21 December 2016

New HIPAA Guidance: How to Comply With HIPAA and Support Public Health Initiatives

On December 8, 2016, the Department of Health and Human Services Office for Civil Rights, which enforces HIPAA, released a new fact sheet. The fact sheet provides guidance to healthcare providers on when HIPAA permits disclosure of protected health information (PHI) to public health agencies that are authorized by state or federal law to collect health information.

The new fact sheet includes hypothetical scenarios that illustrate when HIPAA permits healthcare providers and other Covered Entities to disclose PHI to public health agencies. For example, one scenario addresses an investigation by the department of health into a measles outbreak. As part of its investigation, the department asks a hospital to provide PHI, including patient name, diagnosis, demographic information and positive test results. The fact sheet clarifies that hospitals are permitted to disclose the requested information and to rely on the department’s representations about what specific PHI is necessary for its investigation. Other scenarios addressed by the fact sheet include notifying people who have been exposed to a communicable disease, tracking the health of children exposed to lead poisoning and participating in state-sponsored cancer registries.

The fact sheet highlights how electronic health records can help public entities and public health workers address public health crises such as Zika, lead poisoning and natural disasters. Importantly, the new guidance emphasizes that any electronic transmission of PHI must comply with HIPAA Security Rule requirements, which address issues such as encryption and user authentication.

Key Takeaways:

  • HIPAA permits disclosure of PHI for a wide variety of public health purposes.
  • While HIPAA requires covered entities to disclose only the minimum information necessary, covered entities can rely on the public health authority’s request as to what information is minimally necessary.
  • Business Associates should consult their Business Associate Agreements (BAA) to ensure the BAA permits disclosure for public health purposes.
  • Any electronic transmissions must comply with the HIPAA Security Rule.

If you have any questions regarding this new guidance, please contact the authors or any member of the Privacy and Data Security practice group.