HIPAA Privacy Rule and Public
Guidance from CDC and the U.S. Department of Health and
Volume 52, Early Release
The material in this report originated in the
Epidemiology Program Office, Stephen B. Thacker, M.D., M.Sc., Director.
New national health information privacy standards have been issued
by the U.S. Department of Health and Human Services (DHHS), pursuant to
the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The new regulations provide protection for the privacy of certain
individually identifiable health data, referred to as protected health
information (PHI). Balancing the protection of individual health
information with the need to protect public health, the Privacy Rule
expressly permits disclosures without individual authorization to public
health authorities authorized by law to collect or receive the information
for the purpose of preventing or controlling disease, injury, or
disability, including but not limited to public health surveillance,
investigation, and intervention.
Public health practice often requires the acquisition, use, and
exchange of PHI to perform public health activities (e.g., public health
surveillance, program evaluation, terrorism preparedness, outbreak
investigations, direct health services, and public health research). Such
information enables public health authorities to implement mandated
activities (e.g., identifying, monitoring, and responding to death,
disease, and disability among populations) and accomplish public health
objectives. Public health authorities have a long history of respecting
the confidentiality of PHI, and the majority of states as well as the
federal government have laws that govern the use of, and serve to protect,
identifiable information collected by public health authorities.
The purpose of this report is to help public health agencies and others
understand and interpret their responsibilities under the Privacy Rule.
Elsewhere, comprehensive DHHS guidance is located at the HIPAA website of
the Office for Civil Rights (http://www.hhs.gov/ocr/hipaa/).