DISCLOSURES FOR PUBLIC HEALTH ACTIVITIES
[45 CFR 164.512(b)]
Background
The HIPAA Privacy Rule recognizes the legitimate need for public
health authorities
and others responsible for ensuring public health and safety to have access
to protected health information to carry out their public health mission. The
Rule also recognizes that public health reports made by covered entities are
an important means of identifying threats to the health and safety
of the public
at large, as well as individuals. Accordingly, the Rule permits
covered entities
to disclose protected health information without authorization for specified
public health purposes.
How the Rule Works
General Public Health Activities. The Privacy Rule permits covered
entities to disclose protected health information, without authorization, to
public health authorities who are legally authorized to receive such reports
for the purpose of preventing or controlling disease, injury, or disability.
This would include, for example, the reporting of a disease or
injury; reporting
vital events, such as births or deaths; and conducting public
health surveillance,
investigations, or interventions. See 45 CFR 164.512(b)(1)(i). Also, covered
entities may, at the direction of a public health authority,
disclose protected
health information to a foreign government agency that is acting in
collaboration
with a public health authority. See 45 CFR 164.512(b)(1)(i). Covered entities
who are also a public health authority may use, as well as
disclose, protected
health information for these public health purposes. See 45 CFR
164.512(b)(2).
A "public health authority" is an agency or authority of the United States
government, a State, a territory, a political subdivision of a
State or territory,
or Indian tribe that is responsible for public health matters as part of its
official mandate, as well as a person or entity acting under a
grant of authority
from, or under a contract with, a public health agency. See 45 CFR 164.501.
Examples of a public health authority include State and local
health departments,
the Food and Drug Administration (FDA), the Centers for Disease Control and
Prevention, and the Occupational Safety and Health Administration
(OSHA).
Generally, covered entities are required reasonably to limit the protected
health information disclosed for public health purposes to the minimum amount
necessary to accomplish the public health purpose. However, covered entities
are not required to make a minimum necessary determination for public health
disclosures that are made pursuant to an individual's authorization, or for
disclosures that are required by other law. See 45 CFR 164.502(b).
For disclosures
to a public health authority, covered entities may reasonably rely
on a minimum
necessary determination made by the public health authority in requesting the
protected health information. See 45 CFR 164.514(d)(3)(iii)(A). For routine
and recurring public health disclosures, covered entities may
develop standard
protocols, as part of their minimum necessary policies and procedures, that
address the types and amount of protected health information that
may be disclosed
for such purposes. See 45 CFR 164.514(d)(3)(i).
Other Public Health Activities. The Privacy Rule
recognizes the important
role that persons or entities other than public health authorities
play in certain
essential public health activities. Accordingly, the Rule permits
covered entities
to disclose protected health information, without authorization, to
such persons
or entities for the public health activities discussed below.
Child abuse or neglect. Covered entities may
disclose protected
health information to report known or suspected child abuse or
neglect, if
the report is made to a public health authority or other appropriate
government authority that is authorized by law to receive
such reports.
For instance, the social services department of a local
government might
have legal authority to receive reports of child abuse or neglect, in
which case, the Privacy Rule would permit a covered entity to report
such cases to that authority without obtaining individual
authorization.
Likewise, a covered entity could report such cases to the
police department
when the police department is authorized by law to receive
such reports.
See 45 CFR 164.512(b)(1)(ii). See also 45 CFR 512(c) for information
regarding disclosures about adult victims of abuse,
neglect, or domestic
violence.
Quality, safety or effectiveness of a
product or activity regulated
by the FDA. Covered entities may disclose protected health
information
to a person subject to FDA jurisdiction, for public health
purposes related
to the quality, safety or effectiveness of an FDA-regulated
product or activity
for which that person has responsibility. Examples of purposes
or activities
for which such disclosures may be made include, but are not
limited to:
- Collecting or reporting adverse events (including similar reports
regarding food and dietary supplements), product defects or problems
(including problems regarding use or labeling), or biological product
deviations;
- Tracking FDA-regulated products;
- Enabling product recalls, repairs, replacement or lookback (which
includes locating and notifying individuals who received recalled or
withdrawn products or products that are the subject of
lookback); and
- Conducting post-marketing surveillance.
See 45 CFR 164.512(b)(1)(iii). The "person" subject to the jurisdiction
of the FDA does not have to be a specific individual. Rather, it can
be an individual or an entity, such as a partnership, corporation, or
association. Covered entities may identify the party or
parties responsible
for an FDA-regulated product from the product label, from
written material
that accompanies the product (known as labeling), or from sources of
labeling, such as the Physician's Desk Reference.
Persons at risk of contracting
or spreading a disease. A covered entity may disclose
protected health information to a person who is at risk of
contracting or spreading a disease or condition if other
law authorizes
the covered entity to notify such individuals as necessary to carry
out public health interventions or investigations. For
example, a covered
health care provider may disclose protected health
information as needed
to notify a person that (s)he has been exposed to a
communicable disease
if the covered entity is legally authorized to do so to
prevent or control
the spread of the disease. See 45 CFR 164.512(b)(1)(iv).
Workplace medical surveillance.
A covered health care provider who provides a health care service to
an individual at the request of the individual's employer,
or provides
the service in the capacity of a member of the employer's workforce,
may disclose the individual's protected health information
to the employer
for the purposes of workplace medical surveillance or the evaluation
of work-related illness and injuries to the extent the employer needs
that information to comply with OSHA, the Mine Safety and
Health Administration
(MSHA), or the requirements of State laws having a similar purpose.
The information disclosed must be limited to the provider's findings
regarding such medical surveillance or work-related illness
or injury.
The covered health care provider must provide the
individual with written
notice that the information will be disclosed to his or her employer
(or the notice may be posted at the worksite if that is
where the service
is provided). See 45 CFR 164.512(b)(1)(v).
DISCLOSURES FOR PUBLIC HEALTH ACTIVITIES
Frequently Asked Questions
- Q: Must a health care provider or other covered entity
obtain permission
from a patient prior to notifying public health authorities of
the occurrence
of a reportable disease?
A: No. All States have laws that require providers to report cases
of specific diseases to public health officials. The HIPAA Privacy Rule
permits disclosures that are required by law. Furthermore, disclosures to
public health authorities that are authorized by law to collect
or receive
information for public health purposes are also permissible
under the Privacy
Rule. In order to do their job of protecting the health of the public, it
is frequently necessary for public health officials to obtain information
about the persons affected by a disease. In some cases they may need to
contact those affected in order to determine the cause of the disease to
allow for actions to prevent further illness.
The Privacy Rule continues to allow for the existing practice of sharing
protected health information with public health authorities
that are authorized
by law to collect or receive such information to aid them in
their mission
of protecting the health of the public. Examples of such
activities include
those directed at the reporting of disease or injury, reporting
deaths and
births, investigating the occurrence and cause of injury and disease, and
monitoring adverse outcomes related to food (including dietary
supplements),
drugs, biological products, and medical devices. See the fact sheet and
frequently asked questions on this web site about the public
health provision
for more information.
- Q: Does the public health provision of the HIPAA Privacy Rule require
covered entities to make public health disclosures?
A: No. The Privacy Rule's public health provision permits, but does
not require, covered entities to make such disclosures. This provision is
intended to allow covered entities to continue current
voluntary reporting
practices that are critically important to public health and safety. The
Rule also permits covered entities to disclose protected health
information
when State or other law requires covered entities to make disclosures for
public health purposes. For instance, many State laws require health care
providers to report certain diseases, cases of child abuse,
births, or deaths,
and the Privacy Rule permits covered entities to disclose
protected health
information, without authorization, to make such reports. See
the fact sheet
and frequently asked questions on this web site about the public health
provision for more information.
- Q: May covered entities disclose facially identifiable protected health
information, such as name, address, and social security number, for public
health purposes?
A: Yes. The HIPAA Privacy Rule permits covered entities to disclose
the amount and type of protected health information that is
needed for public
health purposes. In some cases, the disclosure will be required by other
law, in which case, covered entities may make the required
disclosure pursuant
to 45 CFR 164.512(a) of the Rule. For disclosures that are not required
by law, covered entities may disclose, without authorization,
the information
that is reasonably limited to that which is minimally necessary
to accomplish
the intended purpose of the disclosure. For routine or recurring public
health disclosures, a covered entity may develop protocols as part of its
minimum necessary policies and procedures to address the type and amount
of information that may be disclosed for such purposes. Covered entities
may also rely on the requesting public health authority's determination
of the minimally necessary information. See the fact sheet and frequently
asked questions on this web site about the public health and
minimum necessary
standards for more information.
- Q: Does the HIPAA Privacy Rule's public health provision permit covered
entities to disclose protected health information to authorities such as
the National Institutes of Health (NIH)?
A: The definition of a "public health authority" requires that an
agency's official mandate include the responsibility for public
health matters.
The mandate can be responsibility for public health matters, generally,
or it can be for specific public health programs. Furthermore,
an agency's
official mandate does not have to be exclusively or primarily for public
health. Therefore, to the extent a government agency has public
health matters
as part of its official mandate, it qualifies as a public
health authority.
For instance, various Department of Health and Human Services agencies, such
as NIH and the Health Resources and Services Administration (HRSA), are
authorized by law to assist the Secretary of Health and Human Services in
carrying out the purposes of section 301 of the Public Health
Service Act.
Those agencies are public health authorities under the Rule, even if they
have other non-public health mandates. To the extent a public
health authority
is authorized by law to collect or receive information for the
public health
purposes specified in the public health provision, covered entities may
disclose protected health information to such public health authorities
without authorization pursuant to the public health provision.
See the fact
sheet and frequently asked questions on this web site about the
public health
provision for more information.
- Q: To whom may covered entities make public health disclosures regarding
a product regulated by the Food and Drug Administration (FDA) when more
than one person is identified on the product label?
A: Covered entities may identify persons responsible for
an FDA-regulated
product by using the product label, the literature that accompanies the
product, or other sources of labeling, such as the Physician's
Desk Reference.
If multiple persons are named, covered entities may choose any
of the persons
named by these sources. See the fact sheet and frequently asked questions
on this web site about the public health provision for more information.
- Q: Is a covered entity permitted to disclose
protected health information
under the HIPAA Privacy Rule's public health provision when the
link between
an adverse event and a product regulated by the Food and Drug
Administration
(FDA) is only suspected?
A: Yes. In most instances when a covered entity makes an adverse
event report to a person responsible for an FDA-regulated
product, the covered
entity will suspect, but not know, the product is the cause of the event.
Determining whether the product is related to the adverse event
almost always
requires follow up with the covered entity which in turn may need further
contact with the patient. FDA and product manufacturers receive a great
deal of important information about the safety of regulated products from
these reports. To limit such reports to those instances where the covered
entity is convinced of the link between the product and the event would
reduce the amount of useful safety, quality and effectiveness
data available
to the agency as well as to product manufacturers. This would
limit significantly
FDA's ability to protect the public health by helping to assure that only
safe and effective products are marketed in the U.S. Accordingly, covered
entities may disclose the minimum amount of protected health information
that is reasonably necessary to report suspected adverse events
associated
with an FDA-regulated product. See the fact sheet and
frequently asked questions
on this web site about the public health and minimum necessary standards
for more information.
- Q: Does the HIPAA Privacy Rule's public health provision permit covered
entities to disclose protected health information without authorization
to a manufacturer of a product regulated by the Food and Drug Administration
(FDA) for use by the manufacturer to assess the effectiveness of its marketing
campaign?
A: No. The public health provision is intended to facilitate the
flow of information that is essential to the FDA's public health mission.
The provision does not permit covered entities to disclose
protected health
information to a manufacturer for the manufacturer's commercial purposes,
or for any other non-public health purpose. For example, the
Rule does not
permit a covered entity to provide a drug manufacturer with a
list of persons
who prefer a different flavored cough syrup over the flavor of
the manufacturer's
product. Rather, this provision permits covered entities to
disclose protected
health information as necessary to continue current voluntary reporting
of adverse events and similar reports that are necessary to
ensure the quality,
safety, or effectiveness of an FDA-regulated product. For
instance, a covered
entity would be permitted to report a concern to a drug manufacturer that
its cough syrup might be unsafe based on the belief that a difference in
the taste could be due to drug tampering or a manufacturing
problem. Likewise,
a covered health care provider would be permitted to disclose protected
health information to a drug manufacturer to report that the failure of
a patient's medical condition to improve may be due to the
drug's ineffectiveness.
In making such a report, the covered entity may disclose the
protected health
information that is reasonably necessary to achieve the purpose
of the report.
See the fact sheet and frequently asked questions on this web site about
the public health and minimum necessary standards for more information.
- Q: Does the HIPAA Privacy Rule's public health provision permit covered
health care providers to disclose protected health information concerning
the findings of pre-employment physicals, drug tests, or fitness-for-duty
examinations to an individual's employer?
A: The public health provision permits covered health care providers
to disclose an individual's protected health information to the
individual's
employer without authorization in very limited circumstances. First, the
covered health care provider must provide the health care service to the
individual at the request of the individual's employer or as a member of
the employer's workforce. Second, the health care service provided must
relate to the medical surveillance of the workplace or an evaluation to
determine whether the individual has a work-related illness or
injury. Third,
the employer must have a duty under the Occupational Safety and
Health Administration
(OSHA), the Mine Safety and Health Administration (MSHA), or
the requirements
of a similar State law, to keep records on or act on such
information. For
example, OSHA requires employers to monitor employees'
exposures to certain
substances and to take specific actions when an employee's exposure level
exceeds a specified limit. A covered entity which tests an individual for
such an exposure level at the request of the individual's
employer may disclose
that test result to the employer without authorization.
Generally, pre-placement physicals, drug tests, and
fitness-for-duty examinations
are not performed for such purposes. However, to the extent
such an examination
is conducted at the request of the employer for the purpose of
such workplace
medical surveillance or work-related illness or injury, and the employer
needs the information to comply with the requirements of OSHA, MSHA, or
similar State law, the protected health information the employer needs to
meet such legal obligation may be disclosed to the employer
without authorization.
Covered health care providers who make such disclosures must provide the
individual with written notice that the information is to be disclosed to
his or her employer (or by posting the notice at the worksite
if the service
is provided there).
When a health care service does not meet the above requirements, covered
entities may not disclose an individual's protected health information to
the individual's employer without an authorization, unless the disclosure
is otherwise permitted without authorization by other provisions of the
Rule. However, nothing in the Rule prohibits an employer from
conditioning
employment on an individual providing an authorization for the disclosure
of such information.
(December 2002 HHS Guidance Document)