HHS/OCR Issues Guidance on Disclosures of Protected Health Information for Public Health Purposes Under HIPAA

On December 18, the Department of Health and Human Services, Office for Civil Rights Compliance (“OCR”) issued “Guidance on HIPAA, Health Information Exchanges, and Disclosures for Public Health Purposes” (the “Guidance”). In a statement accompanying the Guidance, OCR Director Roger Severino said that the Guidance “highlight[s] how HIPAA supports the use of health information exchanges in sharing health data to improve the public’s health” during the COVID-19 public health emergency.

Specifically, the Guidance gives examples, in the form of questions and answers, of how covered entities (and their business associates) may disclose protected health information (“PHI”) to a health information exchange (“HIE”) for reporting to a local, state or federal public health authority that is authorized by law to collect or receive PHI for public health activities. Examples of public health activities of particular relevance to the COVID-19 pandemic include preventing or controlling disease, reporting disease, conducting public health surveillance, investigations and interventions.

An HIE is defined in the Guidance as “an organization that enables the sharing of electronic PHI among two or more unaffiliated entities, such as health care providers, health plans and business associates, for treatment, payment or health care operations purposes.” HIEs may also perform other activities for their participants, including, but not limited to, public health reporting to public health authorities.

The Guidance clarifies that a covered entity or business associate may disclose PHI to an HIE for purposes of reporting PHI to a public health authority (“PHA”), without an individual’s authorization, in the following situations:

  • When the disclosure is required by law (federal, state or local);
  • When an HIE is a business associate of the covered entity that wishes to provide the information to a public health authority for public health activities (in accordance with the business associate agreement between the HIE and covered entity); or
  • When the HIE is acting under a grant of authority or contract with a public health agency for a public health activity. (For example, the state Department of Health can engage an HIE to collect test results and associated patient information from health care providers and transmit that information directly to the state’s electronic contact tracing systems.)

Other topics addressed in the Guidance include:

  • Can a covered entity rely on a PHA’s request to disclose a summary record to a PHA or HIE as being the minimum necessary PHI needed by the PHA to accomplish the public health purpose of the disclosure? (Short answer, yes. One example: “when the Centers for Disease Control and Prevention . . . requests that health care providers disclose PHI on an ongoing basis for all prior and current cases of patients exposed to COVID-19, whether suspected or confirmed, using Electronic Case Reporting (eCR), the automated generation and transmission of case reports from EHRs to public health agencies, for review and action.”);
  • May a covered entity disclose PHI to a PHA without receiving a direct request from the PHA? (Short answer, yes);
  • May an HIE provide PHI it has received as a business associate of a covered entity to a PHA for public health purposes without first obtaining permission from the covered entity? (Short answer, yes, during the COVID-19 public health emergency);
  • Is a covered entity required to provide notice to individuals about its disclosures of PHI to a PHA for public health purposes? (Short answer, yes, a covered entity is required to provide notice that it discloses PHI for public health purposes, including for public health purposes for which the covered entity may use or disclose PHI without the individual’s authorization, in its Notice of Privacy Practices); and
  • Is an HIE that is a business associate required to provide such notice? (Short answer, no, a business associate is not required to provide a Notice of Privacy Practices, but disclosures made by a covered entity to a PHA or the covered entity’s business associate for public health purposes will be subject to the accounting of disclosures rule).

The Guidance should be helpful to covered entities and their business associates as the COVID-19 public health emergency continues and PHAs request more data on testing, test results and associated PHI for public health activities.