Disclosure to Public Health Under the HIPAA Privacy Rule
Immunization registries and HIPAA guidelines. Updated 6/06
Download PDF version formatted for print:
Disclosure to Public Health Under the HIPAA Privacy Rule (PDF: 31KB/1 page)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rule governs the use and disclosure of protected health information. It applies to health plans, health care clearinghouses, and health care providers who transmit certain health claims information electronically. These entities are covered entities under the rule. The rule also applies indirectly to business associates who perform certain functions or activities on behalf of the covered entity such as legal or accounting services. Business associates are bound by the rule through a written contract or memorandum of understanding.
A covered entity must obtain consent for uses and disclosures to carry out treatment, payment, or health care operations. The rule also specifies the uses and disclosures for which an authorization or an opportunity for an individual to agree or object is required.
Section 164.512 addresses the uses and disclosures for which consent, an authorization, or an opportunity to agree or object is not required. Section 164.512(a)permits disclosures that are required by law.
Section 164.512(b) permits a covered entity to disclose protected health information for the public health activities and purposes described in the paragraph. The activities and purposes include:
“(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority.”
Since public health authorities operate most registries in the country, and state laws mandate or allow the sharing immunization data, often without consent, registry activity is not governed by HIPAA. Covered Entities may disclose protected health information to registries without having to provide the opportunity for individuals to agree or object. Registries in turn, because they are not governed by HIPAA, can re-disclose immunization information based on their state laws.