U.S Code last checked for updates: Nov 24, 2024
§ 290dd–2.
Confidentiality of records
(a)
Requirement
(b)
Permitted disclosure
(1)
Consent
The following shall apply with respect to the contents of any record referred to in subsection (a):
(A)
Such contents may be used or disclosed in accordance with the prior written consent of the patient with respect to whom such record is maintained.
(B)
Once prior written consent of the patient has been obtained, such contents may be used or disclosed by a covered entity, business associate, or a program subject to this section for purposes of treatment, payment, and health care operations as permitted by the HIPAA regulations. Any information so disclosed may then be redisclosed in accordance with the HIPAA regulations. Section 17935(c) of this title shall apply to all disclosures pursuant to subsection (b)(1) of this section.
(C)
It shall be permissible for a patient’s prior written consent to be given once for all such future uses or disclosures for purposes of treatment, payment, and health care operations, until such time as the patient revokes such consent in writing.
(D)
Section 17935(a) of this title shall apply to all disclosures pursuant to subsection (b)(1) of this section.
(2)
Method for disclosure
Whether or not the patient, with respect to whom any given record referred to in subsection (a) is maintained, gives written consent, the content of such record may be disclosed as follows:
(A)
To medical personnel to the extent necessary to meet a bona fide medical emergency.
(B)
To qualified personnel for the purpose of conducting scientific research, management audits, financial audits, or program evaluation, but such personnel may not identify, directly or indirectly, any individual patient in any report of such research, audit, or evaluation, or otherwise disclose patient identities in any manner.
(C)
If authorized by an appropriate order of a court of competent jurisdiction granted after application showing good cause therefor, including the need to avert a substantial risk of death or serious bodily harm. In assessing good cause the court shall weigh the public interest and the need for disclosure against the injury to the patient, to the physician-patient relationship, and to the treatment services. Upon the granting of such order, the court, in determining the extent to which any disclosure of all or any part of any record is necessary, shall impose appropriate safeguards against unauthorized disclosure.
(D)
To a public health authority, so long as such content meets the standards established in section 164.514(b) of title 45, Code of Federal Regulations (or successor regulations) for creating de-identified information.
(c)
Use of records in criminal, civil, or administrative contexts
Except as otherwise authorized by a court order under subsection (b)(2)(C) or by the consent of the patient, a record referred to in subsection (a), or testimony relaying the information contained therein, may not be disclosed or used in any civil, criminal, administrative, or legislative proceedings conducted by any Federal, State, or local authority, against a patient, including with respect to the following activities:
(1)
Such record or testimony shall not be entered into evidence in any criminal prosecution or civil action before a Federal or State court.
(2)
Such record or testimony shall not form part of the record for decision or otherwise be taken into account in any proceeding before a Federal, State, or local agency.
(3)
Such record or testimony shall not be used by any Federal, State, or local agency for a law enforcement purpose or to conduct any law enforcement investigation.
(4)
Such record or testimony shall not be used in any application for a warrant.
(d)
Application
(e)
Nonapplicability
The prohibitions of this section do not apply to any interchange of records—
(1)
within the Uniformed Services or within those components of the Department of Veterans Affairs furnishing health care to veterans; or
(2)
between such components and the Uniformed Services.
The prohibitions of this section do not apply to the reporting under State law of incidents of suspected child abuse and neglect to the appropriate State or local authorities.
(f)
Penalties
The provisions of sections 1176 and 1177 of the Social Security Act [42 U.S.C. 1320d–5, 1320d–6] shall apply to a violation of this section to the extent and in the same manner as such provisions apply to a violation of part C of title XI of such Act [42 U.S.C. 1320d et seq.]. In applying the previous sentence—
(1)
the reference to “this subsection” in subsection (a)(2) of such section 1176 shall be treated as a reference to “this subsection (including as applied pursuant to section 290dd–2(f) of this title)”; and
(2)
in subsection (b) of such section 1176—
(A)
each reference to “a penalty imposed under subsection (a)” shall be treated as a reference to “a penalty imposed under subsection (a) (including as applied pursuant to section 290dd–2(f) of this title)”; and
(B)
each reference to “no damages obtained under subsection (d)” shall be treated as a reference to “no damages obtained under subsection (d) (including as applied pursuant to section 290dd–2(f) of this title)”.
(g)
Regulations
(h)
Application to Department of Veterans Affairs
(i)
Antidiscrimination
(1)
In general
No entity shall discriminate against an individual on the basis of information received by such entity pursuant to an inadvertent or intentional disclosure of records, or information contained in records, described in subsection (a) in—
(A)
admission, access to, or treatment for health care;
(B)
hiring, firing, or terms of employment, or receipt of worker’s compensation;
(C)
the sale, rental, or continued rental of housing;
(D)
access to Federal, State, or local courts; or
(E)
access to, approval of, or maintenance of social services and benefits provided or funded by Federal, State, or local governments.
(2)
Recipients of Federal funds
(j)
Notification in case of breach
(k)
Definitions
For purposes of this section:
(1)
Breach
(2)
Business associate
(3)
Covered entity
(4)
Health care operations
(5)
HIPAA regulations
(6)
Payment
(7)
Public health authority
(8)
Treatment
(9)
Unsecured protected health information
(July 1, 1944, ch. 373, title V, § 543, formerly Pub. L. 91–616, title III, § 321, Dec. 31, 1970, 84 Stat. 1852, as amended Pub. L. 93–282, title I, § 121(a), May 14, 1974, 88 Stat. 130; Pub. L. 94–371, § 11(a), (b), July 26, 1976, 90 Stat. 1041; Pub. L. 94–581, title I, § 111(c)(1), Oct. 21, 1976, 90 Stat. 2852; renumbered § 522 of act July 1, 1944, and amended Pub. L. 98–24, § 2(b)(13), Apr. 26, 1983, 97 Stat. 181; renumbered § 543, Pub. L. 100–77, title VI, § 611(2), July 22, 1987, 101 Stat. 516; Pub. L. 102–321, title I, § 131, July 10, 1992, 106 Stat. 368; Pub. L. 102–405, title III, § 302(e)(1), Oct. 9, 1992, 106 Stat. 1985; Pub. L. 105–392, title IV, § 402(c), Nov. 13, 1998, 112 Stat. 3588; Pub. L. 116–136, div. A, title III, § 3221(a)–(h), Mar. 27, 2020, 134 Stat. 375–378.)
cite as: 42 USC 290dd-2