
HIPAA, Privacy Rules and Communicable Diseases

posted on Sun, May 1 2011 12:00 am by Northern and Mid-States Regions

A public health practitioner at a state health department contacted the Network because of concerns about effectively carrying out the department’s public health surveillance and investigations while still applying HIPAA privacy regulations. In December 2000, the U.S. Department of Health and Human Services adopted regulations to protect the privacy of individually identifiable health information (Privacy Rule). These regulations were adopted under the Health Insurance Portability and Accountability Act (HIPAA) to set national standards for the use and disclosure of health information. For entities that are covered by HIPAA, the Privacy Rule prohibits disclosure of “individually identifiable health information” unless required or permitted by the Rule. Generally, information is identifiable if it contains geographic identifiers smaller than a state, absent statistical proof otherwise. This means that a covered entity would be prohibited from disclosing communicable disease data identifiable by county. The practitioner contacted the Network regarding this specific provision, hoping to find a way in which his health department could comply with HIPAA regulations while still keeping the public informed of communicable diseases in their locality.

The Network’s Northern and Mid-States regions coordinated to comprehensively analyze the issues and provide assistance. The practitioner’s health department had chosen to apply HIPAA to its entire department as a covered entity, meaning that every component of the department would be required to follow HIPAA’s mandates regarding health information disclosure. Another option would be to adopt a “hybrid” structure since the health department performs both covered and non-covered functions. If a covered entity decides to be a hybrid, it must define and designate its covered and non-covered components. Only the covered components would then be subject to HIPAA. Often, programs that conduct disease surveillance, investigation and response do not perform covered functions. Thus, a “hybrid” structure might allow the department to provide the public with the necessary information about communicable diseases while still protecting the privacy of individuals’ health information. The Network sent the practitioner information about forming a hybrid, along with examples of actual policies and analyses to form a hybrid, and of designated covered and non-covered entities, shared by another state health department.
