Policies > HIPAA > FAQs
HIPAA
Health Insurance Portability & Accountability Act of 1996

HIPAA and Perinatal Hepatits B Prevention
July 1, 2005

1. Does HIPAA permit providers, hospitals, and laboratories to report HBsAg-positive women to state and local health departments (including local health agencies and local boards of health) without the authorization of the individual, regardless of whether the state has a reporting law?
2. Does HIPAA permit providers and hospitals to disclose patient information to state and local health departments ((including local health agencies and local boards of health) without the authorization of the individual, for perinatal case management (e.g. immunization, prophylaxis, and post vaccination serology)?
3. Can patient records be reviewed by state and local health department staff and their contractual agents when conducting quality assurance activities (e.g. chart reviews to assess HBsAg screening rates and appropriate prophylaxis), case investigations and/or disease outbreak activities?
4. Does the HIPAA Privacy Rule apply to Indian Health Services and tribal clinics?

1. Does HIPAA permit providers, hospitals, and laboratories to report HBsAg-positive women to state and local health departments (including local health agencies and local boards of health) without the authorization of the individual, regardless of whether the state has a reporting law?

   Yes. Under 45 CFR §164.512(b)(1)(i) of the HIPAA Privacy Rule, covered entities may disclose protected health information without authorization to public health authorities that are authorized by law to collect such information for public health purposes. In addition, under 45 CFR §164.512(a), covered entities may disclose protected health information to public health authorities if the disclosure is required by law. A specific mandate to report is not required for disclosure. In states that do not have a law that specifically mandates the reporting of maternal HBsAg status, notifiable disease reporting laws mandate reporting of hepatitis B.

Top

2. Does HIPAA permit providers and hospitals to disclose patient information to state and local health departments ((including local health agencies and local boards of health) without the authorization of the individual, for perinatal case management (e.g. immunization, prophylaxis, and post vaccination serology)?

   Yes. Under 45 CFR §164.512(b)(1)(i) of the HIPAA Privacy Rule, covered entities may disclose protected health information without authorization to public health authorities that are authorized by law to collect such information for public health purposes including disease prevention or control.

Top

3. Can patient records be reviewed by state and local health department staff and their contractual agents when conducting quality assurance activities (e.g. chart reviews to assess HBsAg screening rates and appropriate prophylaxis), case investigations and/or disease outbreak activities?

   Yes. As explained above, under 45 CFR §164.512(b)(1)(i) of the HIPAA Privacy Rule, covered entities may disclose protected health information without authorization to public health authorities that are authorized by law to collect such information for public health purposes.

Top

4. Does the HIPAA Privacy Rule apply to Indian Health Services and tribal clinics?

   Yes. The HIPAA Privacy Rule governs the use and disclosure of protected health information by covered entities (health plans, clearinghouses, and providers who transmit specified transactions electronically). The definition of health plans (45 CFR §160.103) includes the Indian Health Service (IHS) and programs under the Indian Health Care Improvement Act, 25 U.S.C. 1601 et seq. (45 CFR 160.103(1)(xii)).

Top

Resources

Office for Civil Rights (responsible for enforcing the Privacy Rule) website: (www.hhs.gov/ocr/hipaa)

CDC/DHHS guidance on the Privacy Rule and Public Health, available at http://www.cdc.gov/mmwr/pdf/other/m2e411.pdf

Top of page