Centers for Disease Control and Prevention
 CDC Home Search Health Topics A-Z

Centers for Disease Control and Prevention
About CDC Announcements Funding Opportunities Publications Contact Us

U.S. Department of Health and Human Services

 

Contents
Summary
Introduction
Overview of the Privacy Rule
The Privacy Rule and Public Health
The Privacy Rule and Public Health Research
The Privacy Rule and Other Laws
Online Resources
Acknowledgments
References
Appendix A
Appendix B
   
Privacy Rule Home
Guidance for Public Health
HIPAA Basic Facts
FAQs              
Privacy Rule Reading Room
Privacy Rule Links
Public Health Grand Rounds: HIPAA Privacy Rule

HIPAA Privacy Rule and Public Health

Guidance from CDC and the U.S. Department of Health and Human Services

MMWR, Volume 52, Early Release

 

The Privacy Rule and Public Health Research

The topic of research under the Privacy Rule is covered in depth in the DHHS report, Protecting Personal Health Information in Research --- Understanding the HIPAA Privacy Rule (6). The Privacy Rule provides separate provisions for disclosure without individual authorization for public health purposes and for certain research [45 CFR 164.512(b)] [45 CFR 164.512(i)]. Other federal law pertaining to research stresses the importance of distinguishing between research and practice to ensure that human subjects are appropriately protected [45 CFR Part 46]. For certain activities, this distinction is not always clear. A full discussion of the distinctions between public health practice and research is beyond the scope of this document. However, CDC and others provide guidance in this area (7--9).

Research Versus Practice

The definition of research is the same for the Privacy Rule and the Common Rule (10) --- systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Research is designed to test a hypothesis, permit conclusions to be drawn, and thereby to develop or contribute to generalizable knowledge. The majority of public health activities (e.g., public health surveillance, and disease prevention and control projects) are based on scientific evidence and data collection or analytic methods similar to those used in research. However, they are not designed to contribute to generalizable knowledge. Their primary purpose is to protect the health of the population through such activities as disease surveillance, prevention, or control.

The Belmont Report (11) defines practice as interventions designed solely to enhance the well-being of a person, patient, or client, and which have reasonable expectation of success. The report further states that the purpose of medical or behavioral practice is to provide diagnosis, preventive treatment, or therapy to particular patients. For public health agencies, the patient is the community. Public health practice activities (e.g., public health surveillance, disease control, or program evaluation) are undertaken with the intent to benefit a specific community, although occasionally they may provide unintended generalizable benefits to others.

Some public health activities that are initially public health practice may subsequently evolve into a research activity (e.g., an investigation to determine the cause of an outbreak that incorporates a research study evaluating the efficacy of a new drug to treat the illness). When that is the case, the disclosures may be made initially under the public health provisions of the Privacy Rule. But when the activity becomes an ongoing research activity, the entity should consider application of the relevant research disclosures provisions to continue to obtain information for this purpose. Moreover, there may be cases where the activity is both research and public health practice (e.g., an ongoing survey to monitor health conditions in the population, data from which can also be analyzed for research purposes). In those cases, disclosures may be made either under the research provisions or the public health provisions, as appropriate --- the covered entity need not comply with both sets of requirements.

 


Accessibility | Privacy Policy Notice | FOIA | Information Quality

About CDC | Announcements | Funding Opportunities | Publications | Contact Us

CDC Home | Search | Health Topics A-Z

This page last reviewed April 18, 2003.

United States Department of Health and Human Services
Centers for Disease Control and Prevention