HIPAA requires Covered Entities to have policies and procedures addressing Uses and Disclosures that are permitted by other laws which are not pre-empted by HIPAA. System shall conduct Uses and Disclosures of PHI that are permitted by law in the absence of an authorization for routine uses without specific approval from the Privacy Officer, but shall obtain such approval prior to any non-routine Use or Disclosure of PHI under this Section, with the exception that, in the case of a disclosure by the Office of General Counsel (OGC), a non-routine disclosure made pursuant to subsections 4.4(2)(i), 4.4(2)(ii), 4.4(2)(iii) may be authorized by the OGC attorney with responsibility over the matter, if the attorney determines that the disclosure is permitted by applicable law. This section does not apply to Uses and Disclosures that are required by law, including Uses or Releases required by Court Order. With the exception of Subsections 4.4(1)(a) and 4.4(2)(a)(i), all Uses and Disclosures described in this section are considered to be permitted, as opposed to required, by law.
HIPAA Policy Section 4.4: Discretionary Uses and Disclosures Without An Authorization