Health Insurance Portability and Accountability Act (HIPAA)
The following information pertaining to general public health activities has been excerpted from the OCR HIPAA Privacy document entitled "Disclosures for Public Health Activities" dated December 3, 2002 and revised April 3, 2003. The document may be found in its entirety at
DISCLOSURES FOR PUBLIC HEALTH ACTIVITIES
[45 CFR 164.512(b)]
The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information to carry out their public health mission. The Rule also recognizes that public health reports made by covered entities are an important means of identifying threats to the health and safety of the public at large, as well as individuals. Accordingly, the Rule permits covered entities to disclose protected health information without authorization for specified public health purposes.
How the Rule Works
Health Activities. The Privacy Rule permits covered entities to disclose protected health information, without authorization, to public health authorities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability. This would include, for example, the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. See 45 CFR 164.512(b)(1)(i). Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority. See 45 CFR 164.512(b)(1)(i). Covered entities who are also a public health authority may use, as well as disclose, protected health information for these public health purposes. See 45 CFR 164.512(b)(2).
A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. See 45 CFR 164.501. Examples of a public health authority include State and local health departments, the Food and Drug Administration (FDA), the Centers for Disease Control and Prevention, and the Occupational Safety and Health
covered entities are required reasonably to limit the protected health information disclosed for public health purposes to the minimum amount necessary to accomplish the public health purpose. However, covered entities are not required to make a minimum necessary determination for public health disclosures that are made pursuant to an individual’s authorization, or for disclosures that are required by other law. See 45 CFR 164.502(b). For disclosures to a public health authority, covered entities may reasonably rely on a minimum necessary determination made by the public health authority in requesting the protected health information. See 45 CFR 164.514(d)(3)(iii)(A). For routine and recurring public health disclosures, covered entities may develop standard protocols, as part of their minimum necessary policies and procedures, that address the types and amount of protected health information that may be disclosed for such purposes. See 45 CFR 164.514(d)(3)(i).