Hepatitis B Perinatal Reporting and HIPAA
This memo addresses the Minnesota Department of Health's analysis on the following two issues related to HIPAA and the Perinatal Hepatitis B Prevention Program:
- How HIPAA Interacts with the Perinatal Hepatitis B Prevention Program
- Logging Public Health Disclosures Under HIPAA
*MDH wrote another memo addressing the interaction of HIPAA and the Minnesota Communicable Disease Reporting Rule in general. For copies of this memo, contact the Perinatal Hepatitis B Prevention Program at 651-201-5557.
Disclaimer of Legal Advice: The following is the Minnesota Department of Health's (MDH) analysis of how the Minnesota Communicable Disease Reporting Rule, Parts 4506.7000 to 4605.7900, and Minnesota Statutes, §144.05, subd. 1(a) interact with the Health Insurance Portability and Accountability Act (HIPAA, privacy rules, 45 CFR 160 and 164) with regard to the Perinatal Hepatitis B Prevention Program. This is not legal advice and you should not rely on it as legal advice. Consult with a lawyer for legal advice.
The following question has been raised by some providers, their medical records departments, and their staff: Does HIPAA permit disclosure of specific patient medical information related to hepatitis B infections and perinatal reporting to MDH or other local public health authorities without patient authorization?
MDH has concluded that HIPAA permits a provider and/or the provider's medical records department or staff to release medical information pertaining to a mother's hepatitis B status, her contacts, her pregnancy, and her baby without the patient's authorization in accordance with the Minnesota Communicable Disease Reporting Rules and M.S. §144.05, subd. 1(a). This finding was based upon a review of the HIPAA privacy rule and guidance from the U.S. Centers for Disease Control and Prevention (CDC) and U.S. Department of Health and Human Services (HHS).¹
The patient's medical information must be related to the communicable disease report. This information includes, but is not limited to, personally identifiable information on the patient and their contacts, the tests conducted, the results of those tests, treatments related to the disease, and other pertinent information.
General HIPAA Information
HIPAA governs the use and disclosure of protected health information (PHI). It applies to health plans, health care clearinghouses, and health care providers who transmit certain health claims information electronically. These entities are covered entities under the rule.
A covered entity must obtain a written authorization from the individual for the use and disclosure of PHI unless the disclosure is to the individual, for treatment, payment, or health care operations, or the disclosure falls under one of the specified exceptions.
The HIPAA privacy rules, specifically 45 CFR² §164.512, address the uses and disclosures of PHI for which an authorization or an opportunity to agree or object is not required. Specifically:
- Section 164.512(a) permits disclosures that are required by law, which includes statutes and rules;³ and
- Section 164.512(b) permits a covered entity to disclose PHI to:
"(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; . . ."
Under HIPAA, 45 CFR 164.501, Public health authority is defined as "an agency or authority of , a State, . . ., or a political subdivision of a State . . . , that is responsible for public health matters as part of its official mandate."
Therefore, to the extent a public health authority is authorized by law to collect or receive information for public health purposes, covered entities may disclose PHI to such public health authority without patient authorization.
Minnesota laws authorizing the collection of hepatitis B cases
Minn. Stat. §144.05, subd. 1(a)⁴ and Minnesota Rules, Part 4605.7040 and 4605.7090 require providers to report cases of hepatitis B and outline the information to be provided. Minnesota Rules, Part 4605.7500 directs the commissioner "to investigate the occurrence of cases, suspected cases, or carriers of reportable diseases ... identifying unreported cases, locating contacts of cases, identifying those at risk of disease, determining the necessary control measures."
Nine out of ten (90%) babies born to women with chronic hepatitis B will become chronic carriers if left untreated and may pass it on to others with whom they come in close contact. In addition, a chronic carrier can develop chronic liver disease, cirrhosis of the liver, or primary liver cancer. Therefore, to protect the public's health, the state must know a pregnant woman's hepatitis B status, be able to conduct a case contact investigation, and collect information on her baby.
Even though the communicable disease rule does not specifically refer to hepatitis B perinatal reporting, it does specifically list hepatitis as a reportable disease. Therefore, under current Minnesota rules and statutes, providers are allowed under HIPAA to report the information regarding this program to MDH or other local public health authorities.
In summary, M.S. §144.05, subd. 1(a) and the Minnesota Communicable Disease Reporting Rules, Parts 4506.7000 to 4605.7900, allow MDH and local public health authorities to conduct studies and investigations on communicable diseases to protect the public's health. Therefore, providers, their medical records departments, and their staff can share medical information pertaining to a communicable disease investigation, e.g., hepatitis B, without patient authorization.
Disclaimer of Legal Advice: The following is the Minnesota Department of Health's (MDH) analysis of how a provider may account for public health disclosures to public health entities as allowed by the Minnesota Disease Reporting Rule and Minnesota Statutes, §144.05, subd. 1(a) and still be in compliance with the Health Insurance Portability and Accountability Act (HIPAA), privacy rules, 45 CFR 160 and 164. This is not legal advice and you should not rely on it as legal advice. Consult with a lawyer for legal advice.
The following concern has been raised by some providers: Does a provider or its medical records department have to keep a disclosure log when they release specific patient medical information related to a communicable disease investigation to MDH or other local public health entities without patient authorization?
MDH has concluded that HIPAA permits a provider to account for these disclosures in a general, not patient-specific, manner in instances of an ongoing, regular reporting or inspection requirement. For example, when disclosing individual protected health information (PHI) to a public health entity as part of a communicable disease investigation, a provider may keep a general log of disclosures rather than noting them in the individual patient records (see example at end of memo). This finding is based on review of HIPAA privacy rules and guidance from the Centers for Disease Control and Prevention (CDC) and the U.S. Department of Health and Human Services (DHHS).
As discussed previously, HIPAA permits a provider or the provider's medical records department or staff to release a patient's medical information pertaining to a communicable disease in accordance with the Minnesota Communicable Disease Reporting Rule and M.S. §144.05, subd. 1(a) without the patient's authorization. At the same time, however, HIPAA requires that a covered entity, such as a provider, account for each disclosure of PHI to a public health authority without patient authorization. Specifically, the provider must maintain a disclosure log each time they disclose PHI without patient authorization (45 CFR 164.528).
The required accounting of disclosures may be accomplished in different ways. Typically, the covered entity must keep an accounting of each disclosure by date, the information disclosed, the identity of the recipient, and the purpose of the disclosure. However, 45 CFR 164.528(b)(3) does not require this type of log when a provider makes multiple disclosures for the same purpose. According to the CDC and DHHS,
"Where the covered entity has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy Rule provides for a simplified means of accounting. In such cases, the covered entity need only identify the recipient of such repetitive disclosures, the purpose of the disclosure, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked.
Rather, the accounting may include the date of the first and last such disclosure during the accounting period, and a description of the frequency or periodicity of such disclosures. For example, the vast amount of data exchanged between covered entities and public health authorities is made through ongoing, regular reporting or inspection requirement."¹
The following is an example of this type of disclosure.
- A health-care provider covered by HIPAA routinely reports all cases of hepatitis B or E. coli it diagnoses to the local public health authority. In this instance, the provider (covered entity) does not need to annotate each patient's medical record when these routine public health disclosures are made. Instead, the provider only needs to keep a general log of the following:
- Receiver of PHI: Name of public health entity
- PHI disclosed: Hepatitis B or E. coli cases
- Purpose of disclosure: Required for communicable disease surveillance under the MN Communicable Disease Reporting Rules
- The periodicity: Weekly (if applicable)
- Dates of disclosure: For example, August 1, 2003 to December 30, 2003
Based on the above analysis, MDH concludes that covered entities, such as health professionals, may maintain a general, not patient-specific, disclosure log for purposes of ongoing, regular reporting or inspection requirements.
Minnesota Department of Health,
April 23, 2003
11, 2003 Vol 52/Early Release MMWR: HIPAA Privacy Rule and Public Health;
Guidance from CDC and the U.S. Department of Health and Human Services
² CFR is the Code of Federal Regulations.
³ 45 CFR 164.502, Definitions.
⁴ M.S. §144.05, subd. 1(a) gives the commissioner of health authority to conduct studies and investigations, collect and analyze health and vital data, and identify and describe health problems.