HIPAA's Privacy Rule recognizes the necessity of public health activities and allows for sharing PHI without patient authorization in specific situations to enable effective disease control, surveillance, and intervention while maintaining patient privacy.
HIPAA's Privacy Rule and public health
The HIPAA Privacy Rule shapes the interaction between healthcare confidentiality and public health initiatives. Under 45 CFR 164.512(b), covered entities may disclose protected health information (PHI) to public health authorities that are authorized by law to collect or receive it, without obtaining the patient's authorization. This allows for effective disease prevention, control, and surveillance. These disclosures support the reporting of diseases, injuries, and vital events, and the conduct of public health investigations and interventions. The rule also permits covered entities to share PHI with business associates that assist with these public health activities.
See also: What is public health?
Who are public health authorities?
Under the HIPAA Privacy Rule, a public health authority is an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe that is responsible for public health matters as part of its official mandate, or a person or entity acting under a grant of authority from, or a contract with, such an agency. Because these authorities are authorized by law to collect or receive PHI for public health purposes, covered entities may disclose PHI to them without patient authorization.
Public health authorities therefore include government entities at the federal, state, local, territorial, and tribal levels, as well as organizations granted authority through contracts or grants. When a public health authority requests PHI, a covered entity may, if reasonable under the circumstances, rely on the authority's representation that the information requested is the minimum necessary for the stated public health purpose. Examples of public health authorities include:
- State and local health departments
- Food and Drug Administration (FDA)
- Centers for Disease Control and Prevention (CDC)
- Occupational Safety and Health Administration (OSHA).
Public health activities
General public health activities
The Privacy Rule permits covered entities to disclose protected health information (PHI) without patient authorization to public health authorities for general public health activities. These activities include:
- Disease reporting: Covered entities can disclose PHI to public health authorities to report diseases and injuries. For example, a healthcare provider can report cases of a communicable disease to the local health department to facilitate disease control efforts.
- Vital events reporting: PHI can be shared to report events such as births or deaths.
- Public health surveillance: Covered entities can share PHI for public health surveillance purposes, aiding in tracking the spread of diseases or identifying health trends within a community.
- Public health investigations: PHI can be disclosed for investigations related to public health concerns, helping public health authorities identify and respond to potential health threats.
Other public health activities
In addition to general activities, the Privacy Rule also permits covered entities to disclose PHI for specific other public health activities, including:
- Child abuse or neglect reporting: Covered entities can share PHI with appropriate government authorities to report known or suspected cases of child abuse or neglect.
- Quality, safety, or effectiveness reporting: PHI can be disclosed to a person subject to FDA jurisdiction with respect to an FDA-regulated product or activity for which that person has responsibility, for purposes such as collecting or reporting adverse events or product defects, tracking products, enabling recalls or repairs, and conducting post-marketing surveillance.
- Notification of disease exposure: Covered entities can share PHI with a person who may have been exposed to a communicable disease, or who is otherwise at risk of contracting or spreading a disease or condition, if the covered entity or the public health authority is authorized by law to notify that person as part of a public health intervention or investigation.
- Workplace medical surveillance: A healthcare provider who is a member of an employer's workforce, or who provides care at the employer's request, can disclose PHI about an employee to the employer to conduct workplace medical surveillance or to evaluate a work-related illness or injury, where the employer needs the findings to comply with OSHA, MSHA, or similar state law. The disclosure must be limited to findings about the work-related illness or injury or the workplace-related medical surveillance, and the provider must give the individual written notice that the information will be disclosed to the employer.
See also: What is a public health record?
How does the Privacy Rule apply in cases of public health activities?
- Authorization not required: Covered entities, such as healthcare providers, health plans, and clearinghouses, can share PHI with public health authorities for specific public health activities without obtaining patient authorization.
- General public health activities: Covered entities can disclose PHI to public health authorities engaged in general public health activities. This includes reporting diseases, vital events (births and deaths), conducting public health surveillance, and public health investigations.
- Minimum necessary principle: Although PHI can be disclosed, the minimum necessary standard still applies. Covered entities must limit the PHI they disclose to the minimum amount needed to achieve the public health purpose. This standard does not apply to disclosures made pursuant to a patient's authorization or to disclosures that are required by law.
- Relying on public health authority determinations: When a public health authority requests PHI, a covered entity may, if reasonable under the circumstances, rely on the authority's representation that the information requested is the minimum necessary for the stated public health purpose, rather than making its own determination. This enables efficient information sharing while preserving the minimum necessary principle.
- Other public health activities: The Privacy Rule also permits disclosures for other public health activities beyond those carried out by public health authorities. This includes reporting cases of child abuse or neglect, sharing information about FDA-regulated products' quality and safety, notifying individuals at risk of disease exposure, and disclosing information for workplace medical surveillance.
- Business associates: Covered entities can involve business associates in assisting with public health activities. Business associates must have written agreements with the covered entity specifying their roles and responsibilities related to these activities.
See also: HIPAA Compliant Email: The Definitive Guide