CDC,
National Immunization Program
| Date: |
August
11, 2003 |
From:
|
Director,
National Immunization Program
|
Subject: |
Public
Health Implications of the
Health Insurance Portability
and Accountability Act (HIPAA)
Privacy Rule |
To:
|
Immunization
Program Managers
State Epidemiologists |
Dear
Colleague: The
Health Insurance Portability and
Accountability Act (HIPAA) Privacy
Rule, which went into effect April
14, 2003, is having unintended
consequences on some of the core
functions of public health. The
intent of HIPAA is to establish
national standards for consumer
privacy protection and insurance
market reform. Unfortunately, a
lack of information and misinterpretation
of some HIPAA provisions has begun
to hamper the conduct of time-honored
public health activities. In some
instances, confusion about the
intent and implementation of the
rules has resulted in health care
providers refusing public health
officials access to patient records
for immunization assessment and
surveillance purposes. We recognize
that providers are concerned about
compliance and they need clear
and accurate information about
the practical application of the
HIPAA Privacy Rule on public health
practices.
The
National Immunization Program (NIP)
of the Centers for Disease Control
and Prevention (CDC) is working
closely with Health and Human Services
(HHS) Office for Civil Rights,
which is the lead agency for interpreting
and enforcing HIPAA, and the CDC
legal counsel to clarify public
health provisions of the Privacy
Rule and disseminate information
to our partners at the state and
local levels. Due to the complexity
of the HIPAA Privacy Rule, NIP
plans to develop periodic advisories
regarding policy issues and interpretation
of confidentiality provisions that
may affect public health activities.
Some principal areas on which states
have requested clarification deal
with access to patient records
to conduct VFC and AFIX site visits,
participation in immunization registries,
and disease surveillance and epidemiologic
follow-up as part of outbreak investigation.
The
first of a series of HIPAA guidance
statements is attached with this
mailing. The one page “HIPAA
and Public Health Factsheet”
provides a brief summary of HIPAA
and Privacy Rule definitions. The
“HIPAA and Public Health
Site Visits: Access to Patient
Records during AFIX and VFC Visits”
provides responses to specific
questions asked by the states regarding
disclosure of patient health information
without prior authorization during
VFC and AFIX provider site visits.
The responses to these questions
were prepared by the CDC Office
of General Counsel, which provides
legal advice for CDC programs on
issues such as implementation of
HIPAA. Additional information is
available on the Office for Civil
Rights website at http://www.hhs.gov/ocr/hipaa
and in the MMWR,
HIPAA Privacy Rule and Public Health
(printable version is available
at http://www.cdc.gov/mmwr/pdf/other/m2e411.pdf)
We
hope you will find this information
helpful as you educate your provider
groups and work with your respective
legal offices on HIPAA issues.
We are encouraged that all of the
written and oral questions NIP
has submitted to HHS about the
impact of HIPAA on immunization
activities have affirmed NIP’s
position that state and local health
agencies may continue to carry
out routine public health activities
while remaining in full compliance
with HIPAA.
Attachments
(HIPAA
Factsheet)
(FAQs
about HIPAA and AFIX & VFC)
| cc: |
Chair,
Association of State and Territorial
Health Officials
Chair,
Association of Immunization
Managers |
Sincerely,
Walter
A. Orenstein, M.D.
Assistant
Surgeon General
Director
National
Immunization Program
|
