Centers for Disease Control and Prevention

U.S. Department of Health and Human Services

 


HIPAA Privacy Rule and Public Health

Guidance from CDC and the U.S. Department of Health and Human Services

MMWR, Volume 52, Early Release

 

Appendix B

 

Sample Text That Can Be Used To Clarify Public Health Issues Under the Privacy Rule

Following are sample letters that can be used to help clarify Privacy Rule issues among covered entities and public health authorities (e.g., CDC, National Institutes of Health, Food and Drug Administration, Substance Abuse and Mental Health Services Administration, Health Resources and Services Administration, state and local health departments). Public health authorities can use these letters as templates by inserting names of the appropriate individuals, projects, agreements, laws, activity types, covered entities, public health authorities, and authorized agencies.

 

From a public health authority to a covered entity, clarifying rules regarding disclosure
To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is conducting the activity described here in its capacity as a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA), Standards for Privacy of Individually Identifiable Health Information; Final Rule (Privacy Rule) [45 CFR 164.501]. Pursuant to 45 CFR 164.512(b) of the Privacy Rule, covered entities such as your organization may disclose, without individual authorization, protected health information to public health authorities " . . . authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions . . . "

[Public health authority] is conducting [project], a public health activity as described by 45 CFR 164.512(b), and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project pursuant to 45 CFR 164.514(d) of the Privacy Rule.

If you have questions or concerns, please contact [project leader].

 

From a public health authority to an authorized agency, providing grant of authority
Dear [authorized agency]:

This letter serves as verification of a grant of authority from [public health authority] for you to conduct the public health activities described here, acting as a public health authority pursuant to the Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act (HIPAA) [45 CFR Parts 160 and 164]. Under this rule, covered entities may disclose, without individual authorization, protected health information to public health authorities " . . . authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions . . . ." The definition of a public health authority includes " . . . an individual or entity acting under a grant of authority from or contract with such public agency . . . ."

[Authorized agency] is acting under [contract, grant, cooperative agreement] with [public health authority] to conduct [project], which is authorized by [law or regulation]. [Public health authority] grants this authority to [authorized agency] for purposes of this project. Further, [public health authority] considers this to be [activity type], for which disclosure of protected health information by covered entities is authorized by 45 CFR 164.512(b) of the Privacy Rule.

 

From a public health authority to a covered entity, confirming grant of authority to an authorized agency
To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA), Standards for Privacy of Individually Identifiable Health Information; Final Rule (Privacy Rule) [45 CFR 164.501]. Pursuant to 45 CFR 164.512(b) of the Privacy Rule, covered entities may disclose protected health information to public health authorities " . . . authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions . . . ." The definition of public health authority includes " . . . an individual or entity acting under a grant of authority from or contract with such public agency . . ." [45 CFR 164.501]. [Authorized agency] is acting under [contract, grant or cooperative agreement] with [public health authority] to carry out [project]. Through this grant of authority, [authorized agency] may function as a public health authority under the Privacy Rule for purposes of this project.

[Project] is a public health activity as described by 45 CFR 164.512(b) referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project pursuant to 45 CFR 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities " . . . may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purposes when making disclosures to public officials that are permitted under 45 CFR 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s)."

If you have questions or concerns, please contact [project leader for authorized agency; public health authority contact].

 



This page last reviewed April 18, 2003.
