HIPAA FAQ – Public Health Uses and Disclosures
The Privacy Rule does not require a notation in each medical record that has been accessed by public health authorities, as long as the information required under the Privacy Rule is included in the accounting for disclosures. Where, as with many public health disclosures, access to an entire universe of records is involved, tracking disclosures can be accomplished without the need for documentation in each record. This flexibility in the manner of documentation facilitates complying with the accounting requirement.
By way of background, a covered entity may disclose protected health information (PHI) without the patient’s authorization to a public health authority that is legally permitted to collect or receive such information for public health surveillance or related activities (45 CFR 164.512(b)(1)). A covered entity is also required by the Privacy Rule to account to the patient for such disclosures of PHI, if the patient asks (45 CFR 164.528). Further, under the Privacy Rule, making a set of records available for review by a third party constitutes a “disclosure” of the PHI in the entire set of records, regardless of whether the third party actually reviews any particular record. See 45 CFR 164.501, for the definition of disclosure. Thus, mere access by a third party, such as a public health authority, to PHI is a disclosure and subject to an accounting for disclosures.
Public health surveillance activities often involve a retrospective review by a public health authority of a universe of patient records to identify reportable events. When a reportable case is identified, the specific data items pertinent to the public health surveillance activity are extracted and reported to the public health authority.
For example, retrospective review of the medical charts for all patients treated by a health care provider or all charts of patients treated in the entity’s emergency department may be required to identify cases of new or previously unknown infectious agents, clinical conditions associated with the use or abuse of illicit or prescription drugs, or adverse events or reactions associated with pharmaceuticals or medical devices. In these cases, as noted above, all records to which access was provided to the public health authority are deemed to have been disclosed under the Privacy Rule. Because of the universal nature of the access provided, the documentation required for the disclosure can be easily maintained. The covered entity need only document the identity (and address if known) of the public health authority to which access was provided, a description of the records and PHI subject to access, the purpose for the disclosure, and when access was provided. This documentation need not be noted in each record. It would be sufficient, for instance, for the covered entity to maintain a separate notation of such disclosures, applicable to all records so accessed. Then, if an individual requests an accounting, the covered entity need only determine whether the individual’s records were among the universe of records to which the public health authority was granted access. All individuals whose records were accessed in this fashion would receive the same accounting for the disclosure.
For example, if on August 1, 2003, a hospital began providing a public health authority ongoing access to the medical charts of all patients treated in its emergency department to identify reportable cases and extract relevant information required for a particular surveillance activity, it would be sufficient, under §164.528(b)(2), for the accounting to include the following:
- the identity, and address, if known, of the public health authority;
- a statement that the public health authority had access to medical charts for patients treated in the emergency department
- the date (or approximate range of dates) when the individual’s record was subject to access (e.g., access provided within a week of treatment in ER on [fill in date of individual visit]); and
- a statement of the purpose of the access (e.g., identify the particular public health surveillance activity).
The same basic statement could then be provided in response to a request for an accounting by any individual who was seen in the emergency department of the hospital on or after August 1, 2003.
The public health provision permits covered health care providers to disclose an individual’s protected health information to the individual’s employer without authorization in very limited circumstances.
First, the covered health care provider must provide the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce.
Second, the health care service provided must relate to the medical surveillance of the workplace or an evaluation to determine whether the individual has a work-related illness or injury.
Third, the employer must have a duty under the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or the requirements of a similar State law, to keep records on or act on such information. For example, OSHA requires employers to monitor employees’ exposures to certain substances and to take specific actions when an employee’s exposure level exceeds a specified limit. A covered entity which tests an individual for such an exposure level at the request of the individual’s employer may disclose that test result to the employer without authorization.
Generally, pre-placement physicals, drug tests, and fitness-for-duty examinations are not performed for such purposes. However, to the extent such an examination is conducted at the request of the employer for the purpose of such workplace medical surveillance or work-related illness or injury, and the employer needs the information to comply with the requirements of OSHA, MSHA, or similar State law, the protected health information the employer needs to meet such legal obligation may be discussed to the employer without authorization. Covered health care providers who make such disclosures must provide the individual with written notice that the information is to be disclosed to his or her employer (or by posting the notice at the work site if the service is provided there).
When a health care service does not meet the above requirements, covered entities may not disclose an individual’s protected health information to the individual’s employer without an authorization, unless the disclosure is otherwise permitted without authorization by other provisions of the Rule. However, nothing in the Rule prohibits an employer from conditioning employment on an individual providing an authorization for the disclosure of such information.
No. The public health provision is intended to facilitate the flow of information that is essential to the FDA’s public health mission. The provision does not permit covered entities to disclose protected health information to a manufacturer for the manufacturer’s commercial purposes, or for any other non-public health purpose.
For example, the Rule does not permit a covered entity to provide a drug manufacturer with a list of persons who prefer a different flavored cough syrup over the flavor of the manufacturer’s product. Rather, this provision permits covered entities to disclose protected health information as necessary to continue current voluntary reporting of adverse events and similar reports that are necessary to ensure the quality, safety, or effectiveness of an FDA-regulated product.
For instance, a covered entity would be permitted to report a concern to a drug manufacturer that its cough syrup might be unsafe based on the belief that a difference in the taste could be due to drug tampering or a manufacturing problem. Likewise, a covered health care provider would be permitted to disclose protected health information to a drug manufacturer to report that the failure of a patient’s medical condition to improve may be due to the drug’s ineffectiveness. In making such a report, the covered entity may disclose the protected health information that is reasonably necessary to achieve the purpose of the report.
Yes. In most instances when a covered entity makes an adverse event report to a person responsible for an FDA-regulated product, the covered entity will suspect, but not know, the product is the cause of the event. Determining whether the product is related to the adverse event almost always requires follow up with the covered entity which in turn may need further contact with the patient.
FDA and product manufacturers receive a great deal of important information about the safety of regulated products from these reports. To limit such reports to those instances where the covered entity is convinced of the link between the product and the event would reduce the amount of useful safety, quality and effectiveness data available to the agency as well as to product manufacturers. This would limit significantly FDA’s ability to protect the public health by helping to assure that only safe and effective products are marketed in the U.S. Accordingly, covered entities may disclose the minimum amount of protected health information that is reasonably necessary to report suspected adverse events associated with an FDA-regulated product.
Covered entities may identify persons responsible for an FDA-regulated product by using the product label, the literature that accompanies the product, or other sources of labeling, such as the Physician’s Desk Reference. If multiple persons are named, covered entities may choose any of the persons named by these sources.
The definition of a “public health authority” requires that an agency’s official mandate include the responsibility for public health matters. The mandate can be responsibility for public health matters, generally, or it can be for specific public health programs. Furthermore, an agency’s official mandate does not have to be exclusively or primarily for public health. Therefore, to the extent a government agency has public health matters as part of its official mandate, it qualifies as a public health authority.
For instance, various Department of Health and Human Service (HHS) agencies, such as National Institutes of Health (NIH), and the Health Resources and Services Administration (HRSA), are authorized by law to assist the Secretary of Health and Human Services in carrying out the purposes of section 301 of the Public Health Service Act. Those agencies are public health authorities under the Rule, even if they have other non-public health mandates.
To the extent a public health authority is authorized by law to collect or receive information for the public health purposes specified in the public health provision, covered entities may disclose protected health information to such public health authorities without authorization pursuant to the public health provision.
Yes. The HIPAA Privacy Rule permits covered entities to disclose the amount and type of protected health information that is needed for public health purposes. In some cases, the disclosure will be required by other law, in which case, covered entities may make the required disclosure pursuant to 45 CFR 164.512(a) of the Rule.
For disclosures that are not required by law, covered entities may disclose, without authorization, the information that is reasonably limited to that which is minimally necessary to accomplish the intended purpose of the disclosure. For routine or recurring public health disclosures, a covered entity may develop protocols as part of its minimum necessary policies and procedures to address the type and amount of information that may be disclosed for such purposes. Covered entities may also rely on the requesting public health authority’s determination of the minimally necessary information.
No. The Privacy Rule’s public health provision permits, but does not require, covered entities to make such disclosures. This provision is intended to allow covered entities to continue current voluntary reporting practices that are critically important to public health and safety. The Rule also permits covered entities to disclose protected health information when State or other law requires covered entities to make disclosures for public health purposes.
For instance, many State laws require health care providers to report certain diseases, cases of child abuse, births, or deaths, and the Privacy Rule permits covered entities to disclose protected health information, without authorization, to make such reports. See the fact sheet about the public health provision for more information.
No. All States have laws that require providers to report cases of specific diseases to public health officials. The HIPAA Privacy Rule permits disclosures that are required by law. Furthermore, disclosures to public health authorities that are authorized by law to collect or receive information for public health purposes are also permissible under the Privacy Rule. In order to do their job of protecting the health of the public, it is frequently necessary for public health officials to obtain information about the persons affected by a disease. In some cases they may need to contact those affected in order to determine the cause of the disease to allow for actions to prevent further illness.
The Privacy Rule continues to allow for the existing practice of sharing protected health information with public health authorities that are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting deaths and births, investigating the occurrence and cause of injury and disease, and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices.
No, a covered entity is not required to provide an accounting for a disclosure where the only information disclosed is in the form of a limited data set, and the covered entity has a data use agreement with the public health authority receiving the information. (See 45 CFR 164.514(e) for limited data set and data use agreement requirements.)
Moreover, a covered entity is not required to provide an accounting when it uses protected health information to create a limited data set. For example, when a covered entity’s workforce member – whether a paid employee or volunteer – reviews medical records to identify reportable cases and extracts facially unidentifiable information to be reported as part of a limited data set to the public health authority, the covered entity is using, rather than disclosing, protected health information. In that case, the covered entity does not have to provide an accounting for its uses of protected health information. Further, even though a disclosure occurs when the limited data set is received by the public health authority for its own public health purposes, the covered entity is not required to account for this disclosure. Limited data sets are excepted from the accounting requirement at 45 CFR 164.528(a)(1)(viii).
Yes. The Rule recognizes that various agencies and public officials will need protected health information to deal effectively with a bio-terrorism threat or emergency. To facilitate the communications that are essential to a quick and effective response to such events, the Privacy Rule permits covered entities to disclose needed information to public officials in a variety of ways.
Covered entities may disclose protected health information, without the individual’s authorization, to a public health authority acting as authorized by law in response to a bio-terrorism threat or public health emergency (see 45 CFR 164.512(b)), public health activities). The Privacy Rule also permits a covered entity to disclose protected health information to public officials who are reasonably able to prevent or lessen a serious and imminent threat to public health or safety related to bio-terrorism (see 45 CFR 164.512(j)), to avert a serious threat to health or safety). In addition, disclosure of protected health information, without the individual’s authorization, is permitted where the circumstances of the emergency implicates law enforcement activities (see 45 CFR 164.512(f)); national security and intelligence activities (see 45 CFR 164.512(k)(2)); or judicial and administrative proceedings (see 45 CFR 164.512(e)).
A covered entity may enter into a business associate agreement with the public health authority for the sole purpose of creating a limited data set, even if the same public health authority is also the intended recipient of the information (45 CFR 164.514(e)(3)(ii)). For example, the covered entity may contract with the public health authority as a business associate for the exclusive purpose of reviewing medical charts and extracting the facially unidentifiable information needed for the particular public health surveillance activity. In these cases, the public health authority, as the covered entity’s business associate for purposes of creating a limited data set, must agree to return, destroy or not remove from the covered entity’s premises the protected health information that includes the direct identifiers, once the public health authority has completed the conversion of the information into a limited data set for its own public health use. Because the public health authority is not only the covered entity’s business associate for creating the limited data set, but also the intended recipient of the limited data set, the public health authority must enter into both a data use agreement and a business associate agreement. The data use agreement can be combined with the business associate agreement into a single agreement so long as the agreement meets the requirements of both provisions. See 45 CFR 164.504(e)(2) and 164.514(e)(4).
While there are two disclosures in this case – the disclosure to the public health authority in its role as the covered entity’s business associate in creating the limited data set, and the disclosure to the public health authority as the recipient of the limited data set – neither disclosure requires an accounting. A disclosure to a business associate for the purpose of creating a limited data set is a health care operation, as defined by the Rule at 45 CFR 164.501. Disclosures for health care operations and disclosures made as a limited data set are both excepted from the accounting requirement at 45 CFR 164.528(a)(1)(i) and (viii), respectively.
In general, and as explained below, the Privacy Rule permits a covered health care provider (covered provider), without the individual’s written authorization, to disclose protected health information to a medical device company representative (medical device company) for the covered provider’s own treatment, payment, or health care operation purposes (45 CFR 164.506(c)(1)), or for the treatment or payment purposes of a medical device company that is also a health care provider (45 CFR 164.506(c)(2), (3)). Additionally, the public health provisions of the Privacy Rule permit a covered provider to make disclosures, without an authorization, to a medical device company or other person that is subject to the jurisdiction of the Food and Drug Administration (FDA) for activities related to the quality, safety, or effectiveness of an FDA-regulated product or activity for which the person has responsibility. See 45 CFR 164.512(b)(1)(iii) and the frequently asked questions on public health disclosures for more information.
In certain situations, a covered health care provider may disclose protected health information to a medical device company without an individual’s written authorization only if the medical device company is a health care provider as defined by the Rule. A medical device company meets the Privacy Rule’s definition of “health care provider” if it furnishes, bills, or is paid for “health care” in the normal course of business. “Health care” under the Rule means care, services or supplies related to the health of an individual. Thus, a device manufacturer is a health care provider under the Privacy Rule if it needs protected health information to counsel a surgeon on or determine the appropriate size or type of prosthesis for the surgeon to use during a patient’s surgery, or otherwise assists the doctor in adjusting a device for a particular patient. Similarly, when a device company needs protected health information to provide support and guidance to a patient, or to a doctor with respect to a particular patient, regarding the proper use or insertion of the device, it is providing “health care” and, therefore, is a health care provider when engaged in these services. See 65 FR 82569. By contrast, a medical device company is not providing “health care” if it simply sells its appropriately labeled products to another entity for that entity to use or dispense to individuals.
The following are some examples of circumstances in which a covered provider may share protected health information with a medical device company, without the individual’s authorization:
- A covered provider may disclose protected health information needed for an orthopaedic device manufacturer or its representative to determine and deliver the appropriate range of sizes of a prosthesis for the surgeon to use during a particular patient’s surgery. (This would be a treatment disclosure to the device company as a health care provider. Exchanges of protected health information between health care providers for treatment of the individual are not subject to the minimum necessary standards. 45 CFR 164.502(b).)
- The device manufacturer or its representative may be present in the operating room, as requested by the surgeon, to provide support and guidance regarding the appropriate use, implantation, calibration or adjustment of a medical device for that particular patient. (This would be treatment by the device company as a health care provider. As noted in the prior example, treatment disclosures between health care providers are not subject to the minimum necessary standards.)
- A covered provider may allow a representative of a medical device manufacturer to view protected health information, such as films or patient records, to provide consultation, advice or assistance where the provider, in her professional judgment, believes that this will assist with a particular patient’s treatment. (This would also be a treatment disclosure and minimum necessary would not apply.)
- A covered provider may share protected health information with a medical device company as necessary for the device company to receive payment for the health care it provides. (This would be a disclosure for payment of a health care provider and subject to minimum necessary standards.)
- A covered provider may disclose protected health information to a medical device manufacturer that is subject to FDA jurisdiction to report an adverse event, to track an FDA-regulated product, or other purposes related to the quality, safety, or effectiveness of the FDA-regulated product. (This would be a public health disclosure and subject to minimum necessary standards.)
A business associate agreement would not usually be required for the disclosures noted above. For example, a business associate agreement would not be needed for disclosures between health care providers for the treatment of the individual (45 CFR 164.502(e)(1)(ii)(A)). Likewise, a medical device company would not be a business associate of a covered provider with respect to public health disclosures to a device company that is subject to FDA jurisdiction or disclosures to a device company as a health care provider for that company’s payment purposes, as in neither case is the device company performing a function or activity on behalf of, nor providing a specified service to, the covered provider. See 45 CFR 160.103. In other circumstances, however, a business associate agreement may be required even if the disclosure were permitted without an authorization. For example, a business associate agreement would be required if a covered entity asked the medical device company to provide an estimate of the cost savings it might expect from the use of a particular medical device; and to do so, the device company needed access to the covered entity’s protected health information. In this case, the medical device company is performing a health care operations function (business planning and development) on behalf of the covered provider, which requires a business associate agreement even though the disclosure is permitted without an authorization.