Not exact matches
-- For a
covered entity described in section 700 (13)(J), 1 emission allowance for each ton of carbon dioxide equivalent of greenhouse gas that would be emitted
from the combustion of the natural gas, and any
other gas meeting the specifications for commingling with natural gas for purposes of delivery, that such
entity delivered during the previous calendar year to customers that are not
covered entities, assuming no capture and sequestration of that greenhouse gas.
-- An employer, public accommodation, or
other entity covered under this Act shall not be excused
from compliance with the requirements of this Act because of any failure to receive technical assistance under this section, including any failure in the development or dissemination of any technical assistance manual authorized by this section.
In the event an insurer receives
from a
covered person a valid order of protection against the policyholder or
other person
covered under the policy then the insurer is prohibited, for the duration of the order,
from disclosing to the policyholder or
other person the address (including street, mailing or email addresses) and telephone number of the insured, or of any person or
entity providing
covered services to the insured.
«(C) for a natural gas local distribution company described in paragraph (13)(J), greenhouse gases that would be emitted
from the combustion of the natural gas, and any
other gas meeting the specifications for commingling with natural gas for purposes of delivery, that such
entity delivered during that calendar year to customers that are not
covered entities, assuming no capture and sequestration of that greenhouse gas.
[3] The Greenhouse House Gas Protocol categorizes direct and indirect emissions into three broad scopes: Scope 1: All direct GHG emissions; Scope 2: Indirect GHG emissions
from consumption of purchased electricity, heat or steam; and Scope 3:
Other indirect emissions, such as the extraction and production of purchased materials and fuels, transport - related activities in vehicles not owned or controlled by the reporting
entity, electricity - related activities (e.g. T&D losses) not
covered in Scope 2, outsourced activities, waste disposal, etc..
This bill would, in addition, prohibit an employer or
other covered entity from making a nonjob - related injury to, or expressing any limitation, specification, or limitation based upon a person's familial status, as defined.
In response to stakeholder concern that the current requirements for sharing patient records
covered by Part 2 deter patients
from participating in HIEs, ACOs, and
other similar organizations, SAMHSA proposes that the «to whom» section of the consent disclosure form could include a more generalized description of
entities that would be permitted to receive patient information.
The regulation does not specify the form that the program must take, but requires that it be «designed to perform the following core cybersecurity functions:» (1) identify internal and external cyber risks by, at a minimum, identifying the Nonpublic Information stored on the
Covered Entity's Information Systems, the sensitivity of such Nonpublic Information, and how and by whom such Nonpublic Information may be accessed; (2) use defensive infrastructure and the implementation of policies and procedures to protect the company's Information Systems and the Nonpublic Information stored on those Information Systems,
from unauthorized access, use or
other malicious acts; (3) detect Cybersecurity Events - which are defined broadly to include «any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on an Information System;» (4) respond to identified or detected Cybersecurity Events to mitigate any negative effects; (5) recover
from Cybersecurity Events and restore normal operations and services; and (6) fulfill all regulatory reporting obligations.
We expressed the hope that
covered entities, their business partners, and
others would make greater use of de-identified health information than they do today, when it is sufficient for the purpose, and that such practice would reduce the burden and the confidentiality concerns that result
from the use of individually identifiable health information for some of these purposes.
Others argued that
covering all individually identifiable health information would eliminate any disincentives for
covered entities to convert
from paper to computerized record systems.
Other commenters maintained that section 1179 of the Act means that the Act's privacy requirements do not apply to the request for, or the use or disclosure of, information by a
covered entity with respect to payment: (a) For transferring receivables; (b) for auditing; (c) in connection with --(i) a customer dispute; or (ii) an inquiry
from or to a customer; (d) in a communication to a customer of the
entity regarding the customer's transactions payment card, account, check, or electronic funds transfer; (e) for reporting to consumer reporting agencies; or (f) for complying with: (i) a civil or criminal subpoena; or (ii) a federal or state law regulating the
entity.
Similarly, we recognize that a
covered entity may wish to rely upon a consent, authorization, or
other express legal permission obtained
from an individual prior to the applicable compliance date of this regulation that specifically permits the
covered entity to use or disclose individually identifiable health information for activities
other than to carry out treatment, payment, or health care operations.
We proposed to prohibit
covered entities from conditioning treatment or payment on authorization for the use or disclosure of any
other protected health information (see proposed § 164.508 (a)(2)(iii)-RRB-.
Other commenters were concerned that the rule would prevent a
covered entity from using or disclosing protected health information in otherwise lawful and legitimate ways because of an intentional or inadvertent omission
from its published notice.
Other than as described below, § 164.508 (b)(3) prohibits a covered entity from acting on an authorization required under this rule that is combined with any other document, including any other written legal permission from the indivi
Other than as described below, § 164.508 (b)(3) prohibits a
covered entity from acting on an authorization required under this rule that is combined with any
other document, including any other written legal permission from the indivi
other document, including any
other written legal permission from the indivi
other written legal permission
from the individual.
Comment: We received several comments suggesting that some
covered entities should be exempted
from the notice requirement or permitted to combine notices with
other covered entities.
The process by which a
covered entity seeks agreement
from an individual to use or disclose protected health information for
other purposes, or to authorize another
covered entity to disclose protected health information to the requesting
covered entity, are termed «authorizations» and the provisions relating to them are found in § 164.508.
If the disclosure is pursuant to a satisfactory assurance
from the party seeking the disclosure, at least a good faith attempt has been made to notify the individual in writing of the disclosure before it is made or the parties have sought a qualified protective order that prohibits them
from using or disclosing the protected health information for any purpose
other than the litigation or proceeding for which the information was requested and that the information will be returned to the
covered entity or destroyed at the end of the litigation or the proceeding.
We permit a
covered entity to use or disclose protected health information for
other lawful purposes if the
entity obtains a written «authorization»
from the individual, consistent with the provisions of § 164.508.
Thus, in the final rule we provide that a
covered entity may disclose protected health information in response to a subpoena, discovery request or
other lawful process that is not accompanied by a court order if it receives satisfactory assurance
from the party seeking the request that the requesting party has made a good faith attempt to provide written notice to the individual that includes sufficient information about the litigation or proceeding to permit the individual to raise an objection to the court or administrative tribunal and that the time for the individual to raise objections has elapsed (and that none were filed or all have been resolved).
Response: Employers are not
covered entities under HIPAA, so we can not prohibit them under this rule
from undertaking these or
other activities with respect to health information.
This paragraph also stated that the Secretary would maintain the confidentiality of protected health information she collected and prohibit
covered entities from taking retaliatory action against individuals for filing complaints or for
other activities.
Notwithstanding
other sections of this subpart, the following provisions apply to use or disclosure by a
covered entity of protected health information pursuant to a consent, authorization, or
other express legal permission obtained
from an individual permitting the use or disclosure of protected health information, if the consent, authorization, or
other express legal permission was obtained
from an individual before the applicable compliance date of this subpart and does not comply with § § 164.506 or 164.508 of this subpart.
Section 164.512 (k) of the final rule states that while individuals are in a correctional facility or in the lawful custody of a law enforcement official,
covered entities (for example, the prison's clinic) can use or disclose protected health information about these individuals without authorization to the correctional facility or the law enforcement official having custody as necessary for: (1) The provision of health care to such individuals; (2) the health and safety of such individual or
other inmates; (3) the health and safety of the officers of employees of or
others at the correctional institution; and (4) the health and safety of such individuals and officers or
other persons responsible for the transporting of inmates or their transfer
from one institution or facility to another; (5) law enforcement on the premises of the correctional institution; and (6) the administration and maintenance of the safety, security, and good order of the correctional institution.
Second, with respect to abuse of persons
other than children, we allow
covered entities to refuse to treat a person as an individual's personal representative if the
covered entity believes that the individual has been subjected to domestic violence, abuse, or neglect
from the person.
We also permit
covered entities to seek authorization
from the individual for another
covered entity's use or disclosure of protected health information for these purposes, including if the
covered entity is required to do so by
other law.
In order to fall within this definition of clearinghouse, the
covered entity must perform the clearinghouse function on health information received
from some
other entity.
We proposed to prohibit
covered entities from implementing a change to an information policy or procedure described in the notice until the notice was updated to reflect the change, unless a compelling reason existed to make a use or disclosure or take
other action that the notice would not have permitted.
We believe
covered entities will rarely be faced with conflicts between consents and
other written legal permission
from the individual for uses and disclosures to carry out treatment, payment, and health care operations.
We realize that a
covered entity may wish to rely upon a consent, authorization, or
other express legal permission obtained
from an individual prior to the compliance date of this regulation which permits the use or disclosure of individually identifiable health information for activities that come within treatment, payment, or health care operations (as defined in § 164.501), but that do not meet the requirements for consents set forth in § 164.506.
(4) If, after the applicable compliance date of this subpart, a
covered entity agrees to a restriction requested by an individual under § 164.522 (a), a subsequent use or disclosure of Start Printed Page 82829protected health information that is subject to the restriction based on a consent, authorization, or
other express legal permission obtained
from an individual as given effect by paragraph (b) of this section, must comply with such restriction.
We remove «
other distinguishing characteristic»
from the list of items that may be disclosed for the location and identification purposes described in this paragraph, and instead allow
covered entities to disclose only a description of distinguishing physical characteristics, such as scars and tattoos, height, weight, gender, race, hair and eye color, and the presence or absence of facial hair such as a beard or moustache.
If a
covered entity obtained a consent, authorization, or
other express legal permission
from the individual who is the subject of the research, it would be able to rely upon that consent, authorization, or permission, consistent with any limitations it expressed, to use or disclose the protected health information it created or received prior to or after the compliance date of this regulation.
(2) A
covered entity may attempt to resolve a conflict between a consent and an authorization or
other written legal permission
from the individual described in paragraph (e)(1) of this section by:
In the proposed rule, we defined designated record set as «a group of records under the control of a
covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, or
other identifying particular assigned to the individual and which is used by the
covered entity to make decisions about the individual.»
The intent of this provision is to permit
covered entities that participate in research to bind themselves to a more limited scope of uses and disclosures for all or identified subsets of research information generated
from research that involves the delivery of treatment than it may apply to
other protected health information.
We do not attempt to directly regulate employers or
other plan sponsors, but pursuant to our authority to regulate health plans, we place restrictions on the flow of information
from covered entities to non-
covered entities.
One commenter expressed concern that even though proposed § 164.510 (i) would have permitted
covered entities to disclose certain information to financial institutions for banking and payment processes, it did not state clearly that financial institutions and
other entities described in section 1179 are exempt
from the rule's requirements.
In § 164.512 (e) of the final rule, we permit
covered entities to disclose protected health information in a judicial or administrative proceeding if the request for such protected health information is made through or pursuant to an order
from a court or administrative tribunal or in response to a subpoena or discovery request
from, or
other lawful process by a party to the proceeding.
In the final rule we address the issue of differentiating health plan,
covered health care provider and health care clearinghouse activities
from other functions carried out by a single legal
entity in paragraphs (a)- (c) of § 164.504.
(2) If the consent, authorization, or
other express legal permission obtained
from an individual specifically permits a use or disclosure for a purpose
other than to carry out treatment, payment, or health care operations, the
covered entity may, with respect to protected health information that it created or received before the applicable compliance date of this subpart and to which the consent, authorization, or
other express legal permission obtained
from an individual applies, make such use or disclosure, provided that:
If a
covered entity conditions any of these services on obtaining an authorization
from the individual, as permitted in § 164.508 (b)(4) and described below, the
covered entity must not combine the authorization with any
other document.
If another federal law prohibits a
covered entity from using or disclosing information that is also protected health information, but the privacy regulation permits the use or disclosure, a
covered entity will need to comply with the
other federal law and not use or disclose the information.
We intend this to be a permissible activity for
covered entities: we do not require
covered entities to undertake these efforts in response to a subpoena, discovery request, or similar process (
other than an order
from a court or administrative tribunal).
(1) If a
covered entity has obtained a consent under this section and receives any
other authorization or written legal permission
from the individual for a disclosure of protected health information to carry out treatment, payment, or health care operations, the
covered entity may disclose such protected health information only in accordance with the more restrictive consent, authorization, or
other written legal permission
from the individual.
(1) If the consent, authorization, or
other express legal permission obtained
from an individual permits a use or disclosure for purposes of carrying out treatment, payment, or health care operations, the
covered entity may, with respect to protected health information that it created or received before the applicable compliance date of this subpart and to which the consent, authorization, or
other express legal permission obtained
from an individual applies, use or disclose such information for purposes of carrying out treatment, payment, or health care operations, provided that:
(ii) The
covered entity complies with all limitations placed by the consent, authorization, or
other express legal permission obtained
from an individual.
While this approach could remove
from the
covered entity the burden of decision - making about actions that need to be taken, we believe that
other factors outweighed this potential benefit.
The
covered entity is also prohibited
from disclosing the mechanism for re-identification, such as tables, algorithms, or
other tools that could be used to link the code with the subject of the information.
We also proposed to prohibit
covered entities from requiring individuals to sign authorizations for uses and disclosures of protected health information for treatment, payment, and health care operations, unless required by
other applicable law.