Federal health information regulators recently clarified that HIPAA permits certain uses and disclosures for public health activities without patient authorization.

A fact sheet released December 20 by the Health and Human Services Office for Civil Rights and the Office of the National Coordinator for Health Information Technology explains a number of hypothetical scenarios in which protected health information (PHI) may be shared in support of public health activities or other important public health policies. Under HIPAA, a number of regulatory provisions permit use and disclosure without patient authorization. Using and disclosing PHI for public health activities is one such provision. While this guidance does not change the existing HIPAA regulatory scheme, it provides a number of scenarios exemplifying some more common uses and disclosures for public health activities. A brief synopsis follows below.

  • Public Health Surveillance: As permitted by state law, providers may disclose PHI to state or local health departments for a central cancer registry.
  • Public Health Investigations: As permitted by state law, providers may report confirmed diagnoses of measles, including patient identity, demographic information, and positive test results.
  • Public Health Interventions (1 / 2): Following discovery that a local water supply is contaminated with lead, providers may collect and share data on children tested for exposure to lead poisoning with a public health authority.
  • Public Health Interventions (2 / 2): Primary care providers may disclose patient outcomes data to a public health authority to assess a public health intervention measuring outcomes for a defined patient population.
  • Exchange Subject to Food and Drug Administration (FDA) Jurisdiction: Physicians may disclose to the FDA information concerning patient-recipients of a recalled medical device.
  • Persons Exposed to Communicable Disease and Related Public Health Investigation: Hospitals may contact patients exposed to a communicable disease, and may also disclose to the local health department medical records needed to conduct investigations and implement disease control measures.
  • Support of Medical Surveillance of the Workplace: Certain employers are required by law to monitor the safety of working conditions. At the request of the employers, the employee’s physician may provide workplace medical surveillance-related PHI to employer.
  • Using Certified Electronic Health Record (EHR) Technology: Providers who disclose PHI for public health activities may use certified health IT to send the information. Disclosure of electronic PHI by certified health IT or other electronic means requires HIPAA Security Rule compliance.

Don’t forget that the other requirements of HIPAA apply to these permitted uses and disclosures. For example, if the disclosure is by a business associate, the business associate agreement must authorize the disclosure. And of course, the minimum necessary rule must be followed.