1. What is the HIPAA Privacy Rule?
In 1996 the U.S. Congress passed a law to increase individuals' ability to obtain and maintain health insurance coverage, which also included, among other things, uniform federal privacy protections for individually identifiable health information. This law is called the Health Insurance Portability and Accountability Act of 1996, or "HIPAA." The U.S. Department of Health and Human Services recently issued final regulations implementing the privacy provisions of HIPAA. These regulations are called the "Privacy Rule." Copies of the HIPAA Privacy Rule, as well as helpful explanatory materials, may be found at the HHS Office of Civil Rights.
2. Was HIPAA, a federal law, intended to limit the health information traditionally disclosed to Public Health Agencies under state law?
No. The HIPAA statute explicitly provides that it is not intended to limit existing state public health activities. Existing and future state laws relating to public health surveillance, investigation and intervention are not affected by the Privacy Regulations, and covered entities are not precluded from complying with requests authorized by state law for release of information to the Massachusetts Department of Public Health (MDPH). HIPAA should not interfere with the traditional reporting relationships between covered entities and MDPH.
3. What is a "Public Health Authority" under HIPAA?
HIPAA defines a Public Health Authority as "an agency or authority of the United States, a State or territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate." 45 C.F.R. §164.501.
HIPAA provides that covered entities may disclose protected health information (PHI) to a public health authority that "is authorized by law to collect or receive such information for the purposes of preventing or controlling disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations and public health interventions." 45 C.F.R. §164.512(b). The Massachusetts Department of Public Health and local boards of health are public health authorities.
4. What is a "Health Oversight Agency" under HIPAA?
HIPAA defines a Health Oversight Agency as "an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant." The Massachusetts Department of Public Health is a health oversight agency.
5. What is the status of the Massachusetts Department of Public Health under HIPAA?
MDPH is a hybrid entity, whose activities include both covered and non-covered functions. Only covered components are required to comply with the HIPAA Privacy and Security Rules.
6. Does HIPAA require covered entities to obtain written authorization from the individual before reporting protected health information to DPH?
No. The Privacy Rule provisions that authorize disclosure of protected health information when the disclosure is required by law, or when it is made for public health activities to a public health authority authorized by law to collect or receive such information, are exceptions to the requirement for written authorization.
7. Are covered entities required to provide individuals upon request with an accounting of any protected health information that the entity has disclosed about them to DPH?
Yes. HIPAA requires covered entities to provide an accounting of most disclosures of protected health information, including disclosures made for public health purposes, health oversight and those made as required by law. See 45 C.F.R. §164.528.
8. Are covered entities required to sign business associate agreements with public health agencies to which they report protected health information?
No. A covered entity is required to execute a business associate agreement only when there is a business associate relationship. A business associate relationship arises when any person (including an organization) performs a function or activity involving PHI on behalf of the covered entity, or provides a service to the covered entity involving PHI; it does not arise every time a covered entity discloses PHI. Reporting to a public health authority does not require a business associate agreement.