New York State Office of Mental Health HIPAA Preemption Analysis

Also see: OMH Official Policy Manual QA-515

MHL §33.13(a): Patient or client (defined MHL §33.16(5)): means an individual concerning whom a clinical record is maintained or possessed by a facility as defined in §33.16(3).

14 NYCRR §505.4(k): Protected individuals means a person who is the subject of an HIV-related test or who has been diagnosed as having HIVinfection, AIDS or HIV-related illness.

With regard to the regulatory term "protected individuals," again, State law applies and is not preempted because the Federal law is not contrary to State law; the term "individual" in Federal law includes the term "protected individual" as HIVrelated information is within the definition of PHI.

MHL §33.13(a): Clinical record contains information on all matters relating to the admission, legal status, care, and treatment of the patient or client and shall include all pertinent documents relating to the patient or client.

OMH Guidebook(Appendix J): Clinical records do not include incident reports.

Education Law §6527: Neither the proceedings nor the records relating to performance of a medical or dental malpractice prevention program nor any report required by DOH pursuant to section 2805-l of the PHL, including the investigation of an incident pursuant to section 29.29 of the MHL shall be subject to disclosure under Article 31 of the CPLR except as provided by any other provision of law.

Case Law: (1) Reports contained in psychiatric hospital's investigation file…including two incident reports by designated staff persons, and incident or investigation report prepared by state agency, related to investigation of allegations….which were required to be reported to the Department of Health, and thus were incident reports exempt from disclosure in action brought by patient against hospital. Katherine F. ex rel. Perez v. State, 94 N.Y.2d 200, 700 N.Y.S.2d 231, 723 N.E.2d 1016 (1999).

(2) Incident reports made by employees at state mental health facility in connection with treatment of severely retarded patient and of other residents at facility, were part of procedure intended to reduce patient and employee injuries,and thus were obtained or maintained pursuant to review procedure and were privileged from discovery under Education Law in action brought by administrator of estate of patient for injuries sustained by patient while at facility. Finnegan v. State, 179 Misc. 2d 694, 686 N.Y.S. 2d 589 (1999)

(3) Investigation report prepared on behalf of OMH by consultant did not relate to patient's care and treatment, a requirement in order to consider it part of the clinical record, but rather found that it revealed the methodology and manner in which the patient received treatment. This characterized it as a quality assurance document, rather than part of the clinical record releaseable to patient under the Freedom of Information Act. Zabielski v. Stone (2002)

OMH Guidebook(Appendix J): Clinical records do not include educational records

MHL §33.16(f): Applicability of federal law. Whenever federal law or applicable federal regulations restrict, or as a condition for the receipt of federal aid require, that the release of clinical records or information be more restrictive than is provided under this section, the provisions of federal law or federal regulations shall be controlling.

20 U.S.C. §1232g (FERPA): provides parents of students and eligible students with privacy protections and rights for the records of students maintained by federally funded educational agencies or institutions or persons acting for these agencies or institutions.

MHL §33.13(b): (Effective until June 30, 2005) The Commissioners may require that statistical information about patient or clients be reported to the offices.

(Effective June 30, 2005) The Commissioners may require that statistical information about patient or clients be reported to the offices. Names of patients treated at outpatient or nonresidential facilities, at hospitals licensed by OMH and at general hospitals shall not be required as part of any such reports.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

§164.512(d) A covered entity may disclose PHIto a health oversight agency for oversight activities authorized by law.

§164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory…or a person or entity operating under a grant of authority from or contract with such public agency…that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

As health oversight agencies, the Commissioners of OMH and OMRDD can request statistical information that is PHI as part of its regulatory and licensing oversight function.

MHL §33.13(c)(1): Clinical records shall

be released w/out patient consentpursuant to a court order after a finding that the interests of justice significantly outweigh the need for confidentiality

CPLR§4507: "privilege" or exempt certain patient information held by physicians, RNs, LPNs, registered psychologists, and registered social workers, from testimonial disclosure

MHL §33.13(c)(2):Clinical records shall be released w/out patient consent to Mental Hygiene Legal Services

MHL §47.03: MHLS has authority to be granted access to all books, records, and data necessary for it to carry out its functions, provided that where federal regulations restrict a facility re: release of info in the clinical record of a patient or restrict disclosure of identity of patient or access to the patient to a greater extent than allowed under this law, the federal regulations shall be controlling.

MHL §9.11: (effective until 7/1/04): Except as to informal patients and patients admitted pursuant to section 9.39 or 9.40, the director of a hospital shall, within 5 days…..after the admission of any patient, forward to MHLS a record of such patient and shall simultaneously forward to the department such information from the record as the commissioner by regulation shall require. Such information from the record in the department shall only be accessible in the manner set forth in section 33.13.

MHL §9.11: (effective 7/1/04): Except as to informal patients and patients admitted pursuant to section 9.39, the director of a hospital shall, within 5 days…..after the admission of any patient, forward to MHLS a record of such patient and shall simultaneously forward to the department such information from the record as the commissioner by regulation shall require. Such information from the record in the department shall only be accessible in the

§164.502(g):A "personal representative" can fulfill the role of the individual about whom PHI pertains if the representative has authority to act on behalf of the individual in making decisions about health care.

§164.508(a)(1): Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose PHI without an authorization that is valid under this section. (p. 82811:1)

Other notifications, such as the requirement in MHL §29.29 for facilities to notify the MHLS of all reported allegations of patient abuse or neglect within 3 working days, and disclosures required throughout Article 9 (e.g.MHL §9.09,9.11,9.25, 9.31, 9.33), are not preempted and are therefore permitted under the "required by law" exemption to HIPAA since the use or disclosure is required by law. This, however, is not a general rule under MHL §47.03.

MHL §33.13(c)(3) An attorney representing a patient on the matter of his involuntary hospitalization can be provided access to the patient's clinical record.

MHL §33.13(c)(4): Records can be released to CQC or other person/agency under contract with CQC to provide protection and advocacyservices as provided for by federal law, irrespective of patient consent.

MHL §45.09:(a) The commission, any member or any employee designated by the commission, must be granted access at any and all times to any mental hygiene facility or adult home or residence for adults in which 25 % of more residents have at any time received or are receiving services from a mental hygiene provider which is licensed, operated, or funded by OMH or OMRDD in order to carry out the functions of the commission as provided for in section 45.10 of this article….ad to all books, records and data pertaining to any such facility deemed necessary for carrying out the commission's functions, powers and duties.

§164.512(d)(3) PHI may be disclosed to health oversight agencies for oversight activities authorized by law, including licensure or disciplinary actions, …or other activities necessary for the oversight of the health care system… (p. 82814:2)

MHL §33.13(c)5): Records can be released to the Medical Review Board of the State Commission of Corrections, when requested in connection with a patient death, or with patient consent and in exercise of its statutory duties.

§164.506 A covered entity must obtain the consent of a patient to use or disclose PHI for treatment, payment, or health care operations purposes (p.82810:1)

§164.508(a)(1): Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose PHI without an authorization that is valid under this section. (p. 82811:1)

§164.512(g) PHI about decedents can be released to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. PHI may also be released to funeral directors to carry out their duties with respect to a decedent.

§164.512(d): PHI can be released to health oversight agencies for oversight activities authorized by law, including administrative investigations.

MHL §33.13(c)(6)::Patient information can be released to an endangered individual and a law enforcement official when a treating psychatrist or psychologist has determined that a patient presents a "serious & imminent" danger to that individual.

MHL §33.13(c)(7) Patient information can be released, with consent of the patient or of someone authorized to act on patient's behalf, to persons/entities who have a demonstrable need for such information provided such disclosure will not reasonably be expected to be detrimental to the patient or others.

MHL §33.13(c)(8): Patient information can be disclosed (irrespective of patient consent) to the State Board for Professional Medical Conduct, the Office of Professional Discipline, or their respective representatives when the Board or Office has requested such information in the exercise of its statutory function, powers and duties (provided, however, that no such information may be released when the patient is also the subject of the Board's inquiry, except pursuant to a court order).

§164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory…or a person or entity operating under a grant of authority from or contract with such public agency….that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

MHL §33.13(c)(9)(i):With consent of appropriate Commissioner,Patient information may be disclosed w/out patient consent to governmental agencies, insurance companies, and other third parties requiring information necessary for payment. Such information shall be limited to the information required.

Note: Recent amendments eliminate this requirement.

§164.506(c):(1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information…. revised 8/02

MHL §33.13(c)(9)(ii) With consent of appropriate Commissioner, patient information may be disclosed to persons and agencies needing information to locate missing persons or to governmental agencies in connection with criminal investigations, such information to be limited to identifying data concerning hospitalization.

MHL §33.13(c)(9)(iii)With consent of appropriate Commissioner, patient information can be released to "qualified researchers" (certain persons licensed under the Education Law or other persons deemed competent/qualified by IRB or other human research committee constituted by OMH) when approved by the IRB or other committee constituted by OMH under certain circumstances.

Note: recent amendments modify this requirement to streamline reviews, but do not remove requirement for IRB approval.

Note: current OMH/RFMH practice is to obtain specific patient "consent" (really an authorization).

MHL §33.13(c)(9)(iv) With consent of appropriate Commissioner, patient information may be disclosed w/out patient consent to a coroner, a county medical examiner, or the chief medical examiner for NYC upon the request of a facility director that an investigation be conducted into the death of a patient about whom the facility maintains such information. Disclosure limited to necessary information.

MHL §33.13(c)(9)(v): With consent of appropriate Commissioner, patient information may be released to appropriate persons & entities when necessary to prevent imminent serious harm to the patient or another person

Note: It should be noted that HIPAA would limit uses/disclosures to someone other than the target of the threat if the information was learned in the course of treatment to affect the propensity to commit the criminal conduct forming the basis for the disclosure, e.g. sex offender treatment.

MHL §33.13(c)(9)(vi): With consent of appropriate Commissioner, patient information may be released to a district attorney when such request is in connection with and necessary to the furtherance of a criminal investigation of patient/client abuse.

§164.512(f)(1): A covered entity may disclose PHI for a law enforcement purpose to a law enforcement official…(i) in compliance with and as limited by the relevant requirements of:(A) a court order or court-ordered subpoena or summons issued by a judicial officer; (B) a grand jury subpoena; or(C) an administrative request, including an administrative subpoena or summons, a civil or an authorized investigative demand, or similar process authorized under law, provided that:(1) the information sought is relevant and material to a legitimate law enforcement inquiry;(2)the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought; and(3)de-identified information could not reasonably be used.

§164.512(f)(3): ….a covered entity may disclose PHI in response to a law enforcement official's request for such information about an individual who is or is suspected to be a victim of a crime, other than disclosures subject to paragraphs (b)and(c) of this section, if: (i) the individual agrees to the disclosure; or (ii)the covered entity is unable to obtain the individual's agreement because of incapacity or other emergency circumstance, provided that (A) the law enforcement official represents that such information is needed to determine whether a violation of law by a person other than the victim has occurred; and such information is not intended to be used against the victim; (B) the law enforcement official represents that immediate law enforcement activity that depends upon the disclosure would materially and adversely be affected by waiting until the individual is able to agree to the disclosure; and (C) the disclosure is in the best interests of the individual as determined by the covered entity, in the exercise of professional judgment.

Note: Other disclosures to district attorneys may be authorized if otherwise required by law.

MHL §33.13(c)(10): Patient information necessary for making a determination regarding a current inmate's health care, security, safety or ability to participate in programs may be disclosed to a correctional facility when the chief administrative officer has requested same. Information released may be limited to a summary of the record.

Division of Parole: Patient information can be disclosed to DoP when it has requested same with respect to a person under its jurisdiction or when the inmate is within 2 weeks of release from a state correctional facility.

It is noted that an individual is no longer considered an "inmate" when released on parole, probation, supervised release, or is no longer in lawful custody.( p. 82818:1,2)

However, for disclosures to DoP with regard to persons who have been released to parole, the NYS Statute is preempted and consent or authorization for release of PHI is required.

MHL §33.13(c)(11)

MHL §33.16(a)(6)

Patient information can be released, irrespective of patient consent, to a patient, guardian appointed pursuant to Section 17-A of the Surrogate's Court Procedure Act, or committee for an incompetent, or parent/guardian of an infant or other legally appointed guardian of an infant, or a parent, spouse or adult child of an adult patient who may be entitled to request access to a record pursuant to Section 33.16 of the MHL.

§164.502(g) Requires covered entities to treat "personal representatives" as the individual for purposes of HIPAA rights (e.g.signing consents ,authorizations, access, copying, and correction). Personal representatives include: (1) with respect to adults and emancipated minors, personal representatives who have under applicable law authority to act on behalf of an adult or emancipated minor in making decisions relating to health care; (2) with respect to unemancipated minors, a parent, guardian, or other person acting in loco parentis provided that when a minor lawfully obtains a health care service without the consent of or notification to a parent, guardian or other person acting in loco parentis, the minor shall have the exclusive right to exercise the rights of an individual with respect to the PHI relating to such care; (3) with respect to deceased persons, an executor, administrator, or other person authorized under applicable law to act on behalf of the decedent's estate. (p. 82492:3)

MHL §33.13(c)(12): Patient information can be disclosed to a Director of Community Services when in connection with "the exercise of his statutory functions, powers and duties pursuant to MHL §41.13" which authorizes the provision of local services to the mentally disabled in order to assure appropriateness and continuity of services for those in need of such services.

§164.501: Health oversight agency means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory…or a person or entity operating under a grant of authority from or contract with such public agency….that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

§164.512(k): A covered entity that is a government agency administering a government program providing public benefits may disclose PHI relating to the program to another covered entity that is a government agency administering a government program providing public benefits if the programs serve the same or similar populations and the disclosure of PHI is necessary to coordinate the covered functions of such programs or to improve administration and management relating to the covered functions of such programs.

Note: for supporting reference regarding a determination that the Director of Community Services constitutes a health oversight agency, see Mental Hygiene Law Article 41 and 14 NYCRR §102.7.

MHL §33.13(c)(13): Patient information can be released to DCJS for the sole purpose of providing, facilitating, evaluating or auditing access by the Commissioner of OMH to criminal history information pursuant to MHL §7.09.

MHL §7.09(j): The Commissioner of OMH is authorized to have access to criminal history information contained in the central datafacility established by DCJS; summary reports can be included in patient records for purposes of making decisions regarding care and treatment, health and safety, privileges and discharge planning for patients admitted to/retained in hospitals operated by OMH.

§164.501: Required by law means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Required by law includes, but is not limited to, court orders and court ordered warrants, subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits.

§164.512(a): A covered entity may use or disclose PHI to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.

§164.512(k)(5): A covered entity may disclose PHI about an inmate or individual in lawful custody to a correctional institution or a law enforcement official having lawful custody of such individual about such inmate or individual if the PHI is necessary for(1) the provision of health care to the person; (2) the health and safety of the person or other inmates; (3) the health and safety of officers/employees; (4) the health and safety of those transporting/transferring the person; (5) law enforcement on the premises of the correctional institution; (6) administration and good order of the institution.

§164.501: Correctional institution: means any penal or correctional facility, jail, reformatory, detention center, or residential community program …for the confinement or rehabilitation of persons charged with or convicted of criminal offense or other persons held in lawful custody. Other persons held in lawful custody includes juvenile offenders adjuducated delinquent, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial.

To the extent the information disclosed by OMH is information regarding an inmate, and the disclosures to DCJS are necessary in order for the administration and good order of the facility (e.g. to evaluate and audit OMH's access to the information, HIPAA would permit OMH to disclose PHI about inmates back to DCJS.

Note: A government agency to-government agency MOU may need to be executed and/or amended , as applicable, to reflect Business Associate requirements of HIPAA.

MHL §33.13(d) Patient information can be shared among facilities or others providing services for such patients pursuant to an approved local or unified services plan, or pursuant to agreement with Department of Mental Hygiene. Hospital. Emergency rooms (Article 28) can exchange, electronically or otherwise, information with other Article 28 hospital emergency rooms and/or hospitals licensed/operated by OMH. Information disclosed must continue to be treated as confidential and any limitations imposed on the party giving the information shall apply to the party receiving the information.

§164.506 A covered entity must obtain the consent of a patient to use or disclose PHI for treatment, payment, or health care operations purposes (p.82810:1)

OCR HIPAA Implementation Guidance: (7/01) "Q: Will the consent requirement restrict the ability of providers to consult with other providers about a patient's condition?

A: No. A provider with a direct treatment relationship with a patient would have to have initially obtained consent to use that patient's health information for treatment purposes. Consulting with another health care provider about the patient's case falls within the definition of "treatment" and, therefore, is permissible. If the provider being consulted does not otherwise have a direct treatment relationship with the patient, that provider does not need to obtain the patient's consent to engage in the consultation.

Note: Recent amendments eliminate this requirement.

§164.506(c):(1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information…. revised 8/02

MHL §33.13(e): Clinical information tending to identify patients and clinical records maintained at a facility not operated by OMH shall not be a public record and shall not be released to any person or facility outside of such facility except pursuant to subdivisions (b),(c) or (d) of this section (see analysis for each of these subdivisions, infra) . The director of such a facility may consent to the release of such information and records, subject to regulation by the Commissioner, pursuant to the exceptions stated in subdivision (c) of this section (infra), provided that, for the purpose of this subdivision, such consent shall be deemed to be the consent otherwise required of the Commissioner pursuant to subdivision (c) of this section. Nothing in this subdivision shall be construed to limit, restrict, or otherwise affect access to such clinical information or records by the mental hygiene legal service, the commission on quality of care for the mentally disabled or the offices when such access is authorized elsewhere in law.

§164.502(a): A covered entity may not use or disclose PHI except as permitted or required by this subpart or subpart C of part 160 of this subchapter.

§164.506 A covered entity must obtain the consent of a patient to use or disclose PHI for treatment, payment, or health care operations purposes (p.82810:1)

Note: Recent amendments eliminate this requirement.

§164.506(c):(1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information…. revised 8/02

§164.508(a)(1): Except as otherwise permitted or required by this subchapter, a covered entity may not use or disclose PHI without an authorization that is valid under this section. (p. 82811:1)

MHL §33.13(f): Any disclosure made pursuant to this section shall be limited to that information necessary in light of the reason for disclosure. Information so disclosed shall be kept confidential by the party receiving such information and the limitations on disclosure in this section shall apply to such party. Except for disclosures made to the mental hygiene legal service, to persons reviewing information or records in the ordinary course of insuring that a facility is in compliance with applicable quality of care standards, or to governmental agencies requiring information necessary for payments to be made to or on behalf of patients pursuant to contract or in accordance with law, a notation of all such disclosures shall be placed in the clinical record of that individual who shall be informed of all such disclosures upon request; provided, however, that for disclosures made to insurance companies licensed pursuant to the insurance law, such a notation need only be entered at the time the disclosure is first made.

§164.528: Accounting of disclosures of PHI

(a)(1): An individual has a right to receive an accounting of disclosures of PHI made by a covered entity in the 6 years prior to the date on which the accounting is required, except for disclosures: (i) to carry out treatment, payment, and health care operations; (ii) to individuals of PHI about them; (iii) for the facility's directory or to persons involved in the individual's care or other notification purposes; (iv) for national security or intelligence purposes; (v) to correctional institutions or law enforcement officials; or (vi) which occurred prior to the compliance date for the covered entity.

(b)(2) Content of the accounting: For each disclosure, the accounting must include: (i) date of disclosure; (ii) name and, if known, address of the recipient of the PHI; (iii) brief description of the PHI disclosed; (iv) brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure. If, during the period of the accounting, the covered entity has made multiple disclosures of PHI to the same person or entity for a single purpose pursuant to and in compliance with a valid consent under HIPAA or where a consent, authorization, or an opportunity to agree or object is not required, the accounting may provide: (i) the information required to be included in the accounting for the first disclosure during the accounting period; (ii) the frequency, periodicity or number of the disclosures made during the accounting period and (iii) the date of the last disclosure during such accounting period.

State law requires a notation be made of disclosures in the patient record, except for disclosures that can be characterized as those for treatment, payment, or health care operations purposes. This is consistent with HIPAA, and thus State law applies. State law also requires that patients be informed of disclosures upon request, which is also consistent with HIPAA. However, HIPAA preempts some aspects of State law with regard to the necessary content in accountings of disclosures, since the Federal regulations go further in specifying the information that must be included in the accounting.

May be addressed in individual NYS OMH facility policies.

Not specifically addressed in NYS Mental Hygiene Law

Not specifically addressed in NYS Mental Hygiene Law

(Note: will be addressed in pending OMH Official Policy PC-450; Patient Death, but disclosures will be required to be in concert with state and federal law and regulations)

Not specifically addressed in NYS Mental Hygiene Law

Not specifically addressed in NYS Mental Hygiene Law

Not specifically addressed in NYS Mental Hygiene Law

Not specifically addressed in NYS Mental Hygiene Law

Not specifically addressed in NYS Mental Hygiene Law

MHL §33.16(a)(1): Clinical record means any information concerning or relating to the examination or treatment of an identifiable patient or client maintained or possessed by a facility which has treated or is treating such patient or client, except data disclosed to a practitioner in confidence by other persons on the express condition that such data would never be disclosed to the patient or client or other persons, provided that such data has never been disclosed by the practitioner or a facility to any other person. If at any time such data is disclosed (unless the disclosure is made pursuant to MHL §33.13, to practitioners as part of consultation or referral, to the statewide planning and research cooperative system, or to the committee or a court pursuant to MHL §33.16, or to an insurance carrier insuring, or an attorney consulted by, a facility) it is considered clinical records.

(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.

(2) …the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

§164.524(a)(2)(v): an individual's access may be denied if the PHI was obtained from someone other than a health care provider under a promise of confidentiality….

§164.524(a)(1) excludes the following from access by an individual:

(i) Psychotherapy notes;

(ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; and

(iii) Protected health information maintained by a covered entity that is:

(A) Subject to the Clinical Laboratory Improvements Amendments of 1988 to the extent the provision of access to the individual would be prohibited by law; or

(B) Exempt from the Clinical Laboratory Improvements Amendments of 1988.

65 Fed. Reg. 82605, 82606 (December 28, 2000): peer review or other quality assurance files which are used only to improve patient care at the facility, and not to make decisions about individuals, are not part of that facility's designated record set.

MHL §33.16(a)(5): Patient or client means an individual concerning whom a clinical record is maintained or possessed by a facility as defined in paragraph 3 of this subdivision.

MHL §33.16(a)(6): Qualified person means (1) any properly identified patient or client; (2) guardian of a mentally retarded or developmentall disabled person; (3) committee for an incompetent; (4) parent of an infant; (5) guardian of an infant; or (6) a prent, spouse, or adult child of an adult patient or client who may be entitled to request access to a clinical record pursuant to MHL §33.16(b)(4).

§164.502(g) (1) :A "personal representative" can fulfill the role of the individual about whom PHI pertains; (2) If, under applicable law, a person has authority to act on behalf of an individual who is an adult or an emancipated minor im making decisions related to health care, a covered entity must treat such person as a personal representative with respect to PHI relevant to such personal representation.

MHL §33.16(b)(1): Upon the written request of any patient/client (or other qualified person) a facility shall provide an opportunity within 10 days for that individual to inspect any clinical record concerning or relating to the examination or treatment of that individual in the possession of such facility (subject to applicable access conditions or limitations)

§164.524(b)(2): The covered entity must act on a request for access no later than 30 days after receipt of the request.

1. With regard to the type of information for which a patient can request access, State law and HIPAA are similar.

2. State law prevails with regard to timelines in which a covered entity must act on a request for access; State law requires that such action within a 10 day period and HIPAA permits 30 days; thus, State law prevails here.

3. State law does not include a requirement for patients to be advised of the need to make written requests for access; HIPAA prevails in this regard.

4. State law is more stringent than HIPAA in that it does not limit access to psychotherapy notes; however, it must be noted, that in the State operated and licensed NYS mental health system, the presence of any information that would constitute "psychotherapy notes" does not, as a practical matter, exist since by regulation, all information from which decisions are to be made about a patient must be included in the patient's clinical record.

MHL §33.16(b)(2): Upon the written request of a committee for an incompetent or guardian of the person of a mentally retarded or developmentally disabled person …. a facility shall provide an opportunity within 10 days for that individual to inspect any clinical record concerning or relating to the examination or treatment of that individual in the possession of such facility. Provided, however, in the case of any guardian to inspect the clinical record concerning a client 18 years of age or older, the facility shall notify the client of such request.

§164.524(b)(2): The covered entity must act on a request for access no later than 30 days after receipt of the request.

1. With regard to the type of information for which a committee/guardian can request access, State law and HIPAA are similar.

2. State law prevails with regard to timelines in which a covered entity must act on a request for access; State law requires that such action within a 10 day period and HIPAA permits 30 days; thus, State law prevails here.

3. State law does not include a requirement for patients to be advised of the need to make written requests for access; HIPAA prevails in this regard.

4. HIPAA does not require an individual be notified if a personal representative requests access to his/her record; State law does. In this regard, State law is more stringent and thus prevails.

5. State law is more stringent than HIPAA in that it does not limit access to psychotherapy notes; however, it must be noted, that in the State operated and licensed NYS mental health system, the presence of any information that would constitute "psychotherapy notes" does not, as a practical matter, exist since by regulation, all information from which decisions are to be made about a patient must be included in the patient's clinical record.

MHL §33.16(b)(3): Upon the written request of a parent of an infant or guardian of an infant…. a facility shall provide an opportunity within 10 days for that individual to inspect any clinical record concerning or relating to the examination or treatment of that individual in the possession of such facility. Provided, however,that such parent or guardian shall not be entitled to inspect or make copies of any clinical record concerning the care and treatment of an infant where the treating practitioner determines that access to the information requested by such person would have a detrimental effect on the practitioner's professional relationship with the infant, or the care and treatment of the infant or on the infant's relationship with his/her parent or guardian.

§164.524(b)(2): The covered entity must act on a request for access no later than 30 days after receipt of the request.

§164.524(a)(3)(iii) A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed in the following circumstances: (iii) The request for access is made by the individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.

1. With regard to the type of information for which a parent/guardian of an infant can request access, State law and HIPAA are similar.

2. State law prevails with regard to timelines in which a covered entity must act on a request for access; State law requires that such action within a 10 day period and HIPAA permits 30 days; thus, State law prevails here.

3. State law does not include a requirement for patients to be advised of the need to make written requests for access; HIPAA prevails in this regard.

4. State law and HIPAA are consistent in that both permit denial of access in the case of likelihood to cause harm to the individual or another person. State law permits review of such denials via MHL §33.16 (c)(4). Hence, State law is not contrary to HIPAA and State law prevails.

5. State law is more stringent than HIPAA in that it does not limit access to psychotherapy notes; however, it must be noted, that in the State operated and licensed NYS mental health system, the presence of any information that would constitute "psychotherapy notes" does not, as a practical matter, exist since by regulation, all information from which decisions are to be made about a patient must be included in the patient's clinical record.

MHL §33.16(b)(4): Upon the written request of a parent of an adult patient, or spouse or adult child of a patient,…. a facility shall provide an opportunity within 10 days for that individual to inspect any clinical record concerning or relating to the examination or treatment of that individual, which the parent, spouse or child is authorized by law to provide consent or is being requested to provide such consent, in the possession of such facility. Provided, however, that such parent, spouse, or child shall not be entitled to inspect or make copies of any clinical record concerning the care and treatment of an individual where the treating practitioner determines that access to the information requested by such person would have a detrimental effect on the practitioner's professional relationship with the individual, or the care and treatment of the individual or on the individual's relationship with his/her parent, spouse, or child. Any inspection shall be limited to that information which is relevant in light of the reason for such inspection.

§164.524(b)(1): The covered entity must permit an individual to request access to inspect or obtain a copy of the PHI about the individual that is maintained in a designated record set. The covered entity may require individuals to make requests for access in writing, provided that it informs individuals of such a requirement.

§164.524(b)(2): The covered entity must act on a request for access no later than 30 days after receipt of the request.

§164.524(a)(3)(iii) A covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed in the following circumstances: (iii) The request for access is made by the individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.

1. With regard to the type of information for which a parent, spouse, child can request access, State law and HIPAA are similar.

2. State law prevails with regard to timelines in which a covered entity must act on a request for access; State law requires that such action within a 10 day period and HIPAA permits 30 days; thus, State law prevails here.

3. HIPAA and State law are consistent in terms of permitting parents of adult patients, or their spouse or adult child to request access in that State law only permits such access if such person is authorized by law to consent to treatment (i.e., is authorized to make health care decisions for the individual, as is required by HIPAA).

4. State law and HIPAA are consistent in that both permit denial of access in the case of likelihood to cause harm to the individual or another person. State law permits review of such denials via MHL §33.16 (c)(4). Hence, State law is not contrary to HIPAA and State law prevails.

5. HIPAA does not limit access to records by personal representatives to that which is relevant in light of the reason for inspection, as does State law in this subdivision. HIPAA indicates that for purposes of access, personal representatives "stand in the shoes" of individuals; therefore, it is reasonable to conclude that to the extent that a personal representative is requesting disclosure of information on behalf of a patient, and for the same purpose and to the same extent that the patient would do so, State law and HIPAA are consistent and State law prevails.

6. State law is more stringent than HIPAA in that it does not limit access to psychotherapy notes; however, it must be noted, that in the State operated and licensed NYS mental health system, the presence of any information that would constitute "psychotherapy notes" does not, as a practical matter, exist since by regulation, all information from which decisions are to be made about a patient must be included in the patient's clinical record.

MHL §33.16(b)(5)

A facility shall furnish, upon the written request of a qualified person, within a reasonable time, a copy of any clinical record requested which the person is authorized to inspect.

§164.524(c)(1): The covered entity must provide the access requested by individuals, including inspection or obtaining a copy, or both, of the PHI about them in designated record sets.

(c)(2)(i): The covered entity must provide the individual with access to the PHI in the form or format requested by the individual, if it is readily producible in such form or format; if not, a readable hard copy form or such other form or format as agreed to by the covered entity and the individual.

1. As a technical matter, State law is actually more stringent on its face since it does not limit access to psychotherapy notes; however, it must be noted, that in the State operated and licensed NYS mental health system, the presence of any information that would constitute "psychotherapy notes" does not, as a practical matter, exist since by regulation, all information from which decisions are to be made about a patient must be included in the patient's clinical record.

2. Unless the facility has previously notified the qualified person that his/her request for access must be in writing, restricting actionable requests to written ones is contrary to HIPAA; hence this provision of State law would be preempted.

3. State law provisions which leave as the only option for providing access as via a copy of the information is inconsistent with HIPAA's provisions authorizing individuals to dictate the form or format of their PHI, if readily producible as such. Therefore, this provision of HIPAA also prevails.

MHL §33.16(b)(6) (a) The facility may impose a reasonable charge for all inspections and copies; i.e., a maximum of 75 ¢ per page. A qualified person shall not be denied access to the clinical record solely because of inability to pay.

(b) …for copies requested by an attorney or another person or insurer representing or acting on behalf of the patient or his/her estate, the provider may impose a reasonable charge for all inspections and copies, not to exceed the costs incurred by such provider, however, the reasonable charge for paper copies shall not exceed 1 per page for paper copies and 2 per page for microfilm or microfiche copies.

MHL §33.16(b)(7)

A facility may place reasonable limitations on the time, place, and frequency of any inspection of clinical records.

MHL §33.16(b)(8)

A treating practitioner may request the opportunity to review the patient information with the qualified person requesting such information, but such review shall not be a prerequisite for furnishing the record.

MHL §33.16(b)(9): A facility may make available for inspection either the original or a copy of the clinical records.

(c)(2)(i): The covered entity must provide the individual with access to the PHI in the form or format requested by the individual, if it is readily producible in such form or format; if not, a readable hard copy form or such other form or format as agreed to by the covered entity and the individual.

Additionally, State law is silent with regard to authorizing individuals to dictate the form or format of their PHI, if readily producible as such. Therefore, this provision of HIPAA also prevails.

MHL §33.16(c)(1): Upon the written request by a qualified person to inspect or copy the clinical record maintained by a facility, the facility shall inform the treating practitioner of the request. The treating practitioner may review the information requested. Unless the treating practitioner determines that the requested review of the clinical record can reasonably be expected to cause substantial and identifiable harm to the patient or others that would outweigh the qualified person's right of access, review of such record shall be permitted or copies provided.

§164.524(a)(3) Reviewable grounds for denial: A covered entity may deny an individual access, but must be given a right to have such denials reviewed in 3 circumstances (i) when access would be reasonably likely to endanger the life or physical safety of the individual or another person; (ii) when the PHI makes reference to another person and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or (iii) the request for access is made by the individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.

re: (a)(3)(iii) Preamble: Under this reason for denial, covered entities may not deny access on the basis of the sensitivity of the health information or the potential for causing emotional or psychological harm.

MHL §33.16(c)(2): A patient over the age of 12 may be notified of any request by a qualified person to review his/her record and if the patient objects to disclosure, the facility, in consultation with the practitioner, may deny the request.

MHL §33.16(c)(3): If, after consideration of all the attendant facts and circumstances, the practitioner/treating practitioner determines that the requested review of all or part of the clinical record can reasonably be expected to cause substantial and identifiable harm to the patient or others, or would have a detrimental effect, the facility may deny access to all or part of the record and may grant access to a prepared summary of the record. In making such determination, the practitioner/treating practitioner may consider, among other things, the following: (1) the need for, and the fact of, continuing care & treatment; (2) the extent to which the knowledge of the information contained in the clinical record may be harmful to the health and safety of the patient or others; (3) the extent to which the clinical record contains sensitive information disclosed in confidence to the practitioner/treating practitioner by family members, friends, and other persons, (4) the extent to which the clinical record contains sensitive information disclosed in confidence to the practitioner/treating practitioner by the patient which would be injurious to the patient's relationships with other persons except where the patient is requesting information about him/herself; and (5) in the case of a minor making a request for access, the age of the patient.

§164.524(a)(3) Reviewable grounds for denial: A covered entity may deny an individual access, but must be given a right to have such denials reviewed in 3 circumstances (i) when access would be reasonably likely to endanger the life or physical safety of the individual or another person; (ii) when the PHI makes reference to another person and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or (iii) the request for access is made by the individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.

re: (a)(3)(iii) Preamble: Under this reason for denial, covered entities may not deny access on the basis of the sensitivity of the health information or the potential for causing emotional or psychological harm.

1. In cases where HIPAA would allow a denial of access yet State law permits a summary rather than a complete denial, State law is more stringent and prevails.

2. To the extent that the qualified person is a parent or guardian of an infant, or a parent, spouse, or adult child of an adult patient who is authorized by law to make health decisions for the patient State law is not preempted.

3. However, to the extent that the request is being made by the patient and there is no possibility of a threat to the life or physical safety of the patient or others, (unless the patient is an inmate, e.g., a person committed to a psychiatric institution via criminal court order) HIPAA is more stringent than State law in that it provides a greater right of access to the patient. Hence, in this circumstance, State law would be preempted.

*Note: In cases where a treating practitioner/practitioner believes there is a substantial threat to the emotional health of the patient, it would not be contrary to HIPAA if the patient consents to waive access to certain parts of, or temporarily delay his/her access, to the records.

MHL §33.16(c)(4): In the event of a denial of access, the qualified person shall be informed by the facility of such denial, and of the qualified person's right to obtain, without cost, a review of the denial by the appropriate clinical record access review committee.

If such a review is requested, the facility will, within 10 days of its receipt thereof, transmit the record to the chairman of the appropriate committee with a statement indicating why access was denied. After an in camera review, and after providing all parties an opportunity to be heard, the committee shall promptly make a determination whether review of the records is likely to cause substantial and identifiable harm to the patient or others which outweighs the qualified person's right of access, or whether the requested review would have a detrimental effect (as defined in subdivision (b) of this section). If the committee determines the request for access should be granted, the committee shall notify all parties and the access shall be granted.

§164.524(d)(4): If the individual has requested a review of a denial, the covered entity must designate a licensed health care professional, who was not directly involved in the denial to review the decision to deny access. The covered entity must promptly refer a request for review to such designated reviewing official. The designating reviewing official must determine, within a reasonable period of time, whether or not to deny the access requested. The covered entity must promptly provide written notice to the individual of the determination of the designated reviewing official and take other action as required to carry out the designated reviewing official's determination.

1. Under State law, review is done without cost to the patient; HIPAA is silent on this point. As to this provision, State law prevails as it provides more rights/greater access to PHI to the individual.

2. State law is more stringent with regard to putting a time limit of 10 days within which to facilitate review; HIPAA merely sets a general obligation to do so "promptly." Hence, State law prevails here.

3. State law provisions which require that the information and a statement setting forth the reasons why access was denied permit the reviewing entity to be privy to a greater pool of information than does HIPAA, which merely requires that the request be referred. Furthermore, State law allows all parties to be heard and requires in camera review of materials; HIPAA is silent with regard to due process requirements. These provisions could facilitate an individual's greater access to information, and therefore these State law provisions prevail.

4. State law requires that a written decision by the review committee be given promptly. HIPAA indicates the decision must be given in a reasonable period of time, and does not indicate the decision must be given in writing. While HIPAA indicates the individual is to be promptly notified of the decision and State law is silent on this point, the requirement for the written decision to be "given promptly," can reasonably be interpreted to mean that the individual is to be promptly notified. Therefore, these provisions do not appear inconsistent and State law is not preempted.

5. HIPAA requires that the individual be notified of the decision; State law requires all parties to be so notified. Inasmuch as it is possible for a covered entity to comply with both provisions, State law is not preempted.

6. State law requires that if access is granted, the provider must grant access. HIPAA required the covered entity to take action to carry out the determination; these provisions are consistent and State law is not preempted.

MHL §33.16(c)(5): If, after review by the clinical access committee, access is denied in whole or part, the committee shall notify the person of his/her right to seek judicial review of the determination. Within 30 days of receiving notification of the decision, the qualified person may commence, upon notice, a special proceeding in supreme court for a judgment requiring the provider to make the record available for inspection/copying. The court, upon such application and in camera review (including the determination and record of the committee), and after providing all parties an opportunity to be heard, shall determine if a reasonable basis exists for denial of access. The relief shall be limited to a judgment requiring the facility to make the records available to the qualified person for inspection/copying.

MHL §33.16(d): The Commissioners of OMH, OMRDD , and OASAS must appoint clinical record access review committees to hear appeals of the denial of access to patient records as provided for in subdivision (c) of this section. Members of the committees must be appointed by the respective Commissioners. The Committees shall consist of no fewer than 3, nor no more than 5, persons. The Commissioners must promulgate rules and regulations to effect this section.

14 NYCRR §633.4(a)(10)(ii): The Clinical Access Review Committee shall consist of an OMRDD attorney; an OMRDD practitioner, and a representative of the voluntary provider agency community. The chairperson shall be an OMRDD attorney, and requests for review of denial of access shall be addressed to the Office of Counsel for OMRDD .

Note, however, that OMRDD regulations are preempted by HIPAA because its specification of the composition of its Clinical Access Review Committees is inconsistent with HIPAA. OMH and OASAS may wish to develop regulations which properly reflect HIPAA to ensure State law is consistently interpreted.

MHL §33.16(f): Whenever federal law or applicable federal regulations restrict, or as a condition of federal aid require, that the release of clinical records or information be more restrictive than is provided under this section, the provisions of federal law or federal regulation shall be controlling.

MHL §33.16(g): A qualified person may challenge the accuracy of information maintained in the clinical record and may require that a brief written statement prepared by him/her concerning the challenged information be inserted into the clinical record. This statement shall become a permanent part of the record and shall be released whenever the clinical record at issue is released. This subdivision shall apply only to factual statements and shall not include a provider's observations, inferences or conclusions. A facility may place reasonable restrictions on the time and frequency of any challenges to accuracy.

(ii) The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or

(iii) Used, in whole or in part, by or for the covered entity to make decisions about individuals.

(2) …the term record means any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity.

§164.526(a)(1),(2): (1) An individual has the right to have a covered entity amend PHI or a record about the individual in a designated record set for as long as the PHI is maintained in the designated record set.

(2) Denial of amendment. A covered entity may deny an individual's request for amendment if it determines the PHI or record…(1) was not created by the covered entity, unless the individual provides a reasonable basis to believe that the originator of the PHI is no longer available to act on the requested amendment; (2) is not part of the designated record set; (3) would not be available for inspection under the access provision; or (4) is accurate and complete.

Preamble: Many commenters strongly encouraged the Secretary to adopt "appendment" rather than "amendment and correction" procedures. They argued that the term "correction" implies a deletion of information….appendment rather than correction procedures will ensure the integrity of the medical record and allow subsequent health care providers access to the original information as well as the appended information……We agree…..we have revised the rule..in order to clarify that covered entities are not required by this rule to delete any information from the designated record set. We do not intend to alter medical record retention laws or current practice, except to require covered entities to append information as requested to ensure that a record is accurate and complete. (p. 82736:1)

1. Right to amend: Not preempted. A State law would be preempted if more greatly restricted the right of amendment than does HIPAA. The State statute permits challenges to accuracy by "qualified persons," similar to the HIPAA provisions permitting amendment by "individuals," which term includes "personal representatives." Further, both laws permit "appending" to records, rather than deleting/correcting records. State law ensures the amended information is protected to the same degree as the clinical record, consistent with HIPAA provisions. Under State law, "challenging the accuracy of information" is the functional equivalent of amending.

2. Timely action by covered entity: State law does not contain time requirements for responding to requests for amendment/challenge to accuracy. Therefore, the time requirements in HIPAA should be referred to as an outside parameter within which a response should be provided.

3. Making the amendment. State law contains no comparable provisions; hence, HIPAA applies.

4. Informing the individual. State law contains no comparable provisions; hence, HIPAA applies.

5. Informing others. State law contains no comparable provisions; hence, HIPAA applies.

6. Denial. State law contains no comparable provisions; hence, HIPAA applies.

7. Statement of disagreement. State law contains no comparable provisions regarding statements of disagreement with amendment denials; hence, HIPAA applies.

8. Rebuttal Statement. State law contains no comparable provisions; hence, HIPAA applies.

9. Recordkeeping. State law contains no comparable provisions; hence, HIPAA applies.

10. Future Disclosures: State law contains no comparable provisions; hence, HIPAA applies.

11. Actions on Notices of Amendments. State law contains no comparable provisions; hence, HIPAA applies.

12. Documentation: State law contains no comparable provisions; hence, HIPAA applies.

§164.526(c)(1): Making the amendment. The covered entity must make the appropriate amendment to the PHI or record that is the subject of the request, by, at a minimum, identifying the records in the designated record set that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.

§164.526(c)(2): Informing the individual. The covered entity must timely inform the individual that the amendment is accepted and obtain the individual's identification of and agreement to have the covered entity notify relevant persons with whom the amendment needs to be shared.

§164.526(c)(3): Informing others. The covered entity must make reasonable efforts to inform and provide the amendment within a reasonable time to persons identified by the individual as having received PHI abut the individual and needing the amendment, and persons, including business associates, that the covered entity knows have the PHI which is the subject of the amendment and that may have relied or could forseeably rely, on such information to the detriment of the individual.

§164.526(d)(1): Denial. The covered entity must provide the individual with a timely, written denial. The denial must be in plain language and contain: () the basis for the denial, (2) the individual's right to submit a written statement of disagreement, and how to file such a statement; (3) a statement that, if the individual does not submit a statement of disagreement, the individual may request that the covered entity provide the individual's request for amendment and the denial with any future disclosures of the PHI; and (4) the covered entity's complaint procedures or how to file a complaint with the Secretary under HIPAA.

§164.526(d)(2): Statement of disagreement: The covered entity must permit the individual to submit to the covered entity a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. The covered entity may reasonably limit the length of a statement or disagreement.

§164.526(d)(3) Rebuttal statement. The covered entity may prepare a written rebuttal to the individual's statement of disagreement and provide a copy of such written rebuttal to the individual.

§164.526(d)(4): Recordkeeping. The covered entity must, as appropriate, identify the record or PHI in the designated record set that is the subject of the disputed amendment and append or otherwise link the individual's request for an amendment, the denial of the request, the statement of disagreement, if any, and the rebuttal statement, if any, to the designated record set.

§164.526(d)(5) Future disclosures. If a statement of disagreement has been submitted by the individual, the covered entity must include the material appended, or at the election of the covered entity, a summary of any such information, with any subsequent disclosure of the PHI to which the disagreement relates. If the individual has not submitted a written statement of disagreement, the covered entity must include the individual's request for amendment and its denial, or an accurate summary of such information, with subsequent disclosure of the PHI only if the individual has properly requested such action. When a subsequent disclosure is made using a standard transaction (as defined in 45 CFR Part 162) that does not permit the additional material to be included with the disclosure, the covered entity may separately transmit the material required, as applicable, to the recipient of the standard transaction.

§164.526(e) Actions on Notices of Amendments. A covered entity that is informed by another covered entity of an amendment to the individual's PHI must amend the individual's PHI in the designated record set.

§164.526(f): Documentation. A covered entity must document titles of the persons/offices responsible for receiving and processing requests for amendments by individuals and retain the documentation according to the requirements of HIPAA.

MHL §33.16(i): Nothing contained in this section shall restrict, expand, or in any way limit the disclosure of any information pursuant to articles 23, 31, and 45 of the Civil Practice Law and Rules or Section 677 of the County Law.

§164.512(e): PHI can be released w/out patient consent in the course of any judicial or administrative proceeding(1)in response to an order of a court or administrative tribunal, provided release is limited to that PHI expressly authorized in the order; or(2) in response to a subpoena, discovery request, or other lawful process if the covered entity has made reasonable efforts to give the patient notice of the request or the covered entity is assured that reasonable efforts have been made to secure a qualified protective order. (p.82814: 3)

§160.103: Covered entity means: (1) a health plan; (2) a health care clearinghouse; (3) a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

(c) …The mental health practitioner shall fully document the reasons for his/her determinations. Such documentation shall be included in the minor's clinical record….As clinically appropriate, notice of a determination made pursuant to subparagraph (iii) of paragraph 3 of this subdivision shall be provided to the parent/guardian.

Recently Adopted Amendments:

§164.502: (g)(1)(ii) Implementation specification: unemancipated minors…(A).A covered entity may disclose PHI about an unemancipated minor to a parent, guardian, or other person acting in loco parentis if the applicable provision of State law or other law, including applicable case law, permits or requires such disclosure, and (B) a covered entity may not disclose PHI about about an unemancipated minor to a parent, guardian, or other person acting in loco parentis if the applicable provision of State law or other law, including applicable case law, prohibits such disclosure.

Note: Recent amendments eliminate this requirement.

§164.506(c):(1) A covered entity may use/disclose PHI for its own treatment, payment, or health care operations. (2) A covered entity may disclose PHI for treatment activities of a health care provider. (3) A covered entity may disclose PHI to another covered entity or health care provider for the payment activities of the entity that receives the information…. revised 8/02