HIPAA’s Privacy Rule seeks to balance the need of public health agencies to access health data with the desire of patients for health care privacy. Often, data sharing is key to preventing communicable diseases from spreading, but it may also be useful for investigating possible environmental hazards or carcinogenic risks.
The Network was asked recently about whether the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) applies to public health issues beyond communicable disease — for example, chronic or environmental disease. Specifically, can local health departments ask for and obtain hospital medical records for investigating a cancer or environmental disease cluster?
The Network examined the language of the HIPAA Privacy Rule and determined that the rule applies to public health’s access to hospital medical records for non-communicable disease investigations. However, the Privacy Rule is not intended to interfere with public health functions. It allows a covered entity (e.g. hospital) to provide protected health information, without authorization, to a public health agency that is authorized to receive such information for the purpose of preventing or controlling disease, injury or disability including but not limited to public health surveillance, investigation, and intervention. (45 CFR § 164.512(b)(1)) Specifically, if a local health department is authorized by law to collect information about cancer cases, then a covered entity can disclose protected health information to the health department for a public health investigation.
The covered entity must also verify (45 CFR § 164.514) the identity of the person requesting the disclosure of health information and the authority of the person to access the health information if the identity or authority are not known to the covered entity. The Privacy Rule sets out the ways a covered entity can verify the identity and authority of a local health department’s health officer or medical director.
Need more information?