FAQs About HIPAA Privacy Rule
Provisions Relevant to Public Health Practice
Introduction
Public health officials in state and local health departments, as well as their partners in the health care system, have asked for clarification regarding the Privacy Rule and its impact on public health practice. The attached document, “Health Insurance Portability and Accountability Act of 1996 (HIPAA) – Privacy Rule: Provisions relevant to public health practice,” contains excerpts from the HIPAA pages of the Office for Civil Rights (OCR) website at the United States Department of Health and Human Services. Explanatory text from the OCR website is included, but the majority of the document consists of direct quotes from the Rule itself (with page references to the Federal Register). This compilation of excerpts highlights the major provisions of the Rule that are relevant to public health practice.
What information is protected?
All medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally, are covered by the final rule.
For what disclosures and uses must consent be obtained by a provider?
The Privacy Rule states that:
In general, “[a] covered health care provider [with a direct treatment relationship] must obtain the individual’s consent,…prior to using or disclosing protected health information to carry out treatment, payment, or health care operations.” (See section [§] 164.506, 65 Federal Register [F.R.] p. 82810, for complete requirements.)
What about sharing protected health information (PHI) with public health authorities?
The Privacy Rule allows for the existing practice of sharing PHI with public health authorities that are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public.
This practice is described in the preamble to the actual Rule:
“The final rule continues to permit covered entities to disclose protected health information without individual authorization directly to public health authorities, such as the Food and Drug Administration, the Occupational Safety and Health Administration, the Centers for Disease Control and Prevention as well as state and local public health departments, for public health purposes as specified in the NPRM [Notice of Proposed Rulemaking for the Privacy Rule].” (65 F. R. p. 82526)
Which provision of the Privacy Rule addresses the sharing of PHI with public health authorities?
Sharing of PHI with public health authorities is addressed in §164.512, “Uses and disclosures for which consent, an authorization, or an opportunity to agree or object is not required.” §164.512(a) permits disclosures that are required by law, which may be applicable to certain public health activities. §164.512(b) explicitly permits disclosures to public health authorities for public health activities:
“(1) Permitted disclosures. A covered entity may disclose protected health information for the public health activities and purposes described in this paragraph [§164.512(b)(1)] to:
(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;
(ii) A public health authority… authorized by law to receive reports of child abuse or neglect; …
(iv) A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; …” (See §164.512(b)(1) for complete requirements.)
How is a public health authority defined?
“Public health authority means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.” (§164.501, 65 F. R. p. 82805)
How much information may be used, requested, or shared?
The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for PHI to the minimum necessary to accomplish the intended purpose. (See §164.514(d) for specific requirements.)
Who determines what is the minimum necessary PHI for sharing with public health authorities?
Generally, the covered entity is responsible for determining the minimum amount of information reasonably needed to fulfill a request. In certain circumstances, however, the Privacy Rule permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. Such reliance must be reasonable under the particular circumstances of the request. This reliance is permitted, for example, when the request is made by a public official or agency for a disclosure permitted under §164.512 of the rule. §164.514(d) of the Rule describes this concept of reasonable reliance:
“A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when: (A) Making disclosures to public officials that are permitted under §164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s); …” (See §164.514(d)(3)(iii), 65 F. R. p. 82819 for complete requirements)
Will the Privacy Rule preserve existing, strong state confidentiality laws?
As required by the HIPAA statute itself, state laws that provide greater privacy protection (such as laws covering mental health, HIV infection, and AIDS information) continue to apply. These confidentiality protections are cumulative: the final rule sets a national “floor” of privacy standards that protects all Americans, and in some states individuals enjoy additional protection under state law. Where a state has decided through law to require certain disclosures of health information, the final rule does not preempt those mandates.
Sources (available at Office for Civil Rights – HIPAA):
- U.S. Department of Health and Human Services. 45 CFR Parts 160 and 164. Standards for privacy of individually identifiable health information; final rule. Federal Register 2000;65:82462–82829.
- Department of Health and Human Services Fact Sheet, “Protecting the Privacy of Patients’ Health Information,” July 6, 2001.
- HHS’s First Guidance for the Privacy Regulation, issued July 6, 2001, “Disclosures for Public Health Activities.”
- HIPAA Privacy Rule and Public Health – Guidance from CDC and the U.S. Department of Health and Human Services