How do you account for the Health Insurance Portability and Accountability Act of 1996 (HIPAA) policy requirements for personal information privacy and ensure compliance?
The HIPAA privacy rule permits disclosure to public health authorities without further authorization. Covered entities are permitted to disclose Protected Health Information to public health authorities without patients authorization as defined at 45 C.F.R 164.501 and as used in 45 C.F.R. 164.512(b), Standards for Privacy of Individuality Identifiable Health Information, promulgated under HIPAA. However, access to identifying data is tightly controlled within the CRA application. The level of access is determined by the requirements of the specific event. For instance, with the National Smallpox Preparedness Program and the monkeypox outbreaks, patient-identifying information was captured in the CRA application, then referred to Pre-Event Vaccination System (PVS) and made available only to jurisdictional users. Identifying data were not shared for national reporting. Data are transported, maintained, and stored using federal security methods which are consistent with the HIPAA security
