Appendix B
Sample Text That Can Be Used To Clarify Public Health
Issues Under the Privacy Rule
Following are sample letters that can be used to help clarify Privacy
Rule issues among covered entities and public health authorities (e.g.,
CDC, National Institutes of Health, Food and Drug Administration,
Substance Abuse and Mental Health Services Administration, Health
Resources and Services Administration, state and local health
departments). Public health authorities can use these letters as templates
by inserting names of the appropriate individuals, projects, agreements,
laws, activity types, covered entities, public health authorities, and
authorized agencies.
From a public health authority to a covered entity, clarifying
rules regarding disclosure
To Whom It May Concern:
[Public health authority] is an agency of [parent authority] and is
conducting the activity described here in its capacity as a public health
authority as defined by the Health Insurance Portability and
Accountability Act (HIPAA), Standards for Privacy of Individually
Identifiable Health Information; Final Rule (Privacy Rule) [45 CFR § 164.501].
Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities such
as your organization may disclose, without individual authorization,
protected health information to public health authorities ". . .
authorized by law to collect or receive such information for the purpose
of preventing or controlling disease, injury, or disability, including,
but not limited to, the reporting of disease, injury, vital events such as
birth or death, and the conduct of public health surveillance, public
health investigations, and public health interventions . . ."
[Public health authority] is conducting [project], a public health
activity as described by 45 CFR § 164.512(b), and is authorized by [law
or regulation]. The information being requested represents the minimum
necessary to carry out the public health purposes of this project pursuant
to 45 CFR § 164.514(d) of the Privacy Rule.
If you have questions or concerns, please contact [project leader].
From a public health authority to an authorized agency, providing
grant of authority
Dear [authorized agency]:
This letter serves as verification of a grant of authority from [public
health authority] for you to conduct the public health activities
described here, acting as a public health authority pursuant to the
Standards for Privacy of Individually Identifiable Health Information
promulgated under the Health Insurance Portability and Accountability Act
(HIPAA) [45 CFR Parts 160 and 164]. Under this rule, covered entities may
disclose, without individual authorization, protected health information
to public health authorities ". . . authorized by law to collect or
receive such information for the purpose of preventing or controlling
disease, injury, or disability, including, but not limited to, the
reporting of disease, injury, vital events such as birth or death, and the
conduct of public health surveillance, public health investigations, and
public health interventions . . . ." The definition of a public
health authority includes ". . . an individual or entity acting
under a grant of authority from or contract with such public agency
. . . ."
[Authorized agency] is acting under [contract, grant, cooperative
agreement] with [public health authority] to conduct [project], which is
authorized by [law or regulation]. [Public health authority] grants this
authority to [authorized agency] for purposes of this project. Further,
[public health authority] considers this to be [activity type], for which
disclosure of protected health information by covered entities is
authorized by 45 CFR § 164.512(b) of the Privacy Rule.
From a public health authority to a covered entity, confirming
grant of authority to an authorized agency
To Whom It May Concern:
[Public health authority] is an agency of [parent authority] and is a
public health authority as defined by the Health Insurance Portability and
Accountability Act (HIPAA), Standards for Privacy of Individually
Identifiable Health Information; Final Rule (Privacy Rule) [45 CFR §
164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered
entities may disclose protected health information to public health
authorities ". . . authorized by law to collect or receive such
information for the purpose of preventing or controlling disease, injury,
or disability, including, but not limited to, the reporting of disease,
injury, vital events such as birth or death, and the conduct of public
health surveillance, public health investigations, and public health
interventions . . . ." The definition of public health authority
includes ". . . an individual or entity acting under a grant of
authority from or contract with such public agency . . ." [45 CFR §
164.501]. [Authorized agency] is acting under [contract, grant or
cooperative agreement] with [public health authority] to carry out
[project]. Through this grant of authority, [authorized agency] may
function as a public health authority under the Privacy Rule for purposes
of this project.
[Project] is a public health activity as described by 45 CFR §
164.512(b) referenced previously, and is authorized by [law or
regulation]. The information being requested represents the minimum
necessary to carry out the public health purposes of this project pursuant
to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides
that covered entities ". . . may rely, if such reliance is
reasonable under the circumstances, on a requested disclosure as the
minimum necessary for the stated purposes when making disclosures to
public officials that are permitted under 45 CFR § 164.512, if the public
official represents that the information requested is the minimum
necessary for the stated purpose(s)."
If you have questions or concerns, please contact [project leader for
authorized agency; public health authority contact].