HIPAA and Perinatal Hepatitis B Prevention
These questions and answers are intended to provide guidance to health care providers and public health agencies about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and how it impacts perinatal hepatitis B prevention. This information is not intended to provide legal advice to you or your organization.
Q: Does HIPAA permit providers, hospitals, and laboratories to report HBsAg-positive women to state and local health departments (including local health agencies and local boards of health) without the authorization of the individual, regardless of whether the state has a reporting law?
A: Under 45 CFR § 164.512(b), for disclosures not required by law, covered entities may disclose, without authorization, to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, the minimum necessary information to accomplish the intended public health purpose of the disclosure. In addition, under 45 CFR §164.512(a), covered entities may disclose protected health information to public health authorities if the disclosure is required by law. A specific mandate to report is not required for disclosure. In states that do not have a law that specifically mandates the reporting of maternal HBsAg status, notifiable disease reporting laws mandate reporting of hepatitis B.
Q: Does HIPAA permit providers and hospitals to disclose patient information to state and local health departments (including local health agencies and local boards of health) without the authorization of the individual, for perinatal case management (e.g. immunization, prophylaxis, and post vaccination serology)?
A: Under 45 CFR § 164.512(b), for disclosures not required by law, covered entities may disclose, without authorization, to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, the minimum necessary information to accomplish the intended public health purpose of the disclosure.
Q: Can patient records be reviewed by state and local health department staff and their contractual agents when conducting quality assurance activities (e.g. chart reviews to assess HBsAg screening rates and appropriate prophylaxis), case investigations and/or disease outbreak activities?
A: As explained above, under 45 CFR § 164.512(b), for disclosures not required by law, covered entities may disclose, without authorization, to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, the minimum necessary information to accomplish the intended public health purpose of the disclosure.
Q: Does the HIPAA Privacy Rule apply to Indian Health Services and tribal clinics?
A: Yes. The HIPAA Privacy Rule governs the use and disclosure of protected health information by covered entities (health plans, clearinghouses, and providers who transmit specified transactions electronically). The definition of health plans (45 CFR §160.103) includes the Indian Health Service (IHS) and programs under the Indian Health Care Improvement Act, 25 U.S.C. 1601 et seq. (45 CFR 160.103(1)(xii)).
Resources
- Office for Civil Rightsexternal icon (responsible for enforcing the Privacy Rule)
- CDC/DHHS guidance on the Privacy Rule and Public Health pdf icon[24 pages]