Immunization Data Sharing and HIPAA
This memo presents the Minnesota Department of Health's analysis of the following two issues related to HIPAA and immunization data sharing.
How HIPAA Interacts with the Minnesota Immunization Data Sharing Law and the School Immunization Law
Disclaimer of Legal Advice: The following is the Minnesota Department of Health's (MDH) analysis of how the Minnesota Immunization Data Sharing Law, M.S. §144.3351, and the School Immunization Law, M.S. §121A.15, interact with the Health Insurance Portability and Accountability Act (HIPAA) privacy rules, 45 CFR Parts 160 and 164. This is not legal advice and you should not rely on it as legal advice. Consult with a lawyer for legal advice.
The following question has been raised by some providers and school officials: Does HIPAA permit disclosure of immunization data to schools and child care providers without patient authorization?
Upon review of the HIPAA privacy rules, the department concludes that HIPAA permits the disclosure of immunization data to schools and child care providers, as allowed under Minnesota's Data Sharing Law, without the patient's authorization.
HIPAA governs the use and disclosure of protected health information (PHI). It applies to health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with certain standard transactions (for example, health claims). These entities are covered entities under the rule.
A covered entity must obtain a written authorization from the individual for the use and disclosure of PHI unless the disclosure is to the individual, is for treatment, payment, or health care operations, or falls under one of the specified exceptions.
The HIPAA Privacy Rules, specifically 45 CFR¹ §164.512, address the uses and disclosures for which an authorization or an opportunity to agree or object is not required. Specifically:
- Section 164.512(a) permits disclosures that are required by law, which includes statutes and rules²; and
- Section 164.512(b) permits a covered entity to disclose PHI for the public health activities and purposes described in that paragraph. The activities and purposes include disclosures to:
"(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; ..."
Under HIPAA, 45 CFR 164.501, "public health authority" is defined as "an agency or authority of . . . a State, . . . a political subdivision of a State . . . , that is responsible for public health matters as part of its official mandate."
The public health mandate can be responsibility for public health matters, generally, or it can be for specific public health programs. Furthermore, an agency's official mandate does not have to be exclusively or primarily for public health. Therefore, to the extent a government agency has public health matters as part of its official mandate, it qualifies as a public health authority for those public health matters. To the extent a public health authority is authorized by law to collect or receive information for the public health purposes specified in the public health provision, covered entities may disclose PHI to such public health authorities without authorization pursuant to the public health provision.
The department believes that under the HIPAA rules, a school or child care provider would be considered a "public health authority" for the purpose of enforcement of the School Immunization Law, M.S. §121A.15.
In summary, Minnesota schools and child care providers are responsible for documentation and enforcement of the school immunization law, which is a public health matter, as part of their official mandate. Therefore, providers can share immunization data with schools and child care providers without patient authorization.
Note on disclosure log requirement: Under 45 CFR 164.528, HIPAA also requires the covered entity to account for disclosures of PHI made to public health authorities without a patient authorization. See the analysis of the disclosure log requirement in the second part of this memo.
Disclaimer of Legal Advice: The following is the Minnesota Department of Health's (MDH) analysis of how a provider may account for public health disclosures to schools and child care providers, as allowed under the Minnesota Immunization Data Sharing Law, M.S. §144.3351, and the School Immunization Law, M.S. §121A.15, and still be in compliance with the Health Insurance Portability and Accountability Act (HIPAA) privacy rules, 45 CFR Parts 160 and 164. This is not legal advice and you should not rely on it as legal advice. Consult with a lawyer for legal advice.
The following concern has been raised by some providers: Does a provider have to keep a disclosure log when they release immunization data to a school or child care provider under the data sharing law?
MDH has concluded that HIPAA permits a provider to account for these disclosures in a general, not patient-specific, manner. For example, when disclosing individual protected health information (PHI) to a public health entity as part of an immunization request from a school or child care provider, a health care provider may keep a general log of the disclosures rather than noting them in the individual patient records (see the example at the end of this memo). This finding is based on review of the HIPAA privacy rule and guidance from the Centers for Disease Control and Prevention (CDC) and the U.S. Department of Health and Human Services (DHHS).
As discussed previously, HIPAA permits the disclosure of immunization data to schools and child care providers, in accordance with Minnesota's Data Sharing Law, without the patient's authorization. At the same time, however, HIPAA requires that a covered entity, such as a provider, account for each disclosure of PHI to a public health authority (here, a school or child care provider) made without patient authorization. Specifically, the provider must maintain a disclosure log of each disclosure of PHI made without the patient's authorization (45 CFR 164.528).
The required accounting of disclosures may be accomplished in different ways. Typically, the covered entity must keep an accounting of each disclosure by date, the information disclosed, the identity of the recipient, and the purpose of the disclosure. However, 45 CFR 164.528(b)(3) does not require this type of log for multiple disclosures to the same recipient for the same purpose. According to the CDC and DHHS:
"Where the covered entity has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy Rule provides for a simplified means of accounting. In such cases, the covered entity need only identify the recipient of such repetitive disclosures, the purpose of the disclosure, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period, and a description of the frequency or periodicity of such disclosures. For example, the vast amount of data exchanged between covered entities and public health authorities is made through ongoing, regular reporting or inspection requirements.³"
The following are a few examples of this type of disclosure.
- A covered health-care provider may routinely report all cases of measles it diagnoses to the local public health authority. The covered entity would not need to annotate each patient's medical record whenever a routine public health disclosure is made. An accounting of such disclosures to a requesting individual would only need to identify the local public health authority receiving the PHI (MDH), the PHI disclosed (measles cases), the purpose for the disclosure (required for communicable disease surveillance), the periodicity (weekly) if applicable, and the first and last dates of such disclosures during the accounting period (May 1, 2003 to June 1, 2003).
- A covered health-care provider may routinely report all required immunizations to schools and child care providers. (These entities are considered public health authorities for the purpose of enforcement of the School Immunization Law, M.S. §121A.15.) The health-care provider would not need to annotate each patient's medical record whenever a routine public health disclosure is made. The accounting of such disclosures would only need the following:
- Receiver of PHI: Name of School or Child Care Facility
- PHI Disclosed: Immunization data
- Purpose of Disclosure: Required for School Immunization Law and permitted under Minnesota Immunization Data Sharing Law
- Dates of Disclosure: August 1, 2003 to December 30, 2003
Based on the above analysis, MDH concludes that covered entities, such as health care providers, may maintain a general, not patient-specific, disclosure log for purposes of sharing immunization data with schools and child care providers.
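The two examples above describe the simplified accounting as a record layout. The following is an added example, not part of the MDH memo and not any vendor's product code, of how a provider's system could produce that accounting from a general disclosure log: disclosures within the accounting period (six years before the request under 45 CFR 164.528, or a shorter period the individual asks for) are grouped by recipient, purpose and PHI description, and a group with several disclosures is reported once with its first and last dates, count and periodicity, while a single disclosure is reported with its own date. The `Disclosure` record layout, the function and constant names, the school and child care facility names and all dates are hypothetical and constructed for illustration.

```python
"""Added example: accounting of disclosures using the simplified form for
repetitive disclosures (45 CFR 164.528(b)(3)) described in the MDH memo.
Hypothetical helper code; record layout, names and dates are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Disclosure:
    """One disclosure of PHI made without patient authorization (hypothetical layout)."""
    disclosed_on: date
    recipient: str         # e.g. a school or child care facility
    phi: str               # description of the PHI disclosed
    purpose: str
    periodicity: str = ""  # declared schedule for routine reports ("weekly"); "" if ad hoc


def accounting_for_period(disclosures, period_start, period_end):
    """Return accounting entries for disclosures made within [period_start, period_end].

    Disclosures are grouped by recipient, purpose, PHI description and declared
    periodicity. A group with one disclosure is reported with its date. A group
    with several disclosures is reported once with first and last date, count
    and periodicity, the simplified accounting permitted for multiple
    disclosures to the same recipient for the same purpose.
    """
    if period_end < period_start:
        raise ValueError("period_end precedes period_start")
    groups = defaultdict(list)
    for d in disclosures:
        if period_start <= d.disclosed_on <= period_end:
            groups[(d.recipient, d.purpose, d.phi, d.periodicity)].append(d.disclosed_on)
    entries = []
    for (recipient, purpose, phi, periodicity), dates in sorted(groups.items()):
        dates.sort()
        entry = {"recipient": recipient, "phi": phi, "purpose": purpose}
        if len(dates) == 1:
            entry["date"] = dates[0].isoformat()
        else:
            entry.update(
                first_date=dates[0].isoformat(),
                last_date=dates[-1].isoformat(),
                count=len(dates),
                periodicity=periodicity or "irregular",
            )
        entries.append(entry)
    return entries


def format_entry(entry):
    """Render one entry in the layout used by the memo's school example."""
    lines = [
        f"Receiver of PHI: {entry['recipient']}",
        f"PHI Disclosed: {entry['phi']}",
        f"Purpose of Disclosure: {entry['purpose']}",
    ]
    if "date" in entry:
        lines.append(f"Date of Disclosure: {entry['date']}")
    else:
        lines.append(
            f"Dates of Disclosure: {entry['first_date']} to {entry['last_date']} "
            f"({entry['periodicity']}, {entry['count']} disclosures)"
        )
    return lines


# Constructed sample data (not real disclosures): a weekly immunization report
# to a school from Aug 1 to Dec 26, 2003, one ad hoc disclosure to a child care
# facility, and one disclosure that falls outside the accounting period.
SCHOOL_PURPOSE = ("Required for School Immunization Law and permitted under "
                  "Minnesota Immunization Data Sharing Law")
SAMPLE_DISCLOSURES = [
    Disclosure(date(2003, 8, 1) + timedelta(weeks=k), "Lincoln Elementary School",
               "Immunization data", SCHOOL_PURPOSE, "weekly")
    for k in range(22)
] + [
    Disclosure(date(2003, 10, 6), "Little Sprouts Child Care", "Immunization data",
               SCHOOL_PURPOSE),
    Disclosure(date(2004, 1, 5), "Lincoln Elementary School", "Immunization data",
               SCHOOL_PURPOSE, "weekly"),
]
ACCOUNTING_PERIOD = (date(2003, 8, 1), date(2003, 12, 31))


def sample_accounting():
    """Accounting for the constructed sample over the constructed period."""
    return accounting_for_period(SAMPLE_DISCLOSURES, *ACCOUNTING_PERIOD)


if __name__ == "__main__":
    for entry in sample_accounting():
        print("\n".join(format_entry(entry)), end="\n\n")
```

Grouping on the declared periodicity keeps a scheduled weekly report separate from an ad hoc disclosure to the same recipient, so the accounting does not misstate an irregular disclosure as part of the routine schedule; the January 2004 disclosure is dropped because the period filter is applied before grouping.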
Minnesota Department of Health
Reviewed May 2014
¹ CFR is the Code of Federal Regulations.
² 45 CFR 164.502, Definitions.
³ MMWR, April 11, 2003, Vol. 52 (Early Release): HIPAA Privacy Rule and Public Health; Guidance from CDC and the U.S. Department of Health and Human Services.