Privacy and Security
Administrative Policies, Legal Occurrences
Current Effective Date:
2/1/16, 5/1/05, 11/15/15
Original Effective Date:
There are situations where Health Care organizations are required to use and/or disclose individually identifiable health information to an outside source. Client authorization is not required for these uses and disclosures. These situations shall be identified in this policy as “legal occurrences.” This includes disclosing individually identifiable health information when responding to judicial and administrative proceedings, court orders (including protective orders), subpoenas, law enforcement, and other legal mandates.
North Carolina (NC) law requires that certain individuals receive confidential information or records, upon demand; however, there may be federal laws that supersede the state requirements such as the federal Substance Abuse Regulations. The HIPAA requires agencies to verify the identity and authority of individuals requesting individually identifying health information prior to releasing such information to them. Examples of individuals and groups who may need individually identifiable health information include:
NC law also requires that individually identifiable health information be released in the following circumstances:
DHHS agencies shall use or disclose individually identifiable health information as “required by law” wherein a federal, state, tribal, or local law compels an agency to make a use or disclosure of confidential information and that is enforceable in a court of law such as:
All uses and disclosures of confidential information that are required by law must comply with and be limited to the requirements of the applicable law.
Each DHHS agency shall review other state and federal laws with which the agency must comply to determine if any provision of state law is contrary to a requirement of the HIPAA Privacy Rule. Such review is entitled “preemption analysis” and shall be conducted on a provision-by-provision basis of each state and federal law. If a state law relating to the privacy of individually identifiable health information is more stringent than a privacy regulation, state law shall not be preempted, thus providing greater privacy protections for a client.
As a rule, DHHS agencies shall not disclose individually identifiable health information without first obtaining written authorization from the client who is the subject of the request or the client’s personal representative, unless there is a court order that requires disclosure of confidential information. This rule applies when responding to:
Any administrative investigator or prosecutor, including investigators of Medicaid fraud that are not expressly authorized by federal or state law, must present a court order before an agency may disclose individually identifiable health information.
There are various legal occurrences when DHHS agencies may disclose individually identifiable health information without authorization. These instances include:
Each DHHS agency shall identify all of the state and federal laws and regulations that apply to that agency’s components and shall review the requirements for using and disclosing individually identifiable health information. Agencies shall determine which law/regulation is more stringent and provides the most protections for the confidential information maintained on the agency’s clients such as laws that:
Preemption analysis may be limited to those provisions in laws and regulations that apply to the use and disclosure of individually identifiable health information maintained by HIPAA covered health care components.
There may be instances where a client may be involved in a legal proceeding, either conducted by a court of law or a government agency. In such proceedings attorneys, judges and others involved with the proceeding may contact a DHHS agency to access a client’s individually identifiable health information.
When DHHS agencies receive a subpoena for individually identifiable health information, it must be determined whether the subpoena resulted from a judicial or administrative order. If a court or administrative tribunal issues the subpoena, confidential information may be disclosed without authorization. A subpoena received from any other entity must be accompanied by an authorization from the client whose individually identifiable health information is being requested or a court order to release such information.
An order issued by a judge that specifically identifies the individually identifying health information to be disclosed. Agencies must comply with court orders.
Agencies may disclose individually identifiable health information without authorization. Such disclosure is permitted by both state law and the HIPAA Privacy Rule when initiating the involuntary commitment process of an individual.
Disclosure of individually identifiable health information without authorization is permitted by both state law and the HIPAA Privacy Rule when initiating incompetency status.
Commitment Hearings and Rehearings
Agencies must provide certified copies of written results of examinations by physicians and records in cases of clients voluntarily admitted or involuntarily committed to the client’s counsel, the attorney representing the state’s interest, and the court in district or superior court hearings. Individually identifiable health information shall be preserved in all matters except those pertaining to the necessity for admission or for continued stay in a DHHS facility or commitment under review. The relevance of health information for which disclosure is sought shall be determined by the court with jurisdiction over the matter.
Forensic Clients - Court Ordered Exam
Agencies may send the results or the report of a client’s mental examination to the clerk of court, to the district attorney or prosecuting officer, and to the attorney for the defendant when a mental examination has been ordered by the court.
Reporting Child Abuse or Neglect
Agencies are required to report child abuse and neglect. When reporting child abuse or neglect cases, demographic data and information relative to the suspected abuse or neglect may be reported without authorization to the DHHS Department of Social Services.
(NOTE: The federal substance abuse regulations exception allowing programs to comply with mandatory child abuse reporting requirements under state law applies only to the initial reports of child abuse or neglect, and to a written confirmation of that initial report. All other reporting requires authorization from the client or the client's personal representative.)
Reporting Adult Abuse or Neglect
Agencies are required to report adult abuse and neglect, unless prohibited by federal law.
(NOTE: The federal substance abuse regulations do not address adult abuse or neglect.) When reporting adult abuse or neglect cases, demographic data and information relative to the suspected abuse or neglect may be reported without authorization.
Reporting Communicable Disease/Injuries/Danger
Agencies are required to report communicable diseases, serious wounds, and injuries. A responsible professional in the agency may disclose confidential information without authorization from the client when in the professional’s opinion there is an imminent danger to the health or safety of a client or another individual; or when there is likelihood of the commission of a felony or violent misdemeanor.
Reporting for Master Client Index
Mental Health, and Developmental Disabilities, and Substance Abuse Services (MH/DD/SAS) facilities may furnish client identifying information to DHHS for the purpose of maintaining an index of clients service in state MH/DD/SAS facilities.
DHHS agencies may receive requests for individually identifiable health information that are legally allowed in specific situations, which are listed below.
Specialized Government Functions (i.e., Law Enforcement/Secret Service/FBI)
Agencies may disclose confidential information to agents representing specialized government functions as long as the request is reasonable, the identity of the requestor is verified, and there are no laws that prohibit such disclosure.
Provide only the following protected health information when assisting law enforcement officials for the purposes of identification and location:
Next of Kin
MH/DD/SAS residential facilities may disclose the fact of admission or discharge of a client to the client’s next of kin whenever the responsible professional determines that the disclosure is in the best interest of the client; however, if the client is present or available and capable, the agency may not make such disclosure unless the client agrees, is provided an opportunity to object but expresses no objection, or the agency reasonably infers from the circumstances that the client does not object.
Internal Client Advocates (MH/DD/SAS)
An internal client advocate shall be granted, without authorization of a client or the client’s personal representative, access to routine reports and other confidential information needed to fulfill the advocate’s monitoring and advocacy functions. In this role, the advocate may re-disclose such information to the facility director or other staff who are involved in the treatment of the client.
External Client Advocates (MH/DD/SAS)/Long Term Care Ombudsmen
External client advocates and Long Term Care Ombudsmen must obtain prior written authorization from a client or the client’s personal representative before being granted access to that client’s confidential information, unless other federal laws permit access. Access to information shall be limited to that which is specified in the authorization.
Accounting of Disclosures
Agencies are required to keep a record of any paper, electronic, or verbal disclosure of individually identifiable health information made in response to the legal occurrences as specified in this policy.
For questions or clarification on any of the information contained in this policy, please contact DHHS Privacy Officer. For general questions about department-wide policies and procedures, contact the DHHS Policy Coordinator.