HIPAA Guidance Focuses on Disclosing PHI for Public Health
HHS Fact Sheet Clarifies What the Privacy Regulations Allow
Federal regulators have issued new guidance to clarify what uses and disclosures of patient information for public health reporting, surveillance and investigations are permitted under HIPAA's privacy regulations.
The new fact sheet was issued Dec. 8 by the Department of Health and Human Services Office for Civil Rights, which enforces HIPAA, in collaboration with the HHS' Office of National Coordinator for Health IT, which oversees policies and standards for electronic health records.
Privacy attorney Kirk Nahra of the law firm Wiley Rein says the new guidance could be helpful in reducing confusion and also in urging healthcare providers to voluntarily share information that, in most cases, they are not legally required to disclose but that is important to public health agencies' efforts.
"This is a perfect example of guidance that is designed to generally encourage something that is desirable from a public policy perspective," he says. "HIPAA permits a broad range of public policy disclosures but generally doesn't require them. This guidance tries to make it easier for providers to understand when they are allowed to do this, with the goal of encouraging these disclosures. It's not clear this is a problem or that this will give providers enough reason to do this, but it is useful and something that is generally a good thing to see from [OCR]."
The fact sheet provides a number of scenarios illustrating HIPAA-permitted disclosures of PHI to public health agencies that are authorized by state or federal law to collect information. It also includes examples of sharing PHI in support of public health policies.
"HIPAA provides regulations that describe the circumstances in which CEs [covered entities] are permitted, but not required, to use and disclose PHI for certain activities without first obtaining an individual's authorization," the fact sheet explains. "While HIPAA requires that the information disclosed is the minimum information necessary for the purpose, it permits the discloser to reasonably rely on a public health authority's request as to what information is necessary for the public health activities."
Public Health EHR Data Sharing
Examples of scenarios involving the sharing of PHI with public health agencies include the exchange of information for:
- Reporting diseases;
- Assisting in public health investigations and surveillance;
- Aiding in public health interventions, such as addressing contaminated water supplies;
- Medical surveillance of the workplace;
- Aiding in Food and Drug Administration "jurisdiction" activities such as safety-related recalls of medical devices.
The guidance also clarifies that providers can use EHRs when sharing the PHI with public health agencies.
"All the scenarios apply to all types of covered entities, whether they use health information technology certified by ONC or other forms of electronic transmission," the guidance notes. When electronic PHI is disclosed and shared for public health purposes, the discloser must meet the HIPAA Security Rule requirements.
The fact sheet also notes that, depending upon the nature and manner of a disclosure, other requirements of the HIPAA privacy and security rules may be applicable. "For example, if a business associate discloses PHI for public health activities on behalf of a covered entity, the BA must be authorized to do so in the BA agreement it has with the CE."
Improving Public Health
In a blog post about the new guidance, Lucia Savage, ONC chief privacy officer, and Matthew Penn, director of the public health law program at the Centers for Disease Control and Prevention, note: "Electronic health records provide structured clinical data that help public health workers track, mitigate and eliminate disease. They also offer us the opportunity to improve health across the country and address public health crises such as Zika, Ebola, lead poisoning and natural disaster."
The fact sheet aims to illustrate "how HIPAA supports electronic information exchange, including contagious disease tracking, provider participation in cancer registries and monitoring the health of children who have experienced lead poisoning," they add.