The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of individually identifiable health information and sets national standards to ensure the security of electronic health data. For public health agencies and health care providers, ensuring compliance with HIPAA rules can be daunting. In February, the Network for Public Health Law and the CDC Public Health Law Program co-hosted a webinar entitled HIPAA and Public Health — Recent Developments to provide information and guidance. In the following Q&A, Network Attorney Jennifer Bernstein answers a few questions submitted by webinar attendees.
Q: If a patient tests positive for a sexually transmitted infection and the patient requests no disclosure be made to their spouse, do the patient's privacy rights trump the spouse's right to know for their safety?
Jennifer Bernstein: Under HIPAA, there is no requirement for health care providers to notify a patient’s spouse of a diagnosis of a sexually transmitted infection. If a patient does not consent to a disclosure, then under HIPAA, the patient has the right to keep the information confidential and the health care provider cannot disclose the information.
State laws may vary from the HIPAA rule, so it is important to research your state’s laws regarding partner notification. For example, under Texas law, doctors and public health officials are required to inform known sexual contacts of patients who have tested positive for HIV. Other states authorize, but do not require, physicians and public health officials to notify partners of individuals who have tested positive for HIV without the consent of the patient.
Q: If we have obtained a signed permission from a patient for the disclosure of their protected health information, do we still need to keep a log of those disclosures?
Jennifer Bernstein: The Privacy Rule does not require covered entities to document any information that is used or disclosed for treatment, payment or health care operations. The Rule does include documentation requirements for information disclosures for other purposes. Under 45 CFR 164.528, the Privacy Rule requires a covered entity to provide an accounting of certain disclosures, including disclosures to public health agencies or business associates, to the individual upon request. A record of a disclosure must include: the date of the disclosure; the name and address of the recipient of the protected health information; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure.
Q: Does individual protected health information provided to an individual electronically have to be encrypted?
Jennifer Bernstein: For the transmission of any protected health information, such as via e-mail, covered entities must do a risk analysis to determine the appropriate way to protect this information. Encryption is not required, but must be considered in the risk analysis. Encryption is one method for ensuring the safety of protected health information and is not subject to the Breach Notification Rule, even if intercepted, because encrypted information is considered "unusable, unreadable, or indecipherable."
Q: Are there any websites we can use for additional information on HIPAA?
Jennifer Bernstein: The Department of Health and Human Services, Office for Civil Rights website has an expansive section on HIPAA with detailed information on most aspects of HIPAA.
Jennifer Bernstein, J.D., M.P.H., is senior attorney at the Network for Public Health Law – Mid-States Region at the University of Michigan School of Public Health.
The Network for Public Health Law provides information and technical assistance on issues related to public health. The legal information and assistance provided in this document does not constitute legal advice or legal representation. For legal advice, readers should consult a lawyer in their state. This blog post does not represent the views of the Robert Wood Johnson Foundation.