March 2, 2022
OCR enforces the HIPAA Privacy, Security and Breach Notification Rules,[4] which establish requirements with respect to the use, disclosure, and protection of protected health information (PHI) by covered entities and business associates;[5] provide health information privacy and security protections; and establish rights for individuals with respect to their PHI.[6]
OCR reminds covered entities (health plans, health care providers, health care clearinghouses) and business associates that the HIPAA Privacy Rule permits, but does not require, covered entities and business associates to disclose PHI about an individual, without the individual’s authorization,[7] when such disclosure is required by another law and the disclosure complies with the requirements of the other law.[8] This “required by law” exception to the authorization requirement is limited to “a mandate contained in law that compels an entity to make a use or disclosure of PHI and that is enforceable in a court of law.”[9] Where a disclosure is required by law, the disclosure is limited to the relevant requirements of such law.[10] Disclosures of PHI that do not meet the “required by law” definition or exceed what is required by such law do not qualify as permissible disclosures under this exception.
HIPAA prohibits disclosure of gender affirming care that is PHI without an individual’s consent[11] except in limited circumstances.
If you believe that your (or someone else’s) health privacy rights have been violated, visit the
OCR complaint portal to file a complaint online.
DISCLAIMER: The contents of this document do not have the force and effect of law and are
not meant to bind the public in any way. This document is intended only to provide clarity to the
public regarding existing requirements under the law or the Departments’ policies.
To obtain this information in an alternate format, contact the HHS Office for Civil Rights at (800) 368-1019, TDD toll-free: (800) 537-7697, or by emailing [email protected]. Language assistance services for OCR matters are available and provided free of charge.
[4] 45 C.F.R. Parts 160 and 164, Subparts A, C, D, and E.
[5] See 45 C.F.R. 160.103 (“covered entity” and “business associate” definitions).
[6] See 45 C.F.R. 160.103 (“protected health information” and “individually identifiable health information” definitions).
[7] See 45 C.F.R. 164.508(c) (HIPAA authorization required elements).
[8] 45 C.F.R. 164.512(a)(1).
[9] 45 C.F.R. 164.103 (“required by law” definition). Required by law includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.
[10] 45 C.F.R. 164.512(a)(1).
[11] For purposes of this guidance, “consent” refers to a valid HIPAA authorization. See 45 C.F.R. 164.508.