Does the HIPAA Privacy Rules public health provision permit covered entities to disclose protected health information to authorities such as the National Institutes of Health (NIH)?
The definition of a “public health authority” requires that an agencys official mandate include the responsibility for public health matters. The mandate can be responsibility for public health matters, generally, or it can be for specific public health programs. Furthermore, an agencys official mandate does not have to be exclusively or primarily for public health. Therefore, to the extent a government agency has public health matters as part of its official mandate, it qualifies as a public health authority. For instance, various Department of Health and Human Service agencies, such as NIH and the Health Resources and Services Administration (HRSA), are authorized by law to assist the Secretary of Health and Human Services in carrying out the purposes of section 301 of the Public Health Service Act. Those agencies are public health authorities under the Rule, even if they have other non-public health mandates. To the extent a public health authority is authorized by law to collect or
Related Questions
- Does the HIPAA Privacy Rules public health provision permit covered entities to disclose protected health information to authorities such as the National Institutes of Health (NIH)?
- Is a covered entity required to apply the HIPAA Privacy Rules minimum necessary standard to a disclosure of protected health information it makes to another covered entity?
- May covered entities disclose facially identifiable protected health information, such as name, address, and social security number, for public health purposes?
