The Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR) recently released a fact sheet on permitted uses and disclosures of protected health information (PHI). The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets forth regulations for protecting and securing PHI. HIPAA also states the circumstances in which covered entities are permitted, but not required, to use and disclose PHI for activities without obtaining an authorization.
The ONC and OCR present hypothetical scenarios applying HIPAA to disclosures of PHI for public health activities made to public health agencies. Further, the ONC and OCR list instances of using and disclosing PHI to support public health policies. Other provisions of the HIPAA Privacy and Security Rules may apply for certain types of disclosures. For instance, the discloser must meet requirements set forth in the HIPAA Security Rule when disclosing electronic PHI.
The fact sheet applies HIPAA to the following scenarios:
- Exchange for reporting of disease;
- Exchange for conduct of public health surveillance;
- Exchange for public health investigations;
- Exchange for public health interventions (two scenarios);
- Exchange subject to Food and Drug Administration (FDA) jurisdiction;
- Exchange for persons exposed to communicable disease and for related public health investigation;
- Exchange in support of medical surveillance of the workplace; and
- Use of certified electronic health record technology.
The OCR fact sheet is available at: