When conducting an internal review of medical records, the medical assistant should ensure that

Procedures are the minimum RoBs for all users and shall be followed by everyone requesting any type of access to the IHS systems. Users realize that the RoBs apply even if the RoBs are not read. Users who do not comply with the prescribed RoBs are subject to penalties that may be imposed under existing policy, regulations, and laws. The IHS may enforce the use of penalties against any user who violates any IHS or Federal systems security and related policy, regulation, or law as appropriate.  Refer the IHS General User Security Handbook at:  IHS User Security Handbook.

THIS FAX IS INTENDED ONLY FOR THE USE OF THE PERSON OR OFFICE TO WHOM IT IS ADDRESSED, AND CONTAINS PRIVILEGED OR CONFIDENTIAL INFORMATION PROTECTED BY LAW. ALL RECIPIENTS ARE HEREBY NOTIFIED THAT INADVERTENT OR UNAUTHORIZED RECEIPT DOES NOT WAIVE SUCH PRIVILEGE, AND THAT UNAUTHORIZED DISSEMINATION, DISTRIBUTION, OR COPYING OF THIS COMMUNICATION IS PROHIBITED BY FEDERAL LAW. IF YOU HAVE RECEIVED THIS FAX IN ERROR, PLEASE DESTROY THE ATTACHED DOCUMENT(S) AND NOTIFY THE SENDER OF THE ERROR BY CALLING (enter applicable Service Unit or Area Office phone number and extension).

1. Records may be disclosed to Federal and non-Federal (public or private) health care providers who provide health care services to IHS patients for purposes of planning for or providing such services, or for reporting results of medical examination and treatment.
2. Records may be disclosed to Federal, State, local, or other authorized organizations that provide third-party reimbursement or fiscal intermediary functions for the purposes of billing or collecting third-party reimbursements.  Relevant records may be disclosed to debt collection agencies under a business associate agreement arrangement directly or through a third-party.
3. Records may be disclosed to State agencies or other entities acting pursuant to a contract with CMS, for fraud and abuse control efforts, to the extent required by law or under an agreement between IHS and respective State Medicaid agency or other entities.
4. Records may be disclosed to school health care programs that serve AI/AN for the purpose of student health maintenance.
5. Records may be disclosed to the Bureau of Indian Affairs (BIA) or its contractors under an agreement between IHS and the BIA relating to disabled AI/AN children for the purpose of carrying out its functions under the Individuals with Disabilities Education Act (IDEA), 20 U.S.C. 1400 et seq.
6. Records may be disclosed to organizations deemed qualified by the Secretary, HHS, and under a business associate agreement to carry out quality assessment/improvement medical audits, utilization review or to provide accreditation or certification of health care facilities or programs.
7. Records may be disclosed under a business associate agreement to individuals or authorized organizations sponsored by IHS, such as the National Indian Women's Health Resource Center, to conduct analytical and evaluation studies.
8. Disclosure may be made to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of that individual.  An authorization, Form IHS-810, "Authorization for Use or Disclosure of Health Information," is required for the disclosure of sensitive PHI (e.g., alcohol/drug abuse patient information, human immunodeficiency virus/acquired immune deficiency syndrome (HIV/AIDS), sexually transmitted diseases (STD), or mental health) that is maintained in the medical record.
9. Records may be disclosed for the following research purposes to the extent permitted by determining that:
   1. the use(s) or disclosure(s) are met under 45 CFR 164.52 1(I); or
   2. the use(s) or disclosure(s) are met under 45 CFR 164.514(a) through 45 CFR 164.514(c) for de-identified PHI, and 5 U.S.C. 552a(b)(5): or
   3. the requirement of 45 CFR 164.5 14(e) for limited data sets, and 5 U.S.C. 552a(b)(5) are met.
10. Information from records includes, but is not limited to, the following: information concerning the commission of crimes; suspected cases of abuse (including child, elder, and sexual abuse); the reporting of neglect; sexual assault; or domestic violence; births; deaths; alcohol or drug abuse; immunization; cancer; or communicable diseases, may be disclosed to public health authorities, epidemiology centers established and funded under 25 U.S.C. 1621m, and other appropriate government authorities which are authorized by applicable Federal, State, Tribal, or local law, or regulations to receive such information.

    In Federally conducted or assisted alcohol or drug abuse programs, under 42 CFR Part 2, disclosure of patient information for purposes of criminal investigations must be authorized by court order issued under 42 CFR Part 2.65, except in cases of suspected child abuse that may be reported to the appropriate State or local authorities under State law.

11. Information may be disclosed from Federally conducted or assisted alcohol or drug abuse programs records regarding suspected cases of child abuse to:
    1. Federal, State, or Tribal agencies that need to know the information in the performance of their duties; and
    2. Members of community child protection teams for the purposes of investigating reports of suspected child abuse, establishing a diagnosis, formulating or monitoring a treatment plan, and making recommendations to the appropriate court.  Community child protection teams are comprised of representatives of Tribes, the BIA, child protection service agencies, the judicial system, law enforcement agencies, and IHS.
12. The IHS may disclose information from these records in litigations and/or proceedings related to an administrative claim when:
    1. The IHS has determined that the use of such records is relevant and necessary to the litigation and/or proceedings related to an administrative claim and would help in the effective representation of the affected party listed in subsections (i) through (iv) below, and that such disclosure is consistent with the purpose for which the records were collected. Such disclosure may be made to the HHS OGC and/or DOJ, pursuant to an agreement between IHS and OGC, when any of the following is a party to litigation and/or proceedings related to an administrative claim or has an interest in the litigation and/or proceeds related to an administrative claim:
       1. HHS or any component thereof; or
       2. any HHS employee in the employee's official capacity; or
       3. any HHS employee in his or her individual capacity where the DOJ (or HHS where it is authorized to do so) has agreed to represent the employee; or
       4. the United States or any agency thereof (other than HHS) where HHS/OGC has determined that the litigation and/or proceedings related to an administrative claim is likely to affect HHS or any of its components.
    2. In the litigation and/or proceedings related to an administrative claim described in subsection (a) above, information from these records may be disclosed to a court or other tribunal, or another party before such tribunal in response to an order of a court or administrative tribunal, provided that the covered entity discloses only the information expressly authorized by such order.
13. Records may be disclosed under a business associate agreement to an IHS contractor for the purpose of computerized data entry, medical transcription, duplication services, or maintenance of records contained in this system.
14. Records may be disclosed under a personal services contract or other agreement to student volunteers, individuals working for IHS, and other individuals performing functions for IHS who do not technically have the status of Agency employees, if they need the records in the performance of their Agency functions.
15. Records regarding specific medical services provided to an unemancipated minor individual may be disclosed to the unemancipated minor's parent or legal guardian who previously consented to those specific medical services, to the extent permitted under 45 CFR 164.502(g).
16. Records may be disclosed to an individual having authority to act on behalf of an incompetent individual concerning health care decisions, to the extent permitted under 45 CFR 164.502(g).
17. Information may be used or disclosed from the IHS hospital directory in response to an inquiry regarding a named individual from a member of the general public to establish the individual's presence (and location when needed for visitation purposes) or to report the individual's condition while hospitalized (e.g., satisfactory or stable), unless the individual objects to disclosure of this information.  The IHS may provide the religious affiliation only to members of the clergy.
18. Information may be disclosed to a relative, a close personal friend, or any other person identified by the individual that is directly relevant to that person's involvement with the individual's involvement with the individual's care or payment for health care.  Information may also be used or disclosed in order to notify a family member, personal representative, or other person responsible for the individual's care, of the individual's location, general condition, or death.  If the individual is present for, or otherwise available prior to, a use or disclosure, and is competent to make health care decisions.
    1. may use or disclose after the facility obtains the individual's consent;
    2. provides the individual with the opportunity to object and the individual does not object; or
    3. based on professional judgment it could reasonably infer that the individual does not object.

       If the individual is not present, or the opportunity to agree or object cannot practicably be provided due to incapacity or emergent circumstances, an IHS health care provider may determine, based on professional judgment, whether disclosure is in the individual's best interest, and if so, may disclose only what is directly relevant to the individual's health care.

19. Information concerning exposure to HIV may be disclosed to the extent authorized by Federal, State, or Tribal law to the sexual and/or needle-sharing partner(s) of a subject individual who is infected with HIV under the following circumstances:
    1. the information has been obtained in the course of clinical activities at IHS facilities;
    2. the IHS has made reasonable efforts to counsel and encourage the subject individual to provide information to the individual's sexual or needle-sharing partner(s)
    3. the IHS determines that subject individual is unlikely to provide the information to the sexual or needle-sharing partner(s) or that the provision of such information cannot reasonably be verified;
    4. the notification of the partner(s) is made, whenever possible, by the subject individual's physician or by a professional counselor and shall follow standard counseling practices; and
    5. the IHS has advised the partner(s) to whom information is disclosed that they shall not re-disclose or use such information for a purpose other than for which the disclosure was made.
20. Records may be disclsed to Federal or non-Federal protection and advocacy organizations that serve AI/AN for the purpose of investigating incidents of abuse and neglect of individuals with developmental disabilities (including mental disabilities), as defined in 42 U.S.C. 10801-10805(a)(4) and 42 CFR 51.41-46, to the extent that such disclosure is authorized by law and the conditions of 45 CFR 1386.22(a)(2) are met.
21. Records of an individual may be disclosed to a correctional institution or a law enforcement official, during the period of time the individual is either an inmate or is otherwise in lawful custody, for the provision of health care to the individual or for health and safety purposes. Disclosure may be made upon the representation of either the institution or a law enforcement official that disclosure is necessary for the provision of health care to the individual, for the health and safety of the individual and others (e.g.,other inmates, employees of the correctional facility, transport officers), and for facility administration and operations.  This routine use applies only for as long as the individual remains in lawful custody, and does not apply once the individual is released on parole or placed on either probation or on supervised release, or is otherwise no longer in lawful custody.
22. Records including patient name, date of birth, SSN, gender, and other identifying information may be disclosed to the United States Social Security Administration (SSA) as is reasonably necessary for the purpose of conducting an electronic validation of the SSN(s) maintained in the record to the extent required under an agreement between the IHS and SSA.
23. Disclosure of relevant health care information may be made to funeral directors or representatives of funeral homes in order to allow them to make necessary arrangements prior to and in anticipation of an individual's impending death.
24. Records may be disclosed to a public or private covered entity that is authorized by law or charter to assist in disaster relief efforts (e.g., the Red Cross and the Federal Emergency Management Administration), for purposes of coordinating information with other similar entities concerning an individual's health care, payment for health care, notification of the individual's whereabouts and the patient's health status or death
25. Records may be disclosed to appropriate Federal agencies and Department contractors that have a need to know the information for the purpose of assisting the Department's efforts to respond to a suspected or confirmed breach of the security or confidentiality of information maintained in this system of records, and the information disclosed is relevant and necessary for that assistance.

1. Responsibility for Privacy of the Patient.  The patient's right to privacy is the responsibility of all employees of each IHS facility, regardless of whether direct or contract care programs.  The facility policies shall prescribe procedures that comply with the Privacy Act of 1974 and HIPAA Privacy Regulations.  The procedure should specify the following:
   1. Persons officially authorized to provide information that may be released to news agencies on police cases.
   2. A listing of the type and amount of information that may be released to the press in other than law enforcement.
   3. All such policies shall be directed to promoting the well-being of the patient, protecting the patient's privacy, and assisting the press in covering the news.  When in doubt, the patient's right to privacy takes precedence over the public's right to know.
2. Newspaper Publicity of Patients.  Indian Health Service personnel shall not release detailed information to the press and shall not permit photographs of the patient without the signed authorization of the patient or his or her authorized representative.  Such authorizations shall become a part of the patient's health record.  Photographs shall be placed in an envelope and properly identified with patient name, health record number, and date photograph was taken.
   1. Information may be used or disclosed from the IHS hospital directory in response to an inquiry about a named individual from a member of the general public to establish the individual's presence (and location when needed for visitation purposes) or to report the individual's condition while hospitalized (e.g., satisfactory or stable), unless the individual objects to disclosure of this information.  (Refer to IHS HIPAA P&P For Use and Disclosure for Directory Purposes.)
   2. The presence of a patient being treated for alcohol or drug abuse shall not be disclosed without the patient's consent. This prohibition includes evaluation, counseling, or treatment of abuse or addiction, and medical or surgical treatment of conditions that are a known direct result of alcohol or drug abuse.
3. Photographs of Patients.  The signed authorization of the patient shall be obtained when the hospital or any person desires to take a photograph of a patient or any part of the body of a patient for any purpose whatsoever.  The Authorization for Administration of Anesthesia and for Performance of Operations or Other Procedures form (IHS-515) is required for any pictures, films, etc., that are included in the health record.  All media that capture and/or store patient health information are considered part of the health record and are, therefore, subject to confidentiality regulations.  The original or copy of the signed consent becomes a part of the patient's health record.
   1. Clinical Photography.  Permission is not required for photographing surgical or postmortem specimens, if the identity of the patient is not to be revealed.
   2. Television, Video, Motion Pictures.  The Authorization to Produce and Use Audiovisual Materials form (IHS-859) is required for photographs, movies, video and audio tapes taken of the patient.  Unless there is an express agreement to deliver the photograph or the negative to the patient, the patient has no basis for claiming possession of either, but has the right to a copy if Privacy Act and HIPAA Privacy policies are followed.
4. Visitors to the Patient in Hospital.  Patients have a right to be protected against intrusion upon their privacy in the hospital by laymen who have no connection with their treatment, such as insurance company investigators, salesmen, clergymen, and other persons whom they have not authorized to visit them.  Law enforcement officials should be encouraged to get permission of a patient's attending physician before seeing the patient.  Members of the clergy visiting patients who request patient information will be provided only the following:
   1. the name of hospitalized patients who are of the same faith;
   2. the location of such patients;
   3. whether or not any restrictions or precautions on visitation have been ordered or requested; and
   4. the patient may waive the right to privacy by signing a written authorization for visitation.
5. Legal Business within an IHS Facility.  Solicitation of legal business is prohibited (42 CFR 35.12).  The solicitation, directly or indirectly, of legal business or a retainer or agreement authorizing an attorney to render legal services, is prohibited in all IHS facilities.
   1. Entry for Negotiation of Release or Settlement Assistance.  No person shall be permitted to enter an IHS facility for the purpose of negotiating a settlement or obtaining a general or special release or statement from a patient with reference to illness or personal injury for which the patient is receiving care or treatment, or for the purpose of conferring with the patient as an attorney or representative of an attorney with reference to such illness or injury, unless the patient has signified willingness to have such person enter for such purpose and, in the judgment of the patient's attending physician the physical or mental condition of the patient will not thereby be impaired (42 CFR 35.13).

      Any person entering an IHS facility for the purpose stated in the above paragraph shall register in the manner prescribed by the attending physician, and shall furnish for the records of the Service Unit or hospital, the name of each patient by whom he or she has been received for such a purpose.

   2. Authorization.  The signed authorization for visitation by such persons shall become a part of the patient's medical record.
   3. Solicitation of Legal Business; Negotiation of Release or Settlement Assistance is Prohibited.  All employees of the Service Unit and all persons attached in any capacity to a Service Unit or hospital, including patients, are forbidden to communicate, directly or indirectly, with any person for the purpose of aiding in the solicitation of legal business or in the negotiation of a settlement or the obtaining of a general or specific release or statement from any patient with reference to any illness or personal injury for which the patient is receiving care or treatment therein (42 CFR 35.14).  No patient is prohibited by this section from communicating on his own behalf with an attorney of his choice or with other persons.