(a) General privacy protection. — Protected health information is not public information as defined at § 10002 of Title 29 and may not be disclosed without the informed consent of the individual (or the individual's lawful representative) who is the subject of the information except as expressly provided by statute. Whenever disclosure of protected health information is made pursuant to this subchapter, such disclosure shall be accompanied by a statement concerning the Department of Health and Social Services' disclosure policy.
(b) Scope of disclosure. — Protected health information shall be disclosed with the informed consent of the individual who is the subject of the information to any person and for any purpose for which the disclosure is authorized pursuant to informed consent.
(c) Nonidentifiable information. — Any disclosure of protected health information permitted by this subchapter shall be disclosed in a nonidentifiable form whenever possible, consistent with the accomplishment of legitimate public health purposes, except when the disclosure is authorized through the informed consent of the person who is the subject of the information. Any disclosures of protected health information permitted by this subchapter shall also be limited to the minimum amount of information which the person making the disclosure reasonably believes is necessary to accomplish the purpose of the disclosure, except when the disclosure is authorized through the informed consent of the individual who is the subject of the information.
(d) Disclosure without informed consent. — Protected health information may be disclosed without the informed consent of the individual who is the subject of the information where any of the following disclosures are made:
(1) Directly to the individual.
(2) To appropriate federal agencies or authorities as permitted by federal or state law and for law-enforcement purposes in accordance with 45 C.F.R. Parts 160, 162, and 164.
(3) To health-care personnel to the extent necessary in an emergency to protect the health or life of the person who is the subject of the information from serious, imminent harm.
(4) To the public safety authority during a public health emergency in accord with the uses described in § 1211 of this title.
(5) In the course of any judicial or administrative proceeding in accordance with 45 C.F.R. Parts 160, 162, and 164, or pursuant to a court order to avert a clear danger to the individual or the public health.
(6) To the Child Death Review Commission or to the Child Protection Accountability Commission.
(7) To the Division of Health Care Quality in cases where the Division is engaged in an investigation or survey involving the care or treatment of an individual at a facility licensed by the Division, and the individual has been admitted to a hospital from the facility or discharged from a hospital to the facility. The Division of Health Care Quality is an entity charged with helping to safeguard the health and safety of patients. It shall be recognized as a “public health authority” and as a “health oversight agency,” and it shall be recognized in the performance of its functions as a peer review organization or auditor or evaluator with respect to such aspects of health-care delivery systems or providers.
(8) Pursuant to § 2005 of this title.
(9) For research, regardless of the source of funding of the research, provided that the researcher provides documentation that an alteration to or waiver, in whole or in part, of the individual authorization required by subsection (a) of this section for use or disclosure of protected health information has been approved by the applicable privacy board in accordance with HIPAA regulations. Said approval shall not be granted until the Board has determined all of the following:
a. The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements:
1. An adequate plan to protect the identifiers from improper use and disclosure;
2. An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and
3. Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart;
b. The research could not practicably be conducted without the waiver or alteration; and
c. The research could not practicably be conducted without access to and use of the protected health information.
(10) For patient treatment and care coordination, defined as the provision, coordination, or management of health-care and related services by 1 or more health-care providers, including the coordination or management of health care by a health-care provider with a third party; consultation between health-care providers relating to a patient; or the referral of a patient for health care from 1 health-care provider to another.
(11) To a health plan, health-care clearinghouse, business associate, or health-care provider, as each is defined by 45 C.F.R. Part 160, to use only in accordance with federal law for transactions that transmit information between 2 parties to carry out financial or administrative activities related to health care, health-care operations, and health insurance, as set forth in 45 C.F.R Parts 160, 162, and 164.
(12) To the Drug Overdose Fatality Review Commission.
(13) To the Prescription Monitoring Program.
(14) As permitted by federal law, including regulations.
(e) Deceased individuals. — Nothing in this subchapter shall prohibit the disclosure of protected health information:
(1) In a certificate of death, autopsy report or related documents prepared under applicable laws or regulations;
(2) For the purposes of identifying a deceased individual;
(3) For the purposes of determining a deceased individual's manner of death by a medical examiner; or
(4) To provide necessary information about a deceased individual who is a donor or prospective donor of an anatomical gift.
(f) Informed consent by others. — When an individual who is the subject of protected health information is not competent or is otherwise legally unable to give informed consent for the disclosure of protected health information, informed consent may be given by the individual's parents, legal guardians or other persons lawfully authorized to make health-care decisions for the individual.
(g) Secondary disclosures. — No person to whom protected health information has been disclosed pursuant to this subchapter shall disclose the information to another person except as authorized by this subchapter. This section shall not apply to:
(1) The individual who is the subject of the information;
(2) The individual's parents, legal guardians or other persons lawfully authorized to make healthcare decisions for the individual where the individual who is the subject of the information is unable to give legal consent pursuant to subsection (f) of this section; or
(3) Any person who is specifically required by federal or state law to disclose the information.
(h) Upon written request of an individual to a medical laboratory for a copy of the results of a laboratory examination of that individual, the medical laboratory shall provide a copy of those results that are sought to that individual. The medical laboratory may require a reasonable copying fee for copying and transmitting the records.
(i) The Child Death Review Commission and the Child Protection Accountability Commission are charged with helping to safeguard the health and safety of children. Each shall be recognized as a “health oversight agency,” and as a “public health authority,” and each shall be recognized in the performance of its functions as a peer review organization or auditor or evaluator with respect to any aspect of health-care delivery systems or providers.