May a covered entity disclose protected health information to a Protection and Advocacy system where the disclosure is required by law?
Yes. The Privacy Rule permits a covered entity to disclose protected health information (PHI) without the authorization of the individual to a state-designated Protection and Advocacy (P&A) system to the extent that such disclosure is required by law and the disclosure complies with the requirements of that law. 45 CFR 164.512(a). The Developmental Disabilities Assistance and Bill of Rights Act (DD Act) provides for each state to designate a public or private entity as the Protection and Advocacy system to protect and advocate for the rights of individuals with developmental disabilities, including investigating incidents of abuse or neglect. The P&A designated pursuant to the DD Act is also the Protection and Advocacy system for purposes of the Protection and Advocacy for Individuals with Mental Illness Act (PAIMI Act) and is empowered to protect and advocate for the rights of individuals with mental illness. These statutes and their implementing regulations require that access to records be provided to P&As under certain circumstances. See the DD Act at 42 USCA 15043(a)(2)(I) and (J) and the PAIMI Act at 42 USCA 10805(a)(4), and their implementing regulations at 45 CFR 1386.22 and 42 CFR 51.41, respectively. Thus, a covered entity may disclose PHI as required by the DD and PAIMI Acts to P&As requesting access to such records in carrying out their protection and advocacy functions under these Acts. Similarly, covered entities may disclose PHI to P&As where another federal, state or other law mandates such disclosures, consistent with the requirements in such law. Where disclosures are required by law, the Privacy Rule’s minimum necessary standard does not apply, since the law requiring the disclosure will establish the limits on what should be disclosed. Moreover, with respect to required by law disclosures, a covered entity cannot use the Privacy Rule as a reason not to comply with its other legal obligations.
Section 164.512(a)(2) provides that in making a “required by law” disclosure about adult abuse, neglect or domestic violence (section 164.512(c)), for judicial or administrative proceedings (section 164.512(e)), or for law enforcement purposes (section 164.512(f)), covered entities must also comply with any additional privacy requirements in these provisions that apply. However, none of the additional procedural protections in sections 164.512(c), (e) and (f) apply to the type of “required by law” disclosures to P&As under the provisions of the DD and PAIMI Acts discussed here.