The Privacy Rule and Public Health
The Privacy Rule recognizes 1) the legitimate need for public health
authorities and others responsible for ensuring the public's health and
safety to have access to PHI to conduct their missions; and 2) the
importance of public health reporting by covered entities to identify
threats to the public and individuals. Accordingly, the rule 1) permits
PHI disclosures without a written patient authorization for specified
public health purposes to public health authorities legally authorized to
collect and receive the information for such purposes, and 2) permits
disclosures that are required by state and local public health or other
laws. However, because the Privacy Rule affects the traditional ways PHI
is used and exchanged among covered entities (e.g., doctors, hospitals,
and health insurers), it can affect public health practice and research in
multiple ways. To prevent misconceptions, understanding the Privacy Rule
is important for public health practice. Some illustrative examples are
presented in this report (Box 4). Also provided are
sample letters that might prove useful in clarifying relationships
involving public health and the Privacy Rule (Appendix
B).
A public health authority is broadly defined as including agencies or
authorities of the United States, states, territories, political
subdivisions of states or territories, American Indian tribes, or an
individual or entity acting under a grant of authority from such agencies
and responsible for public health matters as part of an official mandate.
Public health authorities include federal public health agencies (e.g.,
CDC, National Institutes of Health [NIH], Health Resources and Services
Administration [HRSA], Substance Abuse and Mental Health Services
Administration [SAMHSA], Food and Drug Administration [FDA], or
Occupational Safety and Health Administration [OSHA]); tribal health
agencies; state public health agencies (e.g., public health departments or
divisions, state cancer registries, and vital statistics departments);
local public health agencies; and anyone performing public health
functions under a grant of authority from a public health agency [45 CFR
§ 164.501].
Public health agencies often conduct their authorized public health
activities with other entities by using different mechanisms (e.g.,
contracts and memoranda or letters of agreement). These other entities are
public health authorities under the Privacy Rule with respect to the
activities they conduct under a grant of authority from such a public
health agency. A covered entity may disclose PHI to public health
authorities and to these designated entities pursuant to the public health
provisions of the Privacy Rule.
The Privacy Rule permits covered entities to disclose PHI, without
authorization, to public health authorities or other entities who are
legally authorized to receive such reports for the purpose of preventing
or controlling disease, injury, or disability. This includes the reporting
of disease or injury; reporting vital events (e.g., births or deaths);
conducting public health surveillance, investigations, or interventions;
reporting child abuse and neglect; and monitoring adverse outcomes related
to food (including dietary supplements), drugs, biological products, and
medical devices [45 CFR 164.512(b)]. Covered entities may report adverse
events related to FDA-regulated products or activities to public agencies
and private entities that are subject to FDA jurisdiction [45 CFR
164.512(b)(1)(iii)]. To protect the health of the public, public health
authorities might need to obtain information related to the individuals
affected by a disease. In certain cases, they might need to contact those
affected to determine the cause of the disease to allow for actions to
prevent further illness. Also, covered entities may, at the direction of a
public health authority, disclose protected health information to a
foreign government agency that is acting in collaboration with a public
health authority [45 CFR 164.512(b)(1)(i)].
To receive PHI for public health purposes, public health authorities
should be prepared to verify their status and identity as public health
authorities under the Privacy Rule. To verify its identity, an agency
could provide any one of the following:
- if the request is made in person, presentation of an agency
identification badge, other official credentials, or other proof of
government status;
- if the request is in writing, the request is on the appropriate
government letterhead;
- if the disclosure is to a person acting on behalf of a public health
authority, a written statement on appropriate government letterhead
that the person is acting under the government's authority [45 CFR §
164.514(h)(2)].
Public health authorities receiving information from covered entities
as required or authorized by law [45 CFR 164.512(a)] [45 CFR 164.512(b)]
are not business associates of the covered entities and therefore are not
required to enter into business associate agreements. Public health
authorities that are not covered entities also are not required to enter
into business associate agreements with their public health partners and
contractors. Also, after PHI is disclosed to a public health authority
pursuant to the Privacy Rule, the public health authority (if it is not a
covered entity) may maintain, use, and disclose the data consistent with
the laws, regulations, and policies applicable to the public health
authority.
Disclosures for Public Health Purposes
The Privacy Rule allows covered entities to disclose PHI to public
health authorities when required by federal, tribal, state, or local laws
[45 CFR 164.512(a)]. This includes state laws (or state procedures
established under such law) that provide for receiving reporting of
disease or injury, child abuse, birth, or death, or conducting public
health surveillance, investigation, or intervention.
For disclosures not required by law, covered entities may still
disclose, without authorization, to a public health authority authorized
by law to collect or receive the information for the purpose of preventing
or controlling disease, injury, or disability, the minimum necessary
information to accomplish the intended public health purpose of the
disclosure [45 CFR 164.512(b)] (Box 1).
For example, to protect the health of the public, public health
officials might need to obtain information related to persons affected by
a disease. In certain cases, they might need to contact those affected to
determine the cause of the disease to allow for actions to prevent further
illness. The Privacy Rule continues to allow for the existing practice of
sharing PHI with public health authorities who are authorized by law to
collect or receive such information to aid them in their mission of
protecting the health of the public. Examples of such activities include
those directed at the reporting of disease or injury, reporting adverse
events, reporting births and deaths, and investigating the occurrence and
cause of injury and disease (1).
Although it is not a defined term, DHHS interpreted the phrase
"authorized by law" to mean that a legal basis exists for the
activity. Further, DHHS called the phrase "a term of art,"
including both actions that are permitted and actions that are required by
law [64 FR 59929, November 3, 1999]. This does not mean a public health
authority at the federal, tribal, state, or local level must have multiple
disease or condition-specific laws that authorize each collection of
information. Public health authorities operate under broad mandates to
protect the health of their constituent populations.
Requirements for Covered Entities
Accounting for Public Health Disclosures
Although the Privacy Rule permits disclosures of PHI to public health
authorities, covered entities must comply with certain requirements
related to these disclosures. One such requirement is that a covered
entity must be able to provide an individual, upon request, with an
accounting of certain disclosures of PHI. The covered entity is not
required to account for all disclosures of PHI. For example, an accounting
is not required for disclosures made
- prior to the covered entity's compliance date;
- for TPO purposes;
- to the individual or pursuant to the individual's written
authorization; or
- as part of a limited data set.
However, an accounting is usually required for disclosures made without
authorization, including those made for public health purposes.
The required accounting for disclosures may be accomplished in
different ways. Typically, the covered entity must provide the individual
with an accounting of each disclosure by date, the PHI disclosed, the
identity of the recipient of the PHI, and the purpose of the disclosure.
However, where the covered entity has, during the accounting period, made
multiple disclosures to the same recipient for the same purpose, the
Privacy Rule provides for a simplified means of accounting. In such cases,
the covered entity need only identify the recipient of such repetitive
disclosures, the purpose of the disclosure, and describe the PHI routinely
disclosed. The date of each disclosure need not be tracked. Rather, the
accounting may include the date of the first and last such disclosure
during the accounting period, and a description of the frequency or
periodicity of such disclosures. For example, most of the data
exchanged between covered entities and public health authorities is disclosed
through ongoing, regular reporting or inspection requirements. A covered
health-care provider may routinely report all cases of measles it
diagnoses to the local public health authority. An accounting of such
disclosures to a requesting individual would need to identify the local
public health authority receiving the PHI, the PHI disclosed, the purpose
of the disclosure (required for communicable disease surveillance), the
periodicity (weekly), and the first and last dates of such disclosures
during the accounting period (May 1, 2003 to June 1, 2003). Thus, the
covered entity would not need to annotate each patient's medical record
whenever a routine public health disclosure was made.
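As an added illustration (not part of the original report), the following Python sketch applies the accounting rules just described to a constructed disclosure log for one patient: disclosures made before the compliance date or for an exempt purpose are dropped, a one-off disclosure is itemized by date, and repetitive disclosures to the same recipient for the same purpose collapse into first/last date, count and interval. The purpose labels, the recipient names and the compliance date are assumptions for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date

# Purposes exempt from the accounting requirement (see the list above).
# These labels are constructed for this example, not defined by the rule.
EXEMPT_PURPOSES = {"TPO", "to_individual", "individual_authorization", "limited_data_set"}

@dataclass(frozen=True)
class Disclosure:
    when: date
    recipient: str
    purpose: str
    phi: str  # description of what was disclosed

def accounting(disclosures, period_start, period_end, compliance_date):
    """Build the accounting one individual could request for a period.

    Drops disclosures made before the compliance date or for an exempt purpose,
    then groups the rest by (recipient, purpose, PHI). A single disclosure is
    itemized by date; repeated ones collapse into first/last date, count and the
    most common interval between them, as the simplified accounting allows."""
    groups = defaultdict(list)
    for d in disclosures:
        if d.when < compliance_date or d.purpose in EXEMPT_PURPOSES:
            continue
        if period_start <= d.when <= period_end:
            groups[(d.recipient, d.purpose, d.phi)].append(d.when)
    entries = []
    for (recipient, purpose, phi), dates in sorted(groups.items()):
        dates.sort()
        entry = {"recipient": recipient, "purpose": purpose, "phi": phi}
        if len(dates) == 1:
            entry["date"] = dates[0].isoformat()
        else:
            gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
            entry.update(first=dates[0].isoformat(), last=dates[-1].isoformat(),
                         count=len(dates), interval_days=Counter(gaps).most_common(1)[0][0])
        entries.append(entry)
    return entries

# Constructed sample log for one patient: weekly measles reports, one TPO
# disclosure to an insurer (exempt) and one report to a state cancer registry.
SAMPLE = [
    *(Disclosure(date(2003, 5, 1 + 7 * i), "Local public health authority",
                 "communicable disease surveillance", "measles case report") for i in range(5)),
    Disclosure(date(2003, 5, 10), "Health insurer", "TPO", "claim"),
    Disclosure(date(2003, 5, 20), "State cancer registry", "cancer surveillance", "diagnosis report"),
]

def sample_accounting():
    # Assumed compliance date of April 14, 2003 for the covered entity.
    return accounting(SAMPLE, date(2003, 5, 1), date(2003, 6, 1), date(2003, 4, 14))
```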
Notice of Privacy Practices
With certain exceptions, under the Privacy Rule, individuals have the
right to adequate notice of the uses and disclosures of PHI that may be
made by the covered entity, as well as their rights and the covered
entity's legal obligations. Notices must be in plain language and clearly
posted. Certain covered entities must make a good-faith effort to obtain
an individual's acknowledgment of receipt of this notice. In certain
cases, notice may be provided electronically.
Minimum Necessary Standard
The Privacy Rule usually directs covered entities to limit the amount
of information disclosed to the minimum necessary to achieve the specified
goal [45 CFR § 164.514(d)(1)]. This requirement usually applies to
disclosures to a public health agency. It would not apply, however, if the
disclosure were required by law, authorized by the individual, or for
treatment purposes. A covered entity may also reasonably rely on a public
official's determination that the information requested is the minimum
necessary for the public health purpose.
Public Health Authorities Performing Covered Functions
Public health authorities at the federal, tribal, state, or local
levels that perform covered functions (e.g., providing health care or
insuring individuals for health-care costs) may be subject to the Privacy
Rule's provisions as covered entities. For example, a local public health
authority that operates a health clinic providing essential health-care
services to low-income persons and performs certain electronic
transactions might be defined under the Privacy Rule as a covered
health-care provider and therefore a covered entity. Flow charts and
interactive tools designed to help determine covered entity status are
provided online by the Centers for Medicare and Medicaid Services,
available at http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp.
The following are examples of public health authority functions that
make them covered entities:
- Public health authorities as covered health-care providers. A
public health authority that conducts health care as part of its
activities is a covered health-care provider if it also performs
electronic transactions covered by the HIPAA Transactions Rule as part
of these activities. The fact that these activities are conducted in
pursuit of a public health goal (e.g., vaccinating children or
screening a targeted population for sexually transmitted diseases)
does not preclude the public health authority from being a covered
entity.
- Public health authorities as health plans. Under the Privacy
Rule, a health plan is an individual or group plan that provides, or
pays the cost of, medical care. This specifically includes government
health plans (e.g., Medicare, Medicaid, or Veterans Health
Administration). However, the Privacy Rule defines health plan to
exclude government-funded programs whose principal activity is the
direct provision of health care to persons or the making of grants to
fund the direct provision of health care to persons [45 CFR §
160.103]. Examples include the Ryan White Comprehensive AIDS Resources
Emergency Act. Although certain government programs that fund
providers directly may not be health plans, government programs that
reimburse providers or otherwise fund providers to perform direct
health-care services should carefully analyze the details of their
programs to determine if they are performing covered functions.
- Public health authorities as health-care clearinghouses.
Although unlikely, a public health authority might be a health-care
clearinghouse if it receives health information from another entity
and translates that information from a nonstandard format into a
standard transaction or standard data elements (or vice versa).
Operators of community health information systems should carefully
consider whether they meet the definition for a health-care
clearinghouse.
- Public health agencies as hybrid entities. A public health
agency that is a covered entity and has both covered and noncovered
functions may become a hybrid entity by designating its health-care
components. By designating itself as a hybrid entity, a public health
authority can carve out its noncovered functions, so that the majority
of Privacy Rule provisions apply only to its health-care component,
which is required to comply with the Privacy Rule requirements,
including using and disclosing PHI only as authorized, meeting the
administrative requirements, accounting for disclosure of PHI, and
providing a notice of practices. However, such a designation does not
preclude the public health authority from continuing to conduct
authorized public health functions. A covered entity that is also a
public health authority may use, as well as disclose, PHI for public
health purposes to the same extent it would be permitted to disclose
the PHI as a public health authority.