| Today's Date: Thursday, November 20, 2008 |
| When covered entities may disclose protected health information without authorization |
| Monday, March 27, 2006 |
| The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information to carry out their public health mission.
The Rule also recognizes that public health reports made by covered entities are an important means of identifying threats to the health andsafety of the public at large, as well as individuals. Accordingly, the Rule permits covered entities to disclose protected health information without authorization for specified public health purposes. How the Rule Works General Public Health Activities. The Privacy Rule permits covered entities to discloseprotected health information, without authorization, to public health authorities who are legallyauthorized to receive such reports for the purpose of preventing or controlling disease, injury, ordisability. This would include, for example, the reporting of a disease or injury; reporting vitalevents, such as births or deaths; and conducting public health surveillance, investigations, orinterventions. See 45 CFR 164.512(b)(1)(i). Also, covered entities may, at the direction of apublic health authority, disclose protected health information to a foreign government agency thatis acting in collaboration with a public health authority. See 45 CFR 164.512(b)(1)(i). Coveredentities who are also a public health authority may use, as well as disclose, protected healthinformation for these public health purposes. See 45 CFR 164.512(b)(2). A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsiblefor public health matters as part of its official mandate, as well as a person or entity acting undera grant of authority from, or under a contract with, a public health agency. See 45 CFR 164.501. Examples of a public health authority include State and local health departments, the Food andDrug Administration (FDA), the Centers for Disease Control and Prevention, and theOccupational Safety and Health Administration (OSHA). Generally, covered entities are required reasonably to limit the protected healthinformation disclosed for public health purposes to the minimum amount necessary to accomplish the public health purpose. However, covered entities are not required to make aminimum necessary determination for public health disclosures that are made pursuant to anindividual’s authorization, or for disclosures that are required by other law. See 45 CFR164.502(b). For disclosures to a public health authority, covered entities may reasonably rely on minimum necessary determination made by the public health authority in requesting theprotected health information. See 45 CFR 164.514(d)(3)(iii)(A). |
Click here to Contact Us