Centers for Disease Control and Prevention

U.S. Department of Health and Human Services



HIPAA Privacy Rule and Public Health

Guidance from CDC and the U.S. Department of Health and Human Services

MMWR, Volume 52, Early Release



The shift of medical records from paper to electronic formats has increased the potential for individuals to access, use, and disclose sensitive personal health data. Although protecting individual privacy is a long-standing tradition among health-care providers and public health practitioners in the United States, previous legal protections at the federal, tribal, state, and local levels were inconsistent and inadequate. A patchwork of laws provided narrow privacy protections for selected health data and certain keepers of that data (1).

The U.S. Department of Health and Human Services (DHHS) has addressed these concerns with new privacy standards that set a national minimum of basic protections, while balancing individual needs with those of society. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was adopted to ensure health insurance coverage after leaving an employer and also to provide standards for facilitating health-care-related electronic transactions. To improve the efficiency and effectiveness of the health-care system, HIPAA included administrative simplification provisions that required DHHS to adopt national standards for electronic health-care transactions (2). At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated adoption of federal privacy protections for certain individually identifiable health information.

The HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) (3) provides the first national standards for protecting the privacy of health information. The Privacy Rule regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI). PHI is individually identifiable health information that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral), but excludes certain educational records and employment records. Among other provisions, the Privacy Rule

  • gives patients more control over their health information;
  • sets boundaries on the use and release of health records;
  • establishes appropriate safeguards that the majority of health-care providers and others must achieve to protect the privacy of health information;
  • holds violators accountable with civil and criminal penalties that can be imposed if they violate patients' privacy rights;
  • strikes a balance when public health responsibilities support disclosure of certain forms of data;
  • enables patients to make informed choices based on how individual health information may be used;
  • enables patients to find out how their information may be used and what disclosures of their information have been made;
  • generally limits release of information to the minimum reasonably needed for the purpose of the disclosure;
  • generally gives patients the right to obtain a copy of their own health records and request corrections; and
  • empowers individuals to control certain uses and disclosures of their health information.

The deadline to comply with the Privacy Rule is April 14, 2003, for the majority of the three types of covered entities specified by the rule [45 CFR 160.102]. The covered entities are

  • health plans,
  • health-care clearinghouses, and
  • health-care providers who transmit health information in electronic form in connection with certain transactions.

At DHHS, the Office for Civil Rights (OCR) has oversight and enforcement responsibilities for the Privacy Rule. Comprehensive guidance and OCR answers to hundreds of questions are available at (4).

Impact on Public Health

Public health practice and research, including such traditional public health activities as program operations, public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, direct health services, and public health research, use PHI to identify, monitor, and respond to disease, death, and disability among populations. Public health authorities have a long history of protecting and preserving the confidentiality of individually identifiable health information. They also recognize that protecting individual privacy and respecting individual dignity are essential to maintaining the quality and integrity of health data. CDC and others have worked consistently to strengthen federal and state public health information privacy practices and legal protections (5).

DHHS recognized the importance of sharing PHI to accomplish essential public health objectives and to meet certain other societal needs (e.g., administration of justice and law enforcement). Therefore, the Privacy Rule expressly permits PHI to be shared for specified public health purposes. For example, covered entities may disclose PHI, without individual authorization, to a public health authority legally authorized to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability [45 CFR 164.512(b)] (Box 1). Further, the Privacy Rule permits covered entities to make disclosures that are required by other laws, including laws that require disclosures for public health purposes.

Thus, the Privacy Rule provides for the continued functioning of the U.S. public health system. Covered entities should become fully aware of the scope of permissible disclosures for public health activities as well as state and local reporting laws and regulations. Moreover, a public health authority may also be a covered entity. For example, a public health agency that operates a health clinic, providing essential health-care services and performing covered transactions electronically, is a covered entity.

This report provides guidance to public health authorities and their authorized agents, researchers, and health-care providers in interpreting the Privacy Rule as it affects public health. CDC recommends that public health authorities share the information in this report with covered health-care providers and other covered entities and work closely with those entities to ensure implementation of the rule consistent with its intent to protect privacy while permitting authorized public health activities to continue.



This page last reviewed April 18, 2003.
