Uses and Disclosures of Protected Health Information
Effective: 07/01/2013
Last Updated: 04/02/2025
Responsible University Office:
Office of the Chief Privacy Officer
Responsible University Administrator:
Chief Privacy Officer
mawerlin@iu.edu
Policy Contact:
HIPAA Privacy Officer
HIPAA Security Officer
hipaa@iu.edu
This policy applies to the workforce members in the designated Indiana University (IU) HIPAA Covered Healthcare Components and Critical Health Data Areas, anyone rendering services as a Business Associate, and anyone who creates, receives, maintains, or transmits Protected Health Information (PHI) in any capacity at IU, including, but not limited to, faculty, staff, students, trainees, volunteers, visiting scholars, and third-party agents. For the purposes of this policy, all of the above will be referred to as workforce members.
Workforce members will appropriately use and disclose PHI for purposes permitted or required under the HIPAA and HITECH Acts, and other applicable rules, regulations, and laws. In some circumstances, Indiana State law may be more stringent and may preempt HIPAA.
When using or disclosing PHI or when requesting PHI from another covered entity or business associate, workforce members will make reasonable efforts to limit the PHI to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request. It is important to note: Minimum necessary does not apply to uses and disclosures for treatment purposes.
Workforce members may generally use and disclose PHI for treatment, payment, and health care operations without the individual’s authorization and without providing the individual with an opportunity to agree or object.
Workforce members may use and/or disclose PHI when permitted or required to do so by federal, state or local law. This may be done in the following circumstances without the individual’s authorization and without providing the individual an opportunity to agree or object.
A signed authorization shall be obtained from an individual before using or disclosing that individual’s PHI, unless otherwise permitted or required as described in this policy. Authorizations shall also be obtained prior to using and disclosing PHI for research purposes, except for very limited circumstances permitted by HIPAA and the IU Human Research Protection Program policy "Use of Protected Health Information (PHI) in Research."
Individuals will be given the opportunity to agree or object to the following uses/disclosures of their PHI:
The purpose of this policy is to provide guidance regarding the use and disclosure of protected health information in accordance with Indiana University’s policies and procedures and applicable state and federal laws.
Disclosure: Release, transfer, provision of access to, or divulgence in any manner of information outside the entity holding the information.
Individually Identifiable Health Information (IIHI): A subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.
Protected Health Information (PHI): Individually identifiable health information held or transmitted by a covered entity or its business associate in any form or medium, whether electronic, on paper or oral.
Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information.
See Glossary of HIPAA Related Terms for complete list of terms.
Knowledge of a violation or potential violation of this policy shall be reported in accordance with the Information and Information System Incident Reporting, Management, and Breach Notification Policy ISPP-26. Failure to comply with this policy can result in significant consequences to the individual as well as Indiana University, including violations of law, investigations, and criminal proceedings. Accordingly, individuals who violate this policy may be subject to a full range of sanctions, including disciplinary action, suspension, termination of employment and legal action.
07/01/2013 – Effective Date
01/21/2015 – Updated policy
10/13/2015 – Update to clarify Minimum Necessary, page 2, Section V.C.
08/01/2016 – Added link to Glossary & updated or removed bad links
11/10/2016 – Added links to IU policies
06/xx/2017 – Published on University policy site
12/13/2021 – Updated policy contacts and links
04/02/2025 – Updated the term "HIPAA Affected Areas" to "Critical Health Data Areas"
HIPAA Regulations
45 CFR §164.502
45 CFR §164.504
45 CFR §164.506
45 CFR §164.508
45 CFR §164.510
45 CFR §164.512
45 CFR §164.514
HITECH Regulations
42 CFR: Part 412
42 CFR: Part 413
42 CFR: Part 422
42 CFR: Part 495
45 CFR: Subtitle A Subchapter D
Related IU Policies
HIPAA-P02 – Minimum Necessary
HIPAA-P04 – IU Fundraising
IT-12 – Security of Information Technology Resources
IT-12.1 – Security of Mobile Devices