Practice Alert

How does HIPAA affect public health reporting?


Since the Health Insurance Portability and Accountability Act (HIPAA) privacy rule was put into effect in April 2003, healthcare providers have sometimes been confused about what information they can legally disclose to public health agencies. A clear understanding of permissible disclosure will enable family physicians to continue their important role of providing individual patient information for the critical activities of disease surveillance, outbreak investigation, monitoring causes of death and birth complications, assuring health care services, conducting public health research, and formulating health policy.

HIPAA does not prohibit disclosure for public health purposes

HIPAA is intended to protect the public from unauthorized access to, use of, and disclosure of individually identifiable health information. It places responsibility on health care providers to avoid using or disclosing protected health information (PHI) unless authorized by the person to whom it pertains, or unless the disclosure or use is required or permitted by regulation or law. Specifically excluded from the requirement for individual authorization are disclosures for public health activities. This means that sharing PHI for public health purposes is permitted as long as the agency to which the information is provided is legally authorized to collect and receive the information (see Lawful recipients of personal health information).

This specific exclusion was allowed because public health authorities have a legitimate need for PHI to ensure public health and safety, and because public health agencies have a track record of protecting the confidentiality of PHI. The HIPAA privacy rule attempts to strike a balance between individual privacy rights and the need for public protection.

Lawful recipients of personal health information

Public health agencies in this category include state, territorial, tribal, and local health departments, as well as federal health agencies such as the Centers for Disease Control and Prevention, the Food and Drug Administration, the National Institutes of Health, the Occupational Safety and Health Administration, the Substance Abuse and Mental Health Services Administration, and others. The category also includes individuals and agencies working under a grant of authority from a public health agency.

Lawful disclosure: Examples

It’s instructive to consider how this public health HIPAA exception plays out in the daily practice of medicine. First, some definitions:

Protected Health Information. Individually identifiable health information transmitted electronically or any other way. It includes information about past, present, or anticipated mental or physical health, and the provision of or payment for health care.

Covered entities. These are the entities that must adhere to the HIPAA rules. Included are health care providers, health plans, and health care clearinghouses that transmit any health information in an electronic format.

Personal Identifiers. Information that can be used to find the identity of an individual and link them to their PHI.

Scenario 1

A family physician’s patient dies at home. The physician is asked to fill out a death certificate, which contains PHI as defined by the HIPAA privacy rule. Is this permitted without family authorization?

Unauthorized disclosure is permitted. Vital statistics—required information on death and birth certificates—has not been changed by HIPAA. The information required on the death certificate can be provided without authorization.

Scenario 2

A patient is diagnosed with tuberculosis. This is a reportable disease per the state health code. Can the physician report the PHI requested on the disease reporting form?

Unauthorized disclosure is permitted. Each state health authority requires health care providers to report information about individuals who have contracted a disease of public health significance. Reportable disease lists differ by jurisdiction, and physicians should be aware of the diseases reportable in their areas and how the information is to be reported. Individual authorization for release of PHI in these disease reports is not required by HIPAA.

Scenario 3

A physician examines an infant who has unexplained injuries. Child abuse is suspected. Is child abuse reporting exempted from the privacy rule?

Unauthorized disclosure is permitted. Reporting of child abuse and neglect is exempted. This information may even be reported to a non-health agency, such as a child protective service, as long as the reportable information is required by law, and individual authorization is not required.

Scenario 4

A patient suffers what appears to be an adverse reaction to a medication. The FDA adverse event reporting form asks for PHI. Can a physician report PHI in this instance without patient authorization?

Unauthorized disclosure is permitted. Reporting of adverse events or reactions from drugs, food, biological products, and medical devices is still permitted without authorization.

Scenario 5

A patient is newly diagnosed with lung cancer. The state maintains a cancer registry and physicians are required to report PHI about patients with cancer. In this state the cancer registry is maintained by the university under contract with the State Health Department. Is reporting permitted without patient authorization?
