Healthcare Informatics Magazine

ONC, OCR Clarify Permitted Disclosures of PHI for Public Health Activities

December 9, 2016
by Heather Landi

The U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) and Office of Civil Rights (OCR) have published a new fact sheet explaining how providers are permitted to share electronic protected health information (PHI) with public health agencies without obtaining an individual’s written authorization.

With the aim of clarifying what the Health Insurance Portability and Accountability Act (HIPAA) allows, the fact sheet explains, through hypothetical scenarios, how these rules work for disclosures of PHI for public health activities to public health agencies that are authorized by state or federal law to collect the information they seek.

In a HealthIT Buzz blog post, Lucia Savage, chief privacy officer at ONC, and Matthew Penn, director of the public health law program at the Centers for Disease Control and Prevention (CDC), wrote that electronic health records provide structured clinical data that help public health workers track, mitigate and eliminate disease.

“Many Americans have not taken full advantage of electronic health record data, perhaps because of confusion about how the Health Insurance Portability and Accountability Act (HIPAA) interacts with and supports the exchange of electronic health information for the purposes of public health,” Savage and Penn wrote.

“The new fact sheet provides examples about how HIPAA supports the electronic exchange of information, including contagious disease tracking, provider participation in cancer registries, and monitoring the health of children who have experienced lead poisoning. These are only some of the examples of permitted disclosures in support of public health activities included in HIPAA regulation 45 CFR 164.512(b) (although it is important to note that all of these permitted disclosures are subject to the minimum necessary rules),” Savage and Penn wrote.

The fact sheet also gives a few examples of sharing PHI in support of other important public health policies. While HIPAA requires that the information disclosed is the minimum information necessary for the purpose, it permits the discloser to reasonably rely on a public health authority’s request as to what information is necessary for the public health activities.

Public health activities described in the new fact sheet include:

  • Collecting protected health information to monitor, prevent, and track disease and vital statistics such as birth and death records; engaging in public health interventions; and other responsibilities of authorized federal, state, or local public health agencies
  • Collecting information about the health of children who have experienced lead poisoning and tracking their neurological development over time
  • Supporting the notification of people who may have been exposed to a communicable disease that the public health department is tracking
  • Enabling employers to meet health safety reporting requirements
  • Participating in state-sponsored cancer registries

ONC and OCR also clarify in the fact sheet that if a Business Associate (BA) discloses PHI for public health activities on behalf of a covered entity (CE), the BA must be authorized to do so in the BA Agreement (BAA) it has with that CE.

“For any of the scenarios in which electronic PHI is disclosed, the discloser must meet the HIPAA Security Rule requirements. All the scenarios apply to all types of CEs, whether they use health information technology (health IT) certified by ONC or other forms of electronic transmission,” ONC and OCR state in the fact sheet.

 
