giving a copy of the notice to the Individual at the time the health care is provided; or
      • If the health care is provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care is provided.

Disclosures to a school, limited to proof of immunization of a student or prospective student that the school is required by law to obtain prior to admitting the Individual, and UNMC has obtained and documented agreement from the parent or legal guardian, or the Individual (if the Individual is an adult or emancipated minor). Reports of suspected abuse, neglect or domestic violence made to governmental agencies authorized by law to receive such reports (excluding reports required under the first public health bullet above (for the purpose of preventing or controlling disease, injury or disability)), provided one of the following conditions applies:

  • the Individual agrees to the disclosure; or
  • to the extent the disclosure is expressly authorized by statute or regulation and:
    • The provider, in the exercise of professional judgment, believes the disclosure is necessary to prevent serious harm to the Individual or other potential victims; or
    • If the Individual is unable to agree because of incapacity, a law enforcement or other public official authorized to receive the report represents that the PHI for which disclosure is sought is not intended to be used against the Individual and that an immediate enforcement activity that depends upon the disclosure would be materially and adversely affected by waiting until the Individual is able to agree to the disclosure.

The Individual shall be promptly informed that such a report has been or will be made, unless:

  • Staff, in the exercise of professional judgment, believes informing the Individual would place the Individual at risk of serious harm; or
  • Staff would be informing a personal representative who staff reasonably believes is responsible for the abuse, neglect, or other injury, and that informing such person would not be in the best interests of the Individual as determined by staff, in the exercise of professional judgment.

Disclosures for law enforcement purposes (see UNMC Policy No. 6304, Disclosure of PHI for Law Enforcement Purposes); Disclosures to a health oversight agency for oversight activities authorized by law, including: audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:

  • The health care system;
  • Government benefit programs for which health information is relevant to beneficiary eligibility;
  • Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
  • Entities subject to civil rights laws for which health information is necessary for determining compliance.

For purposes of this policy, a health oversight activity generally does not include an investigation or other activity in which the Individual is the subject of the investigation or activity and such investigation or other activity does not arise out of and is not directly related to:

  • The receipt of health care;
  • A claim for public benefits related to health; or
  • Qualification for, or receipt of, public benefits or services when an Individual's health is integral to the claim for public benefits or services.

Disclosure about decedents to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. Disclosures to funeral directors as required by law as necessary to carry out their duties regarding decedents. In Nebraska, funeral directors in charge of the funeral of any person who dies in Nebraska are to cause a death certificate to be filled out. That form must include a statement of the cause of death made by the physician, physician assistant, or nurse practitioner who last attended the deceased. Disclosures for cadaveric organ, eye or tissue donation to organ procurement organizations. Disclosures to prevent or lessen a serious and imminent threat to the health or safety of a person or the public consistent with applicable law, when believed in good faith to be necessary as follows:

  • to prevent or lessen a serious and imminent threat to the health or safety of a person or the public and such disclosure of PHI is to a person or persons reasonably able to prevent or lessen the threat (e.g., the target of the threat, family members, school administrators, risk management, and/or law enforcement). If law enforcement is to be contacted, first contact campus Public Safety (unless the threat is immediate, in which case law enforcement should be contacted immediately).
  • for law enforcement authorities to identify or apprehend an Individual, either
    • because of a statement by an Individual admitting participation in a violent crime that staff reasonably believes may have caused serious physical harm to the victim (unless staff learns of this statement in the course of treatment to affect the propensity to commit the criminal conduct that is the basis for this disclosure, or counseling, or therapy (or through an Individual’s request to initiate or to be referred for such treatment, counseling or therapy), in which case such use or disclosure of PHI may NOT be made); or
    • where it appears from all the circumstances that the Individual has escaped from a correctional institution or from lawful custody.
    • Unless there is a serious and imminent threat to the health or safety of a person or the public (in which case, see that section above), contact the Privacy Office, General Counsel’s office and/or Risk prior to making disclosures that are intended to enable law enforcement to identify or apprehend an Individual pursuant to the two bullets in this section above.

Uses and disclosures for specialized government functions.

  • To officials of the Department of State for the purpose of medical suitability determinations.

Note: Staff should not proactively alert military command authority regarding the voluntary treatment or admission of active military personnel unless the Individual presents a serious and imminent threat to the Individual or others (see the first bullet under serious and imminent threat section above for more details on this point).

  • National security and intelligence activities. Disclosure of PHI to authorized Federal officials for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act (and its implementing authority.
  • Protective services for the President and others. PHI may be disclosed to authorized Federal officials for the provision of protective services to the President or other legally authorized persons.
  • Refer any questions about any of the above provisions and all other requests for government uses not clearly covered by this or another UNMC policy to the Privacy Office or General Counsel’s office.

Disclosures for workers' compensation. UNMC may disclose PHI as authorized by and to the extent necessary to comply with laws relating to workers' compensation or other similar programs, established by law, that provide benefits for work-related injuries or illness without regard to fault. Per state law, information disclosed should be limited to only that information relevant to the injury. A workers’ compensation plan’s request for “all medical records” should generally be denied unless the services to the Individual were limited to one episode of care related to the injury.



The person who is the subject of the PHI. Personal representatives of the Individual have the same rights as the Individual under HIPAA (i.e., they “step into the shoes” of the Individual). Personal representatives include the legal guardian and anyone else authorized by law to act on behalf of the Individual. (See Nebraska Medicine Consents and Permits policy, MS14.)

Protected Health Information (PHI)

Individually identifiable health information including demographic information, collected from an Individual, whether oral or recorded in any medium, that:

  • is created or received by UNMC/ACE; and
  • relates to the past, present or future physical or mental health or condition of an Individual; the provision of health care to an Individual; or the past, present or future payment for the provision of health care to an Individual and identifies the Individual or with respect to which there is a reasonable basis to believe the information can be used to identify the Individual.

PHI includes genetic information, which includes information about the following items (and excludes information about an Individual’s sex or age):

  • an Individual’s genetic tests;
  • the genetic tests of an Individual’s family members; or
  • the manifestation of a disease or disorder in such Individual’s family members (i.e., family medical history).

PHI excludes:

  • individually identifiable health information of a person who has been deceased for more than fifty (50) years.
  • education records covered by the Family Educational Rights and Privacy Act (FERPA); and
  • employment records held by UNMC in its role as employer.

Qualified Protective Order (QPO)

An order of a court or of an administrative tribunal or a stipulation by the parties to litigation or an administrative proceeding that:

  • prohibits the parties from using or disclosing PHI for any purpose other than the litigation or proceeding for which such information was requested; and
  • requires the return (to UNMC) or destruction of the PHI (including all copies made) at the end of the litigation or proceeding.


Employees, medical staff, volunteers, trainees and other persons whose conduct, in the performance of work for Nebraska Medicine/UNMC, is under the direct control of Nebraska Medicine/UNMC, whether or not they are paid by Nebraska Medicine/UNMC.

Additional Information

This page maintained by dkp.