Question: When may a covered health care provider disclose protected health information, without an authorization or business associate agreement, to a medical device company representative?
HIPAA Weekly Advisor, February 9, 2004
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Question: When may a covered health care provider disclose protected health information, without an authorization or business associate agreement, to a medical device company representative?
Answer: Providers can disclose PHI to medical device companies without authorization for treatment, payment, or health care operations (45 CFR 164.506(c)(1)). They can also release PHI for the treatment or payment purposes of device companies that also provide health care (45 CFR 164.506(c)(2), (3)). Additionally, providers can make disclosures, without an authorization, to device companies or others subject to the jurisdiction of the Food and Drug Administration (FDA) for activities related to the quality, safety, or effectiveness of an FDA-regulated product or activity. See 45 CFR 164.512(b)(1)(iii) and the frequently asked questions on public health disclosures for more information.
In certain situations, a provider may disclose PHI to a medical device company without an individual's written authorization only if the medical device company is a health care provider. A medical device company meets the privacy rule's definition of "health care provider" if it furnishes, bills, or is paid for "health care" in the normal course of business. "Health care" under the rule means care, services or supplies related to the health of an individual. Thus, a device manufacturer is a health care provider under the privacy rule if it needs PHI to counsel a surgeon on or determine the appropriate size or type of prosthesis for the surgeon to use during a patient's surgery, or otherwise assists the doctor in adjusting a device for a particular patient.
The Office for Civil Rights in the Department of Health and Human Services last week added this item to its list of frequently asked questions on HIPAA.
Want to receive articles like this one in your inbox? Subscribe to HIPAA Weekly Advisor!
Related Products
Most Popular
- Articles
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- Catch up on what's new with injections and infusions
- Topic: CMS, OESS post new security compliance review information, checklist
- Capturing all necessary codes for IUD insertion and removal can be challenging
- HIPAA Q&A: Level of encryption needed for email
- What does case-mix index mean to you?
- Identify potential Medicaid RAC target areas
- QA:Coding multiple initial infusions
- OB services: Coding inside and outside of the package
- E-mailed
-
- Q/A: Volume requirement for reporting hydration services
- Featured blog post: Nurses face felony charges after reporting physician to the Texas Medical Board
- HIPAA Q&A: Level of encryption needed for email
- Q&A: Follow CMS' coding guidelines when using modifier -25
- CMS has reformulated payments for some bilateral procedures
- Catch up on what's new with injections and infusions
- New conflicts of interest create new challenges
- Q/A. One injection code or two?
- What does case-mix index mean to you?
- ED-to-inpatient transfers are flawed with safety gaps
- Searched