HIPAA Privacy Rule and Public Health

The Privacy Rule and Public Health

The Privacy Rule recognizes 1) the legitimate need for public health authorities and others responsible for ensuring the public's health and safety to have access to PHI to conduct their missions; and 2) the importance of public health reporting by covered entities to identify threats to the public and individuals. Accordingly, the rule 1) permits PHI disclosures without a written patient authorization for specified public health purposes to public health authorities legally authorized to collect and receive the information for such purposes, and 2) permits disclosures that are required by state and local public health or other laws. However, because the Privacy Rule affects the traditional ways PHI is used and exchanged among covered entities (e.g., doctors, hospitals, and health insurers), it can affect public health practice and research in multiple ways. To prevent misconceptions, understanding the Privacy Rule is important for public health practice. Some illustrative examples are presented in this report (Box 4). Also provided are sample letters that might prove useful in clarifying relationships involving public health and the Privacy Rule (Appendix B).

A public health authority is broadly defined as including agencies or authorities of the United States, states, territories, political subdivisions of states or territories, American Indian tribes, or an individual or entity acting under a grant of authority from such agencies and responsible for public health matters as part of an official mandate. Public health authorities include federal public health agencies (e.g., CDC, National Institutes of Health [NIH], Health Resources and Services Administration [HRSA], Substance Abuse and Mental Health Services Administration [SAMHSA], Food and Drug Administration [FDA], or Occupational Safety and Health Administration [OSHA]); tribal health agencies; state public health agencies (e.g., public health departments or divisions, state cancer registries, and vital statistics departments); local public health agencies; and anyone performing public health functions under a grant of authority from a public health agency [45 CFR § 164.501].

Public health agencies often conduct their authorized public health activities with other entities by using different mechanisms (e.g., contracts and memoranda or letters of agreement). These other entities are public health authorities under the Privacy Rule with respect to the activities they conduct under a grant of authority from such a public health agency. A covered entity may disclose PHI to public health authorities and to these designated entities pursuant to the public health provisions of the Privacy Rule.

The Privacy Rule permits covered entities to disclose PHI, without authorization, to public health authorities or other entities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability. This includes the reporting of disease or injury; reporting vital events (e.g., births or deaths); conducting public health surveillance, investigations, or interventions; reporting child abuse and neglect; and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices [45 CFR 164.512(b)]. Covered entities may report adverse events related to FDA-regulated products or activities to public agencies and private entities that are subject to FDA jurisdiction [45 CFR 164.512(b)(1)(iii)]. To protect the health of the public, public health authorities might need to obtain information related to the individuals affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority [45 CFR 164.512(b)(1)(i)].

To receive PHI for public health purposes, public health authorities should be prepared to verify their status and identity as public health authorities under the Privacy Rule. To verify its identity, an agency could provide any one of the following:

• if the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;
• if the request is in writing, the request is on the appropriate government letterhead;
• if the disclosure is to a person acting on behalf of a public health authority, a written statement on appropriate government letterhead that the person is acting under the government's authority [45 CFR § 164.514(h)(2)].

Public health authorities receiving information from covered entities as required or authorized by law [45 CFR 164.512(a)] [45 CFR 164.512(b)] are not business associates of the covered entities and therefore are not required to enter into business associate agreements. Public health authorities that are not covered entities also are not required to enter into business associate agreements with their public health partners and contractors. Also, after PHI is disclosed to a public health authority pursuant to the Privacy Rule, the public health authority (if it is not a covered entity) may maintain, use, and disclose the data consistent with the laws, regulations, and policies applicable to the public health authority.

Disclosures for Public Health Purposes

The Privacy Rule allows covered entities to disclose PHI to public health authorities when required by federal, tribal, state, or local laws [45 CFR 164.512(a)]. This includes state laws (or state procedures established under such law) that provide for receiving reporting of disease or injury, child abuse, birth, or death, or conducting public health surveillance, investigation, or intervention.

For disclosures not required by law, covered entities may still disclose, without authorization, to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, the minimum necessary information to accomplish the intended public health purpose of the disclosure [45 CFR 164.512 (b)] (Box 1).

For example, to protect the health of the public, public health officials might need to obtain information related to persons affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. The Privacy Rule continues to allow for the existing practice of sharing PHI with public health authorities who are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting adverse events, reporting births and deaths, and investigating the occurrence and cause of injury and disease (1).

Although it is not a defined term, DHHS interpreted the phrase "authorized by law" to mean that a legal basis exists for the activity. Further, DHHS called the phrase "a term of art," including both actions that are permitted and actions that are required by law [64 FR 59929, November 3, 1999]. This does not mean a public health authority at the federal, tribal, state, or local level must have multiple disease or condition-specific laws that authorize each collection of information. Public health authorities operate under broad mandates to protect the health of their constituent populations.

Requirements for Covered Entities

Accounting for Public Health Disclosures

Although the Privacy Rule permits disclosures of PHI to public health authorities, covered entities must comply with certain requirements related to these disclosures. One such requirement is that a covered entity must be able to provide an individual, upon request, with an accounting of certain disclosures of PHI. The covered entity is not required to account for all disclosures of PHI. For example, an accounting is not required for disclosures made

• prior to the covered entity's compliance date;
• for TPO purposes;
• to the individual or pursuant to the individual's written authorization; or
• as part of a limited data set.

However, usually an accounting is required for disclosures made without authorization, including public health purposes.

The required accounting for disclosures may be accomplished in different ways. Typically, the covered entity must provide the individual with an accounting of each disclosure by date, the PHI disclosed, the identity of the recipient of the PHI, and the purpose of the disclosure. However, where the covered entity has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy Rule provides for a simplified means of accounting. In such cases, the covered entity need only identify the recipient of such repetitive disclosures, the purpose of the disclosure, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period, and a description of the frequency or periodicity of such disclosures. For example, the vast amount of data exchanged between covered entities and public health authorities is made through ongoing, regular reporting or inspection requirements. A covered health-care provider may routinely report all cases of measles it diagnoses to the local public health authority. An accounting of such disclosures to a requesting individual would need to identify the local public health authority receiving the PHI, the PHI disclosed, the purpose of the disclosure (required for communicable disease surveillance), the periodicity (weekly), and the first and last dates of such disclosures during the accounting period (May 1, 2003 to June 1, 2003). Thus, the covered entity would not need to annotate each patient's medical record whenever a routine public health disclosure was made.

Notice of Privacy Practices

With certain exceptions, under the Privacy Rule, individuals have the right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, as well as their rights and the covered entity's legal obligations. Notices must be in plain language and clearly posted. Certain covered entities must make a good faith effort to obtain an individual's acknowledgment of receipt of this notice. In certain cases, notice may be provided electronically.

Minimum Necessary Standard

The Privacy Rule usually directs covered entities to limit the amount of information disclosed to the minimum necessary to achieve the specified goal [45 CFR § 164.514(d)(1)]. This requirement usually applies to disclosures to a public health agency. It would not apply, however, if the disclosure were required by law, authorized by the individual, or for treatment purposes. A covered entity may also reasonably rely on a public official's determination that the information requested is the minimum necessary for the public health purpose.

Public Health Authorities Performing Covered Functions

Public health authorities at the federal, tribal, state, or local levels that perform covered functions (e.g., providing health care or insuring individuals for health-care costs), may be subject to the Privacy Rule's provisions as covered entities. For example, a local public health authority that operates a health clinic providing essential health-care services to low-income persons and performs certain electronic transactions might be defined under the Privacy Rule as a covered health-care provider and therefore a covered entity. Flow charts and interactive tools designed to help determine covered entity status are provided online by the Centers for Medicare and Medicaid Services, available at http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp.

The following are examples of public health authority functions that make them covered entities:

• Public health authorities as covered health-care providers. A public health authority that conducts health care as part of its activities is a covered health-care provider if it also performs electronic transactions covered by the HIPAA Transactions Rule as part of these activities. The fact that these activities are conducted in pursuit of a public health goal (e.g., vaccinating children or screening a targeted population for sexually transmitted diseases) does not preclude the public health authority from being a covered entity.
• Public health authorities as health plans. Under the Privacy Rule, a health plan is an individual or group plan that provides, or pays the cost of, medical care. This specifically includes government health plans (e.g., Medicare, Medicaid, or Veterans Health Administration). However, the Privacy Rule defines health plan to exclude government-funded programs whose principal activity is the direct provision of health care to persons or the making of grants to fund the direct provision of health care to persons [45 CFR § 160.103]. Examples include the Ryan White Comprehensive AIDS Resources Emergency Act. Although certain government programs that fund providers directly may not be health plans, government programs that reimburse providers or otherwise fund providers to perform direct health-care services should carefully analyze the details of their programs to determine if they are performing covered functions.
• Public health authorities as health-care clearinghouses. Although unlikely, a public health authority might be a health-care clearinghouse if it receives health information from another entity and translates that information from a nonstandard format into a standard transaction or standard data elements (or vice versa). Operators of community health information systems should carefully consider whether they meet the definition for a health-care clearinghouse.
• Public health agencies as hybrid entities. A public health agency that is a covered entity, and has both covered and noncovered functions may become a hybrid entity by designating its health-care components. By designating itself as a hybrid entity, a public health authority can carve out its noncovered functions, so that the majority of Privacy Rule provisions apply only to its health-care component, which is required to comply with the Privacy Rule requirements, including using and disclosing PHI only as authorized, meeting the administrative requirements, accounting for disclosure of PHI, and providing a notice of practices. However, such a designation does not preclude the public health authority from continuing to conduct authorized public health functions. A covered entity that is also a public health authority may use, as well as disclose, PHI for public health purposes to the same extent it would be permitted to disclose the PHI as a public health authority.