How does HIPAA affect public health reporting?
Disclosure without patient authorization is permitted. Cancer and immunization registry reporting of PHI is still permitted even if the entity responsible for the registry is not a public health agency, as long as it is acting under the authority of the agency to perform this public health function.
Scenario 6
A patient dies from meningitis and the local health department requests to view the hospital record to investigate cause of death. The cause turns out to be West Nile virus, which is not on the list of reportable diseases. Is the health department permitted to view the record and is authorization required?
Disclosure without patient authorization is permitted. The privacy rule exception does not require a law or regulation specifically mandating disclosure. The health care provider can release requested information to a public health authority when the information is for the purpose of controlling disease, injury, or disability. The information released should be the minimum necessary for the stated public health purpose, and the provider can rely on the agency to determine what that information is. In this case, examination of the record is permitted and authorization is not required.
Scenario 7
An auditor from the Vaccine for Children program arrives at the office and requests to see patient records to audit adherence to the rules governing this program. Is the auditor allowed to examine records, and is authorization required?
Disclosure without patient authorization is permitted. Patient records can be reviewed by staff of public health agencies authorized by law to collect PHI for program management purposes. No patient authorization is required.
Scenario 8
A local community agency is concerned about the potential health effects of groundwater contamination. They request information about all your patients who have contracted cancer within the past 5 years. What information can you provide them?
PHI disclosure requires patient authorization. This agency, unless acting under the authority of a public health agency to collect PHI, cannot obtain PHI without patient authorization. However, de-identified information could be provided. De-identified data are not covered by HIPAA and do not require individual privacy protection or authorization for release. De-identification means removing the 18 “identifiers” (Table) or enough information that a statistician can conclude that the chance of an individual being identified is remote.
Table. Individual identifiers to be removed from reports
| The following 18 identifiers of a person, or of relatives, employers, or household members of a person must be removed, and the covered entity must not have actual knowledge that the information could be used alone or in combination with other information to identify the individual, for the information to be considered de-identified and not protected health information. |
|---|
| • Names |
| • All geographic subdivisions smaller than a state, including county, city, street address, precinct, zip code (first 3 digits OK if geographic unit contains >20,000 persons), and their equivalent geocodes |
| • All elements of dates (except year) directly related to an individual; all ages >89 and all elements of dates (including year) indicative of such age (except for an aggregate into a single category of age >90) |
| • Telephone numbers |
| • Fax numbers |
| • Electronic mail addresses |
| • Social Security numbers |
| • Medical record numbers |
| • Health-plan beneficiary numbers |
| • Account numbers |
| • Certificate and license numbers |
| • Vehicle identifiers and serial numbers, including license plate numbers |
| • Medical device identifiers and serial numbers |
| • Internet universal resource locators (URLs) |
| • Internet protocol (IP) addresses |
| • Biometric identifiers, including fingerprints and voice prints |
| • Full-face photographic images and any comparable images |
| • Any other unique identifying number, characteristic, or code, except that covered entities may, under certain circumstances, assign a code or other means of record identification that allows de-identified information to be re-identified. |
| Source: “HIPAA privacy rule and public health,” Morbidity and Mortality Weekly Report, April 11, 2003; 52:1–12. |
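The removal-of-identifiers route the table describes can be expressed as a mechanical transform plus a final check that nothing identifying survived in free text. The following Python is an added example, not code from the article or from the MMWR report it cites: it drops the direct-identifier fields, reduces dates to years, truncates ZIP codes to three digits (collapsing small-population prefixes to 000), folds ages over 89 into a single 90+ category, and then refuses to release a record whose narrative fields still contain something that looks like an SSN, phone number, e-mail address or full date. The field names, the sample record, the reference date and the set of small-population ZIP prefixes are constructed assumptions of the example; the statistician's "remote chance of identification" route is not modelled.

```python
import re
from datetime import date

# Constructed for this example: 3-digit ZIP prefixes assumed to cover 20,000 or
# fewer persons. A real list comes from census data; these are placeholders.
SMALL_POPULATION_ZIP3 = {"036", "059", "102"}

# Field names are an assumption of this example, not a standard schema. Each
# corresponds to a direct identifier in the table and is dropped outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Free-text patterns suggesting an identifier survived into a narrative field.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def generalize_zip(zip_code):
    """Keep the first 3 digits; collapse small-population prefixes to '000'."""
    prefix = re.sub(r"\D", "", zip_code or "")[:3]
    if len(prefix) < 3 or prefix in SMALL_POPULATION_ZIP3:
        return "000"
    return prefix


def age_on(birth, reference):
    """Whole years between a birth date and the reference date."""
    years = reference.year - birth.year
    if (reference.month, reference.day) < (birth.month, birth.day):
        years -= 1
    return years


def generalize_age(age):
    """Ages over 89 collapse into the single category '90+'."""
    return "90+" if age > 89 else age


def deidentify(record, reference):
    """Apply the table's rules to one record (a dict of field -> value)."""
    out = {}
    age = None
    birth = record.get("birth_date")
    if isinstance(birth, date):
        age = age_on(birth, reference)
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue  # direct identifier: removed entirely
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "birth_date":
            # Only the year may remain, and not even that when it reveals age >89.
            if age is not None and age <= 89:
                out["birth_year"] = value.year
        elif isinstance(value, date):
            out[key.replace("_date", "") + "_year"] = value.year
        elif key == "age":
            out["age"] = generalize_age(value)
        else:
            out[key] = value
    if age is not None:
        out["age"] = generalize_age(age)
    return out


def residual_identifiers(record):
    """List (field, pattern) pairs where free text still looks identifying."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            for label, pattern in RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    hits.append((key, label))
    return hits


def release(record, reference):
    """De-identify, then refuse to release if narrative fields leak identifiers."""
    cleaned = deidentify(record, reference)
    leaks = residual_identifiers(cleaned)
    if leaks:
        raise ValueError(f"residual identifiers in {leaks}")
    return cleaned


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-000001",
    "street_address": "1 Example Street",
    "city": "Exampleville",
    "zip": "02139-4307",
    "email": "jane@example.com",
    "birth_date": date(1930, 6, 15),
    "diagnosis_date": date(2021, 3, 9),
    "diagnosis": "malignant neoplasm of bronchus",
    "notes": "Follow-up scheduled",
}

if __name__ == "__main__":
    print(release(SAMPLE_RECORD, date(2024, 1, 1)))
```

The structured pass handles the identifiers that live in known fields; the pattern scan is there because the eighteenth item in the table ("any other unique identifying number, characteristic, or code") is usually violated through clinical notes rather than through a labelled column, and a release pipeline should fail closed when that happens rather than ship the record.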
Physician obligations with disclosure
Confirm the legitimacy of a request. Even though physicians can release PHI to public health agencies without a patient’s authorization, they have other obligations to meet. One of these is to ensure that the person or agency requesting PHI is a legitimate public health authority. If the request is made in person, some form of credentials or proof of government status should be provided. If the request is in writing, it should be on official letterhead. A person or agency acting under the authority of a public health agency should provide proof of this authority. If physicians have any doubt about the authenticity of a request, they should call the agency being represented and inquire.
Let patients know. The second obligation is to provide information about the disclosure to the individual whose PHI was released, if this information is requested, and to inform patients in statements about privacy practices that PHI is released to public health agencies when required and permitted by law.