How can privacy rights be waived
Among other limited purposes, a covered entity may use or disclose PHI without an Authorization, as follows:. With some exceptions, the Privacy Rule imposes a minimum necessary requirement on all permitted uses and disclosures of PHI by a covered entity.
This means that a covered entity must apply policies and procedures, or criteria it has developed, to limit certain uses or disclosures of PHI, including those for research purposes, to "the information reasonably necessary to accomplish the purpose [of the sought or requested use or disclosure]. For nonroutine disclosures and requests, a covered entity must review each disclosure or request individually against criteria it has developed.
There are several exceptions to the minimum necessary requirements that may affect researchers Sections The minimum necessary standard does not apply to the following:. Unless otherwise excepted, covered entities are required to implement policies and procedures or establish criteria that limit the PHI used, disclosed, or requested to the minimum amount reasonably necessary to achieve the purposes e.
These covered entity policies and procedures will apply to researchers who are members of the covered entity's workforce and may apply to business associates.
The Privacy Rule does not require a covered entity to independently determine, in all instances, whether a request for PHI meets the minimum necessary requirement. As relevant here, the Privacy Rule permits the covered entity to rely, when reasonable, on a request for disclosure of PHI as the minimum necessary when making permitted disclosures to public officials, disclosing information requested by another covered entity, or when disclosing PHI to researchers who have documentation of an IRB or Privacy Board waiver or alteration of Authorization or certain other representations permitted by the Privacy Rule, which are discussed in detail in related publications, Institutional Review Boards and the HIPAA Privacy Rule and Privacy Boards and the HIPAA Privacy Rule.
Key Points: The Privacy Rule provides individuals with certain rights about how their health information is used and disclosed as well as how they can gain access to health records and information about when their PHI was released without their permission. The Privacy Rule describes how covered entities can implement these rights while maintaining the integrity of the research project.
In addition to establishing conditions for the use and disclosure of PHI, the Privacy Rule establishes certain rights of individuals with respect to their health information. Covered entities must provide individuals with written notice of the entity's privacy practices and the individual's privacy rights.
In addition, the Rule permits individuals to gain access to, request amendment of, request restrictions on, and request confidential communication of certain records related to their health care.
Individuals are also given the right to request and receive a written account from a covered entity of when and why their PHI has been disclosed without their Authorization, except under limited circumstances. Individuals also have the right to complain to the covered entity and to the Secretary of Health and Human Services if they believe a violation of the Privacy Rule has occurred.
With few exceptions, the Privacy Rule guarantees individuals access to their medical records and other types of health information to the extent the information is maintained by the covered entity or its business associate within a designated record set.
Research records maintained by a covered entity may be part of a designated record set if, for example, the records are medically related or are used to make decisions about research participants. An individual's right to receive an accounting of disclosures unless an exception applies starts with the covered entity's compliance date and goes back 6 years from the date of the request, not including periods prior to the compliance date.
A covered entity must therefore keep records of such PHI disclosures for 6 years. The Privacy Rule allows three methods for accounting for research-related disclosures that are made without the individual's Authorization or other than a limited data set: (1) a standard approach, (2) a multiple-disclosures approach, and (3) an alternative for disclosures involving 50 or more individuals.
Whatever approach is selected, the accounting is made in writing and provided to the requesting individual. Accounting reports to individuals may include results from more than one accounting method. Multiple disclosures accounting is permissible if the covered entity has made multiple disclosures of PHI to the same person or entity for a single purpose under Sections For each disclosure, the following must be included:. If a covered entity has made disclosures regarding 50 or more individuals for a particular research project under Section If the covered entity uses the alternative accounting method, it must, if requested to by the individual, assist the individual in contacting the research sponsor and the researcher.
Such assistance, however, is limited to those situations in which there is a reasonable likelihood that the individual's PHI was actually disclosed for the research protocol or activity.
De-identifying Protected Health Information Under the Privacy Rule
Covered entities may use or disclose health information that is de-identified without restriction under the Privacy Rule.
Under this method, the identifiers that must be removed are the following:
Names.
All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP Code, and their equivalent geographical codes, except for the initial three digits of a ZIP Code if, according to the current publicly available data from the Bureau of the Census: The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20, people. The initial three digits of a ZIP Code for all such geographic units containing 20, or fewer people are changed to
All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
Telephone numbers.
Facsimile numbers.
Electronic mail addresses.
Social security numbers.
Medical record numbers.
Health plan beneficiary numbers.
Account numbers.
Vehicle identifiers and serial numbers, including license plate numbers.
Device identifiers and serial numbers.
Web universal resource locators (URLs).
Internet protocol (IP) address numbers.
Biometric identifiers, including fingerprints and voiceprints.
Full-face photographic images and any comparable images.
Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification.
Requires the covered entity to obtain Authorization for research use or disclosure of PHI unless a regulatory permission applies.
The IRB must ensure that informed consent will be sought from, and documented for, each prospective subject or the subject's legally authorized representative, in accordance with, and to the extent required by, HHS regulations.
If specified criteria are met, the IRB may waive the requirements for either obtaining informed consent or documenting informed consent. The IRB must review and approve the Authorization form if it is combined with the informed consent document. The IRB must ensure that informed consent will be sought from, and documented for, each prospective subject or the subject's legally authorized representative, in accordance with, and to the extent required by, FDA regulations.
If specified criteria are met, the requirements for either obtaining informed consent or documenting informed consent may be waived. The Privacy Rule permits a covered entity to reasonably rely on the determination of an IRB or Privacy Board, if the covered entity obtains appropriate documentation of such determination.
Each institution is responsible for safeguarding the rights and welfare of human subjects and for complying with the HHS Protection of Human Subjects Regulations. With the approval of HHS, an institution participating in a cooperative project may enter into a joint review arrangement, rely upon the review of another qualified IRB, or make similar arrangements for avoiding duplication of effort.
Allows waiver or alteration of Authorization when IRB or Privacy Board deems the following criteria are met: (1) use or disclosure involves no more than minimal risk to the privacy of individuals because of the presence of at least the following elements: (a) an adequate plan to protect health information identifiers from improper use or disclosure, (b) an adequate plan to destroy identifiers at the earliest opportunity absent a health or research justification or legal requirement to retain them, and (c) adequate written assurances that the PHI will not be used or disclosed to a third party except as required by law, for authorized oversight of the research study, or for other research uses and disclosures permitted by the Privacy Rule; (2) research could not practicably be conducted without the waiver or alteration; and (3) research could not practicably be conducted without access to and use of PHI.
This would be a required subsection b 2 disclosure. FLRA , U. FEMA , No. FBI , Akmal v. HHS , No. July 8, ; Kassel v. HEW , F. Newspapers, Inc. After DOJ v. In DOJ v. In light of Reporters Comm. Commerce , F. Veneman , F. BIA , No. Idaho Mar. X, No. As a result of Reporters Comm.
See U. Circuit has held that the required FOIA disclosure exception cannot be invoked unless an agency actually has a FOIA request in hand; not all courts agree. The Court of Appeals for the District of Columbia Circuit significantly limited the utility of subsection b 2 as a defense by holding that subsection b 2 cannot be invoked unless an agency actually has a FOIA request in hand. Bartel v. In one case prior to Bartel , it similarly had been held that subsection b 2 was not available as a defense for the disclosure of information in the absence of a FOIA request.
Zeller v. Other courts have not followed the rule in Bartel , however, and do not require agencies to have a FOIA request in hand to raise a b 2 defense. See Cochran v. However, because the D. V, No. Memorandum from Robert P. The District Court for the District of Columbia twice has applied this public domain aspect of Bartel. In Tripp v. In Chang v. Id ; see also Russo , F. The routine use disclosure exception is broad and was designed to allow disclosures other than intra-agency disclosures.
The routine use exception, because of its potential breadth, is one of the most controversial provisions in the Act. The trend in recent cases is toward a narrower construction of the exception. The White House directed the OMB to issue additional guidance regarding the routine use exception in an executive memorandum on privacy sent to the heads of executive departments and agencies in See also U. XIX, No. DOD , No. Shayesteh v. The routine use disclosure exception requires an agency to: (1) publish the routine use to provide constructive notice; and (2) disclose records only when compatible with the purpose for which the record was collected; some courts also have required agencies to provide actual notice in accordance with subsection (e)(3)(C).
An agency must meet two requirements for a proper routine use disclosure under this exception: (1) an agency must publish the routine use in the Federal Register to provide constructive notice; and (2) the disclosure of the record must be compatible with the purpose for which the record was collected.
The Court of Appeals for the Ninth Circuit has added a third requirement for this exception, which the Court of Appeals for the District of Columbia Circuit subsequently adopted: actual notice at the time the information is collected from the individual of the purpose(s) for which the information will be used. See 5 U. Before relying on the routine use disclosure exception, an agency must publish in the Federal Register each routine use, including the categories of users and the purpose of such use.
Krohn v. The scope of the routine use disclosure exception is limited to the published terms of the claimed routine use. Naval Air Station, Pensacola, Fla. Supply Ctr. In other words, a particular disclosure is unauthorized if it does not fall within the clear terms of the routine use. Walters , F. DHS , No. Ohio Feb. FAA , No. Bechhoefer v. DEA , U. CS, slip op. When interpreting a claimed routine use, courts have generally deferred to agency interpretation. See Air Force v.
United States , 27 F. Stafford , F. But see NLRB v. Tillerson , F. United States, F. Truesdale , F. DHS F. Quinn v. The Court of Appeals for the D. Whatever the merit of the decisions of prior courts that have held …that a finding of a substantial similarity of purpose might be appropriate in the non-labor law context in order to effectuate congressional intent, the compatibility requirement imposed by section a a 7 cannot be understood to prevent an agency from disclosing to a union information as part of the collective bargaining process.
Pontecorvo v. First, in the context of investigations or prosecutions, law enforcement agencies routinely may share law enforcement records with one another. Second, agencies routinely may disclose to law enforcement agencies for purposes of investigation or prosecution any records indicating a possible violation of law regardless of the purpose for collection if the head of the law enforcement agency specifically requests the record in writing from the agency that maintains the record.
These compatible use disclosures to law enforcement agencies have been criticized on the ground that they circumvent the more restrictive requirements of subsection (b)(7). They never have been challenged successfully on that basis, however. Indeed, courts routinely have upheld disclosures made pursuant to such routine uses.
Pavlock , F. Grimes , No. The courts have found, however, that a disclosure does not fall within a compatible routine use if the agency is not sharing with a law enforcement agency in the context of an investigation or prosecution, there is no possible violation of law, or the law enforcement agency head has not specifically requested the record in writing.
For example, a disclosure is not compatible if it is made to agencies other than the appropriate ones. See Dick v. Similarly, disclosures are not compatible with a routine use if the record does not reveal a potential violation of law. In Covert , F. Covert , F. EDCV , slip op. Prior to Covert , no other court had required actual notice. Since Krohn v. Although initially agencies published broad routine uses, they have been narrowed since the District Court for the District of Columbia issued its decision in Krohn v.
Britt , F. The courts generally have found that disclosing information is pursuant to a compatible routine use when the information furthered an investigation or enabled either agency to fulfill its mission. IRS , B. Iowa ; Alphin v. Judicial Conference of the United States , F. Miller , F. Mueller , No. Smith , No. CR, slip op. Sussman v. Similarly, the courts have concluded that where an individual is applying for a benefit, program, or position, an agency may disclose information during the application process as a compatible routine use.
Puerta v. Rice , No. Labor , F. June 12, ; Blazy v. Tenet , F. May 12, ; Magee v. Brunotte v. The courts also have determined that disclosure to other parties in litigation constitutes a compatible routine use. Burnett v. Holde r, WL D. United States , WL N. OPM , F. Frank , No. Disclosures to Congress also have been deemed compatible routine uses by the courts. See Gowan v.
Runyon , 60 F. The Ninth and D.C. Circuits also require that an agency give actual notice to an individual at the time the information is collected in accordance with the notice requirements of subsection (e)(3)(C).
Stafford v. Donley , F. Thompson v. Some, but not all, courts of appeals have required agencies to invoke the routine use disclosure exception to disclose certain records to unions. Four courts have required an agency to invoke a routine use to permit disclosure to unions of names of employees on the theory that refusal to so disclose was an unfair labor practice under the National Labor Relations Act.
See NLRB v. NLRB v. Circuit has held that the routine use disclosure exception does not permit disclosures solely based on a federal subpoena, as such disclosures are not permitted under the court order disclosure exception.
Circuit concluded that a routine use for complying with a subpoena was inconsistent with the Privacy Act. See Doe v. Notwithstanding the required FOIA disclosure and the consumer reporting agency disclosure exceptions, the Privacy Act disclosure provision does not provide for nonconsensual disclosures that are governed by other statutes, and agencies should rely on the routine use disclosure exception for such disclosures.
The Privacy Act does not provide for nonconsensual disclosures that are governed by other statutes except for the FOIA subsection b 2 and the Debt Collection Act subsection b Zahedi v.
The law enforcement request disclosure exception allows certain disclosures, upon written request, to another agency or instrumentality for civil or criminal law enforcement purposes.
A request for records under the subsection (b)(7) exception must be for civil or criminal law enforcement purposes. See United States v.
Collins , F. The request must be submitted in writing and generally must be from the head of the agency or instrumentality. Naval Air Station , F. Supervisor of DEA , F. Lora v. INS , No. See Schwarz v. May 10, ; DePlanche v. This construction, while sensible as a policy matter, appears to conflict with the actual wording of subsection b 8 , although the wording of this provision is not precise.
The congressional disclosure exception does not authorize the disclosure of a record to an individual Member of Congress acting on his or her own behalf, or on behalf of a constituent. This exception allows for disclosure of records to Congress but does not authorize the disclosure of a Privacy Act-protected record to an individual Member of Congress acting on his or her own behalf or on behalf of a constituent.
Dearment , No. June 3, ; cf. Chang v. See generally U. The Second Circuit has held that an agency may disclose records consistent with the congressional disclosure exception, even if the agency knew or reasonably should have known that the information would subsequently become public.
Subsection (b)(11) permits a court of competent jurisdiction to order disclosure of Privacy Act protected information that would otherwise be prohibited from disclosure without prior written consent of the individual to whom the record pertains. As a general proposition, the Privacy Act does not act as a shield against discovery of relevant records that are otherwise protected under the Privacy Act, and the records may become discoverable through litigation if ordered by a court.
Laxalt v. Great Lakes Edu. Loan Services, Inc. Sotelo , No. June 18, ; Ayers v. Lee , No. Brennan , No. Ohio July 6, ; United States v. Revland, No. Gowrish , No. June 27, ; Rogers v. England , F. June 23, ; Martin v. United States , 1 Cl. The court order disclosure exception does not, itself, confer federal jurisdiction or create a right of action to obtain a court order. Nor does this exception confer federal jurisdiction or create a right of action to obtain a court order for the disclosure of records.
See Sheetz v. Indeed, courts have routinely upheld disclosures made pursuant to such routine uses. Pavlock , F. Grimes , No. In Covert v. Covert , F. Prior to Covert , no other court had ever so held. See the additional discussion under subsection e 3 , below. In Doe v. In light of Doe v. Stephens , the decision in Fields v. Leuver , No. SA, slip op. In Krohn v. See Jackson v.
Britt , F. Numerous types of information sharing between agencies and with organizations or individuals have been upheld as valid routine uses. IRS , B. Iowa ; Mount v. Judicial Conference of the United States , F. Miller , F. Collins , F. Mueller , No. Rice , No. OPM , F. Labor , F. June 12, ; Contursi v. May 12, ; Magee v. Runyon , 60 F.
Smith , No. CR, slip op. July 25, discussing disclosure of rap sheet to local police department ; Ely v. Sussman v. Four courts have required an agency to invoke its routine use to permit disclosure to unions of names of employees on the theory that refusal to so disclose was an unfair labor practice under the National Labor Relations Act. See NLRB v. NLRB v. Apart from the FOIA see subsection b 2 and the Debt Collection Act see subsection b 12 , the Privacy Act makes no provision for any nonconsensual disclosures that are provided for by other statutes.
Zahedi v. Note that the request must be submitted in writing and generally must be from the head of the agency or instrumentality. See Doe v. Naval Air Station , F. Supervisor of DEA , F. Lora v. INS , No. For cases discussing this provision, see Schwarz v. May 10, ; and DePlanche v. This construction, while certainly sensible as a policy matter, appears to conflict somewhat with the actual wording of subsection b 8.
This exception does not authorize the disclosure of a Privacy Act-protected record to an individual Member of Congress acting on his or her own behalf or on behalf of a constituent. June 3, ; cf. Chang v. This exception — like the subsection b 3 routine use exception — has generated a great deal of uncertainty.
Revland, No. England , F. June 27, ; Martin v. United States , 1 Cl. June 23, See e. Burge , No. Koch Foods of Miss. Lahood, No. C, U. May 29, Sheetz v. Marti , No. Contracting, Inc. SSA , No. Ricoma v. Standard Fire Ins. Astrue , No.
Prior to Doe v. DiGenova , a split of authority existed on this point. Compare Bruce v. Atlanta Gas Light Co. United States Lines , No. Moore v. Note that an agency cannot avoid the result in Doe v. DiGenova by relying on a routine use that seeks to authorize disclosure pursuant to a subpoena. Unlike similar provisions in other federal confidentiality statutes, see , e.
However, several courts have addressed the issue with varying degrees of clarity. See Laxalt v. May 13, citing Laxalt in determining relevance of personnel files ; Bosaw v. NTEU , F. Rather, the D. Vanderbilt Co. July 8, ; SEC v. Gowrish , No. May 12, ; Stiward v. May 12, ; Lynn v. Radford , No. Cornejo , No. May 6, ; Forrest v. Sullivan , F. Engels , F. Shad , F. Regan , No. United States , 68 F. Courts have also assessed whether orders should be granted by balancing the potential harm to the affected party from disclosure without restrictions and the need of the requesting party for the particular information.
See Perry v. Battelle Energy Alliance , No. Idaho Oct. Housing Act] outweighs any privacy interests, especially in light of the Protective Order and other steps, such as redaction, that can be taken to reduce privacy concerns. Benavides , F. Modern Select Ins. Sutherland , No. Meyer , No. Becker , No. Hounshel v. Idaho Sept. FDK Am. Donley , No. Kovzan , No. Winter , F. Chromatex, Inc. Hawk , No. Gonzales , No. May 28, ordering defendant to provide United States Marshals Service with addresses of individually named defendants for service of process on behalf of inmate and ordering that addresses be safeguarded by Marshals Service ; Hernandez , No.
Shinseki , No. Hull , Misc. Watt , No. Bolger , No. Grzegorek , F. Brown v. Narvais , No. McCausland , No. Jacobs v. Schiffer , F. In some instances, it even may be appropriate for a court to entirely deny discovery. June 30, ; Oslund v.
Padberg v. McGrath-McKenchnie , No. Dillon , F. In Redland Soccer Club, Inc. See also Long Island Sav. Bank v. United States , 63 Fed. However, the nonconsensual public filing of protected records with a court, during the course of litigation, does constitute a subsection (b) disclosure. Thus, such public filing is proper only if it is undertaken pursuant to: (1) the subsection (b)(3) routine use exception (previously discussed), or (2) the subsection (b)(11) court order exception.
Where the routine use exception is unavailable, an agency should obtain a subsection (b)(11) court order permitting such public filing. However, in light of Laningham , No. Perkins v. One of the few Privacy Act decisions to even mention this oft-overlooked requirement is Laxalt v. See F. Mason v. Bend Cmty. Lohrenz v. Donnelly , F.