Frequently Asked Questions About Sexually Transmitted Disease (STD) Reporting

Download versions formatted for print: (PDF: 18KB/2 pages)

On This Page:
Who is required to report STDs to the Minnesota Department of Health (MDH)?
What information are clinicians and laboratories required to report?
Can I still disclose this information under HIPAA?
Is written consent by the patient required to release this information?
Do I have to account for disclosures when I report STD information to MDH without the patient's authorization?
Disclaimer of Legal Advice



1. Who is required to report STDs to the Minnesota Department of Health (MDH)?

Under Minnesota state law, physicians, health care facilities, and medical laboratories are required to report all laboratory-confirmed cases of chlamydia, gonorrhea, syphilis, and chancroid to the Minnesota Department of Health (MDH) [Minnesota Rules, part 4605.7030-7040].

2. What information are clinicians and laboratories required to report?
The case report must include as much of the following information as is known: patient name, birth date, ethnicity, race, residence, date of specimen collection, treatment prescribed or dispensed, treatment date, physician name, address, phone number, and other information pertinent to the case [Minnesota Rules, part 4605.7090].

3. Can I still disclose this information under HIPAA?
YES. Public health reporting mandated by law is not changed by HIPAA. In fact, HIPAA expressly permits protected health information (PHI) to be shared for specified public health purposes. The HIPAA Privacy Rule allows covered entities to disclose PHI to public health authorities when required by federal, tribal, state, or local laws [45 CFR § 164.512(a)]. This includes state statutes and rules that provide for reporting of disease or injury, child abuse, birth or death, or conducting public health surveillance, investigation, or intervention. For disclosures not required by law, covered entities may still disclose PHI, without individual authorization, to a public health authority legally authorized to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability [45 CFR § 164.512(b)]. (Centers for Disease Control and Prevention. HIPAA Privacy Rule and Public Health: Guidance from CDC and the U.S. Department of Health and Human Services. MMWR 2003; 52(Supl):8.)

4. Is written consent by the patient required to release this information?
NO. Under the HIPAA privacy rules, no patient authorization or consent form is required for mandated reporting [45 CFR § 164.512(a)] or for public health activities [45 CFR § 164.512(b)].

5. Do I have to account for disclosures when I report STD information to MDH without the patient's authorization?
YES. HIPAA requires an accounting for disclosures made without patient authorization, including disclosures for public health purposes. Typically, the covered entity must provide the individual with an accounting of each disclosure by date, the PHI disclosed, the identity of the recipient of the PHI, and the purpose of the disclosure. However, where the provider has made multiple STD reports during the accounting period, the Privacy Rule provides for a simplified means of accounting. In such cases, the provider need only identify MDH as the recipient of such repetitive disclosures, that the disclosures were STD reports required by Minnesota Rules, chapter 4605, routinely consisting of all laboratory-confirmed cases of chlamydia, gonorrhea, syphilis, and chancroid along with the patient name, birth date, ethnicity, race, residence, date of specimen collection, treatment prescribed or dispensed, treatment date, physician name, address, and phone number, and other information pertinent to the case. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period, and a description of the frequency or periodicity of such disclosures. Thus, the provider would not need to annotate each patient's medical record whenever a routine STD report was made. [45 CFR § 164.528(b)(3)]

Disclaimer of Legal Advice: The above is MDH's analysis of how the Minnesota Sexually Transmitted Disease Reporting requirements interact with the Health Insurance Portability and Accountability Act (HIPAA), privacy rules, 45 CFR 160 and 164. This is not legal advice and you should not rely on it as legal advice. Consult with a lawyer for legal advice.

Content Notice: This site contains HIV or STD prevention messages that may not be appropriate for all audiences. Since HIV and other STDs are spread primarily through sexual practices or by sharing needles, prevention messages and programs may address these topics. If you are not seeking such information or may be offended by such materials, please exit this web site.

Updated Tuesday, 26-Mar-2013 15:11:39 CDT