Morbidity and Mortality Weekly Report
Early Release
April 11, 2003 / Vol. 52

Department of Health and Human Services
Centers for Disease Control and Prevention

HIPAA Privacy Rule and Public Health
Guidance from CDC and the U.S. Department of Health and Human Services

SUGGESTED CITATION: Centers for Disease Control and Prevention. HIPAA Privacy Rule and public health: guidance from CDC and the U.S. Department of Health and Human Services. MMWR 2003;52(Early Release):[inclusive page numbers].

The MMWR series of publications is published by the Epidemiology Program Office, Centers for Disease Control and Prevention (CDC), U.S. Department of Health and Human Services, Atlanta, GA 30333.

Centers for Disease Control and Prevention

Julie L. Gerberding, M.D., M.P.H., Director
David W. Fleming, M.D., Deputy Director for Public Health Science
Dixie E. Snider, Jr., M.D., M.P.H., Associate Director for Science

Epidemiology Program Office
Stephen B. Thacker, M.D., M.Sc., Director

Office of Scientific and Health Communications
John W. Ward, M.D., Director; Editor, MMWR Series
Suzanne M. Hewitt, M.P.A., Managing Editor, MMWR Series
C. Kay Smith-Akin, M.Ed., Lead Technical Writer/Editor
Douglas W. Weatherwax, Project Editor
Beverly J. Holland, Lead Visual Information Specialist
Malbea A. Heilman, Visual Information Specialist
Quang M. Doan, Erica R. Shaver, Information Technology Specialists

CONTENTS

Introduction .......... 1
Impact on Public Health .......... 2
Overview of the Privacy Rule .......... 3
  Who Is Covered .......... 3
  Types of Health Information .......... 3
  What is Required .......... 4
The Privacy Rule and Public Health .......... 6
  Disclosures for Public Health Purposes .......... 8
  Requirements for Covered Entities .......... 8
The Privacy Rule and Public Health Research .......... 10
  Research Versus Practice .......... 10
The Privacy Rule and Other Laws .......... 10
Online Resources .......... 11
  Federal Government Resources .......... 11
  State Government Resources .......... 11
  Associations, Nonprofit Organizations, and Academic Resources .......... 12
Acknowledgments .......... 12
References .......... 12
Appendix A .......... 13
Appendix B .......... 19

The material in this report originated in the Epidemiology Program Office, Stephen B. Thacker, M.D., M.Sc., Director.

Prepared by CDC staff in consultation with the Office of the General Counsel, the Office for Civil Rights, other offices and agencies within the U.S. Department of Health and Human Services, Washington, DC, and health privacy specialists.

HIPAA Privacy Rule and Public Health
Guidance from CDC and the U.S. Department of Health and Human Services

Summary

New national health information privacy standards have been issued by the U.S. Department of Health and Human Services (DHHS), pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The new regulations provide protection for the privacy of certain individually identifiable health data, referred to as protected health information (PHI). Balancing the protection of individual health information with the need to protect public health, the Privacy Rule expressly permits disclosures without individual authorization to public health authorities authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to public health surveillance, investigation, and intervention.

Public health practice often requires the acquisition, use, and exchange of PHI to perform public health activities (e.g., public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, direct health services, and public health research). Such information enables public health authorities to implement mandated activities (e.g., identifying, monitoring, and responding to death, disease, and disability among populations) and accomplish public health objectives. Public health authorities have a long history of respecting the confidentiality of PHI, and the majority of states, as well as the federal government, have laws that govern the use of, and serve to protect, identifiable information collected by public health authorities.

The purpose of this report is to help public health agencies and others understand and interpret their responsibilities under the Privacy Rule. Elsewhere, comprehensive DHHS guidance is located at the HIPAA website of the Office for Civil Rights (http://www.hhs.gov/ocr/hipaa).

Introduction

The shift of medical records from paper to electronic formats has increased the potential for individuals to access, use, and disclose sensitive personal health data. Although protecting individual privacy is a long-standing tradition among health-care providers and public health practitioners in the United States, previous legal protections at the federal, tribal, state, and local levels were inconsistent and inadequate. A patchwork of laws provided narrow privacy protections for selected health data and certain keepers of that data (1).

The U.S. Department of Health and Human Services (DHHS) has addressed these concerns with new privacy standards that set a national minimum of basic protections, while balancing individual needs with those of society. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was adopted to ensure health insurance coverage after leaving an employer and also to provide standards for facilitating health-care-related electronic transactions. To improve the efficiency and effectiveness of the health-care system, HIPAA included administrative simplification provisions that required DHHS to adopt national standards for electronic health-care transactions (2). At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated adoption of federal privacy protections for certain individually identifiable health information.

The HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) (3) provides the first national standards for protecting the privacy of health information. The Privacy Rule regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI). PHI is individually identifiable health information that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral) but excludes certain educational records and employment records. Among other provisions, the Privacy Rule

• gives patients more control over their health information;
• sets boundaries on the use and release of health records;
• establishes appropriate safeguards that the majority of health-care providers and others must achieve to protect the privacy of health information;
• holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients' privacy rights;
• strikes a balance when public health responsibilities support disclosure of certain forms of data;
• enables patients to make informed choices based on how individual health information may be used;
• enables patients to find out how their information may be used and what disclosures of their information have been made;
• generally limits release of information to the minimum reasonably needed for the purpose of the disclosure;
• generally gives patients the right to obtain a copy of their own health records and request corrections; and
• empowers individuals to control certain uses and disclosures of their health information.

The deadline to comply with the Privacy Rule is April 14, 2003, for the majority of the three types of covered entities specified by the rule [45 CFR § 160.102]. The covered entities are

• health plans;
• health-care clearinghouses; and
• health-care providers who transmit health information in electronic form in connection with certain transactions.

At DHHS, the Office for Civil Rights (OCR) has oversight and enforcement responsibilities for the Privacy Rule. Comprehensive guidance and OCR answers to hundreds of questions are available at http://www.hhs.gov/ocr/hipaa (4).

Impact on Public Health

Public health practice and research, including such traditional public health activities as program operations, public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, direct health services, and public health research, use PHI to identify, monitor, and respond to disease, death, and disability among populations. Public health authorities have a long history of protecting and preserving the confidentiality of individually identifiable health information. They also recognize the importance of protecting individual privacy and respecting individual dignity to maintaining the quality and integrity of health data. CDC and others have worked to consistently strengthen federal and state public health information privacy practices and legal protections (5).

DHHS recognized the importance of sharing PHI to accomplish essential public health objectives and to meet certain other societal needs (e.g., administration of justice and law enforcement). Therefore, the Privacy Rule expressly permits PHI to be shared for specified public health purposes. For example, covered entities may disclose PHI, without individual authorization, to a public health authority legally authorized to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability [45 CFR § 164.512(b)] (Box 1). Further, the Privacy Rule permits covered entities to make disclosures that are required by other laws, including laws that require disclosures for public health purposes.

Thus, the Privacy Rule provides for the continued functioning of the U.S. public health system. Covered entities should become fully aware of the scope of permissible disclosures for public health activities, as well as state and local reporting laws and regulations. Moreover, a public health authority may also be a covered entity. For example, a public health agency that operates a health clinic providing essential health-care services and performing covered transactions electronically is a covered entity.

BOX 1. Protected health information (PHI) disclosures by covered entities for public health activities requiring no authorization under the Privacy Rule

Without individual authorization, a covered entity may disclose PHI to a public health authority* that is legally authorized to collect or receive the information for the purposes of preventing or controlling disease, injury, or disability, including but not limited to

• reporting of disease, injury, and vital events (e.g., birth or death); and
• conducting public health surveillance, investigations, and interventions.

PHI may also be disclosed without individual authorization to

• report child abuse or neglect to a public health or other government authority legally authorized to receive such reports;
• a person subject to jurisdiction of the Food and Drug Administration (FDA) concerning the quality, safety, or effectiveness of an FDA-related product or activity for which that person has responsibility;
• a person who may have been exposed to a communicable disease or may be at risk for contracting or spreading a disease or condition, when legally authorized to notify the person as necessary to conduct a public health intervention or investigation; and
• an individual's employer, under certain circumstances and conditions, as needed for the employer to meet the requirements of the Occupational Safety and Health Administration, Mine Safety and Health Administration, or a similar state law.

Source: Adapted from [45 CFR § 164.512(b)].
* Or to an entity working under a grant of authority from a public health authority, or, when directed by a public health authority, to a foreign government agency that is acting in collaboration with a public health authority.

This report provides guidance to public health authorities and their authorized agents, researchers, and health-care providers in interpreting the Privacy Rule as it affects public health. CDC recommends that public health authorities share the information in this report with covered health-care providers and other covered entities and work closely with those entities to ensure implementation of the rule consistent with its intent to protect privacy while permitting authorized public health activities to continue.

Overview of the Privacy Rule

Who Is Covered

The authority of DHHS to issue health-information privacy regulations was limited by Congress in HIPAA to a defined set of covered entities. More complete definitions of these and other terms are located elsewhere in this report (Appendix A). Covered entities are as follows:

• Health plans. An individual or group plan that provides or pays the cost of medical care that includes the diagnosis, cure, mitigation, treatment, or prevention of disease. Health plans include private entities (e.g., health insurers and managed care organizations) and government organizations (e.g., Medicaid, Medicare, and the Veterans Health Administration).
• Health-care clearinghouses. A public or private entity, including a billing service, repricing company, or community health information system, that processes nonstandard data or transactions received from another entity into standard transactions or data elements, or vice versa.
• Health-care providers. A provider of health-care services and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business. Health-care providers (e.g., physicians, hospitals, and clinics) are covered entities if they transmit health information in electronic form in connection with a transaction for which a HIPAA standard has been adopted by DHHS.

The Privacy Rule also establishes requirements for covered entities with regard to their nonemployee business associates (e.g., lawyers, accountants, billing companies, and other contractors) whose relationship with covered entities requires sharing of PHI. The Privacy Rule allows a covered provider or health plan to disclose PHI to a business associate if satisfactory written assurance is obtained that the business associate will use the information only for the purposes for which it was engaged, will safeguard the information from misuse, and will help the covered entity comply with certain of its duties under the Privacy Rule.

The Privacy Rule does not apply to all persons or entities that regularly use, disclose, or store individually identifiable health information. For example, the Privacy Rule does not cover employers, certain insurers (e.g., auto, life, and worker compensation), or those public agencies that deliver social security or welfare benefits, when functioning solely in these capacities.

Types of Health Information

Protected Health Information

The Privacy Rule protects certain information that covered entities use and disclose. This information is called protected health information (PHI), which is generally individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to 1) the past, present, or future physical or mental health or condition of an individual; 2) provision of health care to an individual; or 3) payment for the provision of health care to an individual. If the information identifies or provides a reasonable basis to believe it can be used to identify an individual, it is considered individually identifiable health information.

De-Identified Information

De-identified data (e.g., aggregate statistical data or data stripped of individual identifiers) require no individual privacy protections and are not covered by the Privacy Rule. De-identifying can be conducted through

• statistical de-identification: a properly qualified statistician, using accepted analytic techniques, concludes the risk is substantially limited that the information might be used, alone or in combination with other reasonably available information, to identify the subject of the information [45 CFR § 164.514(b)]; or the
• safe-harbor method: a covered entity or its business associate de-identifies information by removing 18 identifiers (Box 2), and the covered entity does not have actual knowledge that the remaining information can be used, alone or in combination with other data, to identify the subject [45 CFR § 164.514(b)].

In certain instances, working with de-identified data may have limited value to clinical research and other activities. When that is the case, a limited data set may be useful.

BOX 2. Individual identifiers under the Privacy Rule

The following 18 identifiers of a person, or of relatives, employers, or household members of a person, must be removed, and the covered entity must not have actual knowledge that the information could be used, alone or in combination with other information, to identify the individual, for the information to be considered de-identified and not protected health information (PHI):

• names;
• all geographic subdivisions smaller than a state, including county, city, street address, precinct, zip code,* and their equivalent geocodes;
• all elements of dates (except year) directly related to an individual; all ages >89 and all elements of dates (including year) indicative of such age (except for an aggregate into a single category of age >90);
• telephone numbers;
• fax numbers;
• electronic mail addresses;
• Social Security numbers;
• medical record numbers;
• health-plan beneficiary numbers;
• account numbers;
• certificate and license numbers;
• vehicle identifiers and serial numbers, including license plate numbers;
• medical device identifiers and serial numbers;
• Internet universal resource locators (URLs);
• Internet protocol (IP) addresses;
• biometric identifiers, including fingerprints and voice prints;
• full-face photographic images and any comparable images; and
• any other unique identifying number, characteristic, or code, except that covered entities may, under certain circumstances, assign a code or other means of record identification that allows de-identified information to be re-identified.

Source: Adapted from [45 CFR § 164.514(b)(2)(i)].
* The first three digits of a zip code are excluded from the PHI list if the geographic unit formed by combining all zip codes with the same first three digits contains >20,000 persons.

BOX 3. Use of limited data sets under the Privacy Rule

The following protected health information (PHI) can be included without authorization in a limited data set for public health, research, or health-care operations:

• town or city, state, and zip code; and
• elements of dates related to a person (e.g., years, birth dates, admission dates, discharge dates, and dates of death).

To disclose a limited data set, a covered entity must enter into a data-use agreement with the recipient, which agrees to use or disclose the PHI for limited purposes. Disclosure of a limited data set is not subject to the accounting requirement but must meet the minimum necessary standards of the Privacy Rule.
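Box 2 and Box 3 state the safe-harbor and limited-data-set rules in prose; the following is an added example, not code from the MMWR report or CDC, that applies both filters to a constructed patient record and flags identifier-like strings left in free text. The record field names, the sample record and the ZIP3 population counts are assumptions made for this illustration.

```python
from __future__ import annotations

import re
from datetime import date
from typing import Any

# Direct identifiers (Box 2) that both filters always remove.  These are
# hypothetical record field names, not names defined by the Privacy Rule.
DIRECT_IDENTIFIERS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_id",
    "url", "ip_address", "biometric", "photo",
})
# Geographic subdivisions smaller than a state (Box 2).  Following Box 3
# literally, a limited data set keeps only town/city, state and zip code.
GEO_FIELDS = frozenset({"street", "county", "city", "zip"})
LIMITED_SET_GEO = frozenset({"city", "zip"})
# Dates whose year would reveal an age over 89 and so is dropped as well.
AGE_REVEALING_DATES = frozenset({"birth_date", "death_date"})

# Constructed population counts per ZIP3 prefix; a real check uses Census
# data.  A ZIP3 is kept only when its combined area holds >20,000 persons.
ZIP3_POPULATION = {"303": 1_900_000, "999": 15_000}

# Identifier-like patterns for free-text fields.  Matching is a detection
# aid for the "no actual knowledge" condition, not proof of de-identification.
RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def find_residual_identifiers(text: str) -> list[str]:
    """Return the identifier categories whose pattern occurs in free text."""
    return [name for name, pat in RESIDUAL_PATTERNS.items() if pat.search(text)]


def _check_free_text(key: str, value: Any) -> None:
    """Refuse to release a string field that still looks like an identifier."""
    if isinstance(value, str):
        found = find_residual_identifiers(value)
        if found:
            raise ValueError(f"field {key!r} still contains {found}")


def safe_harbor(record: dict[str, Any]) -> dict[str, Any]:
    """Apply the 18-identifier safe-harbor method (Box 2) to one record."""
    over_89 = record.get("age", 0) > 89
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in GEO_FIELDS - {"zip"}:
            continue
        if key == "zip":
            # Only the first three digits survive, and only for large areas.
            zip3 = str(value)[:3]
            out["zip3"] = zip3 if ZIP3_POPULATION.get(zip3, 0) > 20_000 else "000"
        elif key == "age":
            # Ages over 89 collapse into one aggregate category.
            out["age"] = "90+" if over_89 else value
        elif isinstance(value, date):
            # Only the year survives, and not even that when it reveals age >89.
            if not (over_89 and key in AGE_REVEALING_DATES):
                out[f"{key}_year"] = value.year
        else:
            _check_free_text(key, value)
            out[key] = value
    return out


def limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Strip direct identifiers but keep city, state, zip and full dates (Box 3).

    The result is still PHI and may be disclosed only under a data-use agreement.
    """
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in GEO_FIELDS - LIMITED_SET_GEO:
            continue
        _check_free_text(key, value)
        out[key] = value
    return out


# Constructed sample record; no real person is described.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-000001",
    "phone": "404-555-0199",
    "street": "1 Example St",
    "city": "Atlanta",
    "state": "GA",
    "zip": "30333",
    "age": 93,
    "birth_date": date(1910, 2, 3),
    "admission_date": date(2003, 4, 11),
    "diagnosis": "pertussis",
    "notes": "Patient reports cough for 10 days.",
}
```

Running `safe_harbor(SAMPLE_RECORD)` keeps only state, ZIP3, the aggregated age, the admission year, diagnosis and notes; `limited_data_set(SAMPLE_RECORD)` additionally keeps the city, full ZIP and full dates.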

Limited Data Sets

Health information in a limited data set is not directly identifiable but may contain more identifiers than de-identified data that has been stripped of the 18 identifiers [45 CFR § 164.514] (Box 3). A data-use agreement must establish who is permitted to use or receive the limited data set and provide that the recipient will

• not use or disclose the information other than as permitted by the agreement or as otherwise required by law;
• use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the data-use agreement;
• report to the covered entity any use or disclosure of the information in violation of the agreement of which it becomes aware;
• ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
• not attempt to re-identify the information or contact the individual.

What is Required

For covered entities using or disclosing PHI, the Privacy Rule establishes a range of health-information privacy requirements and standards that attempt to balance individual privacy interests with the community need to use such data [45 CFR § 164.504]. Among its provisions, the Privacy Rule requires covered entities to

• notify individuals regarding their privacy rights and how their PHI is used or disclosed;
• adopt and implement internal privacy policies and procedures;
• train employees to understand these privacy policies and procedures, as appropriate for their functions within the covered entity;

• designate individuals who are responsible for implementing privacy policies and procedures and who will receive privacy-related complaints;
• establish privacy requirements in contracts with business associates that perform covered functions;
• have in place appropriate administrative, technical, and physical safeguards to protect the privacy of health information; and
• meet obligations with respect to health consumers exercising their rights under the Privacy Rule.

With respect to individuals, they are vested with the following rights:

• Receive access to PHI. Individual rights include inspections of records and the provision for copies of PHI about the individual in a designated record set, for as long as the PHI is maintained in the designated record set, except for psychotherapy notes, information compiled for use in civil, criminal, or administrative actions, and PHI maintained by a covered entity subject to the Clinical Laboratory Improvement Amendments of 1988 [42 CFR § 263(a)]. In the majority of cases, covered entities must accommodate a request or provide a process of denial subject to review [45 CFR § 164.524].
• Request amendments to PHI. Individuals can request that covered entities amend PHI about the individual in a designated record set, for as long as the PHI is maintained in a designated record set. If the covered entity agrees to the amendment, it must 1) identify the records affected; 2) append or provide a link to the amendment; 3) inform the individual the amendment has been made; and 4) work with other covered entities or business associates who possess or receive the data to make the amendments [45 CFR § 164.526]. If the covered entity denies this request, the Privacy Rule provides a process for contesting the denial [45 CFR § 164.526].
• Receive adequate notice. With limited exceptions, individuals have the right to receive a notice of the uses and disclosures the covered entity will make of their PHI, their rights under the Privacy Rule, and the covered entity's obligations with respect to that information. In certain cases, notice may be provided electronically. The notice must be in plain language (e.g., "your health information may be shared with public health authorities for public health purposes") and posted where it is likely to be seen by patients [45 CFR § 164.520].
• Receive an accounting of disclosures. Upon request, covered entities are required to provide individuals with an accounting for certain types of disclosures of PHI, although the rule contains certain exceptions, including disclosures with individual authorization, disclosures related to providers' treatment, payment, and health-care operations (TPO), and other exceptions. A typical accounting includes the name of the person or entity who received the information, date of the disclosure, a brief description of the information disclosed, and a brief explanation of the reasons for disclosure or copy of the request [45 CFR § 164.528]. However, requirements for accounting of public health disclosures may vary (see Accounting for Public Health Disclosures).
• Request restrictions. Individuals have the right to request a restriction on certain uses or disclosures of their PHI; however, the covered entity is not obligated to agree to such a request. If the covered entity does agree to a restriction, it must generally abide by the agreement, except for emergency treatment situations. But such an agreement is not effective to prevent certain permitted uses or disclosures [45 CFR § 164.512].

Required PHI Disclosures

A covered entity is required by the Privacy Rule to disclose PHI in only two instances: 1) when an individual has a right to access an accounting of his or her PHI (see previous paragraph), and 2) when DHHS needs PHI to determine compliance with the Privacy Rule [45 CFR § 164.502(a)(2)]. Certain other uses and disclosures of PHI may be permitted without authorization but are not required by the Privacy Rule. However, other federal, tribal, state, or local laws may compel disclosure.

Permitted PHI Disclosures Without Authorization

The Privacy Rule permits a covered entity to use and disclose PHI, with certain limits and protections, for TPO activities [45 CFR § 164.506]. Certain other permitted uses and disclosures for which authorization is not required follow. Additional requirements and conditions apply to these disclosures. The Privacy Rule text and OCR guidance should be consulted for a full understanding of the following:

• Required by law. Disclosures of PHI are permitted when required by other laws, whether federal, tribal, state, or local.
• Public health. PHI can be disclosed to public health authorities and their authorized agents for public health purposes, including but not limited to public health surveillance, investigations, and interventions.
• Health research. A covered entity can use or disclose PHI for research without authorization under certain conditions, including 1) if it obtains documentation of a waiver from an institutional review board (IRB) or a privacy board, according to a series of considerations; 2) for activities preparatory to research; and 3) for research on a decedent's information.
• Abuse, neglect, or domestic violence. PHI may be disclosed to report abuse, neglect, or domestic violence under specified circumstances.
• Law enforcement. Covered entities may, under specified conditions, disclose PHI to law enforcement officials pursuant to a court order, subpoena, or other legal order; to help identify and locate a suspect, fugitive, or missing person; to provide information related to a victim of a crime or a death that may have resulted from a crime; or to report a crime.
• Judicial and administrative proceedings. A covered entity may disclose PHI in the course of a judicial or administrative proceeding under specified circumstances.
• Cadaveric organ, eye, or tissue donation purposes. Organ-procurement agencies may use PHI for the purposes of facilitating transplant.
• Oversight. Covered entities may usually disclose PHI to a health oversight agency for oversight activities authorized by law.
• Workers' compensation. The Privacy Rule permits disclosure of work-related health information as authorized by, and to the extent necessary to comply with, workers' compensation programs.

Other Authorized Disclosures

A valid authorization is required for any use or disclosure of PHI that is not required or otherwise permitted without authorization by the Privacy Rule. In general, these authorizations must

• specifically identify the PHI to be used or disclosed;
• provide the names of persons or organizations, or classes of persons or organizations, who will receive, use, or disclose the PHI;
• state the purpose for each request;
• notify individuals of their right to refuse to sign the authorization without negative consequences to treatment, payment, or health plan enrollment or benefit eligibility, except under specific circumstances;
• be signed and dated by the individual or the individual's personal representative;
• be written in plain language;
• include an expiration date or event;
• notify the individual of the right to revoke authorization at any time in writing, how to exercise that right, and any applicable exceptions to that right under the Privacy Rule; and
• explain the potential for the information to be subject to redisclosure by recipient and no longer protected by the Privacy Rule.

The Privacy Rule and Public Health

The Privacy Rule recognizes 1) the legitimate need for public health authorities and others responsible for ensuring the public's health and safety to have access to PHI to conduct their missions, and 2) the importance of public health reporting by covered entities to identify threats to the public and individuals. Accordingly, the rule 1) permits PHI disclosures without a written patient authorization for specified public health purposes to public health authorities legally authorized to collect and receive the information for such purposes, and 2) permits disclosures that are required by state and local public health or other laws. However, because the Privacy Rule affects the traditional ways PHI is used and exchanged among covered entities (e.g., doctors, hospitals, and health insurers), it can affect public health practice and research in multiple ways. To prevent misconceptions, understanding the Privacy Rule is important for public health practice. Some illustrative examples are presented in this report (Box 4). Also provided are sample letters that might prove useful in clarifying relationships involving public health and the Privacy Rule (Appendix B).

A public health authority is broadly defined as including agencies or authorities of the United States, states, territories, political subdivisions of states or territories, American Indian tribes, or an individual or entity acting under a grant of authority from such agencies and responsible for public health matters as part of an official mandate. Public health authorities include federal public health agencies (e.g., CDC, National Institutes of Health [NIH], Health Resources and Services Administration [HRSA], Substance Abuse and Mental Health Services Administration [SAMHSA], Food and Drug Administration [FDA], or Occupational Safety and Health Administration [OSHA]), tribal health agencies, state public health agencies (e.g., public health departments or divisions, state cancer registries, and vital statistics departments), local public health agencies, and anyone performing public health functions under a grant of authority from a public health agency [45 CFR § 164.501].

Public health agencies often conduct their authorized public health activities with other entities by using different mechanisms (e.g., contracts and memoranda or letters of agreement). These other entities are public health authorities under the Privacy Rule with respect to the activities they conduct under a grant of authority from such a public health agency. A covered entity may disclose PHI to public health authorities

Vol 52 Early Release MMWR 7

State cancer registry Under a state law health-care provid-ers are required to report cancer cases to a statersquos cancer regis-try Names are included to prevent duplicate reporting andcounting State law protects the confidentiality of the dataCan covered entities disclose the information under the Pri-vacy Rule

Privacy Rule effect Covered entities may disclose PHI to apublic health agency or any other entity when the disclosureis required by law However as covered entities the providersmust give an accounting to the persons whose PHI has beenshared The state agency may use and further disclose the PHIconsistent with applicable state law

State university-maintained cancer registry Under a statelaw health-care providers are mandated to report cancer casesto a state health departmentrsquos cancer registry The state healthdepartment contracts with a state university to receive thereports and maintain its registry As covered entities can health-care providers disclose PHI to the state university under thePrivacy Rule

Privacy Rule effect As noted in the previous example cov-ered entities may disclose without authorization PHI to thecancer registry under the Privacy Rule which expressly per-mits disclosure of PHI as required by law and sharing of PHIwith public health authorities for public health purposes Thestate university is acting under a grant of authority from a publichealth authority the state health department The universitycan use and disclose the information without authorizationconsistent with its agreement with the state health departmentand applicable state law

Early hearing detection and intervention An early hear-ing detection and intervention program in a state needs datafrom two large hospitals The state does not have a law requir-ing reporting of hearing loss Under the Privacy Rule can cov-ered entities release results of newborn hearing-screening teststo the state program

Privacy Rule effect The Privacy Rule expressly permitsrelease of PHI without authorization from a covered entityto a public health authority (eg the state health department)which is authorized by law to receive PHI for the purpose of

BOX 4 Examples of situations related to the Privacy Rule and public health

controlling disease injury or disability The rule does notrequire a state law mandating such disclosures for PHI to bereleased to a public health authority Finally the coveredentities may rely upon the statersquos representation that theinformation requested is the minimum necessary for the pur-poses of the registry

Disease registry maintained by private foundation Aprivate foundation maintains a disease registry as a way tosupport research and service for those with the disease Canhealth-care providers release PHI to the foundation underthe Privacy Rule

Privacy Rule effect Nongovernment disease registries (egthose maintained by foundations and other private organiza-tions) are not considered public health authorities unless theyhave a grant of authority from a public health authority Withsuch a grant covered entities may disclose PHI to the foun-dations But without a grant of authority PHI may bereleased only under one of the following situations

bull Release is authorized by the patientbull The PHI is de-identifiedbull The PHI is contained in a limited data set governed by

a data-use agreementbull Release of PHI is in accord with the rulersquos provisions

for disclosure for research without authorizationbull Release is otherwise permitted by the rule (eg to

entities subject to the jurisdiction of the Food and DrugAdministration (FDA) [45 CFR sect 164512(b)(1)(iii)]

Surveillance project A state health department that is nota covered entity conducts a surveillance project on humanimmunodeficiency virus (HIV) and acquired immunodefi-ciency syndrome (AIDS) The HIVAIDS surveillance projectis an interview study It asks for self-reported informationfrom participants including dates of diagnosis and visits forcare Is this PHI covered by the Privacy Rule

Privacy Rule effect Information collected directly frompersons by a person agency or institution that is not a cov-ered entity including individually identifiable informationis not covered by the Privacy Rule

and to these designated entities pursuant to the public healthprovisions of the Privacy Rule

The Privacy Rule permits covered entities to disclose PHI without authorization to public health authorities or other entities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability. This includes the reporting of disease or injury; reporting vital events (e.g., births or deaths); conducting public health surveillance, investigations, or interventions; reporting child abuse and neglect; and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices [45 CFR 164.512(b)]. Covered entities may report adverse events related to FDA-regulated products or activities to public agencies and private entities that are subject to FDA jurisdiction [45 CFR 164.512(b)(1)(iii)]. To protect the health of the public, public health authorities might need to obtain information related to the individuals affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority [45 CFR 164.512(b)(1)(i)].

To receive PHI for public health purposes, public health authorities should be prepared to verify their status and identity as public health authorities under the Privacy Rule. To verify its identity, an agency could provide any one of the following:

• if the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;

• if the request is in writing, the request is on the appropriate government letterhead; or

• if the disclosure is to a person acting on behalf of a public health authority, a written statement on appropriate government letterhead that the person is acting under the government's authority [45 CFR § 164.514(h)(2)].

Public health authorities receiving information from covered entities as required or authorized by law [45 CFR 164.512(a)] [45 CFR 164.512(b)] are not business associates of the covered entities and therefore are not required to enter into business associate agreements. Public health authorities that are not covered entities also are not required to enter into business associate agreements with their public health partners and contractors. Also, after PHI is disclosed to a public health authority pursuant to the Privacy Rule, the public health authority (if it is not a covered entity) may maintain, use, and disclose the data consistent with the laws, regulations, and policies applicable to the public health authority.

Disclosures for Public Health Purposes

The Privacy Rule allows covered entities to disclose PHI to public health authorities when required by federal, tribal, state, or local laws [45 CFR 164.512(a)]. This includes state laws (or state procedures established under such law) that provide for receiving reporting of disease or injury, child abuse, birth, or death, or for conducting public health surveillance, investigation, or intervention.

For disclosures not required by law, covered entities may still disclose without authorization to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, the minimum necessary information to accomplish the intended public health purpose of the disclosure [45 CFR 164.512(b)] (Box 1).

For example, to protect the health of the public, public health officials might need to obtain information related to persons affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. The Privacy Rule continues to allow for the existing practice of sharing PHI with public health authorities who are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting adverse events, reporting births and deaths, and investigating the occurrence and cause of injury and disease (1).

Although it is not a defined term, DHHS interpreted the phrase "authorized by law" to mean that a legal basis exists for the activity. Further, DHHS called the phrase "a term of art" including both actions that are permitted and actions that are required by law [64 FR 59929, November 3, 1999]. This does not mean a public health authority at the federal, tribal, state, or local level must have multiple disease- or condition-specific laws that authorize each collection of information. Public health authorities operate under broad mandates to protect the health of their constituent populations.

Requirements for Covered Entities

Accounting for Public Health Disclosures

Although the Privacy Rule permits disclosures of PHI to public health authorities, covered entities must comply with certain requirements related to these disclosures. One such requirement is that a covered entity must be able to provide an individual, upon request, with an accounting of certain disclosures of PHI. The covered entity is not required to account for all disclosures of PHI. For example, an accounting is not required for disclosures made

• prior to the covered entity's compliance date;
• for TPO purposes;
• to the individual or pursuant to the individual's written authorization; or
• as part of a limited data set.

However, usually an accounting is required for disclosures made without authorization, including those for public health purposes.

The required accounting for disclosures may be accomplished in different ways. Typically, the covered entity must provide the individual with an accounting of each disclosure by date, the PHI disclosed, the identity of the recipient of the PHI, and the purpose of the disclosure. However, where the covered entity has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy Rule provides for a simplified means of accounting. In such cases, the covered entity need only identify the recipient of such repetitive disclosures and the purpose of the disclosure, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period and a description of the frequency or periodicity of such disclosures. For example, a vast amount of the data exchanged between covered entities and public health authorities is exchanged through ongoing, regular reporting or inspection requirements. A covered health-care provider may routinely report all cases of measles it diagnoses to the local public health authority. An accounting of such disclosures to a requesting individual would need to identify the local public health authority receiving the PHI, the PHI disclosed, the purpose of the disclosure (required for communicable disease surveillance), the periodicity (weekly), and the first and last dates of such disclosures during the accounting period (May 1, 2003 to June 1, 2003). Thus, the covered entity would not need to annotate each patient's medical record whenever a routine public health disclosure was made.
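To make the accounting mechanics concrete, the following is an added example in Python; it is not code from the MMWR report, CDC, or DHHS. It models a covered entity's disclosure log and produces the accounting for one patient: the exempt categories the text lists are filtered out, the six-year look-back window is applied, and repetitive disclosures to the same recipient for the same purpose and PHI are collapsed into one entry carrying the first and last dates, a count, and an approximate periodicity. The purpose labels, the record layout, the sample log, and the April 14, 2003 compliance date used in the sample are assumptions made for this example, not a required record format.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Purpose labels that this example treats as exempt from the accounting.
# These mirror only the categories listed in the text above (TPO, to the
# individual, under authorization, limited data set); a production log must
# cover every exemption in 45 CFR 164.528(a)(1), including incidental,
# facility-directory, national-security, and correctional disclosures.
EXEMPT_PURPOSES = {"treatment", "payment", "operations",
                   "to_individual", "authorization", "limited_data_set"}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    when: date
    recipient: str
    phi: str       # brief description of the PHI disclosed
    purpose: str   # label assumed for this example, e.g. "treatment"


def years_before(d: date, years: int) -> date:
    """Same calendar date `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accountable(d: Disclosure, request_date: date,
                compliance_date: date, years: int = 6) -> bool:
    """True if the disclosure belongs in an accounting requested on request_date."""
    if d.purpose in EXEMPT_PURPOSES:
        return False
    if d.when < compliance_date:          # pre-compliance-date disclosures are exempt
        return False
    return years_before(request_date, years) <= d.when <= request_date


def accounting(log, patient_id: str, request_date: date,
               compliance_date: date, years: int = 6):
    """Build the accounting entries for one patient.

    Disclosures to the same recipient for the same purpose and PHI are
    collapsed into a single entry with first/last dates, a count, and an
    approximate interval, as the rule permits for repetitive disclosures.
    Everything else becomes one entry per disclosure.
    """
    groups = defaultdict(list)
    for d in log:
        if d.patient_id == patient_id and accountable(d, request_date,
                                                      compliance_date, years):
            groups[(d.recipient, d.purpose, d.phi)].append(d.when)

    entries = []
    for (recipient, purpose, phi), dates in groups.items():
        dates.sort()
        entry = {"recipient": recipient, "purpose": purpose, "phi": phi,
                 "first": dates[0], "last": dates[-1], "count": len(dates)}
        if len(dates) > 1:
            span_days = (dates[-1] - dates[0]).days
            entry["approx_interval_days"] = round(span_days / (len(dates) - 1))
        entries.append(entry)
    entries.sort(key=lambda e: (e["first"], e["recipient"]))
    return entries


# Constructed sample data for the example; the compliance date is the one
# that applied to most covered entities, assumed here for the sample only.
COMPLIANCE_DATE = date(2003, 4, 14)
SAMPLE_LOG = [
    Disclosure("P1", date(2003, 4, 20), "State Cancer Registry",
               "cancer case report", "required_by_law"),
    # weekly measles reports: collapsed into one entry with periodicity
    *[Disclosure("P1", date(2003, 5, day), "County Health Dept",
                 "measles case report", "communicable disease surveillance")
      for day in (1, 8, 15, 22, 29)],
    Disclosure("P1", date(2003, 5, 3), "Dr. Smith", "full record", "treatment"),
    Disclosure("P1", date(2003, 5, 4), "P1", "full record", "to_individual"),
    Disclosure("P1", date(2003, 4, 10), "County Health Dept",      # pre-compliance
               "measles case report", "communicable disease surveillance"),
    Disclosure("P2", date(2003, 5, 9), "County Health Dept",
               "measles case report", "communicable disease surveillance"),
]

if __name__ == "__main__":
    for e in accounting(SAMPLE_LOG, "P1", date(2003, 6, 15), COMPLIANCE_DATE):
        print(e)
```

Run as-is, the sample yields two entries for patient P1: a single required-by-law registry report, and one collapsed entry for the five weekly measles reports (first May 1, last May 29, approximately every 7 days). The treatment and to-the-individual disclosures, the pre-compliance-date report, and patient P2's record never appear.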

Notice of Privacy Practices

With certain exceptions under the Privacy Rule, individuals have the right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, as well as their rights and the covered entity's legal obligations. Notices must be in plain language and clearly posted. Certain covered entities must make a good faith effort to obtain an individual's acknowledgment of receipt of this notice. In certain cases, notice may be provided electronically.

Minimum Necessary Standard

The Privacy Rule usually directs covered entities to limit the amount of information disclosed to the minimum necessary to achieve the specified goal [45 CFR § 164.514(d)(1)]. This requirement usually applies to disclosures to a public health agency. It would not apply, however, if the disclosure were required by law, authorized by the individual, or for treatment purposes. A covered entity may also reasonably rely on a public official's determination that the information requested is the minimum necessary for the public health purpose.

Public Health Authorities Performing Covered Functions

Public health authorities at the federal, tribal, state, or local levels that perform covered functions (e.g., providing health care or insuring individuals for health-care costs) may be subject to the Privacy Rule's provisions as covered entities. For example, a local public health authority that operates a health clinic providing essential health-care services to low-income persons and performs certain electronic transactions might be defined under the Privacy Rule as a covered health-care provider and therefore a covered entity. Flow charts and interactive tools designed to help determine covered entity status are provided online by the Centers for Medicare and Medicaid Services, available at httpwwwcmsgovhipaahipaa2supporttoolsdecisionsupportdefaultasp.

The following are examples of public health authority functions that make them covered entities:

• Public health authorities as covered health-care providers. A public health authority that conducts health care as part of its activities is a covered health-care provider if it also performs electronic transactions covered by the HIPAA Transactions Rule as part of these activities. The fact that these activities are conducted in pursuit of a public health goal (e.g., vaccinating children or screening a targeted population for sexually transmitted diseases) does not preclude the public health authority from being a covered entity.

• Public health authorities as health plans. Under the Privacy Rule, a health plan is an individual or group plan that provides or pays the cost of medical care. This specifically includes government health plans (e.g., Medicare, Medicaid, or Veterans Health Administration). However, the Privacy Rule defines health plan to exclude government-funded programs whose principal activity is the direct provision of health care to persons or the making of grants to fund the direct provision of health care to persons [45 CFR § 160.103]. Examples include the Ryan White Comprehensive AIDS Resources Emergency Act. Although certain government programs that fund providers directly may not be health plans, government programs that reimburse providers or otherwise fund providers to perform direct health-care services should carefully analyze the details of their programs to determine if they are performing covered functions.

• Public health authorities as health-care clearinghouses. Although unlikely, a public health authority might be a health-care clearinghouse if it receives health information from another entity and translates that information from a nonstandard format into a standard transaction or standard data elements (or vice versa). Operators of community health information systems should carefully consider whether they meet the definition for a health-care clearinghouse.

• Public health agencies as hybrid entities. A public health agency that is a covered entity and has both covered and noncovered functions may become a hybrid entity by designating its health-care components. By designating itself as a hybrid entity, a public health authority can carve out its noncovered functions so that the majority of Privacy Rule provisions apply only to its health-care component, which is required to comply with the Privacy Rule requirements, including using and disclosing PHI only as authorized, meeting the administrative requirements, accounting for disclosure of PHI, and providing a notice of practices. However, such a designation does not preclude the public health authority from continuing to conduct authorized public health functions. A covered entity that is also a public health authority may use, as well as disclose, PHI for public health purposes to the same extent it would be permitted to disclose the PHI as a public health authority.

The Privacy Rule and Public Health Research

The topic of research under the Privacy Rule is covered in depth in the DHHS report Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (6). The Privacy Rule provides separate provisions for disclosure without individual authorization for public health purposes and for certain research [45 CFR § 164.512(b)] [45 CFR § 164.512(i)]. Other federal law pertaining to research stresses the importance of distinguishing between research and practice to ensure that human subjects are appropriately protected [45 CFR Part 46]. For certain activities, this distinction is not always clear. A full discussion of the distinctions between public health practice and research is beyond the scope of this document. However, CDC and others provide guidance in this area (7–9).

Research Versus Practice

The definition of research is the same for the Privacy Rule and the Common Rule (10): systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Research is designed to test a hypothesis, permit conclusions to be drawn, and thereby to develop or contribute to generalizable knowledge. The majority of public health activities (e.g., public health surveillance and disease prevention and control projects) are based on scientific evidence and data collection or analytic methods similar to those used in research. However, they are not designed to contribute to generalizable knowledge. Their primary purpose is to protect the health of the population through such activities as disease surveillance, prevention, or control.

The Belmont Report (11) defines practice as interventions designed solely to enhance the well-being of a person, patient, or client and which have reasonable expectation of success. The report further states that the purpose of medical or behavioral practice is to provide diagnosis, preventive treatment, or therapy to particular patients. For public health agencies, the patient is the community. Public health practice activities (e.g., public health surveillance, disease control, or program evaluation) are undertaken with the intent to benefit a specific community, although occasionally they may provide unintended generalizable benefits to others.

Some public health activities that are initially public health practice may subsequently evolve into a research activity (e.g., an investigation to determine the cause of an outbreak that incorporates a research study evaluating the efficacy of a new drug to treat the illness). When that is the case, the disclosures may be made initially under the public health provisions of the Privacy Rule. But when the activity becomes an ongoing research activity, the entity should consider application of the relevant research disclosure provisions to continue to obtain information for this purpose. Moreover, there may be cases where the activity is both research and public health practice (e.g., an ongoing survey to monitor health conditions in the population, data from which can also be analyzed for research purposes). In those cases, disclosures may be made either under the research provisions or the public health provisions, as appropriate; the covered entity need not comply with both sets of requirements.

The Privacy Rule and Other Laws

• Federal laws. Covered entities subject to the Privacy Rule are also subject to other federal statutes and regulations. The specific relationship of the Privacy Rule and certain federal laws is discussed in the preamble to the December 2000 Final Rule [65 Fed. Reg. 82481]. In certain instances, the Privacy Rule imposes requirements in direct conflict with other federal laws or regulations. In those instances, an analysis will be necessary to determine whether the later provision was intended to overrule the prior law or regulation.

• State laws. As a federal regulatory standard, the Privacy Rule preempts only those contrary state laws relating to the privacy of individually identifiable health information that have less stringent requirements or standards than the Privacy Rule (i.e., more stringent laws remain in effect). In addition, DHHS may, upon specific request from a state or other entity or person, determine that a provision of state law that is contrary to the federal requirements and that meets certain additional criteria will not be preempted by the federal requirements. Thus, preemption of a contrary state law will not occur if the Secretary or designated DHHS official determines, in response to a request, that the state law 1) is necessary to prevent fraud and abuse related to the provision of or payment for health care; 2) is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation; 3) is necessary for state reporting on health-care delivery or costs; 4) is necessary to serve a compelling public health, safety, or welfare need and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or 5) has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances. The Privacy Rule specifically does not preempt contrary state public health laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention [45 CFR § 160.202].

Online Resources

References to non-DHHS sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

Federal Government Resources

DHHS Office for Civil Rights: HIPAA guidelines
httpwwwhhsgovocrhipaa

CDC: Privacy Rule guidelines
httpwwwcdcgovprivacyrule

Centers for Medicare and Medicaid Services
httpwwwcmsgovhipaa
httpwwwcmsgovhipaahipaa2supporttoolsdecisionsupportdefaultasp

Health Resources and Services Administration: HIPAA
httpwwwhrsagovwebsitehtm

National Center for Health Statistics
httpwwwcdcgovnchsotheractphdscphdschtm

National Committee on Vital and Health Statistics
httpwwwncvhshhsgov

National Health Information Infrastructure
httpwwwhealthgovncvhs-nhii

Indian Health Service: HIPAA
httpwwwihsgovAdminMngrResourcesHIPAAindexcfm

National Institutes of Health
httpprivacyruleandresearchnihgov

Substance Abuse and Mental Health Services Administration: HIPAA
httpwwwsamhsagovhipaa

State Government Resources

California
httpwwwdhscagovhipaa
httpwwwohicagovstatecalohiohiHomejsp
httpwwwdmhcagovhipaa

Colorado
httpwwwcdphestatecousHIPAA

Florida
httpwwwmyfloridacommyfloridastohipaa

Illinois
httpwwwstateilusdpahipaahtml

Kentucky
httpchsstatekyusdmsHIPAAdefaulthtm
httpdmhmrschrstatekyushipaaasp

Maryland
httpwwwmhccstatemdusedihipaa_hipaahtm
httpdhmhstatemdusHIPAA

Minnesota
httpwwwdhsstatemnushipaa

Missouri
httpwwwhealthstatemousHIPAA

New York
httpwwwoftstatenyushipaaindexhtm

North Carolina
httpdirmstatencushipaa

Ohio
httpwwwstateohushipaa

Pennsylvania
httpwwwdpwstatepausomaphipaaomaphipaaasp
httpwwwinsurancestatepaushtmlhipaahtml

South Carolina
httpwwwhipaastatescus

Texas
httpwwwhhscstatetxusNDISNDISTaskForcehtml

Virginia
httpwwwdmasstatevaushpa-homehtm

Wisconsin
httpwwwdhfsstatewiusHIPAA

Associations, Nonprofit Organizations, and Academic Resources

American Hospital Association: HIPAA
httpwwwhospitalconnectcomahakey_issueshipaaresourcesresourceshtml

American Medical Association: HIPAA
httpwwwama-assnorgamapubcategory4234html

Association of State and Territorial Health Officials: HIPAA
httpwwwasthoorgtemplate=hipaahtml

Georgetown University Health Privacy Project
httpwwwhealthprivacyorg

Joint Healthcare Information Technology Alliance
httpwwwjhitaorg

National Association of Health Data Organizations
httpwwwnahdoorg

National Association of Insurance Commissioners
httpwwwnaicorg1privacyinitiativeshealth_privacyhtm

National Governors Association: HIPAA
httpwwwngaorgcentertopics11188C_CENTER_ISSUE^D_432400html

North Carolina Healthcare Information and Communications Alliance
httpwwwnchicaorg

Public Health Grand Rounds: HIPAA Privacy Rule, Enhancing or Harming Public Health
httpwwwpublichealthgrandroundsuncedu

Stanford University Medical School: HIPAA
httpwwwmedstanfordeduHIPAA

Workgroup for Electronic Data Interchange: Strategic National Implementation Process
httpwwwwediorgsnip

Acknowledgments

This report was prepared by Salvatore Lucido, MPA, and Denise Koo, MD, Office of the Associate Director for Science, Epidemiology Program Office, CDC, in collaboration with James G. Hodge, Jr., JD, Center for Law and the Public's Health, Georgetown and Johns Hopkins Universities, Baltimore, Maryland. The preparers are grateful for the participation of Deborah Tress, JD, Kenya Ford, JD, and Heather Horton, JD, Office of the General Counsel, Department of Health and Human Services, CDC/ATSDR Branch; the CDC Working Group on the Privacy Rule; and Beverly Dozier, JD, Lance A. Gable, JD, Lawrence O. Gostin, JD, Gail Horlick, JD, and Jennifer Kurle.

The preparers also thank the following partners for their valuable input: Association of State and Territorial Health Officers; Council of State and Territorial Epidemiologists; National Association of County and City Health Officials; National Association of Health Data Organizations; Association of Public Health Laboratories; and National Association for Public Health Statistics and Information Systems.

References

1. Gostin LO, Hodge JG Jr. Personal privacy and common goods: a framework. Minnesota Law Review 2002;86:1439–80.
2. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996).
3. Office for Civil Rights, Department of Health and Human Services. Title 45 of the Code of Federal Regulations, Parts 160 and 164. Available at httpwwwdhhsgovocrcombinedregtextpdf.
4. Office for Civil Rights. OCR guidance explaining significant aspects of the Privacy Rule, 2002. Department of Health and Human Services. Available at httpwwwhhsgovocrhipaa.
5. Gostin LO, Hodge JG Jr, Privacy Law Advisory Committee. Model state public health information privacy act, 1999. Available at httpwwwpublichealthlawnetResourcesResourcesPDFsmodelprivactpdf.
6. Department of Health and Human Services. Protecting personal health information in research: understanding the HIPAA Privacy Rule. Washington, DC: Department of Health and Human Services, 2003 (in press).
7. Snider DE, Stroup DF. Defining research when it comes to public health. Public Health Rep 1997;112:29–32.
8. CDC. Guidelines for defining public health research and public health nonresearch. Available at httpwwwcdcgovodadsopspoll1htm.
9. Amoroso PJ, Middaugh JP. Research vs public health practice: when does a study require IRB review? Prev Med 2003;36:250–3.
10. Office for Protection from Research Risks, National Institutes of Health, Department of Health and Human Services. Public welfare: protection of human subjects, 2001 [45 CFR 46]. Available at httpohrposophsdhhsgovhumansubjectsguidance45cfr46htm.
11. National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. Belmont report: ethical principles and guidelines for the protection of human subjects of research. Department of Health, Education, and Welfare. Available at httpwwwmedumicheduirbmedethicsbelmontBELMONTRHTM.

Appendix A
Selected Privacy Rule Concepts and Definitions

The following concepts and definitions are adapted from the regulatory language. For further information, see the citations to the Privacy Rule.

Accounting. An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures (a) to carry out treatment, payment, and health care operations [45 CFR § 164.506]; (b) to individuals of protected health information about them [45 CFR § 164.502]; (c) incident to a use or disclosure otherwise permitted or required by this subpart, as provided in 45 CFR § 164.502; (d) pursuant to an authorization as provided in 45 CFR § 164.508; (e) for the facility's directory or to persons involved in the individual's care or other notification purposes as provided in 45 CFR § 164.510; (f) for national security or intelligence purposes as provided in 45 CFR § 164.512(k)(2); (g) to correctional institutions or law enforcement officials as provided in 45 CFR § 164.512(k)(5); (h) as part of a limited data set in accordance with 45 CFR § 164.514(e); or (i) that occurred prior to the compliance date for the covered entity... Such an accounting must meet the following requirements: (1) except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity; (2) except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: the date of the disclosure; the name of the entity or person who received the protected health information and, if known, the address of such entity or person; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or, in lieu of such a statement, a copy of the individual's written authorization pursuant to 45 CFR § 164.508 or a copy of a written request for a disclosure under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, if any.

If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, the accounting may, with respect to such multiple disclosures, provide the information required by paragraph (b)(2) of 45 CFR § 164.528 for the first disclosure during the accounting period; the frequency, periodicity, or number of the disclosures made during the accounting period; and the date of the last such disclosure during the accounting period [45 CFR § 164.528].

Modified accounting procedures are also provided for covered entities making research disclosures involving >50 persons [45 CFR § 164.528(b)(4)].

Business associate. A person who, on behalf of a covered entity or of an organized health care arrangement [45 CFR § 154.501] in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or any other function or activity regulated by this subchapter; or provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation [45 CFR § 164.501], management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health-care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the individual [45 CFR § 160.103].

Covered entity: 1) A health plan; 2) a health-care clearinghouse; 3) a health-care provider who transmits any health information in electronic form in connection with a transaction [45 CFR § 160.103].

Covered functions: Those functions of a covered entity the performance of which makes the entity a health plan, health-care provider, or health-care clearinghouse [45 CFR § 164.103].

Data aggregation: With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health-care operations of the respective covered entities [45 CFR § 164.501].

De-identified health information: Health information that does not identify an individual, and with respect to which no reasonable basis exists to believe that the information can be used to identify an individual, is not individually identifiable information [45 CFR § 164.514(a)].

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information [45 CFR § 160.103].

Electronic media: 1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or 2) transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission [45 CFR § 160.103].

Health care: Care, services, or supplies related to the health of an individual. It includes, but is not limited to, 1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body; and 2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription [45 CFR § 160.103].

Health-care clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system, community health information system, or value-added network or switch, that 1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or 2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity [45 CFR § 160.103].

Health-care operations: Any of the following activities of the covered entity, to the extent that the activities are related to covered functions: 1) conducting quality assessment and improvement activities, population-based activities, and related functions that do not include treatment; 2) reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance, conducting training programs where students learn to practice or improve their skills as health-care providers, training of nonhealth-care professionals, and accreditation, certification, licensing, or credentialing activities; 3) underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or benefits; 4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration and development or improvement of methods of payment or coverage policies; and 6) business management and general administrative activities of the entity [45 CFR § 164.501].

Health-care provider: A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health-care services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other individual or organization that furnishes, bills, or is paid for health care in the normal course of business [45 CFR § 160.103].

Health information: Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health-care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual [45 CFR § 160.103].

Health plan: An individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). Health plan includes the following, singly or in combination: (i) a group health plan, as defined in 45 CFR § 160.103 of the Privacy Rule; (ii) a health insurance issuer, as defined in 45 CFR § 160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 CFR § 160.103 of the Privacy Rule; (iv) Part A or B of the Medicare program under title XVIII of the Act; (v) the Medicaid program under title XIX of the Act, 42 U.S.C. 1396 et seq.; (vi) an issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)); (vii) an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy; (viii) an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers; (ix) the health care program for active military personnel under title 10 U.S.C.; (x) the veterans health-care program under 38 U.S.C. Ch. 17; (xi) the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)); (xii) the Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601 et seq.; (xiii) the Federal Employees Health Benefits Program under 5 U.S.C. 8902 et seq.; (xiv) an approved state child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397 et seq.; (xv) the Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28; (xvi) a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals; (xvii) any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) [45 CFR § 160.103].

The term health plan excludes (i) any policy, plan, or program to the extent that it provides or pays for the cost of excepted benefits that are listed in § 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and (ii) a government-funded program, other than the one listed in items (i)-(xvi) above, whose principal purpose is other than providing or paying the cost of health care, or whose principal activity is 1) the direct provision of health care to individuals, or 2) the making of grants to fund the direct provision of health care to individuals [45 CFR § 160.103].

Hybrid entity: A single legal entity 1) that is a covered entity; 2) whose business activities include both covered and noncovered functions; and 3) that designates its health-care components [45 CFR § 164.103].

Individually identifiable health information: A subset of health information, including demographic information collected from an individual, that 1) is created or received by a health-care provider, health plan, employer, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify the individual [45 CFR § 164.501].

Limited data set: Protected health information that excludes certain direct identifiers of the individual or of relatives, employers, or household members of the individual. The direct identifiers to be excluded are listed in 45 CFR § 164.514(e)(2).

Minimum necessary: For any type of disclosure that a covered entity makes on a routine and recurring basis, the covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. For all other disclosures, covered entities must develop and implement criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought, and must review requests for disclosure on an individual basis in accordance with such criteria. A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when (a) making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose; (b) the information is requested by another covered entity; (c) the information is requested by their business associates providing personal services; or (d) documentation or representations that comply with the applicable requirements of 45 CFR § 164.512(i) have been provided by an individual requesting the information for research purposes [45 CFR § 164.514(d)(3)].

The minimum necessary standard also applies to uses of protected health information [45 CFR § 164.514(d)(2)] and to requests for protected health information [45 CFR § 164.514(d)(4)].

Notice: An individual, with certain exceptions, has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. The notice must be written in plain language and contain the following elements: (i) a header as specified in the rule; (ii) a description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and health care operations, and a description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written consent or authorization. If a use or disclosure is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law (as defined in 45 CFR § 160.202). Each description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule or other applicable law, and a statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by 45 CFR § 164.508(b)(5).


A separate statement must be included in the notice if a covered entity intends to engage in any of the following activities. The statement should explain that 1) the covered entity may contact the individual to provide appointment reminders or information regarding treatment alternatives or other health-related benefits; 2) the covered entity may contact the individual to raise funds for the covered entity; or 3) a group health plan, health insurer, or HMO with respect to a group health plan may disclose protected health information to the sponsor of the plan.

The notice must contain a statement of the individual's rights with respect to the protected health information and a brief description of how the individual may exercise these rights; a statement of the covered entity's duties; a statement that individuals may complain to the covered entity or the Secretary if they believe their privacy rights have been violated; contact information; and the effective date of the notice [45 CFR § 164.520].

Payment: 1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, or (ii) a health-care provider or health plan to obtain or provide reimbursement for the provision of health care; and 2) the activities relate to the individual to whom health care is provided and include, but are not limited to, (i) determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; (ii) risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance), and related health-care data processing; (iv) review of health-care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services and concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: (a) name and address, (b) date of birth, (c) social security number, (d) payment history, (e) account number, and (f) name and address of the health-care provider or health plan [45 CFR § 164.501].

Protected health information (PHI): Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in (i) education records covered by the Family Education Rights and Privacy Act (20 U.S.C. 1232g); (ii) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a covered entity in its role as employer [45 CFR § 160.103].

Public health authority: An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or an individual or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or individuals or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate [45 CFR § 164.501].

Examples of public health authorities include state and local health departments, CDC, the National Institutes of Health (NIH), the Food and Drug Administration (FDA), and the Occupational Safety and Health Administration (OSHA).

Required by law: A mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. This term includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health-care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits [45 CFR § 164.103].

Research: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge [45 CFR § 164.501].

Statistical de-identification: A properly qualified statistician, using accepted analytical techniques, concludes that the risk is limited that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information [45 CFR § 164.514(b)].

Safe harbor method: A covered entity or its agent removes a comprehensive set of identifiers enumerated in the Privacy Rule, which includes, but is not limited to, names, geographic subdivisions smaller than states, dates more specific than years, contact information, identification numbers, and photographic images, and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual who is a subject of the information or the individual's relatives, employers, or household members. Eighteen specific identifiers will need to be removed to achieve de-identification [45 CFR § 164.514(b)].
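As an added illustration of the safe harbor categories the definition names (editor-supplied example code, not text or code from the MMWR report or from DHHS), the following Python removes or generalizes those categories in a constructed record and then scans what remains for values that still fall into them; the field names, patterns and sample record are assumptions, and the block covers only the categories listed above, not the full set of 18 identifiers.

```python
# Added example (not from the MMWR report): applies the safe harbor identifier
# categories the definition names to a constructed record, then scans the
# remaining free text for values in those categories.
import re
from typing import Optional

# Fields removed outright. The Privacy Rule enumerates 18 identifiers; this
# example covers only the categories the text lists (names, contact
# information, identification numbers, photographic images) plus identifiers of
# the relatives, employers, and household members the definition mentions.
# Field names are this example's own, not taken from any standard.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "phone", "email", "ssn", "mrn", "photo",
    "next_of_kin", "employer",
})
# Geographic subdivisions smaller than a state are removed; "state" is kept.
SUB_STATE_GEOGRAPHY = frozenset({"street", "city", "zip"})
# Dates more specific than a year are generalized to the year.
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date"})

_ISO_YEAR = re.compile(r"^(\d{4})-\d{2}-\d{2}$")  # assumes ISO-8601 YYYY-MM-DD

# Patterns for the "no actual knowledge" check over remaining free text.
# Heuristics only: a match means a reviewer must look, and a clean scan does
# not by itself establish that the data set is de-identified.
FREE_TEXT_PATTERNS = {
    "full date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "phone number": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "SSN-like number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def generalize_date(value: str) -> Optional[str]:
    """Keep only the year of an ISO date; anything that does not parse is dropped."""
    m = _ISO_YEAR.match(value)
    return m.group(1) if m else None


def safe_harbor(record: dict) -> dict:
    """Return a new record with the named identifier categories removed or
    generalized. Unknown fields pass through unchanged, which is why the
    free-text scan below is still needed."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS or field in SUB_STATE_GEOGRAPHY:
            continue
        if field in DATE_FIELDS:
            out[field] = generalize_date(value) if isinstance(value, str) else None
        else:
            out[field] = value
    return out


def residual_identifier_hits(record: dict) -> dict:
    """Map each string-valued field to the names of the patterns it matches."""
    hits = {}
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        names = [n for n, rx in FREE_TEXT_PATTERNS.items() if rx.search(value)]
        if names:
            hits[field] = names
    return hits


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "phone": "555-010-0100",
    "email": "jane@example.invalid",
    "photo": "jane.jpg",
    "next_of_kin": "John Q. Sample",
    "employer": "Example Widgets Inc.",
    "street": "1 Example Way",
    "city": "Anytown",
    "state": "GA",
    "zip": "30333",
    "dob": "1961-07-04",
    "admit_date": "2003-03-12",
    "discharge_date": "2003-03-15",
    "diagnosis_code": "A37.0",
    "notes": "Follow-up call scheduled for 2003-03-20 at 555-010-0100.",
}


def demo() -> tuple:
    cleaned = safe_harbor(SAMPLE_RECORD)
    return cleaned, residual_identifier_hits(cleaned)


if __name__ == "__main__":
    cleaned, hits = demo()
    for k, v in cleaned.items():
        print(f"{k}: {v}")
    print("fields needing review:", hits)
```

The free-text "notes" field survives the field-level pass with a full date and a phone number in it, which is exactly the case the scan exists to surface.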

Transaction: The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information, health care payment and remittance advice, coordination of benefits, health care claim status, enrollment and disenrollment in a health plan, eligibility for a health plan, health plan premium payments, referral certification and authorization, first report of injury, health claims attachments, and other transactions that the Secretary may prescribe by regulation [45 CFR § 164.103].

Treatment: The provision, coordination, or management of health care and related services by one or more health-care providers, including the coordination or management of health care by a health-care provider with a third party; consultation between health-care providers relating to a patient; or the referral of a patient for health care from one health-care provider to another [45 CFR § 164.501].

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information [45 CFR § 160.103].


Appendix B. Sample Text That Can Be Used To Clarify Public Health Issues Under the Privacy Rule

Following are sample letters that can be used to help clarify Privacy Rule issues among covered entities and public health authorities (e.g., CDC, National Institutes of Health, Food and Drug Administration, Substance Abuse and Mental Health Services Administration, Health Resources and Services Administration, and state and local health departments). Public health authorities can use these letters as templates by inserting names of the appropriate individuals, projects, agreements, laws, activity types, covered entities, public health authorities, and authorized agencies.

From a public health authority to a covered entity, clarifying rules regarding disclosure

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is conducting the activity described here in its capacity as a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities such as your organization may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..."

[Public health authority] is conducting [project], a public health activity as described by 45 CFR § 164.512(b), and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule.

If you have questions or concerns, please contact [project leader].

From a public health authority to an authorized agency, providing grant of authority

Dear [authorized agency]:

This letter serves as verification of a grant of authority from [public health authority] for you to conduct the public health activities described here, acting as a public health authority pursuant to the Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act (HIPAA) [45 CFR Parts 160 and 164]. Under this rule, covered entities may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of a public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..."

[Authorized agency] is acting under [contract, grant, cooperative agreement] with [public health authority] to conduct [project], which is authorized by [law or regulation]. [Public health authority] grants this authority to [authorized agency] for purposes of this project. Further, [public health authority] considers this to be [activity type], for which disclosure of protected health information by covered entities is authorized by 45 CFR § 164.512(b) of the Privacy Rule.

From a public health authority to a covered entity, confirming grant of authority to an authorized agency

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities may disclose protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..." [45 CFR § 164.501]. [Authorized agency] is acting under [contract, grant, or cooperative agreement] with [public health authority] to carry out [project]. Through this grant of authority, [authorized agency] may function as a public health authority under the Privacy Rule for purposes of this project.

[Project] is a public health activity as described by 45 CFR § 164.512(b), referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities "... may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purposes when making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s)."

If you have questions or concerns, please contact [project leader for authorized agency, public health authority contact].

All MMWR references are available on the Internet at http://www.cdc.gov/mmwr. Use the search function to find specific articles.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

MMWR

The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) and is available free of charge in electronic format and on a paid subscription basis for paper copy. To receive an electronic copy each week, send an e-mail message to listserv@listserv.cdc.gov. The body content should read SUBscribe mmwr-toc. Electronic copy also is available from CDC's Internet server at http://www.cdc.gov/mmwr or from CDC's file transfer protocol server at ftp://ftp.cdc.gov/pub/publications/mmwr. To subscribe for paper copy, contact Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone 202-512-1800.

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

U.S. Government Printing Office: 2003-533-155/69108 Region IV


Centers for Disease Control and Prevention
Julie L. Gerberding, M.D., M.P.H., Director
David W. Fleming, M.D., Deputy Director for Public Health Science
Dixie E. Snider, Jr., M.D., M.P.H., Associate Director for Science

Epidemiology Program Office
Stephen B. Thacker, M.D., M.Sc., Director

Office of Scientific and Health Communications
John W. Ward, M.D., Director; Editor, MMWR Series
Suzanne M. Hewitt, M.P.A., Managing Editor, MMWR Series
C. Kay Smith-Akin, M.Ed., Lead Technical Writer/Editor
Douglas W. Weatherwax, Project Editor
Beverly J. Holland, Lead Visual Information Specialist
Malbea A. Heilman, Visual Information Specialist
Quang M. Doan, Erica R. Shaver, Information Technology Specialists

CONTENTS

Introduction 1
Impact on Public Health 2
Overview of the Privacy Rule 3
  Who Is Covered 3
  Types of Health Information 3
  What Is Required 4
The Privacy Rule and Public Health 6
  Disclosures for Public Health Purposes 8
  Requirements for Covered Entities 8
The Privacy Rule and Public Health Research 10
  Research Versus Practice 10
The Privacy Rule and Other Laws 10
Online Resources 11
  Federal Government Resources 11
  State Government Resources 11
  Associations, Nonprofit Organizations, and Academic Resources 12
Acknowledgments 12
References 12
Appendix A 13
Appendix B 19


The material in this report originated in the Epidemiology Program Office, Stephen B. Thacker, M.D., M.Sc., Director.

Prepared by CDC staff in consultation with the Office of the General Counsel, the Office for Civil Rights, other offices and agencies within the U.S. Department of Health and Human Services, Washington, DC, and health privacy specialists.

HIPAA Privacy Rule and Public Health: Guidance from CDC and the U.S. Department of Health and Human Services

Summary

New national health information privacy standards have been issued by the U.S. Department of Health and Human Services (DHHS), pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The new regulations provide protection for the privacy of certain individually identifiable health data, referred to as protected health information (PHI). Balancing the protection of individual health information with the need to protect public health, the Privacy Rule expressly permits disclosures without individual authorization to public health authorities authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to public health surveillance, investigation, and intervention.

Public health practice often requires the acquisition, use, and exchange of PHI to perform public health activities (e.g., public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, direct health services, and public health research). Such information enables public health authorities to implement mandated activities (e.g., identifying, monitoring, and responding to death, disease, and disability among populations) and accomplish public health objectives. Public health authorities have a long history of respecting the confidentiality of PHI, and the majority of states, as well as the federal government, have laws that govern the use of, and serve to protect, identifiable information collected by public health authorities.

The purpose of this report is to help public health agencies and others understand and interpret their responsibilities under the Privacy Rule. Elsewhere, comprehensive DHHS guidance is located at the HIPAA website of the Office for Civil Rights (http://www.hhs.gov/ocr/hipaa).

Introduction

The shift of medical records from paper to electronic formats has increased the potential for individuals to access, use, and disclose sensitive personal health data. Although protecting individual privacy is a long-standing tradition among health-care providers and public health practitioners in the United States, previous legal protections at the federal, tribal, state, and local levels were inconsistent and inadequate. A patchwork of laws provided narrow privacy protections for selected health data and certain keepers of that data (1).

The US Department of Health and Human Services(DHHS) has addressed these concerns with new privacy stan-dards that set a national minimum of basic protections whilebalancing individual needs with those of society The HealthInsurance Portability and Accountability Act of 1996 (HIPAA)was adopted to ensure health insurance coverage after leavingan employer and also to provide standards for facilitatinghealth-carendashrelated electronic transactions To improve the

efficiency and effectiveness of the health-care system HIPAAincluded administrative simplification provisions that requiredDHHS to adopt national standards for electronic health-caretransactions (2) At the same time Congress recognized thatadvances in electronic technology could erode the privacy ofhealth information Consequently Congress incorporated intoHIPAA provisions that mandated adoption of federal privacyprotections for certain individually identifiable health infor-mation

The HIPAA Privacy Rule (Standards for Privacy of Indi-vidually Identifiable Health Information) (3) provides the firstnational standards for protecting the privacy of health infor-mation The Privacy Rule regulates how certain entities calledcovered entities use and disclose certain individually identifi-able health information called protected health information(PHI) PHI is individually identifiable health information thatis transmitted or maintained in any form or medium (egelectronic paper or oral) but excludes certain educationalrecords and employment records Among other provisions thePrivacy Rule

bull gives patients more control over their health informationbull sets boundaries on the use and release of health recordsbull establishes appropriate safeguards that the majority of

health-care providers and others must achieve to protectthe privacy of health information

2 MMWR April 11 2003

bull holds violators accountable with civil and criminal penal-ties that can be imposed if they violate patientsrsquo privacyrights

bull strikes a balance when public health responsibilities sup-port disclosure of certain forms of data

bull enables patients to make informed choices based on howindividual health information may be used

bull enables patients to find out how their information maybe used and what disclosures of their information havebeen made

bull generally limits release of information to the minimumreasonably needed for the purpose of the disclosure

bull generally gives patients the right to obtain a copy of theirown health records and request corrections and

bull empowers individuals to control certain uses and disclo-sures of their health information

The deadline to comply with the Privacy Rule is April 14, 2003, for the majority of the three types of covered entities specified by the rule [45 CFR § 160.102]. The covered entities are

• health plans;
• health-care clearinghouses; and
• health-care providers who transmit health information in electronic form in connection with certain transactions.

At DHHS, the Office for Civil Rights (OCR) has oversight and enforcement responsibilities for the Privacy Rule. Comprehensive guidance and OCR answers to hundreds of questions are available at http://www.hhs.gov/ocr/hipaa (4).

Impact on Public Health

Public health practice and research, including such traditional public health activities as program operations, public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, direct health services, and public health research, use PHI to identify, monitor, and respond to disease, death, and disability among populations. Public health authorities have a long history of protecting and preserving the confidentiality of individually identifiable health information. They also recognize the importance of protecting individual privacy and respecting individual dignity to maintaining the quality and integrity of health data. CDC and others have worked to consistently strengthen federal and state public health information privacy practices and legal protections (5).

DHHS recognized the importance of sharing PHI to accomplish essential public health objectives and to meet certain other societal needs (e.g., administration of justice and law enforcement). Therefore, the Privacy Rule expressly permits PHI to be shared for specified public health purposes. For example, covered entities may disclose PHI, without individual authorization, to a public health authority legally authorized to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability [45 CFR § 164.512(b)] (Box 1). Further, the Privacy Rule permits covered entities to make disclosures that are required by other laws, including laws that require disclosures for public health purposes.

Thus, the Privacy Rule provides for the continued functioning of the U.S. public health system. Covered entities should become fully aware of the scope of permissible disclosures for public health activities, as well as state and local reporting laws and regulations. Moreover, a public health authority may also be a covered entity. For example, a public health agency that operates a health clinic providing essential health-care services and performing covered transactions electronically is a covered entity.

BOX 1. Protected health information (PHI) disclosures by covered entities for public health activities requiring no authorization under the Privacy Rule

Without individual authorization, a covered entity may disclose PHI to a public health authority* that is legally authorized to collect or receive the information for the purposes of preventing or controlling disease, injury, or disability, including but not limited to

• reporting of disease, injury, and vital events (e.g., birth or death); and
• conducting public health surveillance, investigations, and interventions.

PHI may also be disclosed without individual authorization to

• report child abuse or neglect to a public health or other government authority legally authorized to receive such reports;
• a person subject to jurisdiction of the Food and Drug Administration (FDA) concerning the quality, safety, or effectiveness of an FDA-related product or activity for which that person has responsibility;
• a person who may have been exposed to a communicable disease or may be at risk for contracting or spreading a disease or condition, when legally authorized to notify the person as necessary to conduct a public health intervention or investigation; and
• an individual's employer, under certain circumstances and conditions, as needed for the employer to meet the requirements of the Occupational Safety and Health Administration, Mine Safety and Health Administration, or a similar state law.

Source: Adapted from [45 CFR § 164.512(b)].
* Or to an entity working under a grant of authority from a public health authority, or, when directed by a public health authority, to a foreign government agency that is acting in collaboration with a public health authority.

This report provides guidance to public health authorities and their authorized agents, researchers, and health-care providers in interpreting the Privacy Rule as it affects public health. CDC recommends that public health authorities share the information in this report with covered health-care providers and other covered entities and work closely with those entities to ensure implementation of the rule consistent with its intent: to protect privacy while permitting authorized public health activities to continue.

Overview of the Privacy Rule

Who Is Covered

The authority of DHHS to issue health-information privacy regulations was limited by Congress in HIPAA to a defined set of covered entities. More complete definitions of these and other terms are located elsewhere in this report (Appendix A). Covered entities are as follows:

• Health plans. An individual or group plan that provides or pays the cost of medical care that includes the diagnosis, cure, mitigation, treatment, or prevention of disease. Health plans include private entities (e.g., health insurers and managed care organizations) and government organizations (e.g., Medicaid, Medicare, and the Veterans Health Administration).
• Health-care clearinghouses. A public or private entity, including a billing service, repricing company, or community health information system, that processes nonstandard data or transactions received from another entity into standard transactions or data elements, or vice versa.
• Health-care providers. A provider of health-care services and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business. Health-care providers (e.g., physicians, hospitals, and clinics) are covered entities if they transmit health information in electronic form in connection with a transaction for which a HIPAA standard has been adopted by DHHS.

The Privacy Rule also establishes requirements for covered entities with regard to their nonemployee business associates (e.g., lawyers, accountants, billing companies, and other contractors) whose relationship with covered entities requires sharing of PHI. The Privacy Rule allows a covered provider or health plan to disclose PHI to a business associate if satisfactory written assurance is obtained that the business associate will use the information only for the purposes for which it was engaged, will safeguard the information from misuse, and will help the covered entity comply with certain of its duties under the Privacy Rule.

The Privacy Rule does not apply to all persons or entities that regularly use, disclose, or store individually identifiable health information. For example, the Privacy Rule does not cover employers, certain insurers (e.g., auto, life, and worker compensation), or those public agencies that deliver social security or welfare benefits, when functioning solely in these capacities.

Types of Health Information

Protected Health Information

The Privacy Rule protects certain information that covered entities use and disclose. This information is called protected health information (PHI), which is generally individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to 1) the past, present, or future physical or mental health or condition of an individual; 2) provision of health care to an individual; or 3) payment for the provision of health care to an individual. If the information identifies, or provides a reasonable basis to believe it can be used to identify, an individual, it is considered individually identifiable health information.

De-Identified Information

De-identified data (e.g., aggregate statistical data or data stripped of individual identifiers) require no individual privacy protections and are not covered by the Privacy Rule. De-identifying can be conducted through

• statistical de-identification: a properly qualified statistician, using accepted analytic techniques, concludes the risk is substantially limited that the information might be used, alone or in combination with other reasonably available information, to identify the subject of the information [45 CFR § 164.514(b)]; or the
• safe-harbor method: a covered entity or its business associate de-identifies information by removing 18 identifiers (Box 2), and the covered entity does not have actual knowledge that the remaining information can be used, alone or in combination with other data, to identify the subject [45 CFR § 164.514(b)].

In certain instances, working with de-identified data may have limited value to clinical research and other activities. When that is the case, a limited data set may be useful.
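The safe-harbor method (Box 2) and the limited data set (Box 3) are the two mechanical transformations in this report, and the details that trip up implementers are the ones the rule states precisely: ZIP codes collapse to their first three digits only when that area holds more than 20,000 persons (otherwise "000"), dates keep only the year, and a person over 89 loses even the birth year and is reported as an aggregate "90 or older" category. The following is an added example, not code from the MMWR report or from HHS; the record field names, the constructed sample record, and the SMALL_ZIP3 set of sparsely populated ZIP3 prefixes are assumptions made for illustration (the real list is published by HHS and is not reproduced here). It applies both transformations to one record and shows the re-identification code that the last bullet of Box 2 permits, kept in a crosswalk that stays with the covered entity.

```python
"""Safe-harbor de-identification and limited data sets (Box 2 and Box 3).

Added example, not code from the MMWR report or from HHS. Field names, the
sample record and SMALL_ZIP3 are constructed assumptions; only the rules
applied to them come from the text.
"""
import re
import secrets
from datetime import date

# Box 2 identifiers removed outright by both methods (constructed field names).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "county", "precinct", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "biometric",
    "photo", "other_unique_id",
})

# Date fields: Box 3 keeps them in full, safe harbor keeps only the year.
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "death_date")

# ZIP3 prefixes whose combined population is 20,000 or fewer. The threshold
# is the rule's; these prefixes are a placeholder assumption, not the HHS list.
SMALL_ZIP3 = frozenset({"036", "059", "102"})


def zip3(zip_code):
    """Keep the first three ZIP digits only when that ZIP3 area holds more
    than 20,000 persons; otherwise the rule sets the prefix to '000'."""
    prefix = re.sub(r"\D", "", zip_code or "")[:3]
    if len(prefix) < 3 or prefix in SMALL_ZIP3:
        return "000"
    return prefix


def age_on(birth_iso, ref_iso):
    """Completed years of age on ref_iso (both ISO-8601 dates)."""
    b, r = date.fromisoformat(birth_iso), date.fromisoformat(ref_iso)
    return r.year - b.year - ((r.month, r.day) < (b.month, b.day))


def safe_harbor(record, ref_iso):
    """De-identify `record` by the safe-harbor method of Box 2.

    Direct identifiers and geography below the state are dropped, ZIP
    collapses to ZIP3, dates collapse to the year, and a person older than
    89 loses the birth year and is reported as '90+'. State and clinical
    fields pass through unchanged.
    """
    over_89 = "birth_date" in record and age_on(record["birth_date"], ref_iso) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key == "city":
            continue
        if key == "zip":
            out["zip3"] = zip3(value)
        elif key in DATE_FIELDS:
            if over_89 and key == "birth_date":
                continue  # even the year alone would indicate an age > 89
            out[key.replace("_date", "_year")] = date.fromisoformat(value).year
        else:
            out[key] = value
    if over_89:
        out["age"] = "90+"
    return out


def limited_data_set(record):
    """Box 3: strip the direct identifiers but keep town/city, state, ZIP
    and full dates. The result is still PHI and leaves the covered entity
    only under a data-use agreement and the minimum necessary standard."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def attach_reidentification_code(deidentified, crosswalk, source_key):
    """Box 2, last bullet: the covered entity may attach a code that lets it
    re-identify the record later. The code is random, not derived from the
    person's data, and the crosswalk stays with the covered entity."""
    code = secrets.token_hex(8)
    crosswalk[code] = source_key
    return {**deidentified, "reid_code": code}


# Constructed sample record; none of these values belong to a real person.
SAMPLE_RECORD = {
    "name": "Jane Q. Example", "street_address": "12 Example St",
    "city": "Springfield", "county": "Example County", "state": "IL",
    "zip": "62704-1234", "birth_date": "1910-05-20",
    "admission_date": "2003-02-14", "discharge_date": "2003-02-20",
    "ssn": "000-00-0000", "mrn": "MRN-12345", "email": "jane@example.invalid",
    "ip_address": "192.0.2.10", "diagnosis": "influenza",
}

if __name__ == "__main__":
    print("safe harbor:", safe_harbor(SAMPLE_RECORD, "2003-04-11"))
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
```

Two design points worth noting. The re-identification code is generated with `secrets` rather than derived from the record (a hash of the medical record number, for instance, would be "derived from information about the individual" and would not satisfy the exception). And the reference date for the age test is passed in explicitly rather than taken from the clock, so that a batch de-identified today and one de-identified next year are judged against the same date and the output is reproducible.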

BOX 2. Individual identifiers under the Privacy Rule

The following 18 identifiers of a person, or of relatives, employers, or household members of a person, must be removed, and the covered entity must not have actual knowledge that the information could be used alone or in combination with other information to identify the individual, for the information to be considered de-identified and not protected health information (PHI):

• names;
• all geographic subdivisions smaller than a state, including county, city, street address, precinct, zip code,* and their equivalent geocodes;
• all elements of dates (except year) directly related to an individual; all ages >89 and all elements of dates (including year) indicative of such age (except for an aggregate into a single category of age 90 or older);
• telephone numbers;
• fax numbers;
• electronic mail addresses;
• Social Security numbers;
• medical record numbers;
• health-plan beneficiary numbers;
• account numbers;
• certificate and license numbers;
• vehicle identifiers and serial numbers, including license plate numbers;
• medical device identifiers and serial numbers;
• Internet universal resource locators (URLs);
• Internet protocol (IP) addresses;
• biometric identifiers, including fingerprints and voice prints;
• full-face photographic images and any comparable images; and
• any other unique identifying number, characteristic, or code, except that covered entities may, under certain circumstances, assign a code or other means of record identification that allows de-identified information to be re-identified.

Source: Adapted from [45 CFR § 164.514(b)(2)(i)].
* The first three digits of a zip code are excluded from the PHI list if the geographic unit formed by combining all zip codes with the same first three digits contains >20,000 persons.

Limited Data Sets

Health information in a limited data set is not directly identifiable but may contain more identifiers than de-identified data that has been stripped of the 18 identifiers [45 CFR § 164.514] (Box 3). A data-use agreement must establish who is permitted to use or receive the limited data set and provide that the recipient will

• not use or disclose the information other than as permitted by the agreement or as otherwise required by law;
• use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the data-use agreement;
• report to the covered entity any use or disclosure of the information, in violation of the agreement, of which it becomes aware;
• ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
• not attempt to re-identify the information or contact the individual.

BOX 3. Use of limited data sets under the Privacy Rule

The following protected health information (PHI) can be included without authorization in a limited data set for public health, research, or health-care operations:

• town or city, state, and zip code; and
• elements of dates related to a person (e.g., years, birth dates, admission dates, discharge dates, and dates of death).

To disclose a limited data set, a covered entity must enter into a data-use agreement with the recipient, which agrees to use or disclose the PHI for limited purposes. Disclosure of a limited data set is not subject to the accounting requirement but must meet the minimum necessary standards of the Privacy Rule.

What Is Required

For covered entities using or disclosing PHI, the Privacy Rule establishes a range of health-information privacy requirements and standards that attempt to balance individual privacy interests with the community need to use such data [45 CFR § 164.504]. Among its provisions, the Privacy Rule requires covered entities to

• notify individuals regarding their privacy rights and how their PHI is used or disclosed;
• adopt and implement internal privacy policies and procedures;
• train employees to understand these privacy policies and procedures, as appropriate for their functions within the covered entity;
• designate individuals who are responsible for implementing privacy policies and procedures and who will receive privacy-related complaints;
• establish privacy requirements in contracts with business associates that perform covered functions;
• have in place appropriate administrative, technical, and physical safeguards to protect the privacy of health information; and
• meet obligations with respect to health consumers exercising their rights under the Privacy Rule.

With respect to individuals, they are vested with the following rights:

• Receive access to PHI. Individual rights include inspection of records and the provision of copies of PHI about the individual in a designated record set, for as long as the PHI is maintained in the designated record set, except for psychotherapy notes, information compiled for use in civil, criminal, or administrative actions, and PHI maintained by a covered entity subject to the Clinical Laboratory Improvement Amendments of 1988 [42 CFR § 263(a)]. In the majority of cases, covered entities must accommodate a request or provide a process of denial subject to review [45 CFR § 164.524].
• Request amendments to PHI. Individuals can request that covered entities amend PHI about the individual in a designated record set, for as long as the PHI is maintained in a designated record set. If the covered entity agrees to the amendment, it must 1) identify the records affected; 2) append or provide a link to the amendment; 3) inform the individual the amendment has been made; and 4) work with other covered entities or business associates who possess or receive the data to make the amendments [45 CFR § 164.526]. If the covered entity denies this request, the Privacy Rule provides a process for contesting the denial [45 CFR § 164.526].
• Receive adequate notice. With limited exceptions, individuals have the right to receive a notice of the uses and disclosures the covered entity will make of their PHI, their rights under the Privacy Rule, and the covered entity's obligations with respect to that information. In certain cases, notice may be provided electronically. The notice must be in plain language (e.g., "your health information may be shared with public health authorities for public health purposes . . .") and posted where it is likely to be seen by patients [45 CFR § 164.520].
• Receive an accounting of disclosures. Upon request, covered entities are required to provide individuals with an accounting for certain types of disclosures of PHI, although the rule contains certain exceptions, including disclosures with individual authorization, disclosures related to providers' treatment, payment, and health-care operations (TPO), and other exceptions. A typical accounting includes the name of the person or entity who received the information, the date of the disclosure, a brief description of the information disclosed, and a brief explanation of the reasons for disclosure or a copy of the request [45 CFR § 164.528]. However, requirements for accounting of public health disclosures may vary (see Accounting for Public Health Disclosures).
• Request restrictions. Individuals have the right to request a restriction on certain uses or disclosures of their PHI; however, the covered entity is not obligated to agree to such a request. If the covered entity does agree to a restriction, it must generally abide by the agreement, except for emergency treatment situations. But such an agreement is not effective to prevent certain permitted uses or disclosures [45 CFR § 164.512].

Required PHI Disclosures

A covered entity is required by the Privacy Rule to disclose PHI in only two instances: 1) when an individual has a right to access an accounting of his or her PHI (see previous paragraph), and 2) when DHHS needs PHI to determine compliance with the Privacy Rule [45 CFR § 164.502(a)(2)]. Certain other uses and disclosures of PHI may be permitted without authorization, but are not required by the Privacy Rule. However, other federal, tribal, state, or local laws may compel disclosure.

Permitted PHI Disclosures Without Authorization

The Privacy Rule permits a covered entity to use and disclose PHI, with certain limits and protections, for TPO activities [45 CFR § 164.506]. Certain other permitted uses and disclosures for which authorization is not required follow. Additional requirements and conditions apply to these disclosures. The Privacy Rule text and OCR guidance should be consulted for a full understanding of the following:

• Required by law. Disclosures of PHI are permitted when required by other laws, whether federal, tribal, state, or local.
• Public health. PHI can be disclosed to public health authorities and their authorized agents for public health purposes, including but not limited to public health surveillance, investigations, and interventions.
• Health research. A covered entity can use or disclose PHI for research without authorization under certain conditions, including 1) if it obtains documentation of a waiver from an institutional review board (IRB) or a privacy board, according to a series of considerations; 2) for activities preparatory to research; and 3) for research on a decedent's information.
• Abuse, neglect, or domestic violence. PHI may be disclosed to report abuse, neglect, or domestic violence under specified circumstances.
• Law enforcement. Covered entities may, under specified conditions, disclose PHI to law enforcement officials pursuant to a court order, subpoena, or other legal order; to help identify and locate a suspect, fugitive, or missing person; to provide information related to a victim of a crime or a death that may have resulted from a crime; or to report a crime.
• Judicial and administrative proceedings. A covered entity may disclose PHI in the course of a judicial or administrative proceeding under specified circumstances.
• Cadaveric organ, eye, or tissue donation purposes. Organ-procurement agencies may use PHI for the purposes of facilitating transplant.
• Oversight. Covered entities may usually disclose PHI to a health oversight agency for oversight activities authorized by law.
• Workers' compensation. The Privacy Rule permits disclosure of work-related health information as authorized by, and to the extent necessary to comply with, workers' compensation programs.

Other Authorized Disclosures

A valid authorization is required for any use or disclosure of PHI that is not required or otherwise permitted without authorization by the Privacy Rule. In general, these authorizations must

• specifically identify the PHI to be used or disclosed;
• provide the names of persons or organizations, or classes of persons or organizations, who will receive, use, or disclose the PHI;
• state the purpose for each request;
• notify individuals of their right to refuse to sign the authorization without negative consequences to treatment, payment, or health plan enrollment or benefit eligibility, except under specific circumstances;
• be signed and dated by the individual or the individual's personal representative;
• be written in plain language;
• include an expiration date or event;
• notify the individual of the right to revoke authorization at any time in writing, how to exercise that right, and any applicable exceptions to that right under the Privacy Rule; and
• explain the potential for the information to be subject to redisclosure by the recipient and no longer protected by the Privacy Rule.

The Privacy Rule and Public Health

The Privacy Rule recognizes 1) the legitimate need for public health authorities and others responsible for ensuring the public's health and safety to have access to PHI to conduct their missions, and 2) the importance of public health reporting by covered entities to identify threats to the public and individuals. Accordingly, the rule 1) permits PHI disclosures without a written patient authorization for specified public health purposes to public health authorities legally authorized to collect and receive the information for such purposes, and 2) permits disclosures that are required by state and local public health or other laws. However, because the Privacy Rule affects the traditional ways PHI is used and exchanged among covered entities (e.g., doctors, hospitals, and health insurers), it can affect public health practice and research in multiple ways. To prevent misconceptions, understanding the Privacy Rule is important for public health practice. Some illustrative examples are presented in this report (Box 4). Also provided are sample letters that might prove useful in clarifying relationships involving public health and the Privacy Rule (Appendix B).

A public health authority is broadly defined as including agencies or authorities of the United States, states, territories, political subdivisions of states or territories, American Indian tribes, or an individual or entity acting under a grant of authority from such agencies and responsible for public health matters as part of an official mandate. Public health authorities include federal public health agencies (e.g., CDC, National Institutes of Health [NIH], Health Resources and Services Administration [HRSA], Substance Abuse and Mental Health Services Administration [SAMHSA], Food and Drug Administration [FDA], or Occupational Safety and Health Administration [OSHA]), tribal health agencies, state public health agencies (e.g., public health departments or divisions, state cancer registries, and vital statistics departments), local public health agencies, and anyone performing public health functions under a grant of authority from a public health agency [45 CFR § 164.501].

Public health agencies often conduct their authorized public health activities with other entities by using different mechanisms (e.g., contracts and memoranda or letters of agreement). These other entities are public health authorities under the Privacy Rule with respect to the activities they conduct under a grant of authority from such a public health agency. A covered entity may disclose PHI to public health authorities and to these designated entities pursuant to the public health provisions of the Privacy Rule.

BOX 4. Examples of situations related to the Privacy Rule and public health

State cancer registry. Under a state law, health-care providers are required to report cancer cases to a state's cancer registry. Names are included to prevent duplicate reporting and counting. State law protects the confidentiality of the data. Can covered entities disclose the information under the Privacy Rule?

Privacy Rule effect. Covered entities may disclose PHI to a public health agency, or any other entity, when the disclosure is required by law. However, as covered entities, the providers must give an accounting to the persons whose PHI has been shared. The state agency may use and further disclose the PHI consistent with applicable state law.

State university-maintained cancer registry. Under a state law, health-care providers are mandated to report cancer cases to a state health department's cancer registry. The state health department contracts with a state university to receive the reports and maintain its registry. As covered entities, can health-care providers disclose PHI to the state university under the Privacy Rule?

Privacy Rule effect. As noted in the previous example, covered entities may disclose, without authorization, PHI to the cancer registry under the Privacy Rule, which expressly permits disclosure of PHI as required by law and sharing of PHI with public health authorities for public health purposes. The state university is acting under a grant of authority from a public health authority, the state health department. The university can use and disclose the information without authorization, consistent with its agreement with the state health department and applicable state law.

Early hearing detection and intervention. An early hearing detection and intervention program in a state needs data from two large hospitals. The state does not have a law requiring reporting of hearing loss. Under the Privacy Rule, can covered entities release results of newborn hearing-screening tests to the state program?

Privacy Rule effect. The Privacy Rule expressly permits release of PHI, without authorization, from a covered entity to a public health authority (e.g., the state health department) which is authorized by law to receive PHI for the purpose of controlling disease, injury, or disability. The rule does not require a state law mandating such disclosures for PHI to be released to a public health authority. Finally, the covered entities may rely upon the state's representation that the information requested is the minimum necessary for the purposes of the registry.

Disease registry maintained by private foundation. A private foundation maintains a disease registry as a way to support research and service for those with the disease. Can health-care providers release PHI to the foundation under the Privacy Rule?

Privacy Rule effect. Nongovernment disease registries (e.g., those maintained by foundations and other private organizations) are not considered public health authorities unless they have a grant of authority from a public health authority. With such a grant, covered entities may disclose PHI to the foundations. But without a grant of authority, PHI may be released only under one of the following situations:

• Release is authorized by the patient.
• The PHI is de-identified.
• The PHI is contained in a limited data set governed by a data-use agreement.
• Release of PHI is in accord with the rule's provisions for disclosure for research without authorization.
• Release is otherwise permitted by the rule (e.g., to entities subject to the jurisdiction of the Food and Drug Administration [FDA]) [45 CFR § 164.512(b)(1)(iii)].

Surveillance project. A state health department that is not a covered entity conducts a surveillance project on human immunodeficiency virus (HIV) and acquired immunodeficiency syndrome (AIDS). The HIV/AIDS surveillance project is an interview study. It asks for self-reported information from participants, including dates of diagnosis and visits for care. Is this PHI covered by the Privacy Rule?

Privacy Rule effect. Information collected directly from persons by a person, agency, or institution that is not a covered entity, including individually identifiable information, is not covered by the Privacy Rule.

The Privacy Rule permits covered entities to disclose PHI, without authorization, to public health authorities or other entities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability. This includes the reporting of disease or injury; reporting vital events (e.g., births or deaths); conducting public health surveillance, investigations, or interventions; reporting child abuse and neglect; and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices [45 CFR § 164.512(b)]. Covered entities may report adverse events related to FDA-regulated products or activities to public agencies and private entities that are subject to FDA jurisdiction [45 CFR § 164.512(b)(1)(iii)]. To protect the health of the public, public health authorities might need to obtain information related to the individuals affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease, to allow for actions to prevent further illness. Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority [45 CFR § 164.512(b)(1)(i)].

To receive PHI for public health purposes, public health authorities should be prepared to verify their status and identity as public health authorities under the Privacy Rule. To verify its identity, an agency could provide any one of the following:

• if the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;

• if the request is in writing, the request is on the appropriate government letterhead;

• if the disclosure is to a person acting on behalf of a public health authority, a written statement on appropriate government letterhead that the person is acting under the government's authority [45 CFR § 164.514(h)(2)].

Public health authorities receiving information from covered entities as required or authorized by law [45 CFR 164.512(a)] [45 CFR 164.512(b)] are not business associates of the covered entities and therefore are not required to enter into business associate agreements. Public health authorities that are not covered entities also are not required to enter into business associate agreements with their public health partners and contractors. Also, after PHI is disclosed to a public health authority pursuant to the Privacy Rule, the public health authority (if it is not a covered entity) may maintain, use, and disclose the data consistent with the laws, regulations, and policies applicable to the public health authority.

Disclosures for Public Health Purposes

The Privacy Rule allows covered entities to disclose PHI to public health authorities when required by federal, tribal, state, or local laws [45 CFR 164.512(a)]. This includes state laws (or state procedures established under such law) that provide for receiving reporting of disease or injury, child abuse, birth, or death, or conducting public health surveillance, investigation, or intervention.

For disclosures not required by law, covered entities may still disclose, without authorization, to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, the minimum necessary information to accomplish the intended public health purpose of the disclosure [45 CFR 164.512(b)] (Box 1).

For example, to protect the health of the public, public health officials might need to obtain information related to persons affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. The Privacy Rule continues to allow for the existing practice of sharing PHI with public health authorities who are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting adverse events, reporting births and deaths, and investigating the occurrence and cause of injury and disease (1).

Although it is not a defined term, DHHS interpreted the phrase "authorized by law" to mean that a legal basis exists for the activity. Further, DHHS called the phrase "a term of art" including both actions that are permitted and actions that are required by law [64 FR 59929, November 3, 1999]. This does not mean a public health authority at the federal, tribal, state, or local level must have multiple disease- or condition-specific laws that authorize each collection of information. Public health authorities operate under broad mandates to protect the health of their constituent populations.

Requirements for Covered Entities

Accounting for Public Health Disclosures

Although the Privacy Rule permits disclosures of PHI to public health authorities, covered entities must comply with certain requirements related to these disclosures. One such requirement is that a covered entity must be able to provide an individual, upon request, with an accounting of certain disclosures of PHI. The covered entity is not required to account for all disclosures of PHI. For example, an accounting is not required for disclosures made

• prior to the covered entity's compliance date;
• for TPO purposes;
• to the individual or pursuant to the individual's written authorization; or
• as part of a limited data set.

However, usually an accounting is required for disclosures made without authorization, including public health purposes.

The required accounting for disclosures may be accomplished in different ways. Typically, the covered entity must provide the individual with an accounting of each disclosure by date, the PHI disclosed, the identity of the recipient of the PHI, and the purpose of the disclosure. However, where the covered entity has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy Rule provides for a simplified means of accounting. In such cases, the covered entity need only identify the recipient of such repetitive disclosures, the purpose of the disclosure, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period and a description of the frequency or periodicity of such disclosures. For example, the vast amount of data exchanged between covered entities and public health authorities is made through ongoing, regular reporting or inspection requirements. A covered health-care provider may routinely report all cases of measles it diagnoses to the local public health authority. An accounting of such disclosures to a requesting individual would need to identify the local public health authority receiving the PHI, the PHI disclosed, the purpose of the disclosure (required for communicable disease surveillance), the periodicity (weekly), and the first and last dates of such disclosures during the accounting period (May 1, 2003 to June 1, 2003). Thus, the covered entity would not need to annotate each patient's medical record whenever a routine public health disclosure was made.
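One way to produce the accounting described above, as an added example that is not code from the original report or from CDC/DHHS: the program drops the exempt disclosure categories, applies the six-year (or shorter) window and the compliance date, and collapses repetitive disclosures to the same recipient for the same purpose into one summary entry with first/last date and periodicity. The record layout, the disclosure log, the compliance date, and the periodicity labels are constructed assumptions.

```python
"""Accounting of disclosures: exempt categories are dropped, the accounting
window is applied, and repetitive disclosures to one recipient for one
purpose collapse into a single summary entry (first/last date, count,
periodicity). Illustrative code for this page; record layout and the
sample log below are constructed, not taken from any real system."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Bases for disclosure that the text lists as exempt from the accounting.
EXEMPT_BASES = {"tpo", "to_individual", "authorization", "limited_data_set"}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    when: date
    recipient: str
    phi: str        # brief description of the PHI disclosed
    purpose: str
    basis: str      # e.g. "public_health", "tpo", "authorization"


def periodicity(dates):
    """Label how often a repetitive disclosure recurred (constructed labels)."""
    if len(dates) < 2:
        return "single"
    gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
    median = sorted(gaps)[len(gaps) // 2]
    if median <= 1:
        return "daily"
    if 6 <= median <= 8:
        return "weekly"
    if 28 <= median <= 31:
        return "monthly"
    return f"every {median} days"


def accounting(log, patient_id, requested_on, compliance_date, years=6):
    """Return the accountable disclosures for one patient as summary entries.

    Disclosures with the same recipient and purpose become one entry carrying
    the first and last date, the count and the periodicity, as the simplified
    accounting for repetitive disclosures allows.
    """
    window_start = requested_on.replace(year=requested_on.year - years)
    kept = [d for d in log
            if d.patient_id == patient_id
            and window_start <= d.when <= requested_on
            and d.when >= compliance_date          # pre-compliance: no accounting
            and d.basis not in EXEMPT_BASES]       # TPO, to individual, etc.
    groups = defaultdict(list)
    for d in kept:
        groups[(d.recipient, d.purpose)].append(d)
    entries = []
    for (recipient, purpose), ds in sorted(groups.items()):
        dates = sorted(d.when for d in ds)
        entries.append({"recipient": recipient, "purpose": purpose,
                        "phi": ds[0].phi, "first": dates[0].isoformat(),
                        "last": dates[-1].isoformat(), "count": len(ds),
                        "periodicity": periodicity(dates)})
    return entries


# Constructed log: weekly measles reports to the local health department
# (accountable, collapsed into one entry), a claim (TPO, exempt), a release
# to the patient (exempt), a pre-compliance report, and another patient.
COMPLIANCE_DATE = date(2003, 4, 14)   # assumed compliance date for the sample
REQUEST_DATE = date(2003, 6, 1)
SAMPLE_LOG = [
    Disclosure("P-001", date(2003, 5, 1) + timedelta(weeks=i), "County Health Dept",
               "measles case report", "communicable disease surveillance",
               "public_health")
    for i in range(5)                 # May 1, 8, 15, 22, 29
] + [
    Disclosure("P-001", date(2003, 5, 9), "Payer Inc", "claim", "payment", "tpo"),
    Disclosure("P-001", date(2003, 5, 12), "patient", "full record", "access",
               "to_individual"),
    Disclosure("P-001", date(2003, 4, 1), "County Health Dept", "measles case report",
               "communicable disease surveillance", "public_health"),
    Disclosure("P-002", date(2003, 5, 2), "County Health Dept", "measles case report",
               "communicable disease surveillance", "public_health"),
]


def sample_accounting(patient_id="P-001"):
    """Run the accounting over the constructed log for one patient."""
    return accounting(SAMPLE_LOG, patient_id, REQUEST_DATE, COMPLIANCE_DATE)


if __name__ == "__main__":
    for entry in sample_accounting():
        print(entry)
```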

Notice of Privacy Practices

With certain exceptions under the Privacy Rule, individuals have the right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, as well as their rights and the covered entity's legal obligations. Notices must be in plain language and clearly posted. Certain covered entities must make a good faith effort to obtain an individual's acknowledgment of receipt of this notice. In certain cases, notice may be provided electronically.

Minimum Necessary Standard

The Privacy Rule usually directs covered entities to limit the amount of information disclosed to the minimum necessary to achieve the specified goal [45 CFR § 164.514(d)(1)]. This requirement usually applies to disclosures to a public health agency. It would not apply, however, if the disclosure were required by law, authorized by the individual, or for treatment purposes. A covered entity may also reasonably rely on a public official's determination that the information requested is the minimum necessary for the public health purpose.

Public Health Authorities Performing Covered Functions

Public health authorities at the federal, tribal, state, or local levels that perform covered functions (e.g., providing health care or insuring individuals for health-care costs) may be subject to the Privacy Rule's provisions as covered entities. For example, a local public health authority that operates a health clinic providing essential health-care services to low-income persons and performs certain electronic transactions might be defined under the Privacy Rule as a covered health-care provider and therefore a covered entity. Flow charts and interactive tools designed to help determine covered entity status are provided online by the Centers for Medicare and Medicaid Services, available at http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp.

The following are examples of public health authority functions that make them covered entities:

• Public health authorities as covered health-care providers. A public health authority that conducts health care as part of its activities is a covered health-care provider if it also performs electronic transactions covered by the HIPAA Transactions Rule as part of these activities. The fact that these activities are conducted in pursuit of a public health goal (e.g., vaccinating children or screening a targeted population for sexually transmitted diseases) does not preclude the public health authority from being a covered entity.

• Public health authorities as health plans. Under the Privacy Rule, a health plan is an individual or group plan that provides or pays the cost of medical care. This specifically includes government health plans (e.g., Medicare, Medicaid, or Veterans Health Administration). However, the Privacy Rule defines health plan to exclude government-funded programs whose principal activity is the direct provision of health care to persons or the making of grants to fund the direct provision of health care to persons [45 CFR § 160.103]. Examples include the Ryan White Comprehensive AIDS Resources Emergency Act. Although certain government programs that fund providers directly may not be health plans, government programs that reimburse providers or otherwise fund providers to perform direct health-care services should carefully analyze the details of their programs to determine if they are performing covered functions.

• Public health authorities as health-care clearinghouses. Although unlikely, a public health authority might be a health-care clearinghouse if it receives health information from another entity and translates that information from a nonstandard format into a standard transaction or standard data elements (or vice versa). Operators of community health information systems should carefully consider whether they meet the definition for a health-care clearinghouse.

• Public health agencies as hybrid entities. A public health agency that is a covered entity and has both covered and noncovered functions may become a hybrid entity by designating its health-care components. By designating itself as a hybrid entity, a public health authority can carve out its noncovered functions so that the majority of Privacy Rule provisions apply only to its health-care component, which is required to comply with the Privacy Rule requirements, including using and disclosing PHI only as authorized, meeting the administrative requirements, accounting for disclosure of PHI, and providing a notice of practices. However, such a designation does not preclude the public health authority from continuing to conduct authorized public health functions. A covered entity that is also a public health authority may use, as well as disclose, PHI for public health purposes to the same extent it would be permitted to disclose the PHI as a public health authority.

The Privacy Rule and Public Health Research

The topic of research under the Privacy Rule is covered in depth in the DHHS report Protecting Personal Health Information in Research — Understanding the HIPAA Privacy Rule (6). The Privacy Rule provides separate provisions for disclosure without individual authorization for public health purposes and for certain research [45 CFR § 164.512(b)] [45 CFR § 164.512(i)]. Other federal law pertaining to research stresses the importance of distinguishing between research and practice to ensure that human subjects are appropriately protected [45 CFR Part 46]. For certain activities, this distinction is not always clear. A full discussion of the distinctions between public health practice and research is beyond the scope of this document. However, CDC and others provide guidance in this area (7–9).

Research Versus Practice

The definition of research is the same for the Privacy Rule and the Common Rule (10) — systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Research is designed to test a hypothesis, permit conclusions to be drawn, and thereby to develop or contribute to generalizable knowledge. The majority of public health activities (e.g., public health surveillance and disease prevention and control projects) are based on scientific evidence and data collection or analytic methods similar to those used in research. However, they are not designed to contribute to generalizable knowledge. Their primary purpose is to protect the health of the population through such activities as disease surveillance, prevention, or control.

The Belmont Report (11) defines practice as interventions designed solely to enhance the well-being of a person, patient, or client and which have reasonable expectation of success. The report further states that the purpose of medical or behavioral practice is to provide diagnosis, preventive treatment, or therapy to particular patients. For public health agencies, the patient is the community. Public health practice activities (e.g., public health surveillance, disease control, or program evaluation) are undertaken with the intent to benefit a specific community, although occasionally they may provide unintended generalizable benefits to others.

Some public health activities that are initially public health practice may subsequently evolve into a research activity (e.g., an investigation to determine the cause of an outbreak that incorporates a research study evaluating the efficacy of a new drug to treat the illness). When that is the case, the disclosures may be made initially under the public health provisions of the Privacy Rule. But when the activity becomes an ongoing research activity, the entity should consider application of the relevant research disclosures provisions to continue to obtain information for this purpose. Moreover, there may be cases where the activity is both research and public health practice (e.g., an ongoing survey to monitor health conditions in the population, data from which can also be analyzed for research purposes). In those cases, disclosures may be made either under the research provisions or the public health provisions, as appropriate — the covered entity need not comply with both sets of requirements.

The Privacy Rule and Other Laws

• Federal laws. Covered entities subject to the Privacy Rule are also subject to other federal statutes and regulations. The specific relationship of the Privacy Rule and certain federal laws is discussed in the preamble to the December 2000 Final Rule [65 Fed. Reg. 82481]. In certain instances, the Privacy Rule imposes requirements in direct conflict with other federal laws or regulations. In those instances, an analysis will be necessary to determine whether the later provision was intended to overrule the prior law or regulation.

• State laws. As a federal regulatory standard, the Privacy Rule preempts only those contrary state laws relating to the privacy of individually identifiable health information that have less stringent requirements or standards than the Privacy Rule (i.e., more stringent laws remain in effect). In addition, DHHS may, upon specific request from a state or other entity or person, determine that a provision of state law that is contrary to the federal requirements and that meets certain additional criteria will not be preempted by the federal requirements. Thus, preemption of a contrary state law will not occur if the Secretary or designated DHHS official determines, in response to a request, that the state law 1) is necessary to prevent fraud and abuse related to the provision of or payment for health care; 2) is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation; 3) is necessary for state reporting on health-care delivery or costs; 4) is necessary to serve a compelling public health, safety, or welfare need and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or 5) has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances. The Privacy Rule specifically does not preempt contrary state public health laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention [45 CFR § 160.202].

Online Resources

References to non-DHHS sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

Federal Government Resources

DHHS Office for Civil Rights — HIPAA guidelines
http://www.hhs.gov/ocr/hipaa

CDC — Privacy Rule guidelines
http://www.cdc.gov/privacyrule

Centers for Medicare and Medicaid Services
http://www.cms.gov/hipaa
http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp

Health Resources and Services Administration — HIPAA
http://www.hrsa.gov/website.htm

National Center for Health Statistics
http://www.cdc.gov/nchs/otheract/phdsc/phdsc.htm

National Committee on Vital and Health Statistics
http://www.ncvhs.hhs.gov

National Health Information Infrastructure
http://www.health.gov/ncvhs-nhii

Indian Health Service — HIPAA
http://www.ihs.gov/AdminMngrResources/HIPAA/index.cfm

National Institutes of Health
http://privacyruleandresearch.nih.gov

Substance Abuse and Mental Health Services Administration — HIPAA
http://www.samhsa.gov/hipaa

State Government Resources

California
http://www.dhs.ca.gov/hipaa
http://www.ohi.ca.gov/state/calohi/ohiHome.jsp
http://www.dmh.ca.gov/hipaa

Colorado
http://www.cdphe.state.co.us/HIPAA

Florida
http://www.myflorida.com/myflorida/sto/hipaa

Illinois
http://www.state.il.us/dpa/hipaa.html

Kentucky
http://chs.state.ky.us/dms/HIPAA/default.htm
http://dmhmrs.chr.state.ky.us/hipaa.asp

Maryland
http://www.mhcc.state.md.us/edi/hipaa_hipaa.htm
http://dhmh.state.md.us/HIPAA

Minnesota
http://www.dhs.state.mn.us/hipaa

Missouri
http://www.health.state.mo.us/HIPAA

New York
http://www.oft.state.ny.us/hipaa/index.htm

North Carolina
http://dirm.state.nc.us/hipaa

Ohio
http://www.state.oh.us/hipaa

Pennsylvania
http://www.dpw.state.pa.us/omap/hipaa/omaphipaa.asp
http://www.insurance.state.pa.us/html/hipaa.html

South Carolina
http://www.hipaa.state.sc.us

Texas
http://www.hhsc.state.tx.us/NDIS/NDISTaskForce.html

Virginia
http://www.dmas.state.va.us/hpa-home.htm

Wisconsin
http://www.dhfs.state.wi.us/HIPAA


Associations, Nonprofit Organizations, and Academic Resources

American Hospital Association — HIPAA
http://www.hospitalconnect.com/aha/key_issues/hipaa/resources/resources.html

American Medical Association — HIPAA
http://www.ama-assn.org/ama/pub/category/4234.html

Association of State and Territorial Health Officials — HIPAA
http://www.astho.org/?template=hipaa.html

Georgetown University Health Privacy Project
http://www.healthprivacy.org

Joint Healthcare Information Technology Alliance
http://www.jhita.org

National Association of Health Data Organizations
http://www.nahdo.org

National Association of Insurance Commissioners
http://www.naic.org/1privacy/initiatives/health_privacy.htm

National Governors Association — HIPAA
http://www.nga.org/center/topics/1,1188,C_CENTER_ISSUE^D_4324,00.html

North Carolina Healthcare Information and Communications Alliance
http://www.nchica.org

Public Health Grand Rounds: HIPAA Privacy Rule, Enhancing or Harming Public Health?
http://www.publichealthgrandrounds.unc.edu

Stanford University Medical School — HIPAA
http://www.med.stanford.edu/HIPAA

Workgroup for Electronic Data Interchange — Strategic National Implementation Process
http://www.wedi.org/snip

Acknowledgments

This report was prepared by Salvatore Lucido, M.P.A., and Denise Koo, M.D., Office of the Associate Director for Science, Epidemiology Program Office, CDC, in collaboration with James G. Hodge, Jr., J.D., Center for Law and the Public's Health, Georgetown and Johns Hopkins Universities, Baltimore, Maryland. The preparers are grateful for the participation of Deborah Tress, J.D., Kenya Ford, J.D., and Heather Horton, J.D., Office of the General Counsel, Department of Health and Human Services, CDC/ATSDR Branch; the CDC Working Group on the Privacy Rule; and Beverly Dozier, J.D., Lance A. Gable, J.D., Lawrence O. Gostin, J.D., Gail Horlick, J.D., and Jennifer Kurle.

The preparers also thank the following partners for their valuable input: Association of State and Territorial Health Officers, Council of State and Territorial Epidemiologists, National Association of County and City Health Officials, National Association of Health Data Organizations, Association of Public Health Laboratories, and National Association for Public Health Statistics and Information Systems.

References

1. Gostin LO, Hodge JG Jr. Personal privacy and common goods: a framework. Minnesota Law Review 2002;86:1439–80.
2. Health Insurance Portability and Accountability Act of 1996. Pub. L. No. 104-191, 110 Stat. 1936 (1996).
3. Office for Civil Rights, Department of Health and Human Services. Title 45 of the Code of Federal Regulations, Parts 160 and 164. Available at http://www.dhhs.gov/ocr/combinedregtext.pdf.
4. Office for Civil Rights. OCR guidance explaining significant aspects of the Privacy Rule, 2002. Department of Health and Human Services. Available at http://www.hhs.gov/ocr/hipaa.
5. Gostin LO, Hodge JG Jr, Privacy Law Advisory Committee. Model state public health information privacy act, 1999. Available at http://www.publichealthlaw.net/Resources/ResourcesPDFs/modelprivact.pdf.
6. Department of Health and Human Services. Protecting personal health information in research — understanding the HIPAA Privacy Rule. Department of Health and Human Services, Washington, DC, 2003 (in press).
7. Snider DE, Stroup DF. Defining research when it comes to public health. Public Health Rep 1997;112:29–32.
8. CDC. Guidelines for defining public health research and public health nonresearch. Available at http://www.cdc.gov/od/ads/opspoll1.htm.
9. Amoroso PJ, Middaugh JP. Research vs public health practice: when does a study require IRB review? Prev Med 2003;36:250–3.
10. Office for Protection from Research Risks, National Institutes of Health, Department of Health and Human Services. Public welfare: protection of human subjects, 2001 [45 CFR 46]. Available at http://ohrp.osophs.dhhs.gov/humansubjects/guidance/45cfr46.htm.
11. National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. Belmont report: ethical principles and guidelines for the protection of human subjects of research. Department of Health, Education, and Welfare. Available at http://www.med.umich.edu/irbmed/ethics/belmont/BELMONTR.HTM.

Appendix A
Selected Privacy Rule Concepts and Definitions

The following concepts and definitions are adapted from the regulatory language. For further information, see the citations to the Privacy Rule.

Accounting. An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures (a) to carry out treatment, payment, and health care operations [45 CFR § 164.506]; (b) to individuals of protected health information about them [45 CFR § 164.502]; (c) incident to a use or disclosure otherwise permitted or required by this subpart, as provided in 45 CFR § 164.502; (d) pursuant to an authorization as provided in 45 CFR § 164.508; (e) for the facility's directory or to persons involved in the individual's care or other notification purposes as provided in 45 CFR § 164.510; (f) for national security or intelligence purposes as provided in 45 CFR § 164.512(k)(2); (g) to correctional institutions or law enforcement officials as provided in 45 CFR § 164.512(k)(5); or (h) as part of a limited data set in accordance with 45 CFR § 164.514(e); or (i) that occurred prior to the compliance date for the covered entity… Such an accounting must meet the following requirements: (1) except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity; (2) except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: the date of the disclosure; the name of the entity or person who received the protected health information and, if known, the address of such entity or person; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such a statement, a copy of the individual's written authorization pursuant to 45 CFR § 164.508 or a copy of a written request for a disclosure under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, if any.

If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, the accounting may, with respect to such multiple disclosures, provide the information required by paragraph (b)(2) of 45 CFR § 164.528 for the first disclosure during the accounting period; the frequency, periodicity, or number of the disclosures made during the accounting period; and the date of the last such disclosure during the accounting period [45 CFR § 164.528].

Modified accounting procedures are also provided for covered entities making research disclosures involving >50 persons [45 CFR § 164.528(b)(4)].

Business associate. A person who, on behalf of a covered entity or of an organized health care arrangement [45 CFR § 154.501] in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or any other function or activity regulated by this subchapter; or provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation [45 CFR § 164.501], management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health-care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the individual [45 CFR § 160.103].

Covered entity. 1) a health plan; 2) a health-care clearinghouse; 3) a health-care provider who transmits any health information in electronic form in connection with a transaction [45 CFR § 160.103].

Covered functions. Those functions of a covered entity the performance of which makes the entity a health plan, health-care provider, or health-care clearinghouse [45 CFR § 164.103].

Data aggregation. With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health-care operations of the respective covered entities [45 CFR § 164.501].

De-identified health information. Health information that does not identify an individual and with respect to which no reasonable basis exists to believe that the information can be used to identify an individual is not individually identifiable information [45 CFR § 164.514(a)].

Disclosure. The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information [45 CFR § 160.103].

Electronic media. 1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or 2) transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission [45 CFR § 160.103].

Health care. Care, services, or supplies related to the health of an individual. It includes, but is not limited to: 1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body; and 2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription [45 CFR § 160.103].

Health-care clearinghouse. A public or private entity, including a billing service, repricing company, community health management information system, community health information system, or value-added network or switch, that 1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or 2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity [45 CFR § 160.103].

Health-care operations. Any of the following activities of the covered entity to the extent that the activities are related to covered functions: 1) conducting quality assessment and improvement activities, population-based activities, and related functions that do not include treatment; 2) reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance, conducting training programs where students learn to practice or improve their skills as health-care providers, training of nonhealth-care professionals, accreditation, certification, licensing, or credentialing activities; 3) underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or benefits; 4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and 6) business management and general administrative activities of the entity [45 CFR § 164.501].

Health-care provider. A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health-care services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other individual or organization that furnishes, bills, or is paid for health care in the normal course of business [45 CFR § 160.103].

Health information. Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health-care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual [45 CFR § 160.103].

Health plan. An individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). Health plan includes the following, singly or in combination: (i) a group health plan, as defined in 45 CFR § 160.103 of the Privacy Rule; (ii) a health insurance issuer, as defined in 45 CFR § 160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 CFR § 160.103 of the Privacy Rule; (iv) Part A or B of the Medicare program under title XVIII of the Act; (v) the Medicaid program under title XIX of the Act, 42 U.S.C. 1396 et seq.; (vi) an issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)); (vii) an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy; (viii) an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers; (ix) the health care program for active military personnel under title 10 U.S.C.; (x) the veterans health-care program under 38 U.S.C. Ch. 17; (xi) the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)); (xii) the Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601 et seq.; (xiii) the Federal Employees Health Benefits Program under 5 U.S.C. 8902 et seq.; (xiv) an approved state child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397 et seq.; (xv) the Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28; (xvi) a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals; (xvii) any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). [45 CFR § 160.103]

The term health plan excludes (i) any policy, plan, or program to the extent that it provides or pays for the cost of excepted benefits that are listed in § 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and (ii) a government-funded program, other than the one listed in items (i)-(xvi) above, whose principal purpose is other than providing or paying the cost of health care, or whose principal activity is 1) the direct provision of health care to individuals or 2) the making of grants to fund the direct provision of health care to individuals. [45 CFR § 160.103]

Hybrid entity. A single legal entity 1) that is a covered entity; 2) whose business activities include both covered and noncovered functions; and 3) that designates its health-care components. [45 CFR § 164.103]

Individually identifiable health information. A subset of health information, including demographic information collected from an individual, and 1) is created or received by a health-care provider, health plan, employer, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual, or where there is a reasonable basis to believe the information can be used to identify the individual. [45 CFR § 164.501]

Limited data set. Protected health information that excludes certain direct identifiers of the individual or of relatives, employers, or household members of the individual. Direct identifiers to be excluded can be found in 45 CFR § 164.514(e)(2).

Minimum necessary. For any type of disclosure that a covered entity makes on a routine and recurring basis, the covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. For all other disclosures, covered entities must develop and implement criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought, and review requests for disclosure on an individual basis in accordance with such criteria. A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when (a) making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose; (b) the information is requested by another covered entity; (c) the information is requested by their business associates providing personal services; or (d) documentation or representations that comply with the applicable requirements of 45 CFR § 164.512(i) have been provided by an individual requesting the information for research purposes. [45 CFR § 164.514(d)(3)]

The minimum necessary standard also applies to uses of protected health information [45 CFR § 164.514(d)(2)] and requests for protected health information [45 CFR § 164.514(d)(4)].

Notice. An individual, with certain exceptions, has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. The notice must be written in plain language and contain the following elements: (i) a header as specified in the rule; (ii) a description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and health care operations, and a description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written consent or authorization. If a use or disclosure is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law (as defined in 45 CFR § 160.202). Each description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule or other applicable law, and a statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by 45 CFR § 164.508(b)(5).


A separate statement must be included in the notice if a covered entity intends to engage in any of the following activities. The statement should explain that 1) the covered entity may contact the individual to provide appointment reminders or information regarding treatment alternatives or other health-related benefits; 2) the covered entity may contact the individual to raise funds for the covered entity; or 3) a group health plan, health insurer, or HMO with respect to a group health plan may disclose protected health information to the sponsor of the plan.

The notice must contain a statement of the individual's rights with respect to the protected health information and a brief description of how the individual may exercise these rights; a statement of the covered entity's duties; a statement that individuals may complain to the covered entity or the Secretary if they believe their privacy rights have been violated; contact information; and the effective date of the notice. [45 CFR § 164.520]

Payment. 1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or (ii) a health-care provider or health plan to obtain or provide reimbursement for the provision of health care; and 2) the activities relate to the individual to whom health care is provided and include, but are not limited to, (i) determinations of eligibility or coverage, and adjudication or subrogation of health benefit claims; (ii) risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance), and related health-care data processing; (iv) review of health-care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: (a) name and address; (b) date of birth; (c) social security number; (d) payment history; (e) account number; and (f) name and address of the health-care provider or health plan. [45 CFR § 164.501]

Protected health information (PHI). Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in (i) education records covered by the Family Education Rights and Privacy Act (20 U.S.C. 1232g); (ii) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a covered entity in its role as employer. [45 CFR § 160.103]

Public health authority. An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or an individual or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or individuals or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate. [45 CFR § 164.501]

Examples of public health authorities include state and local health departments, CDC, National Institutes of Health (NIH), Food and Drug Administration (FDA), and Occupational Safety and Health Administration (OSHA).

Required by law. A mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. This term includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health-care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits. [45 CFR § 164.103]

Research. A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. [45 CFR § 164.501]

Statistical de-identification. A properly qualified statistician, using accepted analytical techniques, concludes that the risk is limited that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information. [45 CFR § 164.514(b)]

Safe harbor method. A covered entity or its agent removes a comprehensive set of identifiers enumerated in the Privacy Rule, which includes, but is not limited to, names, geographic subdivisions smaller than states, dates more specific than years, contact information, identification numbers, and photographic images, and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual who is a subject of the information or the individual's relatives, employers, or household members. Eighteen specific identifiers will need to be removed to achieve de-identification. [45 CFR § 164.514(b)]
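The safe harbor method described above, worked through as an added example that is not part of the MMWR report and not a CDC or DHHS tool: a Python routine that applies the identifier categories the glossary names (names, geographic subdivisions smaller than a state, dates more specific than a year, contact information, identification numbers, photographic images) to a constructed patient record, then scans the surviving free-text fields for residual identifier patterns and refuses to release the record if any are found. The field names, the sample record, and the regular expressions are assumptions chosen for illustration; the Privacy Rule's complete list of 18 identifiers and the "no actual knowledge" condition are matters of policy review that this code does not encode.

```python
"""Safe-harbor-style de-identification of a constructed record (added example).

Assumed schema: each key below is mapped to one of the identifier categories
named in the MMWR glossary. Real records need a field-by-field review against
the Privacy Rule's full enumeration of 18 identifiers.
"""
import re
from datetime import date

# Fields removed outright, with the glossary category each one falls under.
DIRECT_IDENTIFIER_FIELDS = {
    "name": "names",
    "street": "geographic subdivision smaller than a state",
    "city": "geographic subdivision smaller than a state",
    "zip": "geographic subdivision smaller than a state",
    "phone": "contact information",
    "email": "contact information",
    "ssn": "identification number",
    "mrn": "identification number",
    "photo": "photographic image",
}

# Date fields are generalized to the year instead of dropped.
DATE_FIELDS = ("dob", "admit_date", "discharge_date")

# Patterns that indicate an identifier survived inside free text (assumed).
RESIDUAL_PATTERNS = {
    "ssn-like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone-like": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "full-date-like": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "email-like": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "12 Example Street",
    "city": "Springfield",
    "state": "GA",
    "zip": "30333",
    "dob": "1961-07-04",
    "admit_date": "2003-03-20",
    "phone": "404-555-0100",
    "email": "jane@example.org",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "photo": b"\x89PNG...",
    "diagnosis": "influenza-like illness",
    "notes": "Symptom onset approx 3 days before admission",
}


def year_only(value: str) -> str:
    """Reduce an ISO-8601 date to its year; rejects malformed input."""
    return str(date.fromisoformat(value).year)


def deidentify(record: dict) -> dict:
    """Drop direct-identifier fields and generalize dates to the year."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[key] = year_only(value)
            continue
        out[key] = value
    return out


def residual_findings(record: dict) -> list:
    """Report (field, pattern) pairs where free text still looks identifying."""
    findings = []
    for key, value in record.items():
        if not isinstance(value, str):
            continue
        for label, pattern in RESIDUAL_PATTERNS.items():
            if pattern.search(value):
                findings.append((key, label))
    return findings


def safe_harbor(record: dict) -> dict:
    """De-identify, then refuse release if residual identifiers remain."""
    out = deidentify(record)
    findings = residual_findings(out)
    if findings:
        raise ValueError(f"residual identifiers remain: {findings}")
    return out


if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD))
```

The two-stage shape matters in practice: field-level removal handles the structured identifiers the glossary enumerates, while the residual scan catches the common failure mode of identifiers copied into narrative fields, which would otherwise leave a record that looks de-identified but is not.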

Transaction. The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions that the Secretary may prescribe by regulation. [45 CFR § 164.103]

Treatment. The provision, coordination, or management of health care and related services by one or more health-care providers, including the coordination or management of health care by a health-care provider with a third party; consultation between health-care providers relating to a patient; or the referral of a patient for health care from one health-care provider to another. [45 CFR § 164.501]

Use. With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. [45 CFR § 160.103]


Appendix B. Sample Text That Can Be Used To Clarify Public Health Issues Under the Privacy Rule

Following are sample letters that can be used to help clarify Privacy Rule issues among covered entities and public health authorities (e.g., CDC, National Institutes of Health, Food and Drug Administration, Substance Abuse and Mental Health Services Administration, Health Resources and Services Administration, state and local health departments). Public health authorities can use these letters as templates by inserting names of the appropriate individuals, projects, agreements, laws, activity types, covered entities, public health authorities, and authorized agencies.

From a public health authority to a covered entity, clarifying rules regarding disclosure

To Whom it May Concern:

[Public health authority] is an agency of [parent authority] and is conducting the activity described here in its capacity as a public health authority, as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities such as your organization may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..."

[Public health authority] is conducting [project], a public health activity as described by 45 CFR § 164.512(b), and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule.

If you have questions or concerns, please contact [project leader].

From a public health authority to an authorized agency, providing grant of authority

Dear [authorized agency]:

This letter serves as verification of a grant of authority from [public health authority] for you to conduct the public health activities described here, acting as a public health authority pursuant to the Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act (HIPAA) [45 CFR Parts 160 and 164]. Under this rule, covered entities may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of a public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..."

[Authorized agency] is acting under [contract, grant, cooperative agreement] with [public health authority] to conduct [project], which is authorized by [law or regulation]. [Public health authority] grants this authority to [authorized agency] for purposes of this project. Further, [public health authority] considers this to be [activity type], for which disclosure of protected health information by covered entities is authorized by 45 CFR § 164.512(b) of the Privacy Rule.

From a public health authority to a covered entity, confirming grant of authority to an authorized agency

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities may disclose protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..." [45 CFR § 164.501]. [Authorized agency] is acting under [contract, grant, or cooperative agreement] with [public health authority] to carry out [project]. Through this grant of authority, [authorized agency] may function as a public health authority under the Privacy Rule for purposes of this project.

[Project] is a public health activity as described by 45 CFR § 164.512(b), referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities "... may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purposes when making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s)."

If you have questions or concerns, please contact [project leader for authorized agency; public health authority contact].

All MMWR references are available on the Internet at http://www.cdc.gov/mmwr. Use the search function to find specific articles.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

MMWR

The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) and is available free of charge in electronic format and on a paid subscription basis for paper copy. To receive an electronic copy each week, send an e-mail message to listserv@listserv.cdc.gov. The body content should read SUBscribe mmwr-toc. Electronic copy also is available from CDC's Internet server at http://www.cdc.gov/mmwr or from CDC's file transfer protocol server at ftp://ftp.cdc.gov/pub/publications/mmwr. To subscribe for paper copy, contact Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone 202-512-1800.

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

U.S. Government Printing Office: 2003-533-15569108 Region IV


The material in this report originated in the Epidemiology Program Office, Stephen B. Thacker, M.D., M.Sc., Director.

Prepared by CDC staff in consultation with the Office of the General Counsel, the Office for Civil Rights, other offices and agencies within the U.S. Department of Health and Human Services, Washington, DC, and health privacy specialists.

HIPAA Privacy Rule and Public Health
Guidance from CDC and the U.S. Department of Health and Human Services

Summary

New national health information privacy standards have been issued by the U.S. Department of Health and Human Services (DHHS), pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The new regulations provide protection for the privacy of certain individually identifiable health data, referred to as protected health information (PHI). Balancing the protection of individual health information with the need to protect public health, the Privacy Rule expressly permits disclosures without individual authorization to public health authorities authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to public health surveillance, investigation, and intervention.

Public health practice often requires the acquisition, use, and exchange of PHI to perform public health activities (e.g., public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, direct health services, and public health research). Such information enables public health authorities to implement mandated activities (e.g., identifying, monitoring, and responding to death, disease, and disability among populations) and accomplish public health objectives. Public health authorities have a long history of respecting the confidentiality of PHI, and the majority of states, as well as the federal government, have laws that govern the use of, and serve to protect, identifiable information collected by public health authorities.

The purpose of this report is to help public health agencies and others understand and interpret their responsibilities under the Privacy Rule. Elsewhere, comprehensive DHHS guidance is located at the HIPAA website of the Office for Civil Rights (http://www.hhs.gov/ocr/hipaa).

Introduction

The shift of medical records from paper to electronic formats has increased the potential for individuals to access, use, and disclose sensitive personal health data. Although protecting individual privacy is a long-standing tradition among health-care providers and public health practitioners in the United States, previous legal protections at the federal, tribal, state, and local levels were inconsistent and inadequate. A patchwork of laws provided narrow privacy protections for selected health data and certain keepers of that data (1).

The U.S. Department of Health and Human Services (DHHS) has addressed these concerns with new privacy standards that set a national minimum of basic protections while balancing individual needs with those of society. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was adopted to ensure health insurance coverage after leaving an employer and also to provide standards for facilitating health-care–related electronic transactions. To improve the efficiency and effectiveness of the health-care system, HIPAA included administrative simplification provisions that required DHHS to adopt national standards for electronic health-care transactions (2). At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated adoption of federal privacy protections for certain individually identifiable health information.

The HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) (3) provides the first national standards for protecting the privacy of health information. The Privacy Rule regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI). PHI is individually identifiable health information that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral), but excludes certain educational records and employment records. Among other provisions, the Privacy Rule

• gives patients more control over their health information;
• sets boundaries on the use and release of health records;
• establishes appropriate safeguards that the majority of health-care providers and others must achieve to protect the privacy of health information;
• holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients' privacy rights;
• strikes a balance when public health responsibilities support disclosure of certain forms of data;
• enables patients to make informed choices based on how individual health information may be used;
• enables patients to find out how their information may be used and what disclosures of their information have been made;
• generally limits release of information to the minimum reasonably needed for the purpose of the disclosure;
• generally gives patients the right to obtain a copy of their own health records and request corrections; and
• empowers individuals to control certain uses and disclosures of their health information.

The deadline to comply with the Privacy Rule is April 14, 2003, for the majority of the three types of covered entities specified by the rule [45 CFR § 160.102]. The covered entities are

• health plans;
• health-care clearinghouses; and
• health-care providers who transmit health information in electronic form in connection with certain transactions.

At DHHS, the Office for Civil Rights (OCR) has oversight and enforcement responsibilities for the Privacy Rule. Comprehensive guidance and OCR answers to hundreds of questions are available at http://www.hhs.gov/ocr/hipaa (4).

Impact on Public Health

Public health practice and research, including such traditional public health activities as program operations, public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, direct health services, and public health research, use PHI to identify, monitor, and respond to disease, death, and disability among populations. Public health authorities have a long history of protecting and preserving the confidentiality of individually identifiable health information. They also recognize the importance of protecting individual privacy and respecting individual dignity to maintaining the quality and integrity of health data. CDC and others have worked to consistently strengthen federal and state public health information privacy practices and legal protections (5).

DHHS recognized the importance of sharing PHI to accomplish essential public health objectives and to meet certain other societal needs (e.g., administration of justice and law enforcement). Therefore, the Privacy Rule expressly permits PHI to be shared for specified public health purposes.

For example, covered entities may disclose PHI, without individual authorization, to a public health authority legally authorized to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability [45 CFR § 164.512(b)] (Box 1). Further, the Privacy Rule permits covered entities to make disclosures that are required by other laws, including laws that require disclosures for public health purposes.

Thus, the Privacy Rule provides for the continued functioning of the U.S. public health system. Covered entities should become fully aware of the scope of permissible disclosures for public health activities, as well as state and local reporting laws and regulations. Moreover, a public health authority may also be a covered entity. For example, a public health agency that operates a health clinic providing essential health-care services and performing covered transactions electronically is a covered entity.

BOX 1. Protected health information (PHI) disclosures by covered entities for public health activities requiring no authorization under the Privacy Rule

Without individual authorization, a covered entity may disclose PHI to a public health authority* that is legally authorized to collect or receive the information for the purposes of preventing or controlling disease, injury, or disability, including, but not limited to,

• reporting of disease, injury, and vital events (e.g., birth or death); and
• conducting public health surveillance, investigations, and interventions.

PHI may also be disclosed without individual authorization to

• report child abuse or neglect to a public health or other government authority legally authorized to receive such reports;
• a person subject to jurisdiction of the Food and Drug Administration (FDA) concerning the quality, safety, or effectiveness of an FDA-related product or activity for which that person has responsibility;
• a person who may have been exposed to a communicable disease or may be at risk for contracting or spreading a disease or condition, when legally authorized to notify the person as necessary to conduct a public health intervention or investigation; and
• an individual's employer, under certain circumstances and conditions, as needed for the employer to meet the requirements of the Occupational Safety and Health Administration, Mine Safety and Health Administration, or a similar state law.

Source: Adapted from [45 CFR § 164.512(b)].
* Or to an entity working under a grant of authority from a public health authority, or, when directed by a public health authority, to a foreign government agency that is acting in collaboration with a public health authority.

This report provides guidance to public health authorities and their authorized agents, researchers, and health-care providers in interpreting the Privacy Rule as it affects public health. CDC recommends that public health authorities share the information in this report with covered health-care providers and other covered entities and work closely with those entities to ensure implementation of the rule consistent with its intent: to protect privacy while permitting authorized public health activities to continue.

Overview of the Privacy Rule

Who Is Covered

The authority of DHHS to issue health-information privacy regulations was limited by Congress in HIPAA to a defined set of covered entities. More complete definitions of these and other terms are located elsewhere in this report (Appendix A). Covered entities are as follows:

• Health plans. An individual or group plan that provides or pays the cost of medical care that includes the diagnosis, cure, mitigation, treatment, or prevention of disease. Health plans include private entities (e.g., health insurers and managed care organizations) and government organizations (e.g., Medicaid, Medicare, and the Veterans Health Administration).

• Health-care clearinghouses. A public or private entity, including a billing service, repricing company, or community health information system, that processes nonstandard data or transactions received from another entity into standard transactions or data elements, or vice versa.

• Health-care providers. A provider of health-care services and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business. Health-care providers (e.g., physicians, hospitals, and clinics) are covered entities if they transmit health information in electronic form in connection with a transaction for which a HIPAA standard has been adopted by DHHS.

The Privacy Rule also establishes requirements for covered entities with regard to their nonemployee business associates (e.g., lawyers, accountants, billing companies, and other contractors) whose relationship with covered entities requires sharing of PHI. The Privacy Rule allows a covered provider or health plan to disclose PHI to a business associate if satisfactory written assurance is obtained that the business associate will use the information only for the purposes for which it was engaged, will safeguard the information from misuse, and will help the covered entity comply with certain of its duties under the Privacy Rule.

The Privacy Rule does not apply to all persons or entities that regularly use, disclose, or store individually identifiable health information. For example, the Privacy Rule does not cover employers, certain insurers (e.g., auto, life, and worker compensation), or those public agencies that deliver social security or welfare benefits, when functioning solely in these capacities.

Types of Health Information

Protected Health Information

The Privacy Rule protects certain information that covered entities use and disclose. This information is called protected health information (PHI), which is generally individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to 1) the past, present, or future physical or mental health or condition of an individual; 2) provision of health care to an individual; or 3) payment for the provision of health care to an individual. If the information identifies, or provides a reasonable basis to believe it can be used to identify, an individual, it is considered individually identifiable health information.

De-Identified Information

De-identified data (e.g., aggregate statistical data or data stripped of individual identifiers) require no individual privacy protections and are not covered by the Privacy Rule. De-identifying can be conducted through

• statistical de-identification: a properly qualified statistician, using accepted analytic techniques, concludes the risk is substantially limited that the information might be used, alone or in combination with other reasonably available information, to identify the subject of the information [45 CFR § 164.514(b)]; or the

• safe-harbor method: a covered entity or its business associate de-identifies information by removing 18 identifiers (Box 2), and the covered entity does not have actual knowledge that the remaining information can be used, alone or in combination with other data, to identify the subject [45 CFR § 164.514(b)].

In certain instances, working with de-identified data may have limited value to clinical research and other activities. When that is the case, a limited data set may be useful.

BOX 2. Individual identifiers under the Privacy Rule

The following 18 identifiers of a person, or of relatives, employers, or household members of a person, must be removed, and the covered entity must not have actual knowledge that the information could be used alone or in combination with other information to identify the individual, for the information to be considered de-identified and not protected health information (PHI):

• names;

• all geographic subdivisions smaller than a state, including county, city, street address, precinct, zip code,* and their equivalent geocodes;

• all elements of dates (except year) directly related to an individual; all ages >89 and all elements of dates (including year) indicative of such age (except for an aggregate into a single category of age >90);

• telephone numbers;

• fax numbers;

• electronic mail addresses;

• Social Security numbers;

• medical record numbers;

• health-plan beneficiary numbers;

• account numbers;

• certificate and license numbers;

• vehicle identifiers and serial numbers, including license plate numbers;

• medical device identifiers and serial numbers;

• Internet universal resource locators (URLs);

• Internet protocol (IP) addresses;

• biometric identifiers, including fingerprints and voice prints;

• full-face photographic images and any comparable images; and

• any other unique identifying number, characteristic, or code, except that covered entities may, under certain circumstances, assign a code or other means of record identification that allows de-identified information to be re-identified.

Source: Adapted from [45 CFR § 164.514(b)(2)(i)].
* The first three digits of a zip code are excluded from the PHI list if the geographic unit formed by combining all zip codes with the same first three digits contains >20,000 persons.

BOX 3. Use of limited data sets under the Privacy Rule

The following protected health information (PHI) can be included without authorization in a limited data set for public health, research, or health-care operations:

• town or city, state, and zip code; and

• elements of dates related to a person (e.g., years, birth dates, admission dates, discharge dates, and dates of death).

To disclose a limited data set, a covered entity must enter into a data-use agreement with the recipient, which agrees to use or disclose the PHI for limited purposes. Disclosure of a limited data set is not subject to the accounting requirement but must meet the minimum necessary standards of the Privacy Rule.
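As an added illustration (not code from the report), the following Python applies the safe-harbor rules of Box 2 to a constructed patient record and, for contrast, derives the limited data set of Box 3 from the same record. The field names, the zip-prefix population table, the compliance-style reference date and the patient records are all assumptions constructed for this example.

```python
"""Safe-harbor de-identification (Box 2) vs. limited data set (Box 3).

Added example, not part of the MMWR report. The record layout, field names,
population table and patient records are constructed for illustration.
"""
from datetime import date

# Population of the area covered by each 3-digit zip prefix. Constructed
# placeholder values; a real implementation would load Census figures.
ZIP3_POPULATION = {"021": 1_200_000, "036": 12_000}

# Record fields holding the directly identifying items of Box 2 (hypothetical
# field names). Dates, ages and geography are handled separately below.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "county", "precinct", "geocode", "phone", "fax",
    "email", "ssn", "mrn", "beneficiary_id", "account_no", "license_no",
    "vehicle_id", "device_serial", "url", "ip", "biometric", "photo",
    "other_unique_id",
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
LIMITED_SET_GEOGRAPHY = {"city", "state", "zip"}

# Reference date used to compute ages (constructed).
REFERENCE_DATE = date(2003, 5, 6)


def age_on(birth: date, on: date) -> int:
    """Whole years between two dates (age on a reference date)."""
    years = on.year - birth.year
    if (on.month, on.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor(record: dict, reference: date) -> dict:
    """Return a copy of `record` reduced per the safe-harbor method.

    - Direct identifiers removed.
    - Geography: state kept; zip reduced to its first three digits only when
      that prefix area holds >20,000 persons, otherwise dropped entirely.
    - Ages >89 collapsed to the single category "90+".
    - Dates reduced to the year; birth year dropped if it would reveal age >89.
    """
    out = {k: v for k, v in record.items()
           if k not in DIRECT_IDENTIFIERS and k not in DATE_FIELDS
           and k not in LIMITED_SET_GEOGRAPHY and k != "age"}
    if "state" in record:
        out["state"] = record["state"]
    zip_code = record.get("zip")
    if zip_code:
        prefix = zip_code[:3]
        out["zip3"] = prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else None
    age = record.get("age")
    if record.get("birth_date"):
        age = age_on(record["birth_date"], reference)
    over_89 = age is not None and age > 89
    out["age"] = "90+" if over_89 else age
    for field in DATE_FIELDS:
        d = record.get(field)
        if d is not None:
            out[field + "_year"] = None if (over_89 and field == "birth_date") else d.year
    return out


def limited_data_set(record: dict) -> dict:
    """Strip direct identifiers but keep town/city, state, zip and full dates.

    Conservative choice: every field in DIRECT_IDENTIFIERS is removed.
    Disclosure of the result still requires a data-use agreement (Box 3).
    """
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


# Constructed, fictitious patient records.
ELDERLY_PATIENT = {
    "name": "Jane Example", "street_address": "1 Main St", "city": "Boston",
    "state": "MA", "zip": "02115", "phone": "555-0100", "mrn": "MRN-0001",
    "birth_date": date(1912, 3, 4), "admission_date": date(2003, 5, 6),
    "diagnosis": "measles",
}
RURAL_PATIENT = {
    "name": "John Example", "city": "Smalltown", "state": "NH", "zip": "03601",
    "ssn": "000-00-0000", "birth_date": date(1970, 12, 25),
    "admission_date": date(2003, 5, 20), "diagnosis": "measles",
}

if __name__ == "__main__":
    print(safe_harbor(ELDERLY_PATIENT, REFERENCE_DATE))
    print(limited_data_set(RURAL_PATIENT))
```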

Limited Data Sets

Health information in a limited data set is not directly identifiable but may contain more identifiers than de-identified data that has been stripped of the 18 identifiers [45 CFR § 164.514] (Box 3). A data-use agreement must establish who is permitted to use or receive the limited data set and provide that the recipient will

• not use or disclose the information other than as permitted by the agreement or as otherwise required by law;

• use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the data-use agreement;

• report to the covered entity any use or disclosure of the information in violation of the agreement of which it becomes aware;

• ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and

• not attempt to re-identify the information or contact the individual.

What is Required

For covered entities using or disclosing PHI, the Privacy Rule establishes a range of health-information privacy requirements and standards that attempt to balance individual privacy interests with the community need to use such data [45 CFR § 164.504]. Among its provisions, the Privacy Rule requires covered entities to

• notify individuals regarding their privacy rights and how their PHI is used or disclosed;

• adopt and implement internal privacy policies and procedures;

• train employees to understand these privacy policies and procedures, as appropriate for their functions within the covered entity;

• designate individuals who are responsible for implementing privacy policies and procedures and who will receive privacy-related complaints;

• establish privacy requirements in contracts with business associates that perform covered functions;

• have in place appropriate administrative, technical, and physical safeguards to protect the privacy of health information; and

• meet obligations with respect to health consumers exercising their rights under the Privacy Rule.

Individuals are vested with the following rights:

• Receive access to PHI. Individual rights include inspection of records and the provision of copies of PHI about the individual in a designated record set, for as long as the PHI is maintained in the designated record set, except for psychotherapy notes, information compiled for use in civil, criminal, or administrative actions, and PHI maintained by a covered entity subject to the Clinical Laboratory Improvement Amendments of 1988 [42 CFR § 263(a)]. In the majority of cases, covered entities must accommodate a request or provide a process of denial subject to review [45 CFR § 164.524].

• Request amendments to PHI. Individuals can request that covered entities amend PHI about the individual in a designated record set for as long as the PHI is maintained in a designated record set. If the covered entity agrees to the amendment, it must 1) identify the records affected; 2) append or provide a link to the amendment; 3) inform the individual the amendment has been made; and 4) work with other covered entities or business associates who possess or receive the data to make the amendments [45 CFR § 164.526]. If the covered entity denies this request, the Privacy Rule provides a process for contesting the denial [45 CFR § 164.526].

• Receive adequate notice. With limited exceptions, individuals have the right to receive a notice of the uses and disclosures the covered entity will make of their PHI, their rights under the Privacy Rule, and the covered entity's obligations with respect to that information. In certain cases, notice may be provided electronically. The notice must be in plain language (e.g., "your health information may be shared with public health authorities for public health purposes ...") and posted where it is likely to be seen by patients [45 CFR § 164.520].

• Receive an accounting of disclosures. Upon request, covered entities are required to provide individuals with an accounting for certain types of disclosures of PHI, although the rule contains certain exceptions, including disclosures with individual authorization, disclosures related to providers' treatment, payment, and health-care operations (TPO), and other exceptions. A typical accounting includes the name of the person or entity who received the information, the date of the disclosure, a brief description of the information disclosed, and a brief explanation of the reasons for disclosure or a copy of the request [45 CFR § 164.528]. However, requirements for accounting of public health disclosures may vary (see Accounting for Public Health Disclosures).

• Request restrictions. Individuals have the right to request a restriction on certain uses or disclosures of their PHI; however, the covered entity is not obligated to agree to such a request. If the covered entity does agree to a restriction, it must generally abide by the agreement, except for emergency treatment situations. But such an agreement is not effective to prevent certain permitted uses or disclosures [45 CFR § 164.512].

Required PHI Disclosures

A covered entity is required by the Privacy Rule to disclose PHI in only two instances: 1) when an individual has a right to access an accounting of his or her PHI (see previous paragraph), and 2) when DHHS needs PHI to determine compliance with the Privacy Rule [45 CFR § 164.502(a)(2)]. Certain other uses and disclosures of PHI may be permitted without authorization but are not required by the Privacy Rule. However, other federal, tribal, state, or local laws may compel disclosure.

Permitted PHI Disclosures Without Authorization

The Privacy Rule permits a covered entity to use and disclose PHI, with certain limits and protections, for TPO activities [45 CFR § 164.506]. Certain other permitted uses and disclosures for which authorization is not required follow. Additional requirements and conditions apply to these disclosures. The Privacy Rule text and OCR guidance should be consulted for a full understanding of the following:

• Required by law. Disclosures of PHI are permitted when required by other laws, whether federal, tribal, state, or local.

• Public health. PHI can be disclosed to public health authorities and their authorized agents for public health purposes, including but not limited to public health surveillance, investigations, and interventions.

• Health research. A covered entity can use or disclose PHI for research without authorization under certain conditions, including 1) if it obtains documentation of a waiver from an institutional review board (IRB) or a privacy board, according to a series of considerations; 2) for activities preparatory to research; and 3) for research on a decedent's information.

• Abuse, neglect, or domestic violence. PHI may be disclosed to report abuse, neglect, or domestic violence under specified circumstances.

• Law enforcement. Covered entities may, under specified conditions, disclose PHI to law enforcement officials pursuant to a court order, subpoena, or other legal order; to help identify and locate a suspect, fugitive, or missing person; to provide information related to a victim of a crime or a death that may have resulted from a crime; or to report a crime.

• Judicial and administrative proceedings. A covered entity may disclose PHI in the course of a judicial or administrative proceeding under specified circumstances.

• Cadaveric organ, eye, or tissue donation purposes. Organ-procurement agencies may use PHI for the purposes of facilitating transplant.

• Oversight. Covered entities may usually disclose PHI to a health oversight agency for oversight activities authorized by law.

• Workers' compensation. The Privacy Rule permits disclosure of work-related health information as authorized by, and to the extent necessary to comply with, workers' compensation programs.

Other Authorized Disclosures

A valid authorization is required for any use or disclosure of PHI that is not required or otherwise permitted without authorization by the Privacy Rule. In general, these authorizations must

• specifically identify the PHI to be used or disclosed;

• provide the names of persons or organizations, or classes of persons or organizations, who will receive, use, or disclose the PHI;

• state the purpose for each request;

• notify individuals of their right to refuse to sign the authorization without negative consequences to treatment, payment, or health plan enrollment or benefit eligibility, except under specific circumstances;

• be signed and dated by the individual or the individual's personal representative;

• be written in plain language;

• include an expiration date or event;

• notify the individual of the right to revoke authorization at any time in writing, how to exercise that right, and any applicable exceptions to that right under the Privacy Rule; and

• explain the potential for the information to be subject to redisclosure by the recipient and no longer protected by the Privacy Rule.

The Privacy Rule and Public Health

The Privacy Rule recognizes 1) the legitimate need for public health authorities and others responsible for ensuring the public's health and safety to have access to PHI to conduct their missions, and 2) the importance of public health reporting by covered entities to identify threats to the public and individuals. Accordingly, the rule 1) permits PHI disclosures without a written patient authorization for specified public health purposes to public health authorities legally authorized to collect and receive the information for such purposes, and 2) permits disclosures that are required by state and local public health or other laws. However, because the Privacy Rule affects the traditional ways PHI is used and exchanged among covered entities (e.g., doctors, hospitals, and health insurers), it can affect public health practice and research in multiple ways. To prevent misconceptions, understanding the Privacy Rule is important for public health practice. Some illustrative examples are presented in this report (Box 4). Also provided are sample letters that might prove useful in clarifying relationships involving public health and the Privacy Rule (Appendix B).

A public health authority is broadly defined as including agencies or authorities of the United States, states, territories, political subdivisions of states or territories, American Indian tribes, or an individual or entity acting under a grant of authority from such agencies and responsible for public health matters as part of an official mandate. Public health authorities include federal public health agencies (e.g., CDC, National Institutes of Health [NIH], Health Resources and Services Administration [HRSA], Substance Abuse and Mental Health Services Administration [SAMHSA], Food and Drug Administration [FDA], or Occupational Safety and Health Administration [OSHA]); tribal health agencies; state public health agencies (e.g., public health departments or divisions, state cancer registries, and vital statistics departments); local public health agencies; and anyone performing public health functions under a grant of authority from a public health agency [45 CFR § 164.501].

Public health agencies often conduct their authorized public health activities with other entities by using different mechanisms (e.g., contracts and memoranda or letters of agreement). These other entities are public health authorities under the Privacy Rule with respect to the activities they conduct under a grant of authority from such a public health agency. A covered entity may disclose PHI to public health authorities and to these designated entities pursuant to the public health provisions of the Privacy Rule.

BOX 4. Examples of situations related to the Privacy Rule and public health

State cancer registry. Under a state law, health-care providers are required to report cancer cases to a state's cancer registry. Names are included to prevent duplicate reporting and counting. State law protects the confidentiality of the data. Can covered entities disclose the information under the Privacy Rule?

Privacy Rule effect. Covered entities may disclose PHI to a public health agency or any other entity when the disclosure is required by law. However, as covered entities, the providers must give an accounting to the persons whose PHI has been shared. The state agency may use and further disclose the PHI consistent with applicable state law.

State university-maintained cancer registry. Under a state law, health-care providers are mandated to report cancer cases to a state health department's cancer registry. The state health department contracts with a state university to receive the reports and maintain its registry. As covered entities, can health-care providers disclose PHI to the state university under the Privacy Rule?

Privacy Rule effect. As noted in the previous example, covered entities may disclose PHI without authorization to the cancer registry under the Privacy Rule, which expressly permits disclosure of PHI as required by law and sharing of PHI with public health authorities for public health purposes. The state university is acting under a grant of authority from a public health authority, the state health department. The university can use and disclose the information without authorization, consistent with its agreement with the state health department and applicable state law.

Early hearing detection and intervention. An early hearing detection and intervention program in a state needs data from two large hospitals. The state does not have a law requiring reporting of hearing loss. Under the Privacy Rule, can covered entities release results of newborn hearing-screening tests to the state program?

Privacy Rule effect. The Privacy Rule expressly permits release of PHI without authorization from a covered entity to a public health authority (e.g., the state health department) which is authorized by law to receive PHI for the purpose of controlling disease, injury, or disability. The rule does not require a state law mandating such disclosures for PHI to be released to a public health authority. Finally, the covered entities may rely upon the state's representation that the information requested is the minimum necessary for the purposes of the registry.

Disease registry maintained by private foundation. A private foundation maintains a disease registry as a way to support research and service for those with the disease. Can health-care providers release PHI to the foundation under the Privacy Rule?

Privacy Rule effect. Nongovernment disease registries (e.g., those maintained by foundations and other private organizations) are not considered public health authorities unless they have a grant of authority from a public health authority. With such a grant, covered entities may disclose PHI to the foundations. But without a grant of authority, PHI may be released only under one of the following situations:

• Release is authorized by the patient.

• The PHI is de-identified.

• The PHI is contained in a limited data set governed by a data-use agreement.

• Release of PHI is in accord with the rule's provisions for disclosure for research without authorization.

• Release is otherwise permitted by the rule (e.g., to entities subject to the jurisdiction of the Food and Drug Administration [FDA]) [45 CFR § 164.512(b)(1)(iii)].

Surveillance project. A state health department that is not a covered entity conducts a surveillance project on human immunodeficiency virus (HIV) and acquired immunodeficiency syndrome (AIDS). The HIV/AIDS surveillance project is an interview study. It asks for self-reported information from participants, including dates of diagnosis and visits for care. Is this PHI covered by the Privacy Rule?

Privacy Rule effect. Information collected directly from persons by a person, agency, or institution that is not a covered entity, including individually identifiable information, is not covered by the Privacy Rule.

The Privacy Rule permits covered entities to disclose PHI without authorization to public health authorities or other entities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability. This includes the reporting of disease or injury; reporting vital events (e.g., births or deaths); conducting public health surveillance, investigations, or interventions; reporting child abuse and neglect; and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices [45 CFR § 164.512(b)]. Covered entities may report adverse events related to FDA-regulated products or activities to public agencies and private entities that are subject to FDA jurisdiction [45 CFR § 164.512(b)(1)(iii)]. To protect the health of the public, public health authorities might need to obtain information related to the individuals affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority [45 CFR § 164.512(b)(1)(i)].

To receive PHI for public health purposes, public health authorities should be prepared to verify their status and identity as public health authorities under the Privacy Rule. To verify its identity, an agency could provide any one of the following:

• if the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;

• if the request is in writing, the request is on the appropriate government letterhead; or

• if the disclosure is to a person acting on behalf of a public health authority, a written statement on appropriate government letterhead that the person is acting under the government's authority [45 CFR § 164.514(h)(2)].

Public health authorities receiving information from covered entities as required or authorized by law [45 CFR § 164.512(a)] [45 CFR § 164.512(b)] are not business associates of the covered entities and therefore are not required to enter into business associate agreements. Public health authorities that are not covered entities also are not required to enter into business associate agreements with their public health partners and contractors. Also, after PHI is disclosed to a public health authority pursuant to the Privacy Rule, the public health authority (if it is not a covered entity) may maintain, use, and disclose the data consistent with the laws, regulations, and policies applicable to the public health authority.

Disclosures for Public Health Purposes

The Privacy Rule allows covered entities to disclose PHI to public health authorities when required by federal, tribal, state, or local laws [45 CFR § 164.512(a)]. This includes state laws (or state procedures established under such law) that provide for receiving reporting of disease or injury, child abuse, birth, or death, or conducting public health surveillance, investigation, or intervention.

For disclosures not required by law, covered entities may still disclose, without authorization, to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, the minimum necessary information to accomplish the intended public health purpose of the disclosure [45 CFR § 164.512(b)] (Box 1).

For example, to protect the health of the public, public health officials might need to obtain information related to persons affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. The Privacy Rule continues to allow for the existing practice of sharing PHI with public health authorities who are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting adverse events, reporting births and deaths, and investigating the occurrence and cause of injury and disease (1).

Although it is not a defined term, DHHS interpreted the phrase "authorized by law" to mean that a legal basis exists for the activity. Further, DHHS called the phrase "a term of art" including both actions that are permitted and actions that are required by law [64 FR 59929, November 3, 1999]. This does not mean a public health authority at the federal, tribal, state, or local level must have multiple disease- or condition-specific laws that authorize each collection of information. Public health authorities operate under broad mandates to protect the health of their constituent populations.

Requirements for Covered Entities

Accounting for Public Health Disclosures

Although the Privacy Rule permits disclosures of PHI to public health authorities, covered entities must comply with certain requirements related to these disclosures. One such requirement is that a covered entity must be able to provide an individual, upon request, with an accounting of certain disclosures of PHI. The covered entity is not required to account for all disclosures of PHI. For example, an accounting is not required for disclosures made

• prior to the covered entity's compliance date;

• for TPO purposes;

• to the individual or pursuant to the individual's written authorization; or

• as part of a limited data set.

However, usually an accounting is required for disclosures made without authorization, including for public health purposes.

The required accounting for disclosures may be accomplished in different ways. Typically, the covered entity must provide the individual with an accounting of each disclosure by date, the PHI disclosed, the identity of the recipient of the PHI, and the purpose of the disclosure. However, where the covered entity has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy Rule provides for a simplified means of accounting. In such cases, the covered entity need only identify the recipient of such repetitive disclosures and the purpose of the disclosure, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period and a description of the frequency or periodicity of such disclosures. For example, the vast amount of data exchanged between covered entities and public health authorities is made through ongoing, regular reporting or inspection requirements. A covered health-care provider may routinely report all cases of measles it diagnoses to the local public health authority. An accounting of such disclosures to a requesting individual would need to identify the local public health authority receiving the PHI, the PHI disclosed, the purpose of the disclosure (required for communicable disease surveillance), the periodicity (weekly), and the first and last dates of such disclosures during the accounting period (May 1, 2003 to June 1, 2003). Thus, the covered entity would not need to annotate each patient's medical record whenever a routine public health disclosure was made.
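The accounting logic described above, as an added example that is not part of the report: one-off disclosures are itemized with their dates after the exempt categories are filtered out, while a routine weekly measles report is accounted once with recipient, purpose, PHI routinely disclosed, periodicity, and first and last dates. The log layout, the compliance date and all records are constructed for this illustration.

```python
"""Accounting of disclosures, including the simplified accounting for
routine, repetitive public health reporting.

Added example, not code from the MMWR report. The log layout, field names,
compliance date and records are constructed for illustration.
"""
from datetime import date

# Bases for which the Privacy Rule requires no accounting (from the list in
# the text); the labels are this example's own.
EXEMPT_BASES = {"tpo", "to_individual", "written_authorization", "limited_data_set"}

# Constructed placeholder for the covered entity's compliance date.
COMPLIANCE_DATE = date(2003, 4, 14)

# Constructed accounting period a patient might ask about.
ACCOUNTING_PERIOD = (date(2003, 1, 1), date(2003, 6, 30))

# Per-patient log of individual disclosures (constructed). Each entry is one
# disclosure of one patient's PHI.
DISCLOSURE_LOG = [
    {"patient_id": "P-1", "date": date(2003, 3, 20), "basis": "required_by_law",
     "recipient": "state vital statistics office", "purpose": "birth reporting",
     "phi": "birth certificate data"},           # before compliance date
    {"patient_id": "P-1", "date": date(2003, 5, 9), "basis": "tpo",
     "recipient": "XYZ Health Plan", "purpose": "payment", "phi": "claim"},
    {"patient_id": "P-1", "date": date(2003, 5, 12), "basis": "court_order",
     "recipient": "county court", "purpose": "court order",
     "phi": "admission dates"},
    {"patient_id": "P-2", "date": date(2003, 5, 15), "basis": "public_health",
     "recipient": "FDA-regulated manufacturer", "purpose": "adverse event report",
     "phi": "device serial, event description"},
]

# Routine reporting streams (constructed). The entity records the stream once,
# with the first and last disclosure dates of the period and its periodicity,
# rather than annotating each patient's record per weekly report.
ROUTINE_REPORTING = [
    {"recipient": "local public health authority",
     "purpose": "required for communicable disease surveillance",
     "phi": "name, date of birth, diagnosis, onset date",
     "periodicity": "weekly",
     "first": date(2003, 5, 1), "last": date(2003, 6, 1),
     "conditions": {"measles"}},
]

# Reportable conditions per patient (constructed); a patient is covered by a
# stream when one of these conditions is in the stream's condition set.
PATIENT_CONDITIONS = {"P-1": {"measles"}, "P-2": set()}


def accountable(entry: dict, start: date, end: date) -> bool:
    """Itemized disclosure counts only if in the period, on or after the
    compliance date, and not made on an exempt basis."""
    return (start <= entry["date"] <= end
            and entry["date"] >= COMPLIANCE_DATE
            and entry["basis"] not in EXEMPT_BASES)


def accounting(patient_id: str, start: date, end: date) -> list:
    """Build the accounting a patient may request for the period [start, end].

    Returns itemized entries (with a date) followed by one summary entry per
    routine stream that covered the patient during the period.
    """
    report = []
    for e in DISCLOSURE_LOG:
        if e["patient_id"] == patient_id and accountable(e, start, end):
            report.append({"recipient": e["recipient"], "purpose": e["purpose"],
                           "phi": e["phi"], "date": e["date"]})
    for s in ROUTINE_REPORTING:
        overlaps = s["first"] <= end and s["last"] >= start
        if overlaps and s["conditions"] & PATIENT_CONDITIONS.get(patient_id, set()):
            report.append({"recipient": s["recipient"], "purpose": s["purpose"],
                           "phi": s["phi"], "periodicity": s["periodicity"],
                           "first": s["first"], "last": s["last"]})
    return report


if __name__ == "__main__":
    for line in accounting("P-1", *ACCOUNTING_PERIOD):
        print(line)
```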

Notice of Privacy Practices

With certain exceptions under the Privacy Rule, individuals have the right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, as well as their rights and the covered entity's legal obligations. Notices must be in plain language and clearly posted. Certain covered entities must make a good faith effort to obtain an individual's acknowledgment of receipt of this notice. In certain cases, notice may be provided electronically.

Minimum Necessary Standard

The Privacy Rule usually directs covered entities to limit the amount of information disclosed to the minimum necessary to achieve the specified goal [45 CFR § 164.514(d)(1)]. This requirement usually applies to disclosures to a public health agency. It would not apply, however, if the disclosure were required by law, authorized by the individual, or for treatment purposes. A covered entity may also reasonably rely on a public official's determination that the information requested is the minimum necessary for the public health purpose.

Public Health Authorities Performing CoveredFunctions

Public health authorities at the federal, tribal, state, or local levels that perform covered functions (e.g., providing health care or insuring individuals for health-care costs) may be subject to the Privacy Rule's provisions as covered entities. For example, a local public health authority that operates a health clinic providing essential health-care services to low-income persons and performs certain electronic transactions might be defined under the Privacy Rule as a covered health-care provider and therefore a covered entity. Flow charts and interactive tools designed to help determine covered entity status are provided online by the Centers for Medicare and Medicaid Services, available at http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp.

The following are examples of public health authority functions that make them covered entities:

• Public health authorities as covered health-care providers. A public health authority that conducts health care as part of its activities is a covered health-care provider if it also performs electronic transactions covered by the HIPAA Transactions Rule as part of these activities. The fact that these activities are conducted in pursuit of a public health goal (e.g., vaccinating children or screening a targeted population for sexually transmitted diseases) does not preclude the public health authority from being a covered entity.

• Public health authorities as health plans. Under the Privacy Rule, a health plan is an individual or group plan that provides or pays the cost of medical care. This specifically includes government health plans (e.g., Medicare, Medicaid, or Veterans Health Administration). However, the Privacy Rule defines health plan to exclude government-funded programs whose principal activity is the direct provision of health care to persons or the making of grants to fund the direct provision of health care to persons [45 CFR § 160.103]. Examples include the Ryan White Comprehensive AIDS Resources Emergency Act. Although certain government programs that fund providers directly may not be health plans, government programs that reimburse providers or otherwise fund providers to perform direct health-care services should carefully analyze the details of their programs to determine if they are performing covered functions.

• Public health authorities as health-care clearinghouses. Although unlikely, a public health authority might be a health-care clearinghouse if it receives health information from another entity and translates that information from a nonstandard format into a standard transaction or standard data elements (or vice versa). Operators of community health information systems should carefully consider whether they meet the definition for a health-care clearinghouse.

• Public health agencies as hybrid entities. A public health agency that is a covered entity and has both covered and noncovered functions may become a hybrid entity by designating its health-care components. By designating itself as a hybrid entity, a public health authority can carve out its noncovered functions so that the majority of Privacy Rule provisions apply only to its health-care component, which is required to comply with the Privacy Rule requirements, including using and disclosing PHI only as authorized, meeting the administrative requirements, accounting for disclosure of PHI, and providing a notice of practices. However, such a designation does not preclude the public health authority from continuing to conduct authorized public health functions. A covered entity that is also a public health authority may use, as well as disclose, PHI for public health purposes to the same extent it would be permitted to disclose the PHI as a public health authority.

The Privacy Rule and Public Health Research

The topic of research under the Privacy Rule is covered in depth in the DHHS report Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (6). The Privacy Rule provides separate provisions for disclosure without individual authorization for public health purposes and for certain research [45 CFR § 164.512(b)] [45 CFR § 164.512(i)]. Other federal law pertaining to research stresses the importance of distinguishing between research and practice to ensure that human subjects are appropriately protected [45 CFR Part 46]. For certain activities, this distinction is not always clear. A full discussion of the distinctions between public health practice and research is beyond the scope of this document. However, CDC and others provide guidance in this area (7–9).

Research Versus Practice

The definition of research is the same for the Privacy Rule and the Common Rule (10): systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Research is designed to test a hypothesis, permit conclusions to be drawn, and thereby to develop or contribute to generalizable knowledge. The majority of public health activities (e.g., public health surveillance and disease prevention and control projects) are based on scientific evidence and data collection or analytic methods similar to those used in research. However, they are not designed to contribute to generalizable knowledge. Their primary purpose is to protect the health of the population through such activities as disease surveillance, prevention, or control.

The Belmont Report (11) defines practice as interventions designed solely to enhance the well-being of a person, patient, or client and which have reasonable expectation of success. The report further states that the purpose of medical or behavioral practice is to provide diagnosis, preventive treatment, or therapy to particular patients. For public health agencies, the patient is the community. Public health practice activities (e.g., public health surveillance, disease control, or program evaluation) are undertaken with the intent to benefit a specific community, although occasionally they may provide unintended generalizable benefits to others.

Some public health activities that are initially public health practice may subsequently evolve into a research activity (e.g., an investigation to determine the cause of an outbreak that incorporates a research study evaluating the efficacy of a new drug to treat the illness). When that is the case, the disclosures may be made initially under the public health provisions of the Privacy Rule. But when the activity becomes an ongoing research activity, the entity should consider application of the relevant research disclosure provisions to continue to obtain information for this purpose. Moreover, there may be cases where the activity is both research and public health practice (e.g., an ongoing survey to monitor health conditions in the population, data from which can also be analyzed for research purposes). In those cases, disclosures may be made either under the research provisions or the public health provisions, as appropriate; the covered entity need not comply with both sets of requirements.

The Privacy Rule and Other Laws

• Federal laws. Covered entities subject to the Privacy Rule are also subject to other federal statutes and regulations. The specific relationship of the Privacy Rule and certain federal laws is discussed in the preamble to the December 2000 Final Rule [65 Fed. Reg. 82481]. In certain instances, the Privacy Rule imposes requirements in direct conflict with other federal laws or regulations. In those instances, an analysis will be necessary to determine whether the later provision was intended to overrule the prior law or regulation.

• State laws. As a federal regulatory standard, the Privacy Rule preempts only those contrary state laws relating to the privacy of individually identifiable health information that have less stringent requirements or standards than the Privacy Rule (i.e., more stringent laws remain in effect). In addition, DHHS may, upon specific request from a state or other entity or person, determine that a provision of state law that is contrary to the federal requirements and that meets certain additional criteria will not be preempted by the federal requirements. Thus, preemption of a contrary state law will not occur if the Secretary or designated DHHS official determines, in response to a request, that the state law 1) is necessary to prevent fraud and abuse related to the provision of or payment for health care; 2) is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation; 3) is necessary for state reporting on health-care delivery or costs; 4) is necessary to serve a compelling public health, safety, or welfare need and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or 5) has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances. The Privacy Rule specifically does not preempt contrary state public health laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention [45 CFR § 160.202].

Online Resources

References to non-DHHS sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

Federal Government Resources

DHHS Office for Civil Rights — HIPAA guidelines
http://www.hhs.gov/ocr/hipaa

CDC — Privacy Rule guidelines
http://www.cdc.gov/privacyrule

Centers for Medicare and Medicaid Services
http://www.cms.gov/hipaa
http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp

Health Resources and Services Administration — HIPAA
http://www.hrsa.gov/website.htm

National Center for Health Statistics
http://www.cdc.gov/nchs/otheract/phdsc/phdsc.htm

National Committee on Vital and Health Statistics
http://www.ncvhs.hhs.gov

National Health Information Infrastructure
http://www.health.gov/ncvhs-nhii

Indian Health Service — HIPAA
http://www.ihs.gov/AdminMngrResources/HIPAA/index.cfm

National Institutes of Health
http://privacyruleandresearch.nih.gov

Substance Abuse and Mental Health Services Administration — HIPAA
http://www.samhsa.gov/hipaa

State Government Resources

California
http://www.dhs.ca.gov/hipaa
http://www.ohi.ca.gov/state/calohi/ohiHome.jsp
http://www.dmh.ca.gov/hipaa

Colorado
http://www.cdphe.state.co.us/HIPAA

Florida
http://www.myflorida.com/myflorida/sto/hipaa

Illinois
http://www.state.il.us/dpa/hipaa.html

Kentucky
http://chs.state.ky.us/dms/HIPAA/default.htm
http://dmhmrs.chr.state.ky.us/hipaa.asp

Maryland
http://www.mhcc.state.md.us/edi/hipaa_hipaa.htm
http://dhmh.state.md.us/HIPAA

Minnesota
http://www.dhs.state.mn.us/hipaa

Missouri
http://www.health.state.mo.us/HIPAA

New York
http://www.oft.state.ny.us/hipaa/index.htm

North Carolina
http://dirm.state.nc.us/hipaa

Ohio
http://www.state.oh.us/hipaa

Pennsylvania
http://www.dpw.state.pa.us/omap/hipaa/omaphipaa.asp
http://www.insurance.state.pa.us/html/hipaa.html

South Carolina
http://www.hipaa.state.sc.us

Texas
http://www.hhsc.state.tx.us/NDIS/NDISTaskForce.html

Virginia
http://www.dmas.state.va.us/hpa-home.htm

Wisconsin
http://www.dhfs.state.wi.us/HIPAA


Associations, Nonprofit Organizations, and Academic Resources

American Hospital Association — HIPAA
http://www.hospitalconnect.com/aha/key_issues/hipaa/resources/resources.html

American Medical Association — HIPAA
http://www.ama-assn.org/ama/pub/category/4234.html

Association of State and Territorial Health Officials — HIPAA
http://www.astho.org/?template=hipaa.html

Georgetown University Health Privacy Project
http://www.healthprivacy.org

Joint Healthcare Information Technology Alliance
http://www.jhita.org

National Association of Health Data Organizations
http://www.nahdo.org

National Association of Insurance Commissioners
http://www.naic.org/1privacy/initiatives/health_privacy.htm

National Governors Association — HIPAA
http://www.nga.org/center/topics/1,1188,C_CENTER_ISSUE^D_4324,00.html

North Carolina Healthcare Information and Communications Alliance
http://www.nchica.org

Public Health Grand Rounds — HIPAA Privacy Rule: Enhancing or Harming Public Health
http://www.publichealthgrandrounds.unc.edu

Stanford University Medical School — HIPAA
http://www.med.stanford.edu/HIPAA

Workgroup for Electronic Data Interchange — Strategic National Implementation Process
http://www.wedi.org/snip

Acknowledgments

This report was prepared by Salvatore Lucido, MPA, and Denise Koo, MD, Office of the Associate Director for Science, Epidemiology Program Office, CDC, in collaboration with James G. Hodge, Jr., JD, Center for Law and the Public's Health, Georgetown and Johns Hopkins Universities, Baltimore, Maryland. The preparers are grateful for the participation of Deborah Tress, JD, Kenya Ford, JD, and Heather Horton, JD, Office of the General Counsel, Department of Health and Human Services, CDC/ATSDR Branch; the CDC Working Group on the Privacy Rule; and Beverly Dozier, JD, Lance A. Gable, JD, Lawrence O. Gostin, JD, Gail Horlick, JD, and Jennifer Kurle.

The preparers also thank the following partners for their valuable input: Association of State and Territorial Health Officers, Council of State and Territorial Epidemiologists, National Association of County and City Health Officials, National Association of Health Data Organizations, Association of Public Health Laboratories, and National Association for Public Health Statistics and Information Systems.

References

1. Gostin LO, Hodge JG Jr. Personal privacy and common goods: a framework. Minnesota Law Review 2002;86:1439–80.
2. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996).
3. Office for Civil Rights, Department of Health and Human Services. Title 45 of the Code of Federal Regulations, Parts 160 and 164. Available at http://www.dhhs.gov/ocr/combinedregtext.pdf.
4. Office for Civil Rights. OCR guidance explaining significant aspects of the Privacy Rule, 2002. Department of Health and Human Services. Available at http://www.hhs.gov/ocr/hipaa.
5. Gostin LO, Hodge JG Jr, Privacy Law Advisory Committee. Model state public health information privacy act, 1999. Available at http://www.publichealthlaw.net/Resources/ResourcesPDFs/modelprivact.pdf.
6. Department of Health and Human Services. Protecting personal health information in research: understanding the HIPAA Privacy Rule. Washington, DC: Department of Health and Human Services; 2003 (in press).
7. Snider DE, Stroup DF. Defining research when it comes to public health. Public Health Rep 1997;112:29–32.
8. CDC. Guidelines for defining public health research and public health nonresearch. Available at http://www.cdc.gov/od/ads/opspoll1.htm.
9. Amoroso PJ, Middaugh JP. Research vs public health practice: when does a study require IRB review? Prev Med 2003;36:250–3.
10. Office for Protection from Research Risks, National Institutes of Health, Department of Health and Human Services. Public welfare: protection of human subjects, 2001 [45 CFR 46]. Available at http://ohrp.osophs.dhhs.gov/humansubjects/guidance/45cfr46.htm.
11. National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. Belmont report: ethical principles and guidelines for the protection of human subjects of research. Department of Health, Education, and Welfare. Available at http://www.med.umich.edu/irbmed/ethics/belmont/BELMONTR.HTM.

Appendix A
Selected Privacy Rule Concepts and Definitions

The following concepts and definitions are adapted from the regulatory language. For further information, see the citations to the Privacy Rule.

Accounting: An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures (a) to carry out treatment, payment, and health care operations [45 CFR § 164.506]; (b) to individuals of protected health information about them [45 CFR § 164.502]; (c) incident to a use or disclosure otherwise permitted or required by this subpart, as provided in 45 CFR § 164.502; (d) pursuant to an authorization as provided in 45 CFR § 164.508; (e) for the facility's directory or to persons involved in the individual's care or other notification purposes as provided in 45 CFR § 164.510; (f) for national security or intelligence purposes as provided in 45 CFR § 164.512(k)(2); (g) to correctional institutions or law enforcement officials as provided in 45 CFR § 164.512(k)(5); (h) as part of a limited data set in accordance with 45 CFR § 164.514(e); or (i) that occurred prior to the compliance date for the covered entity… Such an accounting must meet the following requirements: (1) except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity; (2) except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure the date of the disclosure; the name of the entity or person who received the protected health information and, if known, the address of such entity or person; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such a statement, a copy of the individual's written authorization pursuant to 45 CFR § 164.508 or a copy of a written request for a disclosure under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, if any.

If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, the accounting may, with respect to such multiple disclosures, provide the information required by paragraph (b)(2) of 45 CFR § 164.528 for the first disclosure during the accounting period; the frequency, periodicity, or number of the disclosures made during the accounting period; and the date of the last such disclosure during the accounting period [45 CFR § 164.528].

Modified accounting procedures are also provided for covered entities making research disclosures involving >50 persons [45 CFR § 164.528(b)(4)].
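The accounting of disclosures described in the body of the report (the weekly measles-report example) and in the Accounting definition above, as an added example that is not part of the original report: a Python sketch of the 45 CFR § 164.528 procedure that drops the exempt categories, pre-compliance disclosures and anything outside the six-year period, then collapses repeated disclosures to one recipient for one purpose into a single entry carrying first date, last date and periodicity. The sample log, the June 15, 2003 request date and the April 14, 2003 compliance date are this example's constructed assumptions, as are the purpose tag strings.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Disclosure categories that 45 CFR § 164.528(a)(1) leaves out of the accounting;
# the tag strings are this example's own, not terms from the rule.
EXEMPT_PURPOSES = frozenset({
    "treatment", "payment", "health_care_operations", "to_individual",
    "authorization", "facility_directory", "national_security",
    "correctional", "limited_data_set",
})
SIX_YEARS = timedelta(days=6 * 365)   # default accounting period (leap days ignored)

@dataclass(frozen=True)
class Disclosure:
    when: date
    recipient: str      # name (and address, if known) of the receiving entity
    phi: str            # brief description of the PHI disclosed
    purpose: str        # statement of the basis for the disclosure

@dataclass
class AccountingEntry:
    recipient: str
    phi: str
    purpose: str
    first: date         # date of the first disclosure in the period
    last: date          # date of the last such disclosure in the period
    count: int          # number of disclosures collapsed into this entry
    periodicity: str    # frequency description per § 164.528(b)(3)

def describe_periodicity(dates: List[date]) -> str:
    """Describe how often the disclosures in a sorted date list were made."""
    if len(dates) < 2:
        return "single disclosure"
    gaps = sorted((b - a).days for a, b in zip(dates, dates[1:]))
    typical = gaps[len(gaps) // 2]      # median gap tolerates one late report
    if typical == 7:
        return "weekly"
    if 28 <= typical <= 31:
        return "monthly"
    return f"approximately every {typical} days"

def build_accounting(disclosures: List[Disclosure], requested_on: date,
                     compliance_date: Optional[date] = None,
                     lookback: timedelta = SIX_YEARS) -> List[AccountingEntry]:
    """Drop exempt, pre-compliance and out-of-period disclosures, then collapse
    repeated disclosures to one recipient for one purpose into a single entry
    carrying first date, last date and periodicity (§ 164.528(b)(3))."""
    window_start = requested_on - lookback
    groups: Dict[Tuple[str, str], List[Disclosure]] = {}
    for d in sorted(disclosures, key=lambda x: x.when):
        if d.purpose in EXEMPT_PURPOSES:
            continue
        if d.when < window_start or d.when > requested_on:
            continue
        if compliance_date is not None and d.when < compliance_date:
            continue
        groups.setdefault((d.recipient, d.purpose), []).append(d)

    entries = []
    for (recipient, purpose), items in groups.items():
        dates = [d.when for d in items]
        entries.append(AccountingEntry(
            recipient=recipient,
            phi=items[0].phi,       # § 164.528(b)(2) details of the first disclosure
            purpose=purpose,
            first=dates[0],
            last=dates[-1],
            count=len(items),
            periodicity=describe_periodicity(dates),
        ))
    return entries

# Constructed sample log for one patient at a covered provider; every date,
# recipient and description is illustrative, not from a real record.
SAMPLE_LOG = [
    Disclosure(date(2003, 5, 1) + timedelta(days=7 * i), "Local public health authority",
               "name, date of birth, measles diagnosis", "communicable disease surveillance")
    for i in range(5)                                    # weekly measles reports, May 2003
] + [
    Disclosure(date(2003, 5, 12), "Referring physician", "full chart", "treatment"),
    Disclosure(date(2003, 4, 2), "Local public health authority",
               "measles diagnosis", "communicable disease surveillance"),
    Disclosure(date(1996, 6, 1), "State health department",
               "immunization history", "outbreak investigation"),
]

def sample_accounting() -> List[AccountingEntry]:
    """Accounting for the sample as of an assumed June 15, 2003 request; the
    April 14, 2003 compliance date is likewise this example's assumption."""
    return build_accounting(SAMPLE_LOG, date(2003, 6, 15), date(2003, 4, 14))

if __name__ == "__main__":
    for e in sample_accounting():
        print(f"{e.recipient}; {e.phi}; {e.purpose}; {e.periodicity}; "
              f"{e.count} disclosures, {e.first} to {e.last}")
```

Run as a script, the sample yields one line: the treatment disclosure is exempt, the April 2 report predates the assumed compliance date, the 1996 disclosure is outside the six years, and the five weekly reports collapse into a single weekly entry.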

Business associate: A person who, on behalf of a covered entity or of an organized health care arrangement [45 CFR § 154.501] in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or any other function or activity regulated by this subchapter; or provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation [45 CFR § 164.501], management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health-care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the individual [45 CFR § 160.103].

Covered entity: 1) a health plan; 2) a health-care clearinghouse; 3) a health-care provider who transmits any health information in electronic form in connection with a transaction [45 CFR § 160.103].

Covered functions: Those functions of a covered entity the performance of which makes the entity a health plan, health-care provider, or health-care clearinghouse [45 CFR § 164.103].

Data aggregation: With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health-care operations of the respective covered entities [45 CFR § 164.501].

De-identified health information: Health information that does not identify an individual and with respect to which no reasonable basis exists to believe that the information can be used to identify an individual is not individually identifiable information [45 CFR § 164.514(a)].

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information [45 CFR § 160.103].

Electronic media: 1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or 2) transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission [45 CFR § 160.103].

Health care: Care, services, or supplies related to the health of an individual. It includes, but is not limited to, 1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body; and 2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription [45 CFR § 160.103].

Health-care clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system, community health information system, or value-added network or switch, that 1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or 2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity [45 CFR § 160.103].

Health-care operations: Any of the following activities of the covered entity to the extent that the activities are related to covered functions: 1) conducting quality assessment and improvement activities, population-based activities, and related functions that do not include treatment; 2) reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance, conducting training programs where students learn to practice or improve their skills as health-care providers, training of nonhealth-care professionals, accreditation, certification, licensing, or credentialing activities; 3) underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or benefits; 4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and 6) business management and general administrative activities of the entity [45 CFR § 164.501].

Health-care provider: A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health-care services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other individual or organization that furnishes, bills, or is paid for health care in the normal course of business [45 CFR § 160.103].

Health information: Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health-care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual [45 CFR § 160.103].

Health plan: An individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). Health plan includes the following, singly or in combination: (i) a group health plan, as defined in 45 CFR § 160.103 of the Privacy Rule; (ii) a health insurance issuer, as defined in 45 CFR § 160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 CFR § 160.103 of the Privacy Rule; (iv) Part A or B of the Medicare program under title XVIII of the Act; (v) the Medicaid program under title XIX of the Act, 42 U.S.C. 1396 et seq.; (vi) an issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)); (vii) an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy; (viii) an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers; (ix) the health care program for active military personnel under title 10 U.S.C.; (x) the veterans health-care program under 38 U.S.C. Ch. 17; (xi) the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)); (xii) the Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601 et seq.; (xiii) the Federal Employees Health Benefits Program under 5 U.S.C. 8902 et seq.; (xiv) an approved state child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397 et seq.; (xv) the Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28; (xvi) a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals; (xvii) any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) [45 CFR § 160.103].

The term health plan excludes (i) any policy, plan, or program to the extent that it provides or pays for the cost of excepted benefits that are listed in § 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and (ii) a government-funded program, other than the one listed in items (i)–(xvi) above, whose principal purpose is other than providing or paying the cost of health care, or whose principal activity is 1) the direct provision of health care to individuals or 2) the making of grants to fund the direct provision of health care to individuals [45 CFR § 160.103].

Hybrid entity: A single legal entity 1) that is a covered entity; 2) whose business activities include both covered and noncovered functions; and 3) that designates its health-care components [45 CFR § 164.103].

Individually identifiable health information: A subset of health information, including demographic information collected from an individual, and 1) is created or received by a health-care provider, health plan, employer, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or where there is a reasonable basis to believe the information can be used to identify the individual [45 CFR § 164.501].

Limited data set: Protected health information that excludes certain direct identifiers of the individual or of relatives, employers, or household members of the individual. Direct identifiers to be excluded can be found in 45 CFR § 164.514(e)(2).

Minimum necessary: For any type of disclosure that a covered entity makes on a routine and recurring basis, the covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. For all other disclosures, covered entities must develop and implement criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought, and review requests for disclosure on an individual basis in accordance with such criteria. A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when (a) making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose; (b) the information is requested by another covered entity; (c) the information is requested by their business associates providing personal services; or (d) documentation or representations that comply with the applicable requirements of 45 CFR § 164.512(i) have been provided by an individual requesting the information for research purposes [45 CFR § 164.514(d)(3)].

The minimum necessary standard also applies to uses of protected health information [45 CFR § 164.514(d)(2)] and requests for protected health information [45 CFR § 164.514(d)(4)].

Notice: An individual, with certain exceptions, has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. The notice must be written in plain language and contain the following elements: (i) a header as specified in the rule; (ii) a description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and health care operations, and a description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written consent or authorization. If a use or disclosure is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law (as defined in 45 CFR § 160.202). Each description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule or other applicable law, and a statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by 45 CFR § 164.508(b)(5).

A separate statement must be included in the notice if a covered entity intends to engage in any of the following activities. The statement should explain that 1) the covered entity may contact the individual to provide appointment reminders or information regarding treatment alternatives or other health-related benefits; 2) the covered entity may contact the individual to raise funds for the covered entity; or 3) a group health plan, health insurer, or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan.

The notice must contain a statement of the individual's rights with respect to the protected health information and a brief description of how the individual may exercise these rights; a statement of the covered entity's duties; a statement that individuals may complain to the covered entity or the Secretary if they believe their privacy rights have been violated; contact information; and the effective date of the notice [45 CFR § 164.520].

Payment: 1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, or (ii) a health-care provider or health plan to obtain or provide reimbursement for the provision of health care; and 2) the activities relate to the individual to whom health care is provided and include, but are not limited to, (i) determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; (ii) risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance), and related health-care data processing; (iv) review of health-care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: (a) name and address, (b) date of birth, (c) social security number, (d) payment history, (e) account number, and (f) name and address of the health-care provider or health plan [45 CFR § 164.501].

Protected health information (PHI): Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in (i) education records covered by the Family Education Rights and Privacy Act (20 U.S.C. 1232g), (ii) records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and (iii) employment records held by a covered entity in its role as employer [45 CFR § 160.103].

Public health authority: An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or an individual or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or individuals or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate [45 CFR § 164.501].

Examples of public health authorities include state and local health departments, CDC, National Institutes of Health (NIH), Food and Drug Administration (FDA), and Occupational Safety and Health Administration (OSHA).

Required by law: A mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. This term includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health-care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits [45 CFR § 164.103].

Research: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge [45 CFR § 164.501].

Statistical de-identification: A properly qualified statistician, using accepted analytical techniques, concludes that the risk is limited that the information could be used alone or in combination with other reasonably available information to identify the subject of the information [45 CFR § 164.514(b)].

Safe harbor method: A covered entity or its agent removes a comprehensive set of identifiers enumerated in the Privacy Rule, which includes, but is not limited to, names, geographic subdivisions smaller than states, dates more specific than years, contact information, identification numbers, and photographic images, and has no actual knowledge that the remaining information could be used alone or in combination with other information to identify the individual who is a subject of the information or the individual's relatives, employers, or household members. Eighteen specific identifiers will need to be removed to achieve de-identification [45 CFR § 164.514(b)].

Transaction: The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions that the Secretary may prescribe by regulation [45 CFR § 164.103].

Treatment: The provision, coordination, or management of health care and related services by one or more health-care providers, including the coordination or management of health care by a health-care provider with a third party; consultation between health-care providers relating to a patient; or the referral of a patient for health care from one health-care provider to another [45 CFR § 164.501].

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information [45 CFR § 160.103].


Appendix B
Sample Text That Can Be Used To Clarify Public Health Issues Under the Privacy Rule

Following are sample letters that can be used to help clarify Privacy Rule issues among covered entities and public health authorities (e.g., CDC, National Institutes of Health, Food and Drug Administration, Substance Abuse and Mental Health Services Administration, Health Resources and Services Administration, and state and local health departments). Public health authorities can use these letters as templates by inserting names of the appropriate individuals, projects, agreements, laws, activity types, covered entities, public health authorities, and authorized agencies.

From a public health authority to a covered entity, clarifying rules regarding disclosure

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is conducting the activity described here in its capacity as a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities such as your organization may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..."

[Public health authority] is conducting [project], a public health activity as described by 45 CFR § 164.512(b), and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule.

If you have questions or concerns, please contact [project leader].

From a public health authority to a covered entity, confirming grant of authority to an authorized agency

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities may disclose protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..." [45 CFR § 164.501]. [Authorized agency] is acting under [contract, grant, or cooperative agreement] with [public health authority] to carry out [project].

[Authorized agency] is acting under [contract, grant, cooperative agreement] with [public health authority] to conduct [project], which is authorized by [law or regulation]. [Public health authority] grants this authority to [authorized agency] for purposes of this project. Further, [public health authority] considers this to be [activity type], for which disclosure of protected health information by covered entities is authorized by 45 CFR § 164.512(b) of the Privacy Rule.

From a public health authority to an authorized agency, providing grant of authority

Dear [authorized agency]:

This letter serves as verification of a grant of authority from [public health authority] for you to conduct the public health activities described here, acting as a public health authority pursuant to the Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act (HIPAA) [45 CFR Parts 160 and 164]. Under this rule, covered entities may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of a public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..." Through this grant of authority, [authorized agency] may function as a public health authority under the Privacy Rule for purposes of this project.

[Project] is a public health activity as described by 45 CFR § 164.512(b), referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities "... may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purposes when making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s)."

If you have questions or concerns, please contact [project leader for authorized agency, public health authority contact].

All MMWR references are available on the Internet at http://www.cdc.gov/mmwr. Use the search function to find specific articles.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

MMWR

The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) and is available free of charge in electronic format and on a paid subscription basis for paper copy. To receive an electronic copy each week, send an e-mail message to listserv@listserv.cdc.gov. The body content should read SUBscribe mmwr-toc. Electronic copy also is available from CDC's Internet server at http://www.cdc.gov/mmwr or from CDC's file transfer protocol server at ftp://ftp.cdc.gov/pub/publications/mmwr. To subscribe for paper copy, contact Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone 202-512-1800.

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

U.S. Government Printing Office: 2003-533-15569108 Region IV


• holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients' privacy rights;
• strikes a balance when public health responsibilities support disclosure of certain forms of data;
• enables patients to make informed choices based on how individual health information may be used;
• enables patients to find out how their information may be used and what disclosures of their information have been made;
• generally limits release of information to the minimum reasonably needed for the purpose of the disclosure;
• generally gives patients the right to obtain a copy of their own health records and request corrections; and
• empowers individuals to control certain uses and disclosures of their health information.

The deadline to comply with the Privacy Rule is April 14, 2003, for the majority of the three types of covered entities specified by the rule [45 CFR § 160.102]. The covered entities are

• health plans,
• health-care clearinghouses, and
• health-care providers who transmit health information in electronic form in connection with certain transactions.

At DHHS, the Office for Civil Rights (OCR) has oversight and enforcement responsibilities for the Privacy Rule. Comprehensive guidance and OCR answers to hundreds of questions are available at http://www.hhs.gov/ocr/hipaa (4).

Impact on Public Health

Public health practice and research, including such traditional public health activities as program operations, public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, direct health services, and public health research, use PHI to identify, monitor, and respond to disease, death, and disability among populations. Public health authorities have a long history of protecting and preserving the confidentiality of individually identifiable health information. They also recognize the importance of protecting individual privacy and respecting individual dignity to maintaining the quality and integrity of health data. CDC and others have worked to consistently strengthen federal and state public health information privacy practices and legal protections (5).

DHHS recognized the importance of sharing PHI to accomplish essential public health objectives and to meet certain other societal needs (e.g., administration of justice and law enforcement). Therefore, the Privacy Rule expressly permits PHI to be shared for specified public health purposes. For example, covered entities may disclose PHI, without individual authorization, to a public health authority legally authorized to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability [45 CFR § 164.512(b)] (Box 1). Further, the Privacy Rule permits covered entities to make disclosures that are required by other laws, including laws that require disclosures for public health purposes.

Thus, the Privacy Rule provides for the continued functioning of the U.S. public health system. Covered entities should become fully aware of the scope of permissible disclosures for public health activities, as well as state and local reporting laws and regulations. Moreover, a public health authority may also be a covered entity. For example, a public health agency that operates a health clinic providing essential health-care services and performing covered transactions electronically is a covered entity.

BOX 1. Protected health information (PHI) disclosures by covered entities for public health activities requiring no authorization under the Privacy Rule

Without individual authorization, a covered entity may disclose PHI to a public health authority* that is legally authorized to collect or receive the information for the purposes of preventing or controlling disease, injury, or disability, including, but not limited to,

• reporting of disease, injury, and vital events (e.g., birth or death); and
• conducting public health surveillance, investigations, and interventions.

PHI may also be disclosed without individual authorization to

• report child abuse or neglect to a public health or other government authority legally authorized to receive such reports;
• a person subject to jurisdiction of the Food and Drug Administration (FDA) concerning the quality, safety, or effectiveness of an FDA-related product or activity for which that person has responsibility;
• a person who may have been exposed to a communicable disease or may be at risk for contracting or spreading a disease or condition, when legally authorized to notify the person as necessary to conduct a public health intervention or investigation; and
• an individual's employer, under certain circumstances and conditions, as needed for the employer to meet the requirements of the Occupational Safety and Health Administration, Mine Safety and Health Administration, or a similar state law.

Source: Adapted from [45 CFR § 164.512(b)].
* Or to an entity working under a grant of authority from a public health authority, or, when directed by a public health authority, to a foreign government agency that is acting in collaboration with a public health authority.

This report provides guidance to public health authorities and their authorized agents, researchers, and health-care providers in interpreting the Privacy Rule as it affects public health. CDC recommends that public health authorities share the information in this report with covered health-care providers and other covered entities and work closely with those entities to ensure implementation of the rule consistent with its intent to protect privacy while permitting authorized public health activities to continue.

Overview of the Privacy Rule

Who Is Covered

The authority of DHHS to issue health-information privacy regulations was limited by Congress in HIPAA to a defined set of covered entities. More complete definitions of these and other terms are located elsewhere in this report (Appendix A). Covered entities are as follows:

• Health plans. An individual or group plan that provides or pays the cost of medical care that includes the diagnosis, cure, mitigation, treatment, or prevention of disease. Health plans include private entities (e.g., health insurers and managed care organizations) and government organizations (e.g., Medicaid, Medicare, and the Veterans Health Administration).
• Health-care clearinghouses. A public or private entity, including a billing service, repricing company, or community health information system, that processes nonstandard data or transactions received from another entity into standard transactions or data elements, or vice versa.
• Health-care providers. A provider of health-care services and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business. Health-care providers (e.g., physicians, hospitals, and clinics) are covered entities if they transmit health information in electronic form in connection with a transaction for which a HIPAA standard has been adopted by DHHS.

The Privacy Rule also establishes requirements for covered entities with regard to their nonemployee business associates (e.g., lawyers, accountants, billing companies, and other contractors) whose relationship with covered entities requires sharing of PHI. The Privacy Rule allows a covered provider or health plan to disclose PHI to a business associate if satisfactory written assurance is obtained that the business associate will use the information only for the purposes for which it was engaged, will safeguard the information from misuse, and will help the covered entity comply with certain of its duties under the Privacy Rule.

The Privacy Rule does not apply to all persons or entities that regularly use, disclose, or store individually identifiable health information. For example, the Privacy Rule does not cover employers, certain insurers (e.g., auto, life, and worker compensation), or those public agencies that deliver social security or welfare benefits, when functioning solely in these capacities.

Types of Health Information

Protected Health Information

The Privacy Rule protects certain information that covered entities use and disclose. This information is called protected health information (PHI), which is generally individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to 1) the past, present, or future physical or mental health or condition of an individual; 2) provision of health care to an individual; or 3) payment for the provision of health care to an individual. If the information identifies or provides a reasonable basis to believe it can be used to identify an individual, it is considered individually identifiable health information.

De-Identified Information

De-identified data (e.g., aggregate statistical data or data stripped of individual identifiers) require no individual privacy protections and are not covered by the Privacy Rule. De-identifying can be conducted through

• statistical de-identification: a properly qualified statistician using accepted analytic techniques concludes the risk is substantially limited that the information might be used alone or in combination with other reasonably available information to identify the subject of the information [45 CFR § 164.514(b)]; or the
• safe-harbor method: a covered entity or its business associate de-identifies information by removing 18 identifiers (Box 2), and the covered entity does not have actual knowledge that the remaining information can be used alone or in combination with other data to identify the subject [45 CFR § 164.514(b)].

In certain instances, working with de-identified data may have limited value to clinical research and other activities. When that is the case, a limited data set may be useful.


BOX 3. Use of limited data sets under the Privacy Rule

The following protected health information (PHI) can be included, without authorization, in a limited data set for public health, research, or health-care operations:

• town or city, state, and zip code; and
• elements of dates related to a person (e.g., years, birth dates, admission dates, discharge dates, and dates of death).

To disclose a limited data set, a covered entity must enter into a data-use agreement with the recipient, which agrees to use or disclose the PHI for limited purposes. Disclosure of a limited data set is not subject to the accounting requirement but must meet the minimum necessary standards of the Privacy Rule.

BOX 2. Individual identifiers under the Privacy Rule

The following 18 identifiers of a person, or of relatives, employers, or household members of a person, must be removed, and the covered entity must not have actual knowledge that the information could be used alone or in combination with other information to identify the individual, for the information to be considered de-identified and not protected health information (PHI):

• names;
• all geographic subdivisions smaller than a state, including county, city, street address, precinct, zip code,* and their equivalent geocodes;
• all elements of dates (except year) directly related to an individual; all ages >89 and all elements of dates (including year) indicative of such age (except for an aggregate into a single category of age ≥90);
• telephone numbers;
• fax numbers;
• electronic mail addresses;
• Social Security numbers;
• medical record numbers;
• health-plan beneficiary numbers;
• account numbers;
• certificate and license numbers;
• vehicle identifiers and serial numbers, including license plate numbers;
• medical device identifiers and serial numbers;
• Internet universal resource locators (URLs);
• Internet protocol (IP) addresses;
• biometric identifiers, including fingerprints and voice prints;
• full-face photographic images and any comparable images; and
• any other unique identifying number, characteristic, or code, except that covered entities may, under certain circumstances, assign a code or other means of record identification that allows de-identified information to be re-identified.

Source: Adapted from [45 CFR § 164.514(b)(2)(i)].
* The first three digits of a zip code are excluded from the PHI list if the geographic unit formed by combining all zip codes with the same first three digits contains >20,000 persons.
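As an added example (not code from the report or from CDC), the safe-harbor rules of Box 2 and the limited-data-set allowance of Box 3 applied to one record in Python; the field names, the sample record, and the population counts per three-digit zip prefix are constructed assumptions of this example.

```python
"""Safe-harbor de-identification (Box 2) and limited-data-set preparation (Box 3).

Added example; it is not code from the MMWR report or from CDC. The field names,
the sample record and the population counts per three-digit zip prefix are all
constructed for this example. The "no actual knowledge" condition of the
safe-harbor method is a human judgement and is not something this code can check.
"""
from __future__ import annotations

from datetime import date

# Record fields that this example maps to the safe-harbor identifiers removed
# outright (names, phone/fax, e-mail, SSN, MRN, plan/account/license numbers,
# vehicle and device identifiers, URLs, IP addresses, biometrics, photographs).
DIRECT_IDENTIFIERS = frozenset({
    "name", "phone", "fax", "email", "ssn", "medical_record_number",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo",
})

# Geographic subdivisions smaller than a state. Under safe harbor only the first
# three zip digits may survive, and only when that area holds more than 20,000 persons.
GEOGRAPHIC_FIELDS = frozenset({"county", "city", "street_address", "zip"})
ZIP3_POPULATION_THRESHOLD = 20_000

# Ages over 89 are aggregated into a single "90 or older" category.
MAX_EXACT_AGE = 89

# A limited data set may keep town/city, state, zip code and full date elements.
LIMITED_DATA_SET_KEEPS = frozenset({"city", "state", "zip"})


def age_on(birth: date, as_of: date) -> int:
    """Completed years between birth and as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def generalize_zip(zip_code: str, zip3_population: dict[str, int]) -> str | None:
    """First three zip digits if their area exceeds 20,000 persons, otherwise None (removed)."""
    zip3 = zip_code[:3]
    if zip3_population.get(zip3, 0) > ZIP3_POPULATION_THRESHOLD:
        return zip3
    return None


def deidentify_safe_harbor(record: dict, zip3_population: dict[str, int], as_of: date) -> dict:
    """Apply the Box 2 safe-harbor rules to one record and return the de-identified copy."""
    birth = record.get("birth_date")
    age = age_on(birth, as_of) if isinstance(birth, date) else None
    over_89 = age is not None and age > MAX_EXACT_AGE
    out: dict = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS or field in GEOGRAPHIC_FIELDS - {"zip"}:
            continue
        if field == "zip":
            zip3 = generalize_zip(str(value), zip3_population)
            if zip3 is not None:
                out["zip3"] = zip3
        elif field == "birth_date":
            # Year of birth is kept only when it does not reveal an age over 89.
            if age is not None and not over_89:
                out["birth_year"] = value.year
        elif isinstance(value, date):
            # Other dates (admission, discharge, death, ...) keep the year only.
            out[f"{field}_year"] = value.year
        else:
            out[field] = value
    if over_89:
        out["age"] = "90 or older"
    elif age is not None:
        out["age"] = age
    return out


def limited_data_set(record: dict) -> dict:
    """Apply Box 3: keep town/city, state, zip and full dates; drop the other identifiers."""
    return {
        field: value
        for field, value in record.items()
        if field not in DIRECT_IDENTIFIERS
        and (field not in GEOGRAPHIC_FIELDS or field in LIMITED_DATA_SET_KEEPS)
    }


# Constructed sample input: not a real patient, not real population figures.
SAMPLE_RECORD = {
    "name": "Example Patient",
    "street_address": "1 Example St",
    "city": "Atlanta",
    "county": "Fulton",
    "state": "GA",
    "zip": "30333",
    "phone": "555-0100",
    "medical_record_number": "MRN-000001",
    "birth_date": date(1910, 3, 14),
    "admission_date": date(2003, 4, 2),
    "diagnosis": "pneumonia",
}
SAMPLE_ZIP3_POPULATION = {"303": 1_500_000, "036": 12_000}
AS_OF = date(2003, 4, 11)

if __name__ == "__main__":
    print(deidentify_safe_harbor(SAMPLE_RECORD, SAMPLE_ZIP3_POPULATION, AS_OF))
    print(limited_data_set(SAMPLE_RECORD))
```

Run as a script, the first line printed keeps only state, the three-digit zip prefix, the admission year, the diagnosis and the aggregated age category; the second keeps city, state, full zip and full dates as Box 3 allows.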

Limited Data Sets

Health information in a limited data set is not directly identifiable but may contain more identifiers than de-identified data that has been stripped of the 18 identifiers [45 CFR § 164.514] (Box 3). A data-use agreement must establish who is permitted to use or receive the limited data set and provide that the recipient will

• not use or disclose the information other than as permitted by the agreement or as otherwise required by law;
• use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the data-use agreement;
• report to the covered entity any use or disclosure of the information in violation of the agreement of which it becomes aware;
• ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
• not attempt to re-identify the information or contact the individual.

What is Required

For covered entities using or disclosing PHI, the Privacy Rule establishes a range of health-information privacy requirements and standards that attempt to balance individual privacy interests with the community need to use such data [45 CFR § 164.504]. Among its provisions, the Privacy Rule requires covered entities to

• notify individuals regarding their privacy rights and how their PHI is used or disclosed;
• adopt and implement internal privacy policies and procedures;
• train employees to understand these privacy policies and procedures, as appropriate for their functions within the covered entity;


• designate individuals who are responsible for implementing privacy policies and procedures and who will receive privacy-related complaints;
• establish privacy requirements in contracts with business associates that perform covered functions;
• have in place appropriate administrative, technical, and physical safeguards to protect the privacy of health information; and
• meet obligations with respect to health consumers exercising their rights under the Privacy Rule.

With respect to individuals, they are vested with the following rights:

• Receive access to PHI. Individual rights include inspections of records and the provision for copies of PHI about the individual in a designated record set, for as long as the PHI is maintained in the designated record set, except for psychotherapy notes, information compiled for use in civil, criminal, or administrative actions, and PHI maintained by a covered entity subject to the Clinical Laboratory Improvement Amendments of 1988 [42 CFR § 263(a)]. In the majority of cases, covered entities must accommodate a request or provide a process of denial subject to review [45 CFR § 164.524].
• Request amendments to PHI. Individuals can request that covered entities amend PHI about the individual in a designated record set for as long as the PHI is maintained in a designated record set. If the covered entity agrees to the amendment, it must 1) identify the records affected; 2) append or provide a link to the amendment; 3) inform the individual the amendment has been made; and 4) work with other covered entities or business associates who possess or receive the data to make the amendments [45 CFR § 164.526]. If the covered entity denies this request, the Privacy Rule provides a process for contesting the denial [45 CFR § 164.526].
• Receive adequate notice. With limited exceptions, individuals have the right to receive a notice of the uses and disclosures the covered entity will make of their PHI, their rights under the Privacy Rule, and the covered entity's obligations with respect to that information. In certain cases, notice may be provided electronically. The notice must be in plain language (e.g., "your health information may be shared with public health authorities for public health purposes ...") and posted where it is likely to be seen by patients [45 CFR § 164.520].
• Receive an accounting of disclosures. Upon request, covered entities are required to provide individuals with an accounting for certain types of disclosures of PHI, although the rule contains certain exceptions, including disclosures with individual authorization, disclosures related to providers' treatment, payment, and health-care operations (TPO), and other exceptions. A typical accounting includes the name of the person or entity who received the information, date of the disclosure, a brief description of the information disclosed, and a brief explanation of the reasons for disclosure or copy of the request [45 CFR § 164.528]. However, requirements for accounting of public health disclosures may vary (see Accounting for Public Health Disclosures).
• Request restrictions. Individuals have the right to request a restriction on certain uses or disclosures of their PHI; however, the covered entity is not obligated to agree to such a request. If the covered entity does agree to a restriction, it must generally abide by the agreement, except for emergency treatment situations. But such an agreement is not effective to prevent certain permitted uses or disclosures [45 CFR § 164.512].

Required PHI Disclosures

A covered entity is required by the Privacy Rule to disclose PHI in only two instances: 1) when an individual exercises a right to access, or to an accounting of, his or her PHI (see previous paragraph), and 2) when DHHS needs PHI to determine compliance with the Privacy Rule [45 CFR § 164.502(a)(2)]. Certain other uses and disclosures of PHI may be permitted without authorization but are not required by the Privacy Rule. However, other federal, tribal, state, or local laws may compel disclosure.

Permitted PHI Disclosures Without Authorization

The Privacy Rule permits a covered entity to use and disclose PHI, with certain limits and protections, for TPO activities [45 CFR § 164.506]. Certain other permitted uses and disclosures for which authorization is not required follow. Additional requirements and conditions apply to these disclosures. The Privacy Rule text and OCR guidance should be consulted for a full understanding of the following.

• Required by law. Disclosures of PHI are permitted when required by other laws, whether federal, tribal, state, or local.

• Public health. PHI can be disclosed to public health authorities and their authorized agents for public health purposes, including but not limited to public health surveillance, investigations, and interventions.

• Health research. A covered entity can use or disclose PHI for research without authorization under certain conditions, including 1) if it obtains documentation of a waiver from an institutional review board (IRB) or a privacy board according to a series of considerations; 2) for activities preparatory to research; and 3) for research on a decedent's information.

• Abuse, neglect, or domestic violence. PHI may be disclosed to report abuse, neglect, or domestic violence under specified circumstances.

• Law enforcement. Covered entities may, under specified conditions, disclose PHI to law enforcement officials pursuant to a court order, subpoena, or other legal order; to help identify and locate a suspect, fugitive, or missing person; to provide information related to a victim of a crime or a death that may have resulted from a crime; or to report a crime.

• Judicial and administrative proceedings. A covered entity may disclose PHI in the course of a judicial or administrative proceeding under specified circumstances.

• Cadaveric organ, eye, or tissue donation purposes. Organ-procurement agencies may use PHI for the purposes of facilitating transplant.

• Oversight. Covered entities may usually disclose PHI to a health oversight agency for oversight activities authorized by law.

• Workers' compensation. The Privacy Rule permits disclosure of work-related health information as authorized by, and to the extent necessary to comply with, workers' compensation programs.

Other Authorized Disclosures

A valid authorization is required for any use or disclosure of PHI that is not required or otherwise permitted without authorization by the Privacy Rule. In general, these authorizations must

• specifically identify the PHI to be used or disclosed;
• provide the names of persons or organizations, or classes of persons or organizations, who will receive, use, or disclose the PHI;
• state the purpose for each request;
• notify individuals of their right to refuse to sign the authorization without negative consequences to treatment, payment, or health plan enrollment or benefit eligibility, except under specific circumstances;
• be signed and dated by the individual or the individual's personal representative;
• be written in plain language;
• include an expiration date or event;
• notify the individual of the right to revoke the authorization at any time in writing, how to exercise that right, and any applicable exceptions to that right under the Privacy Rule; and
• explain the potential for the information to be subject to redisclosure by the recipient and no longer protected by the Privacy Rule.

The Privacy Rule and Public Health

The Privacy Rule recognizes 1) the legitimate need for public health authorities and others responsible for ensuring the public's health and safety to have access to PHI to conduct their missions, and 2) the importance of public health reporting by covered entities to identify threats to the public and individuals. Accordingly, the rule 1) permits PHI disclosures without a written patient authorization for specified public health purposes to public health authorities legally authorized to collect and receive the information for such purposes, and 2) permits disclosures that are required by state and local public health or other laws. However, because the Privacy Rule affects the traditional ways PHI is used and exchanged among covered entities (e.g., doctors, hospitals, and health insurers), it can affect public health practice and research in multiple ways. To prevent misconceptions, understanding the Privacy Rule is important for public health practice. Some illustrative examples are presented in this report (Box 4). Also provided are sample letters that might prove useful in clarifying relationships involving public health and the Privacy Rule (Appendix B).

A public health authority is broadly defined as including agencies or authorities of the United States, states, territories, political subdivisions of states or territories, American Indian tribes, or an individual or entity acting under a grant of authority from such agencies and responsible for public health matters as part of an official mandate. Public health authorities include federal public health agencies (e.g., CDC, National Institutes of Health [NIH], Health Resources and Services Administration [HRSA], Substance Abuse and Mental Health Services Administration [SAMHSA], Food and Drug Administration [FDA], or Occupational Safety and Health Administration [OSHA]); tribal health agencies; state public health agencies (e.g., public health departments or divisions, state cancer registries, and vital statistics departments); local public health agencies; and anyone performing public health functions under a grant of authority from a public health agency [45 CFR § 164.501].

Public health agencies often conduct their authorized public health activities with other entities by using different mechanisms (e.g., contracts and memoranda or letters of agreement). These other entities are public health authorities under the Privacy Rule with respect to the activities they conduct under a grant of authority from such a public health agency. A covered entity may disclose PHI to public health authorities and to these designated entities pursuant to the public health provisions of the Privacy Rule.

BOX 4. Examples of situations related to the Privacy Rule and public health

State cancer registry. Under a state law, health-care providers are required to report cancer cases to a state's cancer registry. Names are included to prevent duplicate reporting and counting. State law protects the confidentiality of the data. Can covered entities disclose the information under the Privacy Rule?

Privacy Rule effect. Covered entities may disclose PHI to a public health agency or any other entity when the disclosure is required by law. However, as covered entities, the providers must give an accounting to the persons whose PHI has been shared. The state agency may use and further disclose the PHI consistent with applicable state law.

State university-maintained cancer registry. Under a state law, health-care providers are mandated to report cancer cases to a state health department's cancer registry. The state health department contracts with a state university to receive the reports and maintain its registry. As covered entities, can health-care providers disclose PHI to the state university under the Privacy Rule?

Privacy Rule effect. As noted in the previous example, covered entities may disclose PHI without authorization to the cancer registry under the Privacy Rule, which expressly permits disclosure of PHI as required by law and sharing of PHI with public health authorities for public health purposes. The state university is acting under a grant of authority from a public health authority, the state health department. The university can use and disclose the information without authorization, consistent with its agreement with the state health department and applicable state law.

Early hearing detection and intervention. An early hearing detection and intervention program in a state needs data from two large hospitals. The state does not have a law requiring reporting of hearing loss. Under the Privacy Rule, can covered entities release results of newborn hearing-screening tests to the state program?

Privacy Rule effect. The Privacy Rule expressly permits release of PHI without authorization from a covered entity to a public health authority (e.g., the state health department) that is authorized by law to receive PHI for the purpose of controlling disease, injury, or disability. The rule does not require a state law mandating such disclosures for PHI to be released to a public health authority. Finally, the covered entities may rely upon the state's representation that the information requested is the minimum necessary for the purposes of the registry.

Disease registry maintained by private foundation. A private foundation maintains a disease registry as a way to support research and service for those with the disease. Can health-care providers release PHI to the foundation under the Privacy Rule?

Privacy Rule effect. Nongovernment disease registries (e.g., those maintained by foundations and other private organizations) are not considered public health authorities unless they have a grant of authority from a public health authority. With such a grant, covered entities may disclose PHI to the foundations. But without a grant of authority, PHI may be released only under one of the following situations:

• Release is authorized by the patient.
• The PHI is de-identified.
• The PHI is contained in a limited data set governed by a data-use agreement.
• Release of PHI is in accord with the rule's provisions for disclosure for research without authorization.
• Release is otherwise permitted by the rule (e.g., to entities subject to the jurisdiction of the Food and Drug Administration [FDA]) [45 CFR § 164.512(b)(1)(iii)].

Surveillance project. A state health department that is not a covered entity conducts a surveillance project on human immunodeficiency virus (HIV) and acquired immunodeficiency syndrome (AIDS). The HIV/AIDS surveillance project is an interview study. It asks for self-reported information from participants, including dates of diagnosis and visits for care. Is this PHI covered by the Privacy Rule?

Privacy Rule effect. Information collected directly from persons by a person, agency, or institution that is not a covered entity, including individually identifiable information, is not covered by the Privacy Rule.

The Privacy Rule permits covered entities to disclose PHI without authorization to public health authorities or other entities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability. This includes the reporting of disease or injury; reporting vital events (e.g., births or deaths); conducting public health surveillance, investigations, or interventions; reporting child abuse and neglect; and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices [45 CFR § 164.512(b)]. Covered entities may report adverse events related to FDA-regulated products or activities to public agencies and private entities that are subject to FDA jurisdiction [45 CFR § 164.512(b)(1)(iii)]. To protect the health of the public, public health authorities might need to obtain information related to the individuals affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority [45 CFR § 164.512(b)(1)(i)].

To receive PHI for public health purposes, public health authorities should be prepared to verify their status and identity as public health authorities under the Privacy Rule. To verify its identity, an agency could provide any one of the following:

• if the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;
• if the request is in writing, the request is on the appropriate government letterhead; or
• if the disclosure is to a person acting on behalf of a public health authority, a written statement on appropriate government letterhead that the person is acting under the government's authority [45 CFR § 164.514(h)(2)].

Public health authorities receiving information from covered entities as required or authorized by law [45 CFR § 164.512(a)] [45 CFR § 164.512(b)] are not business associates of the covered entities and therefore are not required to enter into business associate agreements. Public health authorities that are not covered entities also are not required to enter into business associate agreements with their public health partners and contractors. Also, after PHI is disclosed to a public health authority pursuant to the Privacy Rule, the public health authority (if it is not a covered entity) may maintain, use, and disclose the data consistent with the laws, regulations, and policies applicable to the public health authority.

Disclosures for Public Health Purposes

The Privacy Rule allows covered entities to disclose PHI to public health authorities when required by federal, tribal, state, or local laws [45 CFR § 164.512(a)]. This includes state laws (or state procedures established under such law) that provide for receiving reporting of disease or injury, child abuse, birth, or death, or for conducting public health surveillance, investigation, or intervention.

For disclosures not required by law, covered entities may still disclose, without authorization, to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, the minimum necessary information to accomplish the intended public health purpose of the disclosure [45 CFR § 164.512(b)] (Box 1).

For example, to protect the health of the public, public health officials might need to obtain information related to persons affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. The Privacy Rule continues to allow for the existing practice of sharing PHI with public health authorities who are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting adverse events, reporting births and deaths, and investigating the occurrence and cause of injury and disease (1).

Although it is not a defined term, DHHS interpreted the phrase "authorized by law" to mean that a legal basis exists for the activity. Further, DHHS called the phrase "a term of art" including both actions that are permitted and actions that are required by law [64 FR 59929, November 3, 1999]. This does not mean a public health authority at the federal, tribal, state, or local level must have multiple disease- or condition-specific laws that authorize each collection of information. Public health authorities operate under broad mandates to protect the health of their constituent populations.

Requirements for Covered Entities

Accounting for Public Health Disclosures

Although the Privacy Rule permits disclosures of PHI to public health authorities, covered entities must comply with certain requirements related to these disclosures. One such requirement is that a covered entity must be able to provide an individual, upon request, with an accounting of certain disclosures of PHI. The covered entity is not required to account for all disclosures of PHI. For example, an accounting is not required for disclosures made

• prior to the covered entity's compliance date;
• for TPO purposes;
• to the individual or pursuant to the individual's written authorization; or
• as part of a limited data set.

However, usually an accounting is required for disclosures made without authorization, including for public health purposes.

The required accounting for disclosures may be accomplished in different ways. Typically, the covered entity must provide the individual with an accounting of each disclosure by date, the PHI disclosed, the identity of the recipient of the PHI, and the purpose of the disclosure. However, where the covered entity has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy Rule provides for a simplified means of accounting. In such cases, the covered entity need only identify the recipient of such repetitive disclosures and the purpose of the disclosure, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period and a description of the frequency or periodicity of such disclosures. For example, the vast amount of data exchanged between covered entities and public health authorities is made through ongoing, regular reporting or inspection requirements. A covered health-care provider may routinely report all cases of measles it diagnoses to the local public health authority. An accounting of such disclosures to a requesting individual would need to identify the local public health authority receiving the PHI, the PHI disclosed, the purpose of the disclosure (required for communicable disease surveillance), the periodicity (weekly), and the first and last dates of such disclosures during the accounting period (May 1, 2003, to June 1, 2003). Thus, the covered entity would not need to annotate each patient's medical record whenever a routine public health disclosure was made.
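As an added illustration, not part of the MMWR report, the following Python models a covered entity's disclosure log and produces the accounting described above: disclosures before the compliance date and exempt disclosures (TPO, to the individual, under authorization, limited data set) are left out, and repetitive disclosures to the same recipient for the same purpose collapse into one entry giving first and last date, count, and periodicity. The log schema, field names, recipients, dates, and compliance date are constructed assumptions for the example.

```python
"""Accounting of disclosures with the Privacy Rule's simplified treatment
of repetitive disclosures.  The log schema and sample entries are
constructed for this example; they are not from the MMWR report."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Disclosure:
    """One line of a covered entity's disclosure log (constructed schema)."""
    patient_id: str
    disclosed_on: date
    recipient: str
    purpose: str
    phi: str              # description of the PHI disclosed
    exempt: bool = False  # TPO, to the individual, authorized, limited data set


def periodicity(dates: List[date]) -> str:
    """Describe how often a sorted series of disclosure dates recurred."""
    if len(dates) < 2:
        return "single"
    gaps = {(later - earlier).days for earlier, later in zip(dates, dates[1:])}
    if len(gaps) != 1:
        return "irregular"
    gap = gaps.pop()
    return {1: "daily", 7: "weekly"}.get(gap, f"every {gap} days")


def accounting(log: List[Disclosure], patient_id: str, period_start: date,
               period_end: date, compliance_date: date) -> List[dict]:
    """Return the accounting owed to one individual for one period.

    Disclosures before the compliance date, exempt disclosures and
    disclosures outside the requested period are omitted.  Several
    disclosures to the same recipient for the same purpose collapse into
    one entry with first/last date, count and observed periodicity.
    """
    groups: Dict[Tuple[str, str, str], List[date]] = defaultdict(list)
    for d in log:
        if d.patient_id != patient_id or d.exempt:
            continue
        if d.disclosed_on < compliance_date:
            continue  # no accounting owed for pre-compliance disclosures
        if not period_start <= d.disclosed_on <= period_end:
            continue
        groups[(d.recipient, d.purpose, d.phi)].append(d.disclosed_on)

    entries = []
    for (recipient, purpose, phi), dates in groups.items():
        dates.sort()
        entry = {"recipient": recipient, "purpose": purpose, "phi": phi}
        if len(dates) == 1:
            entry["date"] = dates[0]
        else:
            entry.update(first=dates[0], last=dates[-1], count=len(dates),
                         periodicity=periodicity(dates))
        entries.append(entry)
    entries.sort(key=lambda e: e["date"] if "date" in e else e["first"])
    return entries


# Constructed sample log: weekly measles reports for one patient, one
# registry report, one exempt payment disclosure, one report made before
# the (assumed) compliance date, and one report about another patient.
SURVEILLANCE = "communicable disease surveillance (required by state law)"
COUNTY = "County Health Department"
SAMPLE_LOG = [
    Disclosure("P-001", date(2003, 4, 3), COUNTY, SURVEILLANCE, "measles case report"),
    Disclosure("P-001", date(2003, 5, 1), COUNTY, SURVEILLANCE, "measles case report"),
    Disclosure("P-001", date(2003, 5, 8), COUNTY, SURVEILLANCE, "measles case report"),
    Disclosure("P-001", date(2003, 5, 15), COUNTY, SURVEILLANCE, "measles case report"),
    Disclosure("P-001", date(2003, 5, 22), COUNTY, SURVEILLANCE, "measles case report"),
    Disclosure("P-001", date(2003, 5, 29), COUNTY, SURVEILLANCE, "measles case report"),
    Disclosure("P-001", date(2003, 5, 10), "State Cancer Registry",
               "cancer reporting (required by state law)", "cancer case report"),
    Disclosure("P-001", date(2003, 5, 12), "Acme Health Plan", "payment",
               "claim for office visit", exempt=True),
    Disclosure("P-002", date(2003, 5, 3), COUNTY, SURVEILLANCE, "measles case report"),
]
COMPLIANCE_DATE = date(2003, 4, 14)  # assumed compliance date for this entity
PERIOD_START, PERIOD_END = date(2003, 5, 1), date(2003, 6, 1)


def sample_accounting() -> List[dict]:
    """Accounting P-001 would receive for May 1 to June 1, 2003."""
    return accounting(SAMPLE_LOG, "P-001", PERIOD_START, PERIOD_END, COMPLIANCE_DATE)


if __name__ == "__main__":
    for entry in sample_accounting():
        print(entry)
```

Grouping is on recipient, purpose, and PHI description together; a change in what is reported (for example, a different data element added to the routine report) starts a new entry rather than being hidden inside a summary, which is the behaviour a reviewer of the accounting would expect.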

Notice of Privacy Practices

With certain exceptions under the Privacy Rule, individuals have the right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, as well as their rights and the covered entity's legal obligations. Notices must be in plain language and clearly posted. Certain covered entities must make a good faith effort to obtain an individual's acknowledgment of receipt of this notice. In certain cases, notice may be provided electronically.

Minimum Necessary Standard

The Privacy Rule usually directs covered entities to limit the amount of information disclosed to the minimum necessary to achieve the specified goal [45 CFR § 164.514(d)(1)]. This requirement usually applies to disclosures to a public health agency. It would not apply, however, if the disclosure were required by law, authorized by the individual, or for treatment purposes. A covered entity may also reasonably rely on a public official's determination that the information requested is the minimum necessary for the public health purpose.

Public Health Authorities Performing Covered Functions

Public health authorities at the federal, tribal, state, or local levels that perform covered functions (e.g., providing health care or insuring individuals for health-care costs) may be subject to the Privacy Rule's provisions as covered entities. For example, a local public health authority that operates a health clinic providing essential health-care services to low-income persons and performs certain electronic transactions might be defined under the Privacy Rule as a covered health-care provider and therefore a covered entity. Flow charts and interactive tools designed to help determine covered entity status are provided online by the Centers for Medicare and Medicaid Services, available at httpwwwcmsgovhipaahipaa2supporttoolsdecisionsupportdefaultasp.

The following are examples of public health authority functions that make them covered entities:

• Public health authorities as covered health-care providers. A public health authority that conducts health care as part of its activities is a covered health-care provider if it also performs electronic transactions covered by the HIPAA Transactions Rule as part of these activities. The fact that these activities are conducted in pursuit of a public health goal (e.g., vaccinating children or screening a targeted population for sexually transmitted diseases) does not preclude the public health authority from being a covered entity.

• Public health authorities as health plans. Under the Privacy Rule, a health plan is an individual or group plan that provides or pays the cost of medical care. This specifically includes government health plans (e.g., Medicare, Medicaid, or Veterans Health Administration). However, the Privacy Rule defines health plan to exclude government-funded programs whose principal activity is the direct provision of health care to persons or the making of grants to fund the direct provision of health care to persons [45 CFR § 160.103]. Examples include the Ryan White Comprehensive AIDS Resources Emergency Act. Although certain government programs that fund providers directly may not be health plans, government programs that reimburse providers or otherwise fund providers to perform direct health-care services should carefully analyze the details of their programs to determine if they are performing covered functions.

• Public health authorities as health-care clearinghouses. Although unlikely, a public health authority might be a health-care clearinghouse if it receives health information from another entity and translates that information from a nonstandard format into a standard transaction or standard data elements (or vice versa). Operators of community health information systems should carefully consider whether they meet the definition for a health-care clearinghouse.

• Public health agencies as hybrid entities. A public health agency that is a covered entity and has both covered and noncovered functions may become a hybrid entity by designating its health-care components. By designating itself as a hybrid entity, a public health authority can carve out its noncovered functions so that the majority of Privacy Rule provisions apply only to its health-care component, which is required to comply with the Privacy Rule requirements, including using and disclosing PHI only as authorized, meeting the administrative requirements, accounting for disclosure of PHI, and providing a notice of practices. However, such a designation does not preclude the public health authority from continuing to conduct authorized public health functions. A covered entity that is also a public health authority may use, as well as disclose, PHI for public health purposes to the same extent it would be permitted to disclose the PHI as a public health authority.

The Privacy Rule and Public Health Research

The topic of research under the Privacy Rule is covered in depth in the DHHS report Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (6). The Privacy Rule provides separate provisions for disclosure without individual authorization for public health purposes and for certain research [45 CFR § 164.512(b)] [45 CFR § 164.512(i)]. Other federal law pertaining to research stresses the importance of distinguishing between research and practice to ensure that human subjects are appropriately protected [45 CFR Part 46]. For certain activities, this distinction is not always clear. A full discussion of the distinctions between public health practice and research is beyond the scope of this document. However, CDC and others provide guidance in this area (7–9).

Research Versus Practice

The definition of research is the same for the Privacy Rule and the Common Rule (10): systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Research is designed to test a hypothesis, permit conclusions to be drawn, and thereby to develop or contribute to generalizable knowledge. The majority of public health activities (e.g., public health surveillance and disease prevention and control projects) are based on scientific evidence and data collection or analytic methods similar to those used in research. However, they are not designed to contribute to generalizable knowledge. Their primary purpose is to protect the health of the population through such activities as disease surveillance, prevention, or control.

The Belmont Report (11) defines practice as interventions designed solely to enhance the well-being of a person, patient, or client and which have reasonable expectation of success. The report further states that the purpose of medical or behavioral practice is to provide diagnosis, preventive treatment, or therapy to particular patients. For public health agencies, the patient is the community. Public health practice activities (e.g., public health surveillance, disease control, or program evaluation) are undertaken with the intent to benefit a specific community, although occasionally they may provide unintended generalizable benefits to others.

Some public health activities that are initially public health practice may subsequently evolve into a research activity (e.g., an investigation to determine the cause of an outbreak that incorporates a research study evaluating the efficacy of a new drug to treat the illness). When that is the case, the disclosures may be made initially under the public health provisions of the Privacy Rule. But when the activity becomes an ongoing research activity, the entity should consider application of the relevant research disclosure provisions to continue to obtain information for this purpose. Moreover, there may be cases where the activity is both research and public health practice (e.g., an ongoing survey to monitor health conditions in the population, data from which can also be analyzed for research purposes). In those cases, disclosures may be made either under the research provisions or the public health provisions, as appropriate; the covered entity need not comply with both sets of requirements.

The Privacy Rule and Other Laws

• Federal laws. Covered entities subject to the Privacy Rule are also subject to other federal statutes and regulations. The specific relationship of the Privacy Rule and certain federal laws is discussed in the preamble to the December 2000 Final Rule [65 Fed. Reg. 82481]. In certain instances, the Privacy Rule imposes requirements in direct conflict with other federal laws or regulations. In those instances, an analysis will be necessary to determine whether the later provision was intended to overrule the prior law or regulation.

• State laws. As a federal regulatory standard, the Privacy Rule preempts only those contrary state laws relating to the privacy of individually identifiable health information that have less stringent requirements or standards than the Privacy Rule (i.e., more stringent laws remain in effect). In addition, DHHS may, upon specific request from a state or other entity or person, determine that a provision of state law that is contrary to the federal requirements and that meets certain additional criteria will not be preempted by the federal requirements. Thus, preemption of a contrary state law will not occur if the Secretary or designated DHHS official determines, in response to a request, that the state law 1) is necessary to prevent fraud and abuse related to the provision of or payment for health care; 2) is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation; 3) is necessary for state reporting on health-care delivery or costs; 4) is necessary to serve a compelling public health, safety, or welfare need and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or 5) has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances. The Privacy Rule specifically does not preempt contrary state public health laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention [45 CFR § 160.202].

Online Resources

References to non-DHHS sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

Federal Government Resources

DHHS Office for Civil Rights: HIPAA guidelines
httpwwwhhsgovocrhipaa

CDC: Privacy Rule guidelines
httpwwwcdcgovprivacyrule

Centers for Medicare and Medicaid Services
httpwwwcmsgovhipaa
httpwwwcmsgovhipaahipaa2supporttoolsdecisionsupportdefaultasp

Health Resources and Services Administration: HIPAA
httpwwwhrsagovwebsitehtm

National Center for Health Statistics
httpwwwcdcgovnchsotheractphdscphdschtm

National Committee on Vital and Health Statistics
httpwwwncvhshhsgov

National Health Information Infrastructure
httpwwwhealthgovncvhs-nhii

Indian Health Service: HIPAA
httpwwwihsgovAdminMngrResourcesHIPAAindexcfm

National Institutes of Health
httpprivacyruleandresearchnihgov

Substance Abuse and Mental Health Services Administration: HIPAA
httpwwwsamhsagovhipaa

State Government Resources

California
httpwwwdhscagovhipaa
httpwwwohicagovstatecalohiohiHomejsp
httpwwwdmhcagovhipaa

Colorado
httpwwwcdphestatecousHIPAA

Florida
httpwwwmyfloridacommyfloridastohipaa

Illinois
httpwwwstateilusdpahipaahtml

Kentucky
httpchsstatekyusdmsHIPAAdefaulthtm
httpdmhmrschrstatekyushipaaasp

Maryland
httpwwwmhccstatemdusedihipaa_hipaahtm
httpdhmhstatemdusHIPAA

Minnesota
httpwwwdhsstatemnushipaa

Missouri
httpwwwhealthstatemousHIPAA

New York
httpwwwoftstatenyushipaaindexhtm

North Carolina
httpdirmstatencushipaa

Ohio
httpwwwstateohushipaa

Pennsylvania
httpwwwdpwstatepausomaphipaaomaphipaaasp
httpwwwinsurancestatepaushtmlhipaahtml

South Carolina
httpwwwhipaastatescus

Texas
httpwwwhhscstatetxusNDISNDISTaskForcehtml

Virginia
httpwwwdmasstatevaushpa-homehtm

Wisconsin
httpwwwdhfsstatewiusHIPAA

Associations, Nonprofit Organizations, and Academic Resources

American Hospital Association: HIPAA
httpwwwhospitalconnectcomahakey_issueshipaaresourcesresourceshtml

American Medical Association: HIPAA
httpwwwama-assnorgamapubcategory4234html

Association of State and Territorial Health Officials: HIPAA
httpwwwasthoorgtemplate=hipaahtml

Georgetown University Health Privacy Project
httpwwwhealthprivacyorg

Joint Healthcare Information Technology Alliance
httpwwwjhitaorg

National Association of Health Data Organizations
httpwwwnahdoorg

National Association of Insurance Commissioners
httpwwwnaicorg1privacyinitiativeshealth_privacyhtm

National Governors Association: HIPAA
httpwwwngaorgcentertopics11188C_CENTER_ISSUE^D_432400html

North Carolina Healthcare Information and Communications Alliance
httpwwwnchicaorg

Public Health Grand Rounds: HIPAA Privacy Rule, Enhancing or Harming Public Health?
httpwwwpublichealthgrandroundsuncedu

Stanford University Medical School: HIPAA
httpwwwmedstanfordeduHIPAA

Workgroup for Electronic Data Interchange: Strategic National Implementation Process
httpwwwwediorgsnip

Acknowledgments

This report was prepared by Salvatore Lucido, MPA, and Denise Koo, MD, Office of the Associate Director for Science, Epidemiology Program Office, CDC, in collaboration with James G. Hodge, Jr., JD, Center for Law and the Public's Health, Georgetown and Johns Hopkins Universities, Baltimore, Maryland. The preparers are grateful for the participation of Deborah Tress, JD, Kenya Ford, JD, and Heather Horton, JD, Office of the General Counsel, Department of Health and Human Services, CDC/ATSDR Branch; the CDC Working Group on the Privacy Rule; and Beverly Dozier, JD, Lance A. Gable, JD, Lawrence O. Gostin, JD, Gail Horlick, JD, and Jennifer Kurle.

The preparers also thank the following partners for their valuable input: Association of State and Territorial Health Officers, Council of State and Territorial Epidemiologists, National Association of County and City Health Officials, National Association of Health Data Organizations, Association of Public Health Laboratories, and National Association for Public Health Statistics and Information Systems.


Appendix A
Selected Privacy Rule Concepts and Definitions

The following concepts and definitions are adapted from the regulatory language. For further information, see the citations to the Privacy Rule.

Accounting: An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures (a) to carry out treatment, payment, and health care operations [45 CFR § 164.506]; (b) to individuals of protected health information about them [45 CFR § 164.502]; (c) incident to a use or disclosure otherwise permitted or required by this subpart, as provided in 45 CFR § 164.502; (d) pursuant to an authorization as provided in 45 CFR § 164.508; (e) for the facility's directory or to persons involved in the individual's care or other notification purposes as provided in 45 CFR § 164.510; (f) for national security or intelligence purposes as provided in 45 CFR § 164.512(k)(2); (g) to correctional institutions or law enforcement officials as provided in 45 CFR § 164.512(k)(5); (h) as part of a limited data set in accordance with 45 CFR § 164.514(e); or (i) that occurred prior to the compliance date for the covered entity… Such an accounting must meet the following requirements: (1) except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual, as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity; (2) except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure the date of the disclosure; the name of the entity or person who received the protected health information and, if known, the address of such entity or person; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such a statement, a copy of the individual's written authorization pursuant to 45 CFR § 164.508 or a copy of a written request for a disclosure under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, if any.

If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, the accounting may, with respect to such multiple disclosures, provide the information required by paragraph (b)(2) of 45 CFR § 164.528 for the first disclosure during the accounting period; the frequency, periodicity, or number of the disclosures made during the accounting period; and the date of the last such disclosure during the accounting period [45 CFR § 164.528].

Modified accounting procedures are also provided for covered entities making research disclosures involving >50 persons [45 CFR § 164.528(b)(4)].

Business associate: A person who, on behalf of a covered entity or of an organized health care arrangement [45 CFR § 154.501] in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or any other function or activity regulated by this subchapter; or provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation [45 CFR § 164.501], management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health-care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the individual [45 CFR § 160.103].

Covered entity: 1) a health plan; 2) a health-care clearinghouse; 3) a health-care provider who transmits any health information in electronic form in connection with a transaction [45 CFR § 160.103].

Covered functions: Those functions of a covered entity the performance of which makes the entity a health plan, health-care provider, or health-care clearinghouse [45 CFR § 164.103].

Data aggregation: With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health-care operations of the respective covered entities [45 CFR § 164.501].

De-identified health information: Health information that does not identify an individual, and with respect to which no reasonable basis exists to believe that the information can be used to identify an individual, is not individually identifiable information [45 CFR § 164.514(a)].

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information [45 CFR § 160.103].

Electronic media: 1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or 2) transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission [45 CFR § 160.103].

Health care: Care, services, or supplies related to the health of an individual. It includes, but is not limited to, 1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body; and 2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription [45 CFR § 160.103].

Health-care clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system, community health information system, or value-added network or switch, that 1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or 2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity [45 CFR § 160.103].

Health-care operations: Any of the following activities of the covered entity, to the extent that the activities are related to covered functions: 1) conducting quality assessment and improvement activities, population-based activities, and related functions that do not include treatment; 2) reviewing the competence or qualifications of health care professionals; evaluating practitioner, provider, and health plan performance; conducting training programs where students learn to practice or improve their skills as health-care providers; training of nonhealth-care professionals; accreditation, certification, licensing, or credentialing activities; 3) underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or benefits; 4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration and development or improvement of methods of payment or coverage policies; and 6) business management and general administrative activities of the entity [45 CFR § 164.501].

Health-care provider: A provider of services (as defined in section 1861(u) of the Act, 42 USC 1395x(u)), a provider of medical or health-care services (as defined in section 1861(s) of the Act, 42 USC 1395x(s)), and any other individual or organization that furnishes, bills, or is paid for health care in the normal course of business [45 CFR § 160.103].

Health information: Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health-care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual [45 CFR § 160.103].

Health plan: An individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 USC 300gg-91(a)(2)). Health plan includes the following, singly or in combination: (i) a group health plan, as defined in 45 CFR § 160.103 of the Privacy Rule; (ii) a health insurance issuer, as defined in 45 CFR § 160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 CFR § 160.103 of the Privacy Rule; (iv) Part A or B of the Medicare program under title XVIII of the Act; (v) the Medicaid program under title XIX of the Act, 42 USC 1396 et seq.; (vi) an issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 USC 1395ss(g)(1)); (vii) an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy; (viii) an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers; (ix) the health care program for active military personnel under title 10 USC; (x) the veterans health-care program under 38 USC Ch. 17; (xi) the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 USC 1072(4)); (xii) the Indian Health Service program under the Indian Health Care Improvement Act, 25 USC 1601 et seq.; (xiii) the Federal Employees Health Benefits Program under 5 USC 8902 et seq.; (xiv) an approved state child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 USC 1397 et seq.; (xv) the Medicare+Choice program under Part C of title XVIII of the Act, 42 USC 1395w-21 through 1395w-28; (xvi) a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals; (xvii) any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 USC 300gg-91(a)(2)) [45 CFR § 160.103].

The term health plan excludes (i) any policy, plan, or program to the extent that it provides or pays for the cost of excepted benefits that are listed in § 2791(c)(1) of the PHS Act, 42 USC 300gg-91(c)(1); and (ii) a government-funded program, other than the ones listed in items (i)-(xvi) above, whose principal purpose is other than providing or paying the cost of health care, or whose principal activity is 1) the direct provision of health care to individuals or 2) the making of grants to fund the direct provision of health care to individuals [45 CFR § 160.103].

Hybrid entity: A single legal entity 1) that is a covered entity; 2) whose business activities include both covered and noncovered functions; and 3) that designates its health-care components [45 CFR § 164.103].

Individually identifiable health information: A subset of health information, including demographic information collected from an individual, that 1) is created or received by a health-care provider, health plan, employer, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual, or where there is a reasonable basis to believe the information can be used to identify the individual [45 CFR § 164.501].

Limited data set: Protected health information that excludes certain direct identifiers of the individual or of relatives, employers, or household members of the individual. Direct identifiers to be excluded can be found in 45 CFR § 164.514(e)(2).

Minimum necessary: For any type of disclosure that a covered entity makes on a routine and recurring basis, the covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. For all other disclosures, covered entities must develop and implement criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought, and review requests for disclosure on an individual basis in accordance with such criteria. A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when (a) making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose; (b) the information is requested by another covered entity; (c) the information is requested by their business associates providing personal services; or (d) documentation or representations that comply with the applicable requirements of 45 CFR § 164.512(i) have been provided by an individual requesting the information for research purposes [45 CFR § 164.514(d)(3)].

The minimum necessary standard also applies to uses of protected health information [45 CFR § 164.514(d)(2)] and requests for protected health information [45 CFR § 164.514(d)(4)].

Notice: An individual, with certain exceptions, has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. The notice must be written in plain language and contain the following elements: (i) a header as specified in the rule; (ii) a description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and health care operations, and a description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written consent or authorization. If a use or disclosure is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law (as defined in 45 CFR § 160.202). Each description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule or other applicable law, and a statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by 45 CFR § 164.508(b)(5).

A separate statement must be included in the notice if a covered entity intends to engage in any of the following activities. The statement should explain that 1) the covered entity may contact the individual to provide appointment reminders or information regarding treatment alternatives or other health-related benefits; 2) the covered entity may contact the individual to raise funds for the covered entity; or 3) a group health plan, health insurer, or HMO with respect to a group health plan may disclose protected health information to the sponsor of the plan.

The notice must contain a statement of the individual's rights with respect to the protected health information and a brief description of how the individual may exercise these rights; a statement of the covered entity's duties; a statement that individuals may complain to the covered entity or the Secretary if they believe their privacy rights have been violated; contact information; and the effective date of the notice [45 CFR § 164.520].

Payment: 1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, or (ii) a health-care provider or health plan to obtain or provide reimbursement for the provision of health care; and 2) the activities relate to the individual to whom health care is provided and include, but are not limited to, (i) determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; (ii) risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance), and related health-care data processing; (iv) review of health-care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services and concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: (a) name and address, (b) date of birth, (c) social security number, (d) payment history, (e) account number, and (f) name and address of the health-care provider or health plan [45 CFR § 164.501].

Protected health information (PHI): Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in (i) education records covered by the Family Educational Rights and Privacy Act (20 USC 1232g); (ii) records described at 20 USC 1232g(a)(4)(B)(iv); and (iii) employment records held by a covered entity in its role as employer [45 CFR § 160.103].

Public health authority: An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or an individual or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or individuals or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate [45 CFR § 164.501].

Examples of public health authorities include state and local health departments, CDC, National Institutes of Health (NIH), Food and Drug Administration (FDA), and Occupational Safety and Health Administration (OSHA).

Required by law: A mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. This term includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health-care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits [45 CFR § 164.103].

Research: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge [45 CFR § 164.501].

Statistical de-identification: A properly qualified statistician, using accepted analytical techniques, concludes that the risk is limited that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information [45 CFR § 164.514(b)].

Safe harbor method: A covered entity or its agent removes a comprehensive set of identifiers enumerated in the Privacy Rule, which includes, but is not limited to, names, geographic subdivisions smaller than states, dates more specific than years, contact information, identification numbers, and photographic images, and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual who is a subject of the information or the individual's relatives, employers, or household members. Eighteen specific identifiers will need to be removed to achieve de-identification [45 CFR § 164.514(b)].

Transaction: The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information, health care payment and remittance advice, coordination of benefits, health care claim status, enrollment and disenrollment in a health plan, eligibility for a health plan, health plan premium payments, referral certification and authorization, first report of injury, health claims attachments, and other transactions that the Secretary may prescribe by regulation [45 CFR § 164.103].

Treatment: The provision, coordination, or management of health care and related services by one or more health-care providers, including the coordination or management of health care by a health-care provider with a third party, consultation between health-care providers relating to a patient, or the referral of a patient for health care from one health-care provider to another [45 CFR § 164.501].

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information [45 CFR § 160.103].

18 MMWR April 11 2003

Vol 52 Early Release MMWR 19

Appendix BSample Text That Can Be Used To Clarify Public Health Issues

Under the Privacy Rule

pursuant to the Standards for Privacy of Individually Identifi-able Health Information promulgated under the HealthInsurance Portability and Accountability Act (HIPAA) [45CFR Parts 160 and 164)] Under this rule covered entitiesmay disclose without individual authorization protectedhealth information to public health authorities ldquo autho-rized by law to collect or receive such information for the pur-pose of preventing or controlling disease injury or disabilityincluding but not limited to the reporting of disease injuryvital events such as birth or death and the conduct of publichealth surveillance public health investigations and publichealth interventions rdquo The definition of a public health au-thority includes ldquo an individual or entity acting under a grantof authority from or contract with such public agency rdquo

[Authorized agency] is acting under [contract grant coop-erative agreement] with [public health authority] to conduct[project] which is authorized by [law or regulation] [Publichealth authority] grants this authority to [authorized agency]for purposes of this project Further [public health authority]considers this to be [activity type] for which disclosure ofprotected health information by covered entities is authorizedby 45 CFR sect 164512(b) of the Privacy Rule

From a public health authority to a covered entity con-firming grant of authority to an authorized agencyTo Whom It May Concern

[Public health authority] is an agency of [parent authority]and is a public health authority as defined by the HealthInsurance Portability and Accountability Act (HIPAA) Stan-dards for Privacy of Individually Identifiable Health Informa-tion Final Rule (Privacy Rule)[45 CFR sect 164501] Pursuantto 45 CFR sect 164512(b) of the Privacy Rule covered entitiesmay disclose protected health information to public healthauthorities ldquo authorized by law to collect or receive suchinformation for the purpose of preventing or controlling dis-ease injury or disability including but not limited to thereporting of disease injury vital events such as birth or deathand the conduct of public health surveillance public healthinvestigations and public health interventions rdquo The defi-nition of public health authority includes ldquo an individualor entity acting under a grant of authority from or contractwith such public agency rdquo [45 CFR sect 164501] [Autho-rized agency] is acting under [contract grant or cooperativeagreement] with [public health authority] to carry out [project]

Following are sample letters that can be used to help clarifyPrivacy Rule issues among covered entities and public healthauthorities (eg CDC National Institutes of Health Foodand Drug Administration Substance Abuse and Mental HealthServices Administration Health Resources and ServicesAdministration state and local health departments) Publichealth authorities can use these letters as templates by insert-ing names of the appropriate individuals projects agreementslaws activity types covered entities public health authoritiesand authorized agencies

From a public health authority to a covered entity clari-fying rules regarding disclosureTo Whom it May Concern

[Public health authority] is an agency of [parent authority]and is conducting the activity described here in its capacity asa public health authority as defined by the Health InsurancePortability and Accountability Act (HIPAA) Standards forPrivacy of Individually Identifiable Health Information FinalRule (Privacy Rule) [45 CFR sect164501] Pursuant to 45 CFRsect164512(b) of the Privacy Rule covered entities such as yourorganization may disclose without individual authorizationprotected health information to public health authorities ldquo authorized by law to collect or receive such information forthe purpose of preventing or controlling disease injury ordisability including but not limited to the reporting of dis-ease injury vital events such as birth or death and the con-duct of public health surveillance public health investigationsand public health interventions rdquo

[Public health authority] is conducting [project] a publichealth activity as described by 45 CFR sect 164512(b) and isauthorized by [law or regulation] The information beingrequested represents the minimum necessary to carry out thepublic health purposes of this project pursuant to 45 CFRsect164514(d) of the Privacy Rule

If you have questions or concerns please contact [projectleader]

From a public health authority to an authorized agencyproviding grant of authorityDear [authorized agency]

This letter serves as verification of a grant of authority from[public health authority] for you to conduct the public healthactivities described here acting as a public health authority

20 MMWR April 11 2003

Through this grant of authority [authorized agency] may func-tion as a public health authority under the Privacy Rule forpurposes of this project

[Project] is a public health activity as described by 45 CFR § 164.512(b), referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project pursuant to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities ". . . may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purposes when making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s)."

If you have questions or concerns, please contact [project leader for authorized agency/public health authority contact].

All MMWR references are available on the Internet at http://www.cdc.gov/mmwr. Use the search function to find specific articles.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

MMWR

The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) and is available free of charge in electronic format and on a paid subscription basis for paper copy. To receive an electronic copy each week, send an e-mail message to listserv@listserv.cdc.gov. The body content should read SUBscribe mmwr-toc. Electronic copy also is available from CDC's Internet server at http://www.cdc.gov/mmwr or from CDC's file transfer protocol server at ftp://ftp.cdc.gov/pub/publications/mmwr. To subscribe for paper copy, contact Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone 202-512-1800.

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

U.S. Government Printing Office: 2003-533-15569108 Region IV

  • Introduction
    • Impact on Public Health
  • Overview of the Privacy Rule
    • Who Is Covered
    • Types of Health Information
    • What Is Required
  • The Privacy Rule and Public Health
    • Disclosures for Public Health Purposes
    • Requirements for Covered Entities
  • The Privacy Rule and Public Health Research
    • Research Versus Practice
  • The Privacy Rule and Other Laws
  • Online Resources
    • Federal Government Resources
    • State Government Resources
    • Associations, Nonprofit Organizations, and Academic Resources
  • Acknowledgments
  • References
  • Appendix A
  • Appendix B

be a covered entity. For example, a public health agency that operates a health clinic providing essential health-care services and performing covered transactions electronically is a covered entity.

This report provides guidance to public health authorities and their authorized agents, researchers, and health-care providers in interpreting the Privacy Rule as it affects public health. CDC recommends that public health authorities share the information in this report with covered health-care providers and other covered entities and work closely with those entities to ensure implementation of the rule consistent with its intent: to protect privacy while permitting authorized public health activities to continue.

Overview of the Privacy Rule

Who Is Covered

The authority of DHHS to issue health-information privacy regulations was limited by Congress in HIPAA to a defined set of covered entities. More complete definitions of these and other terms are located elsewhere in this report (Appendix A). Covered entities are as follows:

• Health plans. An individual or group plan that provides or pays the cost of medical care that includes the diagnosis, cure, mitigation, treatment, or prevention of disease. Health plans include private entities (e.g., health insurers and managed care organizations) and government organizations (e.g., Medicaid, Medicare, and the Veterans Health Administration).

• Health-care clearinghouses. A public or private entity, including a billing service, repricing company, or community health information system, that processes nonstandard data or transactions received from another entity into standard transactions or data elements, or vice versa.

• Health-care providers. A provider of health-care services and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business. Health-care providers (e.g., physicians, hospitals, and clinics) are covered entities if they transmit health information in electronic form in connection with a transaction for which a HIPAA standard has been adopted by DHHS.

The Privacy Rule also establishes requirements for covered entities with regard to their nonemployee business associates (e.g., lawyers, accountants, billing companies, and other contractors) whose relationship with covered entities requires sharing of PHI. The Privacy Rule allows a covered provider or health plan to disclose PHI to a business associate if satisfactory written assurance is obtained that the business associate will use the information only for the purposes for which it was engaged, will safeguard the information from misuse, and will help the covered entity comply with certain of its duties under the Privacy Rule.

The Privacy Rule does not apply to all persons or entities that regularly use, disclose, or store individually identifiable health information. For example, the Privacy Rule does not cover employers, certain insurers (e.g., auto, life, and worker compensation), or those public agencies that deliver social security or welfare benefits, when functioning solely in these capacities.

Types of Health Information

Protected Health Information

The Privacy Rule protects certain information that covered entities use and disclose. This information is called protected health information (PHI), which is generally individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to 1) the past, present, or future physical or mental health or condition of an individual; 2) provision of health care to an individual; or 3) payment for the provision of health care to an individual. If the information identifies, or provides a reasonable basis to believe it can be used to identify, an individual, it is considered individually identifiable health information.

De-Identified Information

De-identified data (e.g., aggregate statistical data or data stripped of individual identifiers) require no individual privacy protections and are not covered by the Privacy Rule. De-identifying can be conducted through

• statistical de-identification: a properly qualified statistician, using accepted analytic techniques, concludes the risk is substantially limited that the information might be used, alone or in combination with other reasonably available information, to identify the subject of the information [45 CFR § 164.514(b)]; or the

• safe-harbor method: a covered entity or its business associate de-identifies information by removing 18 identifiers (Box 2), and the covered entity does not have actual knowledge that the remaining information can be used, alone or in combination with other data, to identify the subject [45 CFR § 164.514(b)].

In certain instances, working with de-identified data may have limited value to clinical research and other activities. When that is the case, a limited data set may be useful.
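The safe-harbor method and the limited data set are mechanical enough to script. The following Python is an added example, not code from this report: it applies the Box 2 field rules (the first-three-digits zip exception and the aggregation of ages above 89), derives the Box 3 limited data set from the same record, and checks a release for residual identifiers. The field names, the zip3 population table and the reference date are assumptions.

```python
"""Safe-harbor de-identification (Box 2) and limited data sets (Box 3).
Added example, not code from the MMWR report. The record layout, field
names, zip3 population table and reference date are assumptions."""
import re
from datetime import date

# Box 2 identifiers other than geography and dates (field names assumed);
# these are dropped from both a de-identified record and a limited data set.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "plan_id", "account",
    "license", "vehicle_id", "device_id", "url", "ip", "biometric", "photo",
    "other_code"}
# Geographic subdivisions smaller than a state (Box 2); a limited data set
# may keep only town or city, state and zip code (Box 3).
GEO_FIELDS = {"street", "county", "precinct", "city", "zip"}
LIMITED_GEO_FIELDS = {"city", "zip"}
# Dates directly related to the individual (Box 2); kept in a limited data set.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
BOX2_FIELDS = DIRECT_IDENTIFIERS | GEO_FIELDS | DATE_FIELDS


def _age_on(reference, birth_date):
    born = date.fromisoformat(birth_date)
    before_birthday = (reference.month, reference.day) < (born.month, born.day)
    return reference.year - born.year - before_birthday


def zip3_or_none(zip_code, zip3_population):
    """Keep the first three zip digits only if all zip codes sharing them
    cover >20,000 persons (Box 2 footnote); otherwise drop geography."""
    m = re.fullmatch(r"(\d{3})\d{2}(?:-\d{4})?", str(zip_code))
    if not m:
        return None
    zip3 = m.group(1)
    return zip3 if zip3_population.get(zip3, 0) > 20000 else None


def safe_harbor_deidentify(record, zip3_population, reference=date(2003, 4, 11)):
    """Copy of record with the 18 Box 2 identifiers removed: dates reduced to
    the year, ages >89 collapsed into one '90+' category with the birth year
    (indicative of such age) dropped, zip reduced to three digits."""
    age = _age_on(reference, record["birth_date"]) if "birth_date" in record else None
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in GEO_FIELDS:
            continue
        if key in DATE_FIELDS:
            if key != "birth_date" or age is None or age <= 89:
                out[key + "_year"] = int(value[:4])
            continue
        out[key] = value
    zip3 = zip3_or_none(record.get("zip", ""), zip3_population)
    if zip3 is not None:
        out["zip3"] = zip3
    if age is not None:
        out["age"] = "90+" if age > 89 else age
    return out


def limited_data_set(record):
    """Box 3 limited data set: direct identifiers removed, city/state/zip and
    full dates retained; release still requires a data-use agreement."""
    return {k: v for k, v in record.items()
            if k not in DIRECT_IDENTIFIERS
            and (k not in GEO_FIELDS or k in LIMITED_GEO_FIELDS)}


# Value patterns that betray an identifier left behind in a free-text field.
LEAK_PATTERNS = {
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "zip5": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")}


def residual_identifiers(deidentified):
    """Release-time check: Box 2 fields or identifier-like values still present.
    An empty list satisfies the field rules; the 'actual knowledge' condition
    in Box 2 remains a human judgement."""
    findings = [k for k in deidentified if k in BOX2_FIELDS]
    for key, value in deidentified.items():
        if isinstance(value, str):
            findings += [f"{label} in {key}" for label, pat in LEAK_PATTERNS.items()
                         if pat.search(value)]
    return findings


# Constructed sample record and zip3 population table (not real data).
SAMPLE = {
    "name": "Jane Example", "ssn": "123-45-6789", "email": "jane@example.org",
    "street": "1 Main St", "city": "Springfield", "state": "GA", "zip": "30301",
    "birth_date": "1910-02-01", "admission_date": "2003-03-15",
    "diagnosis": "measles", "notes": "seen 2003-03-15, discharged home"}
ZIP3_POPULATION = {"303": 250000, "036": 12000}

if __name__ == "__main__":
    released = safe_harbor_deidentify(SAMPLE, ZIP3_POPULATION)
    print(released)                          # ... 'zip3': '303', 'age': '90+'
    print(residual_identifiers(released))    # ['full_date in notes']
    print(limited_data_set(SAMPLE))
```

The residual check flags the full date left inside the free-text note, which the field rules alone would have released.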

Limited Data Sets

Health information in a limited data set is not directly identifiable but may contain more identifiers than de-identified data that has been stripped of the 18 identifiers [45 CFR § 164.514] (Box 3). A data-use agreement must establish who is permitted to use or receive the limited data set and provide that the recipient will

• not use or disclose the information other than as permitted by the agreement or as otherwise required by law;

• use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the data-use agreement;

• report to the covered entity any use or disclosure of the information in violation of the agreement of which it becomes aware;

• ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and

• not attempt to re-identify the information or contact the individual.

BOX 2. Individual identifiers under the Privacy Rule

The following 18 identifiers of a person, or of relatives, employers, or household members of a person, must be removed, and the covered entity must not have actual knowledge that the information could be used, alone or in combination with other information, to identify the individual, for the information to be considered de-identified and not protected health information (PHI):

• names;
• all geographic subdivisions smaller than a state, including county, city, street address, precinct, zip code,* and their equivalent geocodes;
• all elements of dates (except year) directly related to an individual; all ages >89 and all elements of dates (including year) indicative of such age (except for an aggregate into a single category of age >90);
• telephone numbers;
• fax numbers;
• electronic mail addresses;
• Social Security numbers;
• medical record numbers;
• health-plan beneficiary numbers;
• account numbers;
• certificate and license numbers;
• vehicle identifiers and serial numbers, including license plate numbers;
• medical device identifiers and serial numbers;
• Internet universal resource locators (URLs);
• Internet protocol (IP) addresses;
• biometric identifiers, including fingerprints and voice prints;
• full-face photographic images and any comparable images; and
• any other unique identifying number, characteristic, or code, except that covered entities may, under certain circumstances, assign a code or other means of record identification that allows de-identified information to be re-identified.

Source: Adapted from [45 CFR § 164.514(b)(2)(i)].
* The first three digits of a zip code are excluded from the PHI list if the geographic unit formed by combining all zip codes with the same first three digits contains >20,000 persons.

BOX 3. Use of limited data sets under the Privacy Rule

The following protected health information (PHI) can be included without authorization in a limited data set for public health, research, or health-care operations:

• town or city, state, and zip code; and
• elements of dates related to a person (e.g., years, birth dates, admission dates, discharge dates, and dates of death).

To disclose a limited data set, a covered entity must enter into a data-use agreement with the recipient, which agrees to use or disclose the PHI for limited purposes. Disclosure of a limited data set is not subject to the accounting requirement but must meet the minimum necessary standards of the Privacy Rule.

What Is Required

For covered entities using or disclosing PHI, the Privacy Rule establishes a range of health-information privacy requirements and standards that attempt to balance individual privacy interests with the community need to use such data [45 CFR § 164.504]. Among its provisions, the Privacy Rule requires covered entities to

• notify individuals regarding their privacy rights and how their PHI is used or disclosed;

• adopt and implement internal privacy policies and procedures;

• train employees to understand these privacy policies and procedures, as appropriate for their functions within the covered entity;


• designate individuals who are responsible for implementing privacy policies and procedures and who will receive privacy-related complaints;

• establish privacy requirements in contracts with business associates that perform covered functions;

• have in place appropriate administrative, technical, and physical safeguards to protect the privacy of health information; and

• meet obligations with respect to health consumers exercising their rights under the Privacy Rule.

With respect to individuals, they are vested with the following rights:

• Receive access to PHI. Individual rights include inspection of records and the provision of copies of PHI about the individual in a designated record set for as long as the PHI is maintained in the designated record set, except for psychotherapy notes, information compiled for use in civil, criminal, or administrative actions, and PHI maintained by a covered entity subject to the Clinical Laboratory Improvement Amendments of 1988 [42 CFR § 263(a)]. In the majority of cases, covered entities must accommodate a request or provide a process of denial subject to review [45 CFR § 164.524].

• Request amendments to PHI. Individuals can request that covered entities amend PHI about the individual in a designated record set for as long as the PHI is maintained in a designated record set. If the covered entity agrees to the amendment, it must 1) identify the records affected; 2) append or provide a link to the amendment; 3) inform the individual the amendment has been made; and 4) work with other covered entities or business associates who possess or receive the data to make the amendments [45 CFR § 164.526]. If the covered entity denies this request, the Privacy Rule provides a process for contesting the denial [45 CFR § 164.526].

• Receive adequate notice. With limited exceptions, individuals have the right to receive a notice of the uses and disclosures the covered entity will make of their PHI, their rights under the Privacy Rule, and the covered entity's obligations with respect to that information. In certain cases, notice may be provided electronically. The notice must be in plain language (e.g., "your health information may be shared with public health authorities for public health purposes . . .") and posted where it is likely to be seen by patients [45 CFR § 164.520].

• Receive an accounting of disclosures. Upon request, covered entities are required to provide individuals with an accounting for certain types of disclosures of PHI, although the rule contains certain exceptions, including disclosures with individual authorization, disclosures related to providers' treatment, payment, and health-care operations (TPO), and other exceptions. A typical accounting includes the name of the person or entity who received the information, the date of the disclosure, a brief description of the information disclosed, and a brief explanation of the reasons for disclosure or a copy of the request [45 CFR § 164.528]. However, requirements for accounting of public health disclosures may vary (see Accounting for Public Health Disclosures).

• Request restrictions. Individuals have the right to request a restriction on certain uses or disclosures of their PHI; however, the covered entity is not obligated to agree to such a request. If the covered entity does agree to a restriction, it must generally abide by the agreement, except for emergency treatment situations. But such an agreement is not effective to prevent certain permitted uses or disclosures [45 CFR § 164.512].

Required PHI Disclosures

A covered entity is required by the Privacy Rule to disclose PHI in only two instances: 1) when an individual has a right to access an accounting of his or her PHI (see previous paragraph), and 2) when DHHS needs PHI to determine compliance with the Privacy Rule [45 CFR § 164.502(a)(2)]. Certain other uses and disclosures of PHI may be permitted without authorization but are not required by the Privacy Rule. However, other federal, tribal, state, or local laws may compel disclosure.

Permitted PHI Disclosures Without Authorization

The Privacy Rule permits a covered entity to use and disclose PHI, with certain limits and protections, for TPO activities [45 CFR § 164.506]. Certain other permitted uses and disclosures for which authorization is not required follow. Additional requirements and conditions apply to these disclosures. The Privacy Rule text and OCR guidance should be consulted for a full understanding of the following:

• Required by law. Disclosures of PHI are permitted when required by other laws, whether federal, tribal, state, or local.

• Public health. PHI can be disclosed to public health authorities and their authorized agents for public health purposes including, but not limited to, public health surveillance, investigations, and interventions.

• Health research. A covered entity can use or disclose PHI for research without authorization under certain conditions, including 1) if it obtains documentation of a waiver from an institutional review board (IRB) or a privacy board, according to a series of considerations; 2) for activities preparatory to research; and 3) for research on a decedent's information.

• Abuse, neglect, or domestic violence. PHI may be disclosed to report abuse, neglect, or domestic violence under specified circumstances.

• Law enforcement. Covered entities may, under specified conditions, disclose PHI to law enforcement officials pursuant to a court order, subpoena, or other legal order; to help identify and locate a suspect, fugitive, or missing person; to provide information related to a victim of a crime or a death that may have resulted from a crime; or to report a crime.

• Judicial and administrative proceedings. A covered entity may disclose PHI in the course of a judicial or administrative proceeding under specified circumstances.

• Cadaveric organ, eye, or tissue donation purposes. Organ-procurement agencies may use PHI for the purposes of facilitating transplant.

• Oversight. Covered entities may usually disclose PHI to a health oversight agency for oversight activities authorized by law.

• Worker's compensation. The Privacy Rule permits disclosure of work-related health information as authorized by, and to the extent necessary to comply with, workers' compensation programs.

Other Authorized Disclosures

A valid authorization is required for any use or disclosure of PHI that is not required or otherwise permitted without authorization by the Privacy Rule. In general, these authorizations must

• specifically identify the PHI to be used or disclosed;

• provide the names of persons or organizations, or classes of persons or organizations, who will receive, use, or disclose the PHI;

• state the purpose for each request;

• notify individuals of their right to refuse to sign the authorization without negative consequences to treatment, payment, or health plan enrollment or benefit eligibility, except under specific circumstances;

• be signed and dated by the individual or the individual's personal representative;

• be written in plain language;

• include an expiration date or event;

• notify the individual of the right to revoke authorization at any time in writing, how to exercise that right, and any applicable exceptions to that right under the Privacy Rule; and

• explain the potential for the information to be subject to redisclosure by the recipient and no longer protected by the Privacy Rule.

The Privacy Rule and Public Health

The Privacy Rule recognizes 1) the legitimate need for public health authorities and others responsible for ensuring the public's health and safety to have access to PHI to conduct their missions, and 2) the importance of public health reporting by covered entities to identify threats to the public and individuals. Accordingly, the rule 1) permits PHI disclosures without a written patient authorization for specified public health purposes to public health authorities legally authorized to collect and receive the information for such purposes, and 2) permits disclosures that are required by state and local public health or other laws. However, because the Privacy Rule affects the traditional ways PHI is used and exchanged among covered entities (e.g., doctors, hospitals, and health insurers), it can affect public health practice and research in multiple ways. To prevent misconceptions, understanding the Privacy Rule is important for public health practice. Some illustrative examples are presented in this report (Box 4). Also provided are sample letters that might prove useful in clarifying relationships involving public health and the Privacy Rule (Appendix B).

A public health authority is broadly defined as including agencies or authorities of the United States, states, territories, political subdivisions of states or territories, American Indian tribes, or an individual or entity acting under a grant of authority from such agencies and responsible for public health matters as part of an official mandate. Public health authorities include federal public health agencies (e.g., CDC, National Institutes of Health [NIH], Health Resources and Services Administration [HRSA], Substance Abuse and Mental Health Services Administration [SAMHSA], Food and Drug Administration [FDA], or Occupational Safety and Health Administration [OSHA]), tribal health agencies, state public health agencies (e.g., public health departments or divisions, state cancer registries, and vital statistics departments), local public health agencies, and anyone performing public health functions under a grant of authority from a public health agency [45 CFR § 164.501].

Public health agencies often conduct their authorized public health activities with other entities by using different mechanisms (e.g., contracts and memoranda or letters of agreement). These other entities are public health authorities under the Privacy Rule with respect to the activities they conduct under a grant of authority from such a public health agency. A covered entity may disclose PHI to public health authorities and to these designated entities pursuant to the public health provisions of the Privacy Rule.

BOX 4. Examples of situations related to the Privacy Rule and public health

State cancer registry. Under a state law, health-care providers are required to report cancer cases to a state's cancer registry. Names are included to prevent duplicate reporting and counting. State law protects the confidentiality of the data. Can covered entities disclose the information under the Privacy Rule?

Privacy Rule effect: Covered entities may disclose PHI to a public health agency or any other entity when the disclosure is required by law. However, as covered entities, the providers must give an accounting to the persons whose PHI has been shared. The state agency may use and further disclose the PHI consistent with applicable state law.

State university-maintained cancer registry. Under a state law, health-care providers are mandated to report cancer cases to a state health department's cancer registry. The state health department contracts with a state university to receive the reports and maintain its registry. As covered entities, can health-care providers disclose PHI to the state university under the Privacy Rule?

Privacy Rule effect: As noted in the previous example, covered entities may disclose, without authorization, PHI to the cancer registry under the Privacy Rule, which expressly permits disclosure of PHI as required by law and sharing of PHI with public health authorities for public health purposes. The state university is acting under a grant of authority from a public health authority, the state health department. The university can use and disclose the information without authorization, consistent with its agreement with the state health department and applicable state law.

Early hearing detection and intervention. An early hearing detection and intervention program in a state needs data from two large hospitals. The state does not have a law requiring reporting of hearing loss. Under the Privacy Rule, can covered entities release results of newborn hearing-screening tests to the state program?

Privacy Rule effect: The Privacy Rule expressly permits release of PHI without authorization from a covered entity to a public health authority (e.g., the state health department), which is authorized by law to receive PHI for the purpose of controlling disease, injury, or disability. The rule does not require a state law mandating such disclosures for PHI to be released to a public health authority. Finally, the covered entities may rely upon the state's representation that the information requested is the minimum necessary for the purposes of the registry.

Disease registry maintained by private foundation. A private foundation maintains a disease registry as a way to support research and service for those with the disease. Can health-care providers release PHI to the foundation under the Privacy Rule?

Privacy Rule effect: Nongovernment disease registries (e.g., those maintained by foundations and other private organizations) are not considered public health authorities unless they have a grant of authority from a public health authority. With such a grant, covered entities may disclose PHI to the foundations. But without a grant of authority, PHI may be released only under one of the following situations:

• Release is authorized by the patient.
• The PHI is de-identified.
• The PHI is contained in a limited data set governed by a data-use agreement.
• Release of PHI is in accord with the rule's provisions for disclosure for research without authorization.
• Release is otherwise permitted by the rule (e.g., to entities subject to the jurisdiction of the Food and Drug Administration [FDA]) [45 CFR § 164.512(b)(1)(iii)].

Surveillance project. A state health department that is not a covered entity conducts a surveillance project on human immunodeficiency virus (HIV) and acquired immunodeficiency syndrome (AIDS). The HIV/AIDS surveillance project is an interview study. It asks for self-reported information from participants, including dates of diagnosis and visits for care. Is this PHI covered by the Privacy Rule?

Privacy Rule effect: Information collected directly from persons by a person, agency, or institution that is not a covered entity, including individually identifiable information, is not covered by the Privacy Rule.

The Privacy Rule permits covered entities to disclose PHI without authorization to public health authorities or other entities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability. This includes the reporting of disease or injury; reporting vital events (e.g., births or deaths); conducting public health surveillance, investigations, or interventions; reporting child abuse and neglect; and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices [45 CFR 164.512(b)]. Covered entities may report adverse events related to FDA-regulated products or activities to public agencies and private entities that are subject to FDA jurisdiction [45 CFR 164.512(b)(1)(iii)]. To protect the health of the public, public health authorities might need to obtain information related to the individuals affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority [45 CFR 164.512(b)(1)(i)].

To receive PHI for public health purposes, public health authorities should be prepared to verify their status and identity as public health authorities under the Privacy Rule. To verify its identity, an agency could provide any one of the following:

• if the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;

• if the request is in writing, the request is on the appropriate government letterhead; or

• if the disclosure is to a person acting on behalf of a public health authority, a written statement on appropriate government letterhead that the person is acting under the government's authority [45 CFR § 164.514(h)(2)].

Public health authorities receiving information from covered entities as required or authorized by law [45 CFR 164.512(a)] [45 CFR 164.512(b)] are not business associates of the covered entities and therefore are not required to enter into business associate agreements. Public health authorities that are not covered entities also are not required to enter into business associate agreements with their public health partners and contractors. Also, after PHI is disclosed to a public health authority pursuant to the Privacy Rule, the public health authority (if it is not a covered entity) may maintain, use, and disclose the data consistent with the laws, regulations, and policies applicable to the public health authority.

Disclosures for Public Health Purposes

The Privacy Rule allows covered entities to disclose PHI to public health authorities when required by federal, tribal, state, or local laws [45 CFR 164.512(a)]. This includes state laws (or state procedures established under such law) that provide for receiving reporting of disease or injury, child abuse, birth, or death, or conducting public health surveillance, investigation, or intervention.

For disclosures not required by law, covered entities may still disclose, without authorization, to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, the minimum necessary information to accomplish the intended public health purpose of the disclosure [45 CFR 164.512(b)] (Box 1).

For example, to protect the health of the public, public health officials might need to obtain information related to persons affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. The Privacy Rule continues to allow for the existing practice of sharing PHI with public health authorities who are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting adverse events, reporting births and deaths, and investigating the occurrence and cause of injury and disease (1).

Although it is not a defined term, DHHS interpreted the phrase "authorized by law" to mean that a legal basis exists for the activity. Further, DHHS called the phrase "a term of art" including both actions that are permitted and actions that are required by law [64 FR 59929, November 3, 1999]. This does not mean a public health authority at the federal, tribal, state, or local level must have multiple disease- or condition-specific laws that authorize each collection of information. Public health authorities operate under broad mandates to protect the health of their constituent populations.

Requirements for Covered Entities

Accounting for Public Health Disclosures

Although the Privacy Rule permits disclosures of PHI to public health authorities, covered entities must comply with certain requirements related to these disclosures. One such requirement is that a covered entity must be able to provide an individual, upon request, with an accounting of certain disclosures of PHI. The covered entity is not required to account for all disclosures of PHI. For example, an accounting is not required for disclosures made

• prior to the covered entity's compliance date;
• for TPO purposes;
• to the individual or pursuant to the individual's written authorization; or
• as part of a limited data set.

However, usually an accounting is required for disclosures made without authorization, including for public health purposes.

The required accounting for disclosures may be accomplished in different ways. Typically, the covered entity must provide the individual with an accounting of each disclosure by date, the PHI disclosed, the identity of the recipient of the PHI, and the purpose of the disclosure. However, where the covered entity has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy Rule provides for a simplified means of accounting. In such cases, the covered entity need only identify the recipient of such repetitive disclosures, the purpose of the disclosure, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period and a description of the frequency or periodicity of such disclosures. For example, the vast amount of data exchanged between covered entities and public health authorities is made through ongoing, regular reporting or inspection requirements. A covered health-care provider may routinely report all cases of measles it diagnoses to the local public health authority. An accounting of such disclosures to a requesting individual would need to identify the local public health authority receiving the PHI, the PHI disclosed, the purpose of the disclosure (required for communicable disease surveillance), the periodicity (weekly), and the first and last dates of such disclosures during the accounting period (May 1, 2003 to June 1, 2003). Thus, the covered entity would not need to annotate each patient's medical record whenever a routine public health disclosure was made.
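The accounting procedure just described, as an added Python example that is not part of this report: it filters a constructed disclosure log by the exemptions and the six-year window, then collapses repetitive disclosures to the same recipient for the same purpose into one entry with first and last dates, count and periodicity. The compliance date, record layout and purpose labels are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Disclosure purposes the Privacy Rule exempts from the accounting
# requirement, following the categories listed in the text (TPO, to the
# individual or under the individual's authorization, limited data set).
# The label strings are an assumption of this example.
EXEMPT_PURPOSES = {
    "treatment", "payment", "health care operations",
    "to individual", "individual authorization", "limited data set",
}


@dataclass(frozen=True)
class Disclosure:
    """One disclosure of PHI as a covered entity might log it (hypothetical)."""
    when: date
    recipient: str
    phi: str
    purpose: str


def years_before(day, years):
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return day.replace(year=day.year - years)
    except ValueError:
        return day.replace(year=day.year - years, day=28)


def accountable(d, compliance_date, request_date, lookback_years=6):
    """True if the disclosure must appear in the accounting: not an exempt
    purpose, not before the compliance date, and inside the six-year window
    that ends on the date of the request."""
    if d.purpose in EXEMPT_PURPOSES or d.when < compliance_date:
        return False
    return years_before(request_date, lookback_years) <= d.when <= request_date


def describe_periodicity(ds):
    """Describe the spacing of a date-sorted run of repetitive disclosures
    by the median gap between consecutive disclosures."""
    gaps = sorted((b.when - a.when).days for a, b in zip(ds, ds[1:]))
    median = gaps[len(gaps) // 2]
    names = {1: "daily", 7: "weekly", 14: "biweekly"}
    if median in names:
        return names[median]
    if 28 <= median <= 31:
        return "monthly"
    return f"about every {median} days"


def accounting_of_disclosures(disclosures, compliance_date, request_date):
    """Build the accounting an individual may request. Multiple disclosures
    to the same recipient for the same purpose collapse into one entry with
    the recipient, purpose, PHI routinely disclosed, first and last dates,
    count and periodicity; every other disclosure gets its own dated entry."""
    groups = defaultdict(list)
    for d in sorted(disclosures, key=lambda d: d.when):
        if accountable(d, compliance_date, request_date):
            groups[(d.recipient, d.purpose)].append(d)

    entries = []
    for (recipient, purpose), ds in groups.items():
        if len(ds) == 1:
            entries.append({"date": ds[0].when, "recipient": recipient,
                            "phi": ds[0].phi, "purpose": purpose})
        else:
            entries.append({"recipient": recipient, "purpose": purpose,
                            "phi": "; ".join(sorted({d.phi for d in ds})),
                            "first": ds[0].when, "last": ds[-1].when,
                            "count": len(ds),
                            "periodicity": describe_periodicity(ds)})
    return entries


# Constructed sample log: the routine measles reports from the text plus
# disclosures that fall outside the accounting requirement.
COMPLIANCE_DATE = date(2003, 4, 14)   # assumed compliance date for the example
REQUEST_DATE = date(2003, 7, 1)       # date the individual asks for the accounting
SURVEILLANCE = "required for communicable disease surveillance"
SAMPLE_LOG = [
    Disclosure(date(2003, 4, 1), "Local public health authority",
               "measles case reports", SURVEILLANCE),        # pre-compliance
    Disclosure(date(2003, 5, 10), "Referring cardiologist",
               "consult notes", "treatment"),                # TPO, exempt
    Disclosure(date(2003, 5, 20), "Patient", "copy of record",
               "to individual"),                             # exempt
    Disclosure(date(2003, 6, 12), "State health department",
               "case history", "outbreak investigation"),    # single entry
] + [
    Disclosure(date(2003, 5, day), "Local public health authority",
               "measles case reports", SURVEILLANCE)
    for day in (1, 8, 15, 22, 29)                            # weekly reports
]


def sample_accounting():
    """The accounting produced for the constructed log above."""
    return accounting_of_disclosures(SAMPLE_LOG, COMPLIANCE_DATE, REQUEST_DATE)


if __name__ == "__main__":
    for entry in sample_accounting():
        print(entry)
```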

Notice of Privacy Practices

With certain exceptions under the Privacy Rule, individuals have the right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, as well as their rights and the covered entity's legal obligations. Notices must be in plain language and clearly posted. Certain covered entities must make a good faith effort to obtain an individual's acknowledgment of receipt of this notice. In certain cases, notice may be provided electronically.

Minimum Necessary Standard

The Privacy Rule usually directs covered entities to limit the amount of information disclosed to the minimum necessary to achieve the specified goal [45 CFR § 164.514(d)(1)]. This requirement usually applies to disclosures to a public health agency. It would not apply, however, if the disclosure were required by law, authorized by the individual, or for treatment purposes. A covered entity may also reasonably rely on a public official's determination that the information requested is the minimum necessary for the public health purpose.

Public Health Authorities Performing Covered Functions

Public health authorities at the federal, tribal, state, or local levels that perform covered functions (e.g., providing health care or insuring individuals for health-care costs) may be subject to the Privacy Rule's provisions as covered entities. For example, a local public health authority that operates a health clinic providing essential health-care services to low-income persons and performs certain electronic transactions might be defined under the Privacy Rule as a covered health-care provider and, therefore, a covered entity. Flow charts and interactive tools designed to help determine covered entity status are provided online by the Centers for Medicare and Medicaid Services, available at http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp.

The following are examples of public health authority functions that make them covered entities:

• Public health authorities as covered health-care providers. A public health authority that conducts health care as part of its activities is a covered health-care provider if it also performs electronic transactions covered by the HIPAA Transactions Rule as part of these activities. The fact that these activities are conducted in pursuit of a public health goal (e.g., vaccinating children or screening a targeted population for sexually transmitted diseases) does not preclude the public health authority from being a covered entity.

• Public health authorities as health plans. Under the Privacy Rule, a health plan is an individual or group plan that provides or pays the cost of medical care. This specifically includes government health plans (e.g., Medicare, Medicaid, or Veterans Health Administration). However, the Privacy Rule defines health plan to exclude government-funded programs whose principal activity is the direct provision of health care to persons or the making of grants to fund the direct provision of health care to persons [45 CFR § 160.103]. Examples include the Ryan White Comprehensive AIDS Resources Emergency Act. Although certain government programs that fund providers directly may not be health plans, government programs that reimburse providers or otherwise fund providers to perform direct health-care services should carefully analyze the details of their programs to determine if they are performing covered functions.

• Public health authorities as health-care clearinghouses. Although unlikely, a public health authority might be a health-care clearinghouse if it receives health information from another entity and translates that information from a nonstandard format into a standard transaction or standard data elements (or vice versa). Operators of community health information systems should carefully consider whether they meet the definition for a health-care clearinghouse.

• Public health agencies as hybrid entities. A public health agency that is a covered entity and has both covered and noncovered functions may become a hybrid entity by designating its health-care components. By designating itself as a hybrid entity, a public health authority can carve out its noncovered functions so that the majority of Privacy Rule provisions apply only to its health-care component, which is required to comply with the Privacy Rule requirements, including using and disclosing PHI only as authorized, meeting the administrative requirements, accounting for disclosure of PHI, and providing a notice of practices. However, such a designation does not preclude the public health authority from continuing to conduct authorized public health functions. A covered entity that is also a public health authority may use, as well as disclose, PHI for public health purposes to the same extent it would be permitted to disclose the PHI as a public health authority.

The Privacy Rule and Public Health Research

The topic of research under the Privacy Rule is covered in depth in the DHHS report Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (6). The Privacy Rule provides separate provisions for disclosure without individual authorization for public health purposes and for certain research [45 CFR § 164.512(b)] [45 CFR § 164.512(i)]. Other federal law pertaining to research stresses the importance of distinguishing between research and practice to ensure that human subjects are appropriately protected [45 CFR Part 46]. For certain activities, this distinction is not always clear. A full discussion of the distinctions between public health practice and research is beyond the scope of this document. However, CDC and others provide guidance in this area (7–9).

Research Versus Practice

The definition of research is the same for the Privacy Rule and the Common Rule (10): systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Research is designed to test a hypothesis, permit conclusions to be drawn, and thereby to develop or contribute to generalizable knowledge. The majority of public health activities (e.g., public health surveillance and disease prevention and control projects) are based on scientific evidence and data collection or analytic methods similar to those used in research. However, they are not designed to contribute to generalizable knowledge. Their primary purpose is to protect the health of the population through such activities as disease surveillance, prevention, or control.

The Belmont Report (11) defines practice as interventions designed solely to enhance the well-being of a person, patient, or client and which have reasonable expectation of success. The report further states that the purpose of medical or behavioral practice is to provide diagnosis, preventive treatment, or therapy to particular patients. For public health agencies, the patient is the community. Public health practice activities (e.g., public health surveillance, disease control, or program evaluation) are undertaken with the intent to benefit a specific community, although occasionally they may provide unintended generalizable benefits to others.

Some public health activities that are initially public health practice may subsequently evolve into a research activity (e.g., an investigation to determine the cause of an outbreak that incorporates a research study evaluating the efficacy of a new drug to treat the illness). When that is the case, the disclosures may be made initially under the public health provisions of the Privacy Rule. But when the activity becomes an ongoing research activity, the entity should consider application of the relevant research disclosure provisions to continue to obtain information for this purpose. Moreover, there may be cases where the activity is both research and public health practice (e.g., an ongoing survey to monitor health conditions in the population, data from which can also be analyzed for research purposes). In those cases, disclosures may be made either under the research provisions or the public health provisions, as appropriate; the covered entity need not comply with both sets of requirements.

The Privacy Rule and Other Laws

• Federal laws. Covered entities subject to the Privacy Rule are also subject to other federal statutes and regulations. The specific relationship of the Privacy Rule and certain federal laws is discussed in the preamble to the December 2000 Final Rule [65 Fed. Reg. 82481]. In certain instances, the Privacy Rule imposes requirements in direct conflict with other federal laws or regulations. In those instances, an analysis will be necessary to determine whether the later provision was intended to overrule the prior law or regulation.

• State laws. As a federal regulatory standard, the Privacy Rule preempts only those contrary state laws relating to the privacy of individually identifiable health information that have less stringent requirements or standards than the Privacy Rule (i.e., more stringent laws remain in effect). In addition, DHHS may, upon specific request from a state or other entity or person, determine that a provision of state law that is contrary to the federal requirements and that meets certain additional criteria will not be preempted by the federal requirements. Thus, preemption of a contrary state law will not occur if the Secretary or designated DHHS official determines, in response to a request, that the state law 1) is necessary to prevent fraud and abuse related to the provision of or payment for health care; 2) is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation; 3) is necessary for state reporting on health-care delivery or costs; 4) is necessary to serve a compelling public health, safety, or welfare need and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or 5) has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances. The Privacy Rule specifically does not preempt contrary state public health laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention [45 CFR § 160.202].

Online Resources

References to non-DHHS sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

Federal Government Resources

DHHS Office for Civil Rights: HIPAA guidelines
http://www.hhs.gov/ocr/hipaa

CDC: Privacy Rule guidelines
http://www.cdc.gov/privacyrule

Centers for Medicare and Medicaid Services
http://www.cms.gov/hipaa
http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp

Health Resources and Services Administration: HIPAA
http://www.hrsa.gov/website.htm

National Center for Health Statistics
http://www.cdc.gov/nchs/otheract/phdsc/phdsc.htm

National Committee on Vital and Health Statistics
http://www.ncvhs.hhs.gov

National Health Information Infrastructure
http://www.health.gov/ncvhs-nhii

Indian Health Service: HIPAA
http://www.ihs.gov/AdminMngrResources/HIPAA/index.cfm

National Institutes of Health
http://privacyruleandresearch.nih.gov

Substance Abuse and Mental Health Services Administration: HIPAA
http://www.samhsa.gov/hipaa

State Government Resources

California
http://www.dhs.ca.gov/hipaa
http://www.ohi.ca.gov/state/calohi/ohiHome.jsp
http://www.dmh.ca.gov/hipaa

Colorado
http://www.cdphe.state.co.us/HIPAA

Florida
http://www.myflorida.com/myflorida/sto/hipaa

Illinois
http://www.state.il.us/dpa/hipaa.html

Kentucky
http://chs.state.ky.us/dms/HIPAA/default.htm
http://dmhmrs.chr.state.ky.us/hipaa.asp

Maryland
http://www.mhcc.state.md.us/edi/hipaa_hipaa.htm
http://dhmh.state.md.us/HIPAA

Minnesota
http://www.dhs.state.mn.us/hipaa

Missouri
http://www.health.state.mo.us/HIPAA

New York
http://www.oft.state.ny.us/hipaa/index.htm

North Carolina
http://dirm.state.nc.us/hipaa

Ohio
http://www.state.oh.us/hipaa

Pennsylvania
http://www.dpw.state.pa.us/omap/hipaa/omaphipaa.asp
http://www.insurance.state.pa.us/html/hipaa.html

South Carolina
http://www.hipaa.state.sc.us

Texas
http://www.hhsc.state.tx.us/NDIS/NDISTaskForce.html

Virginia
http://www.dmas.state.va.us/hpa-home.htm

Wisconsin
http://www.dhfs.state.wi.us/HIPAA


Associations, Nonprofit Organizations, and Academic Resources

American Hospital Association: HIPAA
http://www.hospitalconnect.com/aha/key_issues/hipaa/resources/resources.html

American Medical Association: HIPAA
http://www.ama-assn.org/ama/pub/category/4234.html

Association of State and Territorial Health Officials: HIPAA
http://www.astho.org/?template=hipaa.html

Georgetown University Health Privacy Project
http://www.healthprivacy.org

Joint Healthcare Information Technology Alliance
http://www.jhita.org

National Association of Health Data Organizations
http://www.nahdo.org

National Association of Insurance Commissioners
http://www.naic.org/1privacy/initiatives/health_privacy.htm

National Governors Association: HIPAA
http://www.nga.org/center/topics/1,1188,C_CENTER_ISSUE^D_4324,00.html

North Carolina Healthcare Information and Communications Alliance
http://www.nchica.org

Public Health Grand Rounds: HIPAA Privacy Rule, Enhancing or Harming Public Health?
http://www.publichealthgrandrounds.unc.edu

Stanford University Medical School: HIPAA
http://www.med.stanford.edu/HIPAA

Workgroup for Electronic Data Interchange: Strategic National Implementation Process
http://www.wedi.org/snip

Acknowledgments

This report was prepared by Salvatore Lucido, MPA, and Denise Koo, MD, Office of the Associate Director for Science, Epidemiology Program Office, CDC, in collaboration with James G. Hodge, Jr., JD, Center for Law and the Public's Health, Georgetown and Johns Hopkins Universities, Baltimore, Maryland. The preparers are grateful for the participation of Deborah Tress, JD, Kenya Ford, JD, and Heather Horton, JD, Office of the General Counsel, Department of Health and Human Services, CDC/ATSDR Branch; the CDC Working Group on the Privacy Rule; and Beverly Dozier, JD, Lance A. Gable, JD, Lawrence O. Gostin, JD, Gail Horlick, JD, and Jennifer Kurle.

The preparers also thank the following partners for their valuable input: Association of State and Territorial Health Officers, Council of State and Territorial Epidemiologists, National Association of County and City Health Officials, National Association of Health Data Organizations, Association of Public Health Laboratories, and National Association for Public Health Statistics and Information Systems.

References

1. Gostin LO, Hodge JG Jr. Personal privacy and common goods: a framework. Minnesota Law Review 2002;86:1439–80.
2. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996).
3. Office for Civil Rights, Department of Health and Human Services. Title 45 of the Code of Federal Regulations, Parts 160 and 164. Available at http://www.dhhs.gov/ocr/combinedregtext.pdf.
4. Office for Civil Rights. OCR guidance explaining significant aspects of the Privacy Rule, 2002. Department of Health and Human Services. Available at http://www.hhs.gov/ocr/hipaa.
5. Gostin LO, Hodge JG Jr, Privacy Law Advisory Committee. Model state public health information privacy act, 1999. Available at http://www.publichealthlaw.net/Resources/ResourcesPDFs/modelprivact.pdf.
6. Department of Health and Human Services. Protecting personal health information in research: understanding the HIPAA Privacy Rule. Department of Health and Human Services, Washington, DC, 2003 (in press).
7. Snider DE, Stroup DF. Defining research when it comes to public health. Public Health Rep 1997;112:29–32.
8. CDC. Guidelines for defining public health research and public health nonresearch. Available at http://www.cdc.gov/od/ads/opspoll1.htm.
9. Amoroso PJ, Middaugh JP. Research vs public health practice: when does a study require IRB review? Prev Med 2003;36:250–3.
10. Office for Protection from Research Risks, National Institutes of Health, Department of Health and Human Services. Public welfare: protection of human subjects, 2001 [45 CFR 46]. Available at http://ohrp.osophs.dhhs.gov/humansubjects/guidance/45cfr46.htm.
11. National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. Belmont report: ethical principles and guidelines for the protection of human subjects of research. Department of Health, Education, and Welfare. Available at http://www.med.umich.edu/irbmed/ethics/belmont/BELMONTR.HTM.


Appendix A
Selected Privacy Rule Concepts and Definitions

The following concepts and definitions are adapted from the regulatory language. For further information, see the citations to the Privacy Rule.

Accounting. An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures (a) to carry out treatment, payment, and health care operations [45 CFR § 164.506]; (b) to individuals of protected health information about them [45 CFR § 164.502]; (c) incident to a use or disclosure otherwise permitted or required by this subpart, as provided in 45 CFR § 164.502; (d) pursuant to an authorization as provided in 45 CFR § 164.508; (e) for the facility's directory or to persons involved in the individual's care or other notification purposes as provided in 45 CFR § 164.510; (f) for national security or intelligence purposes as provided in 45 CFR § 164.512(k)(2); (g) to correctional institutions or law enforcement officials as provided in 45 CFR § 164.512(k)(5); (h) as part of a limited data set in accordance with 45 CFR § 164.514(e); or (i) that occurred prior to the compliance date for the covered entity... Such an accounting must meet the following requirements: (1) except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity; (2) except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure the date of the disclosure; the name of the entity or person who received the protected health information and, if known, the address of such entity or person; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such a statement, a copy of the individual's written authorization pursuant to 45 CFR § 164.508 or a copy of a written request for a disclosure under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, if any.

If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, the accounting may, with respect to such multiple disclosures, provide the information required by paragraph (b)(2) of 45 CFR § 164.528 for the first disclosure during the accounting period; the frequency, periodicity, or number of the disclosures made during the accounting period; and the date of the last such disclosure during the accounting period [45 CFR § 164.528].

Modified accounting procedures are also provided for covered entities making research disclosures involving >50 persons [45 CFR § 164.528(b)(4)].

Business associate. A person who, on behalf of a covered entity or of an organized health care arrangement [45 CFR § 154.501] in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or any other function or activity regulated by this subchapter; or provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation [45 CFR § 164.501], management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health-care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the individual [45 CFR § 160.103].

Covered entity. 1) A health plan; 2) a health-care clearinghouse; 3) a health-care provider who transmits any health information in electronic form in connection with a transaction [45 CFR § 160.103].

Covered functions. Those functions of a covered entity the performance of which makes the entity a health plan, health-care provider, or health-care clearinghouse [45 CFR § 164.103].

Data aggregation. With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health-care operations of the respective covered entities [45 CFR § 164.501].

De-identified health information. Health information that does not identify an individual and with respect to which no reasonable basis exists to believe that the information can be used to identify an individual is not individually identifiable information [45 CFR § 164.514(a)].

Disclosure. The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information [45 CFR § 160.103].

Electronic media. 1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or 2) transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission [45 CFR § 160.103].

Health care. Care, services, or supplies related to the health of an individual. It includes, but is not limited to, 1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body; and 2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription [45 CFR § 160.103].

Health-care clearinghouse. A public or private entity, including a billing service, repricing company, community health management information system, community health information system, or value-added network or switch, that 1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or 2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity [45 CFR § 160.103].

Health-care operations. Any of the following activities of the covered entity to the extent that the activities are related to covered functions: 1) conducting quality assessment and improvement activities, population-based activities, and related functions that do not include treatment; 2) reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance, conducting training programs where students learn to practice or improve their skills as health-care providers, training of nonhealth-care professionals, accreditation, certification, licensing, or credentialing activities; 3) underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or benefits; 4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and 6) business management and general administrative activities of the entity [45 CFR § 164.501].

Health-care provider. A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health-care services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other individual or organization that furnishes, bills, or is paid for health care in the normal course of business [45 CFR § 160.103].

Health information. Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health-care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual [45 CFR § 160.103].

Health plan. An individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). Health plan includes the following, singly or in combination: (i) a group health plan, as defined in 45 CFR § 160.103 of the Privacy Rule; (ii) a health insurance issuer, as defined in 45 CFR § 160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 CFR § 160.103 of the Privacy Rule; (iv) Part A or B of the Medicare program under title XVIII of the Act; (v) the Medicaid program under title XIX of the Act, 42 U.S.C. 1396 et seq.; (vi) an issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)); (vii) an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy; (viii) an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers; (ix) the health care program for active military personnel under title 10, U.S.C.; (x) the veterans health-care program under 38 U.S.C. Ch. 17; (xi) the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)); (xii) the Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601 et seq.; (xiii) the Federal Employees Health Benefits Program under 5 U.S.C. 8902 et seq.; (xiv) an approved state child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397 et seq.; (xv) the Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28; (xvi) a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals; (xvii) any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) [45 CFR § 160.103].

The term health plan excludes (i) any policy, plan, or program to the extent that it provides or pays for the cost of excepted benefits that are listed in § 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and (ii) a government-funded program, other than the one listed in items (i)–(xvi) above, whose principal purpose is other than providing or paying the cost of health care, or whose principal activity is 1) the direct provision of health care to individuals or 2) the making of grants to fund the direct provision of health care to individuals [45 CFR § 160.103].

Hybrid entity. A single legal entity 1) that is a covered entity; 2) whose business activities include both covered and noncovered functions; and 3) that designates its health-care components [45 CFR § 164.103].

Individually identifiable health information. A subset of health information, including demographic information collected from an individual, that 1) is created or received by a health-care provider, health plan, employer, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or where there is a reasonable basis to believe the information can be used to identify the individual [45 CFR § 164.501].

Limited data set. Protected health information that excludes certain direct identifiers of the individual or of relatives, employers, or household members of the individual. Direct identifiers to be excluded can be found in 45 CFR § 164.514(e)(2).

Minimum necessary For any type of disclosure that a cov-ered entity makes on a routine and recurring basis that thecovered entity must implement policies and procedures (whichmay be standard protocols) that limit the protected healthinformation disclosed to the amount reasonably necessary toachieve the purpose of the disclosure For all other disclosurescovered entities must develop and implement criteria designedto limit the protected health information disclosed to theinformation reasonably necessary to accomplish the purposefor which disclosure is sought and review requests for disclo-sure on an individual basis in accordance with such criteria Acovered entity may rely if such reliance is reasonable underthe circumstances on a requested disclosure as the minimumnecessary for the stated purpose when (a) making disclosuresto public officials that are permitted under 45 CFR sect 164512if the public official represents that the information requestedis the minimum necessary for the stated purpose (b) if theinformation is requested by another covered entity (c) theirbusiness associates providing personal services or (d) docu-mentation or representations that comply with the applicablerequirements of 45 CFR sect 164512(i) have been provided byan individual requesting the information for research purposes[45 CFR sect 164514(d)(3)]

The minimum necessary standard also applies to uses ofprotected health information [45 CFR sect 164514(d)(2)] andrequests for protected health information [45 CFR sect164514(d)(4)]

Notice An individual with certain exceptions has a rightto adequate notice of the uses and disclosures of protectedhealth information that may be made by the covered entityand of the individualrsquos rights and the covered entityrsquos legalduties with respect to protected health information Thenotice must be written in plain language and contain the fol-lowing elements (i) a header as specified in the rule (ii) adescription including at least one example of the types ofuses and disclosures that the covered entity is permitted tomake for treatment payment and health care operations anda description of each of the other purposes for which the cov-ered entity is permitted or required to use or disclose pro-tected health information without the individualrsquos writtenconsent or authorization If a use or disclosure is prohibitedor materially limited by other applicable law the descriptionof such use or disclosure must reflect the more stringent law(as defined in 45 CFR sect 160202) Each description mustinclude sufficient detail to place the individual on notice ofthe uses and disclosures that are permitted or required by thePrivacy Rule or other applicable law and a statement that otheruses and disclosures will be made only with the individualrsquoswritten authorization and that the individual may revoke suchauthorization as provided by 45 CFR sect 164508(b)(5)


A separate statement must be included in the notice if a covered entity intends to engage in any of the following activities. The statement should explain that 1) the covered entity may contact the individual to provide appointment reminders or information regarding treatment alternatives or other health-related benefits; 2) the covered entity may contact the individual to raise funds for the covered entity; or 3) a group health plan, health insurer, or HMO with respect to a group health plan may disclose protected health information to the sponsor of the plan.

The notice must contain a statement of the individual's rights with respect to the protected health information and a brief description of how the individual may exercise these rights; a statement of the covered entity's duties; a statement that individuals may complain to the covered entity or the Secretary if they believe their privacy rights have been violated; contact information; and the effective date of the notice. [45 CFR § 164.520]

Payment. 1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, or (ii) a health-care provider or health plan to obtain or provide reimbursement for the provision of health care; and 2) the activities relate to the individual to whom health care is provided and include, but are not limited to, (i) determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; (ii) risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance), and related health-care data processing; (iv) review of health-care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services, and concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: (a) name and address, (b) date of birth, (c) social security number, (d) payment history, (e) account number, and (f) name and address of the health-care provider or health plan. [45 CFR § 164.501]

Protected health information (PHI). Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in (i) education records covered by the Family Education Rights and Privacy Act (20 U.S.C. 1232g); (ii) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a covered entity in its role as employer. [45 CFR § 160.103]

Public health authority. An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or an individual or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or individuals or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate. [45 CFR § 164.501]

Examples of public health authorities include state and local health departments, CDC, National Institutes of Health (NIH), Food and Drug Administration (FDA), and Occupational Safety and Health Administration (OSHA).

Required by law. A mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. This term includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health-care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits. [45 CFR § 164.103]

Research. A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. [45 CFR § 164.501]

Statistical de-identification. A properly qualified statistician, using accepted analytical techniques, concludes that the risk is limited that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information. [45 CFR § 164.514(b)]

Safe harbor method. A covered entity or its agent removes a comprehensive set of identifiers enumerated in the Privacy Rule, which includes but is not limited to names, geographic subdivisions smaller than states, dates more specific than years, contact information, identification numbers, and photographic images, and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual who is a subject of the information or the individual's relatives, employers, or household members. Eighteen specific identifiers will need to be removed to achieve de-identification. [45 CFR § 164.514(b)]

Transaction. The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions that the Secretary may prescribe by regulation. [45 CFR § 164.103]

Treatment. The provision, coordination, or management of health care and related services by one or more health-care providers, including the coordination or management of health care by a health-care provider with a third party; consultation between health-care providers relating to a patient; or the referral of a patient for health care from one health-care provider to another. [45 CFR § 164.501]

Use. With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. [45 CFR § 160.103]


Appendix B. Sample Text That Can Be Used To Clarify Public Health Issues Under the Privacy Rule

Following are sample letters that can be used to help clarify Privacy Rule issues among covered entities and public health authorities (e.g., CDC, National Institutes of Health, Food and Drug Administration, Substance Abuse and Mental Health Services Administration, Health Resources and Services Administration, and state and local health departments). Public health authorities can use these letters as templates by inserting names of the appropriate individuals, projects, agreements, laws, activity types, covered entities, public health authorities, and authorized agencies.

From a public health authority to a covered entity, clarifying rules regarding disclosure

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is conducting the activity described here in its capacity as a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities, such as your organization, may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..."

[Public health authority] is conducting [project], a public health activity as described by 45 CFR § 164.512(b), and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule.

If you have questions or concerns, please contact [project leader].

From a public health authority to an authorized agency, providing grant of authority

Dear [authorized agency]:

This letter serves as verification of a grant of authority from [public health authority] for you to conduct the public health activities described here, acting as a public health authority pursuant to the Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act (HIPAA) [45 CFR Parts 160 and 164]. Under this rule, covered entities may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of a public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..."

[Authorized agency] is acting under [contract, grant, cooperative agreement] with [public health authority] to conduct [project], which is authorized by [law or regulation]. [Public health authority] grants this authority to [authorized agency] for purposes of this project. Further, [public health authority] considers this to be [activity type] for which disclosure of protected health information by covered entities is authorized by 45 CFR § 164.512(b) of the Privacy Rule.

From a public health authority to a covered entity, confirming grant of authority to an authorized agency

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities may disclose protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..." [45 CFR § 164.501]. [Authorized agency] is acting under [contract, grant, or cooperative agreement] with [public health authority] to carry out [project]. Through this grant of authority, [authorized agency] may function as a public health authority under the Privacy Rule for purposes of this project.

[Project] is a public health activity as described by 45 CFR § 164.512(b), referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities "... may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purposes when making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s)."

If you have questions or concerns, please contact [project leader for authorized agency, public health authority contact].

All MMWR references are available on the Internet at http://www.cdc.gov/mmwr. Use the search function to find specific articles.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) and is available free of charge in electronic format and on a paid subscription basis for paper copy. To receive an electronic copy each week, send an e-mail message to listserv@listserv.cdc.gov. The body content should read SUBscribe mmwr-toc. Electronic copy also is available from CDC's Internet server at http://www.cdc.gov/mmwr or from CDC's file transfer protocol server at ftp://ftp.cdc.gov/pub/publications/mmwr. To subscribe for paper copy, contact Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone 202-512-1800.

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

U.S. Government Printing Office: 2003-533-15569108 Region IV

• Introduction
• Impact on Public Health
• Overview of the Privacy Rule
  • Who Is Covered
  • Types of Health Information
  • What is Required
• The Privacy Rule and Public Health
  • Disclosures for Public Health Purposes
  • Requirements for Covered Entities
• The Privacy Rule and Public Health Research
  • Research Versus Practice
• The Privacy Rule and Other Laws
• Online Resources
  • Federal Government Resources
  • State Government Resources
  • Associations, Nonprofit Organizations, and Academic Resources
• Acknowledgments
• References
• Appendix A
• Appendix B


BOX 2. Individual identifiers under the Privacy Rule

The following 18 identifiers of a person or of relatives, employers, or household members of a person must be removed, and the covered entity must not have actual knowledge that the information could be used alone or in combination with other information to identify the individual, for the information to be considered de-identified and not protected health information (PHI):

• names
• all geographic subdivisions smaller than a state, including county, city, street address, precinct, zip code, and their equivalent geocodes
• all elements of dates (except year) directly related to an individual; all ages >89 and all elements of dates (including year) indicative of such age (except for an aggregate into a single category of age >90)
• telephone numbers
• fax numbers
• electronic mail addresses
• Social Security numbers
• medical record numbers
• health-plan beneficiary numbers
• account numbers
• certificate and license numbers
• vehicle identifiers and serial numbers, including license plate numbers
• medical device identifiers and serial numbers
• Internet universal resource locators (URLs)
• Internet protocol (IP) addresses
• biometric identifiers, including fingerprints and voice prints
• full-face photographic images and any comparable images; and
• any other unique identifying number, characteristic, or code, except that covered entities may, under certain circumstances, assign a code or other means of record identification that allows de-identified information to be re-identified

Source: Adapted from [45 CFR § 164.514(b)(2)(i)].
Note: The first three digits of a zip code are excluded from the PHI list if the geographic unit formed by combining all zip codes with the same first three digits contains >20,000 persons.

BOX 3. Use of limited data sets under the Privacy Rule

The following protected health information (PHI) can be included without authorization in a limited data set for public health, research, or health-care operations:

• town or city, state, and zip code; and
• elements of dates related to a person (e.g., years, birth dates, admission dates, discharge dates, and dates of death)

To disclose a limited data set, a covered entity must enter into a data-use agreement with the recipient, which agrees to use or disclose the PHI for limited purposes. Disclosure of a limited data set is not subject to the accounting requirement but must meet the minimum necessary standards of the Privacy Rule.
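The safe harbor method (the Box 2 identifier list, and the glossary entries for the safe harbor method and the limited data set in Appendix A) and the Box 3 rules for a limited data set are mechanical enough to implement as a filter. The following Python is an added example, not code from this report or from CDC: it applies the Box 2 identifier categories, the zip-code population rule, and the over-89 age rule to a constructed patient record, and separately produces the limited data set view that keeps city, state, zip code, and full dates. The record field names, the ZIP3_POPULATION table, the REPORT_DATE constant, the free-text patterns, and SAMPLE_RECORD are all assumptions constructed for the example.

```python
"""Safe harbor de-identification and limited data set construction.

Added example, not code from the MMWR report. Field names, the
ZIP3_POPULATION table, REPORT_DATE and SAMPLE_RECORD are constructed
assumptions; the rules implemented are the ones stated in Box 2 and Box 3.
"""
import re
from datetime import date

# Record fields that fall under the 18 safe harbor identifier categories
# (Box 2). Several fields map to one category: county, city, street_address,
# precinct and zip are all "geographic subdivisions smaller than a state".
DIRECT_IDENTIFIERS = {
    "name",
    "county", "city", "street_address", "precinct", "zip",
    "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_no", "license_no",
    "vehicle_id", "device_id", "url", "ip", "biometric", "photo",
    "other_unique_code",
}
# Safe harbor keeps only the year of these; a limited data set may keep
# the full date (Box 3).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Geographic fields a limited data set may retain (Box 3: town or city,
# state, and zip code). "state" is never a direct identifier.
LDS_GEOGRAPHY = {"city", "zip"}
# Constructed: persons in the unit formed by all zip codes sharing a 3-digit
# prefix. Box 2 keeps the prefix only when that unit has >20,000 persons.
ZIP3_POPULATION = {"303": 1_200_000, "999": 15_000}
# Constructed reference date for age computation (this report's date).
REPORT_DATE = date(2003, 4, 11)
# Identifier-shaped substrings that often leak through narrative fields
# (the "any other unique identifying number" category).
FREE_TEXT_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),              # SSN-shaped
    re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),              # US phone-shaped
    re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),   # e-mail address
]


def redact_free_text(text):
    """Replace identifier-shaped substrings in narrative text."""
    for pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def zip_prefix(zip_code, population=ZIP3_POPULATION):
    """Return the retainable 3-digit prefix, or None if it must be removed."""
    prefix = zip_code[:3]
    return prefix if population.get(prefix, 0) > 20_000 else None


def age_on(birth, today):
    """Whole years between birth and today."""
    had_birthday = (today.month, today.day) >= (birth.month, birth.day)
    return today.year - birth.year - (0 if had_birthday else 1)


def limited_data_set(record):
    """Box 3: drop direct identifiers but keep city/state/zip and full dates."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS and field not in LDS_GEOGRAPHY:
            continue
        out[field] = redact_free_text(value) if isinstance(value, str) else value
    return out


def safe_harbor(record, today, population=ZIP3_POPULATION):
    """Box 2: remove the 18 identifier categories; generalise dates and age."""
    out = {}
    for field, value in record.items():
        if field == "zip":
            prefix = zip_prefix(value, population)
            if prefix is not None:
                out["zip3"] = prefix
        elif field in DIRECT_IDENTIFIERS:
            continue
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = value.year
        elif isinstance(value, str):
            out[field] = redact_free_text(value)
        else:
            out[field] = value
    if "birth_date" in record:
        age = age_on(record["birth_date"], today)
        if age > 89:
            # Ages over 89 collapse into one category, and the birth year
            # would reveal such an age, so it is removed as well.
            out["age"] = "90+"
            out.pop("birth_year", None)
        else:
            out["age"] = age
    return out


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street_address": "123 Any Street",
    "city": "Atlanta", "state": "GA", "zip": "30333",
    "phone": "404-555-0100", "email": "jane@example.org",
    "ssn": "000-00-0000", "mrn": "MRN-12345",
    "birth_date": date(1910, 5, 2),
    "admission_date": date(2003, 4, 1),
    "discharge_date": date(2003, 4, 9),
    "diagnosis": "pneumonia",
    "notes": "Patient states she can be reached at 404-555-0100.",
}

if __name__ == "__main__":
    print(limited_data_set(SAMPLE_RECORD))
    print(safe_harbor(SAMPLE_RECORD, REPORT_DATE))
```

Two design points worth noting. Field-level removal alone does not satisfy the "no actual knowledge" condition when narrative fields carry contact details, which is why both views scrub free text; and the zip-code rule needs a population table, so the safe harbor output for a sparsely populated prefix carries no geography at all rather than a guessed prefix.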

Limited Data Sets

Health information in a limited data set is not directly identifiable but may contain more identifiers than de-identified data that has been stripped of the 18 identifiers [45 CFR § 164.514] (Box 3). A data-use agreement must establish who is permitted to use or receive the limited data set and provide that the recipient will

• not use or disclose the information other than as permitted by the agreement or as otherwise required by law;
• use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the data-use agreement;
• report to the covered entity any use or disclosure of the information in violation of the agreement of which it becomes aware;
• ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
• not attempt to re-identify the information or contact the individual.

What is Required

For covered entities using or disclosing PHI, the Privacy Rule establishes a range of health-information privacy requirements and standards that attempt to balance individual privacy interests with the community need to use such data [45 CFR § 164.504]. Among its provisions, the Privacy Rule requires covered entities to

• notify individuals regarding their privacy rights and how their PHI is used or disclosed;
• adopt and implement internal privacy policies and procedures;
• train employees to understand these privacy policies and procedures, as appropriate for their functions within the covered entity;
• designate individuals who are responsible for implementing privacy policies and procedures and who will receive privacy-related complaints;
• establish privacy requirements in contracts with business associates that perform covered functions;
• have in place appropriate administrative, technical, and physical safeguards to protect the privacy of health information; and
• meet obligations with respect to health consumers exercising their rights under the Privacy Rule.

With respect to individuals, they are vested with the following rights:

• Receive access to PHI. Individual rights include inspection of records and the provision of copies of PHI about the individual in a designated record set, for as long as the PHI is maintained in the designated record set, except for psychotherapy notes, information compiled for use in civil, criminal, or administrative actions, and PHI maintained by a covered entity subject to the Clinical Laboratory Improvement Amendments of 1988 [42 CFR § 263(a)]. In the majority of cases, covered entities must accommodate a request or provide a process of denial subject to review [45 CFR § 164.524].

• Request amendments to PHI. Individuals can request that covered entities amend PHI about the individual in a designated record set for as long as the PHI is maintained in a designated record set. If the covered entity agrees to the amendment, it must 1) identify the records affected, 2) append or provide a link to the amendment, 3) inform the individual that the amendment has been made, and 4) work with other covered entities or business associates who possess or receive the data to make the amendments [45 CFR § 164.526]. If the covered entity denies this request, the Privacy Rule provides a process for contesting the denial [45 CFR § 164.526].

• Receive adequate notice. With limited exceptions, individuals have the right to receive a notice of the uses and disclosures the covered entity will make of their PHI, their rights under the Privacy Rule, and the covered entity's obligations with respect to that information. In certain cases, notice may be provided electronically. The notice must be in plain language (e.g., "your health information may be shared with public health authorities for public health purposes ...") and posted where it is likely to be seen by patients [45 CFR § 164.520].

• Receive an accounting of disclosures. Upon request, covered entities are required to provide individuals with an accounting for certain types of disclosures of PHI, although the rule contains certain exceptions, including disclosures with individual authorization, disclosures related to providers' treatment, payment, and health-care operations (TPO), and other exceptions. A typical accounting includes the name of the person or entity who received the information, the date of the disclosure, a brief description of the information disclosed, and a brief explanation of the reasons for disclosure or a copy of the request [45 CFR § 164.528]. However, requirements for accounting of public health disclosures may vary (see Accounting for Public Health Disclosures).

• Request restrictions. Individuals have the right to request a restriction on certain uses or disclosures of their PHI; however, the covered entity is not obligated to agree to such a request. If the covered entity does agree to a restriction, it must generally abide by the agreement, except for emergency treatment situations. But such an agreement is not effective to prevent certain permitted uses or disclosures [45 CFR § 164.512].

Required PHI Disclosures

A covered entity is required by the Privacy Rule to disclose PHI in only two instances: 1) when an individual has a right to access an accounting of his or her PHI (see previous paragraph), and 2) when DHHS needs PHI to determine compliance with the Privacy Rule [45 CFR § 164.502(a)(2)]. Certain other uses and disclosures of PHI may be permitted without authorization but are not required by the Privacy Rule. However, other federal, tribal, state, or local laws may compel disclosure.

Permitted PHI Disclosures Without Authorization

The Privacy Rule permits a covered entity to use and disclose PHI, with certain limits and protections, for TPO activities [45 CFR § 164.506]. Certain other permitted uses and disclosures for which authorization is not required follow. Additional requirements and conditions apply to these disclosures. The Privacy Rule text and OCR guidance should be consulted for a full understanding of the following:

• Required by law. Disclosures of PHI are permitted when required by other laws, whether federal, tribal, state, or local.

• Public health. PHI can be disclosed to public health authorities and their authorized agents for public health purposes, including but not limited to public health surveillance, investigations, and interventions.

• Health research. A covered entity can use or disclose PHI for research without authorization under certain conditions, including 1) if it obtains documentation of a waiver from an institutional review board (IRB) or a privacy board, according to a series of considerations; 2) for activities preparatory to research; and 3) for research on a decedent's information.

• Abuse, neglect, or domestic violence. PHI may be disclosed to report abuse, neglect, or domestic violence under specified circumstances.

• Law enforcement. Covered entities may, under specified conditions, disclose PHI to law enforcement officials pursuant to a court order, subpoena, or other legal order; to help identify and locate a suspect, fugitive, or missing person; to provide information related to a victim of a crime or a death that may have resulted from a crime; or to report a crime.

• Judicial and administrative proceedings. A covered entity may disclose PHI in the course of a judicial or administrative proceeding under specified circumstances.

• Cadaveric organ, eye, or tissue donation purposes. Organ-procurement agencies may use PHI for the purposes of facilitating transplant.

• Oversight. Covered entities may usually disclose PHI to a health oversight agency for oversight activities authorized by law.

• Workers' compensation. The Privacy Rule permits disclosure of work-related health information as authorized by, and to the extent necessary to comply with, workers' compensation programs.

Other Authorized Disclosures

A valid authorization is required for any use or disclosure of PHI that is not required or otherwise permitted without authorization by the Privacy Rule. In general, these authorizations must

• specifically identify the PHI to be used or disclosed;
• provide the names of persons or organizations, or classes of persons or organizations, who will receive, use, or disclose the PHI;
• state the purpose for each request;
• notify individuals of their right to refuse to sign the authorization without negative consequences to treatment, payment, or health plan enrollment or benefit eligibility, except under specific circumstances;
• be signed and dated by the individual or the individual's personal representative;
• be written in plain language;
• include an expiration date or event;
• notify the individual of the right to revoke authorization at any time in writing, how to exercise that right, and any applicable exceptions to that right under the Privacy Rule; and
• explain the potential for the information to be subject to redisclosure by the recipient and no longer protected by the Privacy Rule.

The Privacy Rule and Public Health The Privacy Rule recognizes 1) the legitimate need for pub-

lic health authorities and others responsible for ensuring thepublicrsquos health and safety to have access to PHI to conducttheir missions and 2) the importance of public health report-ing by covered entities to identify threats to the public andindividuals Accordingly the rule 1) permits PHI disclosureswithout a written patient authorization for specified publichealth purposes to public health authorities legally authorizedto collect and receive the information for such purposes and2) permits disclosures that are required by state and local pub-lic health or other laws However because the Privacy Ruleaffects the traditional ways PHI is used and exchanged amongcovered entities (eg doctors hospitals and health insurers)it can affect public health practice and research in multipleways To prevent misconceptions understanding the PrivacyRule is important for public health practice Some illustrativeexamples are presented in this report (Box 4) Also providedare sample letters that might prove useful in clarifying rela-tionships involving public health and the Privacy Rule(Appendix B)

A public health authority is broadly defined as includingagencies or authorities of the United States states territoriespolitical subdivisions of states or territories American Indiantribes or an individual or entity acting under a grant ofauthority from such agencies and responsible for public healthmatters as part of an official mandate Public health authori-ties include federal public health agencies (eg CDCNational Institutes of Health [NIH] Health Resources andServices Administration [HRSA] Substance Abuse and Men-tal Health Services Administration [SAMHSA] Food andDrug Administration [FDA] or Occupational Safety andHealth Administration [OSHA]) tribal health agencies statepublic health agencies (eg public health departments ordivisions state cancer registries and vital statistics depart-ments) local public health agencies and anyone performingpublic health functions under a grant of authority from a publichealth agency [45 CFR sect 164501]

Public health agencies often conduct their authorized public health activities with other entities by using different mechanisms (e.g., contracts and memoranda or letters of agreement). These other entities are public health authorities under the Privacy Rule with respect to the activities they conduct under a grant of authority from such a public health agency. A covered entity may disclose PHI to public health authorities (continued after Box 4)

BOX 4. Examples of situations related to the Privacy Rule and public health

State cancer registry. Under a state law, health-care providers are required to report cancer cases to a state's cancer registry. Names are included to prevent duplicate reporting and counting. State law protects the confidentiality of the data. Can covered entities disclose the information under the Privacy Rule?

Privacy Rule effect. Covered entities may disclose PHI to a public health agency or any other entity when the disclosure is required by law. However, as covered entities, the providers must give an accounting to the persons whose PHI has been shared. The state agency may use and further disclose the PHI consistent with applicable state law.

State university-maintained cancer registry. Under a state law, health-care providers are mandated to report cancer cases to a state health department's cancer registry. The state health department contracts with a state university to receive the reports and maintain its registry. As covered entities, can health-care providers disclose PHI to the state university under the Privacy Rule?

Privacy Rule effect. As noted in the previous example, covered entities may disclose PHI without authorization to the cancer registry under the Privacy Rule, which expressly permits disclosure of PHI as required by law and sharing of PHI with public health authorities for public health purposes. The state university is acting under a grant of authority from a public health authority, the state health department. The university can use and disclose the information without authorization, consistent with its agreement with the state health department and applicable state law.

Early hearing detection and intervention. An early hearing detection and intervention program in a state needs data from two large hospitals. The state does not have a law requiring reporting of hearing loss. Under the Privacy Rule, can covered entities release results of newborn hearing-screening tests to the state program?

Privacy Rule effect. The Privacy Rule expressly permits release of PHI without authorization from a covered entity to a public health authority (e.g., the state health department) which is authorized by law to receive PHI for the purpose of controlling disease, injury, or disability. The rule does not require a state law mandating such disclosures for PHI to be released to a public health authority. Finally, the covered entities may rely upon the state's representation that the information requested is the minimum necessary for the purposes of the registry.

Disease registry maintained by private foundation. A private foundation maintains a disease registry as a way to support research and service for those with the disease. Can health-care providers release PHI to the foundation under the Privacy Rule?

Privacy Rule effect. Nongovernment disease registries (e.g., those maintained by foundations and other private organizations) are not considered public health authorities unless they have a grant of authority from a public health authority. With such a grant, covered entities may disclose PHI to the foundations. But without a grant of authority, PHI may be released only under one of the following situations:

• Release is authorized by the patient.
• The PHI is de-identified.
• The PHI is contained in a limited data set governed by a data-use agreement.
• Release of PHI is in accord with the rule's provisions for disclosure for research without authorization.
• Release is otherwise permitted by the rule (e.g., to entities subject to the jurisdiction of the Food and Drug Administration (FDA) [45 CFR § 164.512(b)(1)(iii)]).

Surveillance project. A state health department that is not a covered entity conducts a surveillance project on human immunodeficiency virus (HIV) and acquired immunodeficiency syndrome (AIDS). The HIV/AIDS surveillance project is an interview study. It asks for self-reported information from participants, including dates of diagnosis and visits for care. Is this PHI covered by the Privacy Rule?

Privacy Rule effect. Information collected directly from persons by a person, agency, or institution that is not a covered entity, including individually identifiable information, is not covered by the Privacy Rule.

…and to these designated entities pursuant to the public health provisions of the Privacy Rule.

The Privacy Rule permits covered entities to disclose PHI without authorization to public health authorities or other entities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability. This includes the reporting of disease or injury, reporting vital events (e.g., births or deaths), conducting public health surveillance, investigations, or interventions, reporting child abuse and neglect, and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices [45 CFR 164.512(b)]. Covered entities may report adverse events related to FDA-regulated products or activities to public agencies and private entities that are subject to FDA jurisdiction [45 CFR 164.512(b)(1)(iii)]. To protect the health of the public, public health authorities might need to obtain information related to the individuals affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority [45 CFR 164.512(b)(1)(i)].

To receive PHI for public health purposes, public health authorities should be prepared to verify their status and identity as public health authorities under the Privacy Rule. To verify its identity, an agency could provide any one of the following:

• if the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;
• if the request is in writing, the request is on the appropriate government letterhead;
• if the disclosure is to a person acting on behalf of a public health authority, a written statement on appropriate government letterhead that the person is acting under the government's authority [45 CFR § 164.514(h)(2)].

Public health authorities receiving information from covered entities as required or authorized by law [45 CFR 164.512(a)] [45 CFR 164.512(b)] are not business associates of the covered entities and therefore are not required to enter into business associate agreements. Public health authorities that are not covered entities also are not required to enter into business associate agreements with their public health partners and contractors. Also, after PHI is disclosed to a public health authority pursuant to the Privacy Rule, the public health authority (if it is not a covered entity) may maintain, use, and disclose the data consistent with the laws, regulations, and policies applicable to the public health authority.

Disclosures for Public Health Purposes

The Privacy Rule allows covered entities to disclose PHI to public health authorities when required by federal, tribal, state, or local laws [45 CFR 164.512(a)]. This includes state laws (or state procedures established under such law) that provide for receiving reporting of disease or injury, child abuse, birth, or death, or conducting public health surveillance, investigation, or intervention.

For disclosures not required by law, covered entities may still disclose, without authorization, to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, the minimum necessary information to accomplish the intended public health purpose of the disclosure [45 CFR 164.512(b)] (Box 1).

For example, to protect the health of the public, public health officials might need to obtain information related to persons affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. The Privacy Rule continues to allow for the existing practice of sharing PHI with public health authorities who are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting adverse events, reporting births and deaths, and investigating the occurrence and cause of injury and disease (1).

Although it is not a defined term, DHHS interpreted the phrase "authorized by law" to mean that a legal basis exists for the activity. Further, DHHS called the phrase "a term of art" including both actions that are permitted and actions that are required by law [64 FR 59929, November 3, 1999]. This does not mean a public health authority at the federal, tribal, state, or local level must have multiple disease- or condition-specific laws that authorize each collection of information. Public health authorities operate under broad mandates to protect the health of their constituent populations.

Requirements for Covered Entities

Accounting for Public Health Disclosures

Although the Privacy Rule permits disclosures of PHI to public health authorities, covered entities must comply with certain requirements related to these disclosures. One such requirement is that a covered entity must be able to provide an individual, upon request, with an accounting of certain disclosures of PHI. The covered entity is not required to account for all disclosures of PHI. For example, an accounting is not required for disclosures made

• prior to the covered entity's compliance date,
• for TPO purposes,
• to the individual or pursuant to the individual's written authorization, or
• as part of a limited data set.

However, usually an accounting is required for disclosures made without authorization, including for public health purposes.

The required accounting for disclosures may be accomplished in different ways. Typically, the covered entity must provide the individual with an accounting of each disclosure by date, the PHI disclosed, the identity of the recipient of the PHI, and the purpose of the disclosure. However, where the covered entity has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy Rule provides for a simplified means of accounting. In such cases, the covered entity need only identify the recipient of such repetitive disclosures, the purpose of the disclosure, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period and a description of the frequency or periodicity of such disclosures. For example, the vast amount of data exchanged between covered entities and public health authorities is made through ongoing, regular reporting or inspection requirements. A covered health-care provider may routinely report all cases of measles it diagnoses to the local public health authority. An accounting of such disclosures to a requesting individual would need to identify the local public health authority receiving the PHI, the PHI disclosed, the purpose of the disclosure (required for communicable disease surveillance), the periodicity (weekly), and the first and last dates of such disclosures during the accounting period (May 1, 2003 to June 1, 2003). Thus, the covered entity would not need to annotate each patient's medical record whenever a routine public health disclosure was made.
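The simplified accounting just described, as an added example that is not part of the MMWR report: a small disclosure log that builds one individual's accounting, skipping the exempt disclosure types listed above, applying the six-year window (or a shorter period the individual requests) of the Appendix A definition, and collapsing repeated reports to one recipient for one purpose into a single entry with first and last dates and a periodicity. The `Disclosure` schema, the `basis` labels and the sample log entries are assumptions constructed for the example, not terms or data from the rule.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Bases the Privacy Rule exempts from the accounting: treatment/payment/
# operations, to the individual, under authorization, limited data set,
# and disclosures made before the compliance date.
EXEMPT_BASES = {"tpo", "to_individual", "authorization", "limited_data_set", "pre_compliance"}


@dataclass(frozen=True)
class Disclosure:
    """One release of PHI logged by the covered entity (hypothetical schema)."""
    patient_id: str
    on: date
    recipient: str
    phi: str        # brief description of the PHI disclosed
    purpose: str    # purpose statement that tells the individual the basis
    basis: str      # "required_by_law", "public_health", "tpo", "to_individual", ...
    address: Optional[str] = None   # recipient address, if known


@dataclass
class AccountingEntry:
    """One accounting line; count > 1 is a summarized repetitive run."""
    recipient: str
    address: Optional[str]
    phi: str
    purpose: str
    first: date
    last: date
    count: int

    @property
    def periodicity(self) -> str:
        """Rough frequency label for a run, from the mean gap between dates."""
        if self.count < 2:
            return "single disclosure"
        mean_gap = (self.last - self.first).days / (self.count - 1)
        if mean_gap <= 1.5:
            return "daily"
        if abs(mean_gap - 7) <= 1.5:
            return "weekly"
        return f"about every {round(mean_gap)} days"


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accounting_for(log, patient_id, requested_on, period_start=None):
    """Build one individual's accounting. The period defaults to the six years
    before the request (the individual may ask for a shorter one); exempt
    disclosures are skipped; repeated disclosures to the same recipient for
    the same purpose collapse into one entry with first/last dates and count."""
    start = period_start or years_before(requested_on, 6)
    runs = defaultdict(list)
    for d in log:
        if d.patient_id != patient_id or d.basis in EXEMPT_BASES:
            continue
        if start <= d.on <= requested_on:
            runs[(d.recipient, d.purpose)].append(d)

    entries = []
    for (recipient, purpose), run in runs.items():
        run.sort(key=lambda d: d.on)
        # Distinct PHI descriptions in the run, so the entry still "describes
        # the PHI routinely disclosed" when the wording varied between reports.
        phi = "; ".join(dict.fromkeys(d.phi for d in run))
        entries.append(AccountingEntry(recipient, run[0].address, phi, purpose,
                                       run[0].on, run[-1].on, len(run)))
    return sorted(entries, key=lambda e: e.first)


SURVEILLANCE = "communicable disease surveillance (required by law)"

# Constructed sample log for one provider (not real data); the measles run
# mirrors the weekly report to the local public health authority in the text.
SAMPLE_LOG = [
    Disclosure("pt-001", date(2003, 4, 15), "State cancer registry",
               "cancer case report with name and diagnosis",
               "state cancer registry reporting (required by law)", "required_by_law"),
    *[Disclosure("pt-001", date(2003, 5, day), "Local public health authority",
                 "name, date of onset, measles diagnosis", SURVEILLANCE, "required_by_law")
      for day in (1, 8, 15, 22, 29)],
    # Exempt from the accounting: a payment disclosure to the insurer (TPO).
    Disclosure("pt-001", date(2003, 5, 10), "Health insurer", "claim", "payment", "tpo"),
    # Outside the six-year window for a request made in mid-2003.
    Disclosure("pt-001", date(1996, 1, 10), "Local public health authority",
               "tuberculosis report", SURVEILLANCE, "required_by_law"),
]


def sample_accounting():
    """pt-001's accounting requested on 2003-06-15 over the default period."""
    return accounting_for(SAMPLE_LOG, "pt-001", date(2003, 6, 15))


def sample_accounting_may():
    """Same individual, but the period is limited to May 1 through June 1, 2003."""
    return accounting_for(SAMPLE_LOG, "pt-001", date(2003, 6, 1), date(2003, 5, 1))
```

The default-period accounting yields two entries, the single cancer report and the measles run summarized as five weekly disclosures from May 1 to May 29; the May-only request yields just the measles run.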

Notice of Privacy Practices

With certain exceptions under the Privacy Rule, individuals have the right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, as well as their rights and the covered entity's legal obligations. Notices must be in plain language and clearly posted. Certain covered entities must make a good faith effort to obtain an individual's acknowledgment of receipt of this notice. In certain cases, notice may be provided electronically.

Minimum Necessary Standard

The Privacy Rule usually directs covered entities to limit the amount of information disclosed to the minimum necessary to achieve the specified goal [45 CFR § 164.514(d)(1)]. This requirement usually applies to disclosures to a public health agency. It would not apply, however, if the disclosure were required by law, authorized by the individual, or for treatment purposes. A covered entity may also reasonably rely on a public official's determination that the information requested is the minimum necessary for the public health purpose.

Public Health Authorities Performing Covered Functions

Public health authorities at the federal, tribal, state, or local levels that perform covered functions (e.g., providing health care or insuring individuals for health-care costs) may be subject to the Privacy Rule's provisions as covered entities. For example, a local public health authority that operates a health clinic providing essential health-care services to low-income persons and performs certain electronic transactions might be defined under the Privacy Rule as a covered health-care provider and therefore a covered entity. Flow charts and interactive tools designed to help determine covered entity status are provided online by the Centers for Medicare and Medicaid Services, available at httpwwwcmsgovhipaahipaa2supporttoolsdecisionsupportdefaultasp.

The following are examples of public health authority functions that make them covered entities:

• Public health authorities as covered health-care providers. A public health authority that conducts health care as part of its activities is a covered health-care provider if it also performs electronic transactions covered by the HIPAA Transactions Rule as part of these activities. The fact that these activities are conducted in pursuit of a public health goal (e.g., vaccinating children or screening a targeted population for sexually transmitted diseases) does not preclude the public health authority from being a covered entity.

• Public health authorities as health plans. Under the Privacy Rule, a health plan is an individual or group plan that provides or pays the cost of medical care. This specifically includes government health plans (e.g., Medicare, Medicaid, or Veterans Health Administration). However, the Privacy Rule defines health plan to exclude government-funded programs whose principal activity is the direct provision of health care to persons or the making of grants to fund the direct provision of health care to persons [45 CFR § 160.103]. Examples include the Ryan White Comprehensive AIDS Resources Emergency Act. Although certain government programs that fund providers directly may not be health plans, government programs that reimburse providers or otherwise fund providers to perform direct health-care services should carefully analyze the details of their programs to determine if they are performing covered functions.

• Public health authorities as health-care clearinghouses. Although unlikely, a public health authority might be a health-care clearinghouse if it receives health information from another entity and translates that information from a nonstandard format into a standard transaction or standard data elements (or vice versa). Operators of community health information systems should carefully consider whether they meet the definition for a health-care clearinghouse.

• Public health agencies as hybrid entities. A public health agency that is a covered entity and has both covered and noncovered functions may become a hybrid entity by designating its health-care components. By designating itself as a hybrid entity, a public health authority can carve out its noncovered functions so that the majority of Privacy Rule provisions apply only to its health-care component, which is required to comply with the Privacy Rule requirements, including using and disclosing PHI only as authorized, meeting the administrative requirements, accounting for disclosure of PHI, and providing a notice of practices. However, such a designation does not preclude the public health authority from continuing to conduct authorized public health functions. A covered entity that is also a public health authority may use, as well as disclose, PHI for public health purposes to the same extent it would be permitted to disclose the PHI as a public health authority.

The Privacy Rule and Public Health Research

The topic of research under the Privacy Rule is covered in depth in the DHHS report Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (6). The Privacy Rule provides separate provisions for disclosure without individual authorization for public health purposes and for certain research [45 CFR § 164.512(b)] [45 CFR § 164.512(i)]. Other federal law pertaining to research stresses the importance of distinguishing between research and practice to ensure that human subjects are appropriately protected [45 CFR Part 46]. For certain activities, this distinction is not always clear. A full discussion of the distinctions between public health practice and research is beyond the scope of this document. However, CDC and others provide guidance in this area (7–9).

Research Versus Practice

The definition of research is the same for the Privacy Rule and the Common Rule (10): systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Research is designed to test a hypothesis, permit conclusions to be drawn, and thereby to develop or contribute to generalizable knowledge. The majority of public health activities (e.g., public health surveillance and disease prevention and control projects) are based on scientific evidence and data collection or analytic methods similar to those used in research. However, they are not designed to contribute to generalizable knowledge. Their primary purpose is to protect the health of the population through such activities as disease surveillance, prevention, or control.

The Belmont Report (11) defines practice as interventions designed solely to enhance the well-being of a person, patient, or client and which have reasonable expectation of success. The report further states that the purpose of medical or behavioral practice is to provide diagnosis, preventive treatment, or therapy to particular patients. For public health agencies, the patient is the community. Public health practice activities (e.g., public health surveillance, disease control, or program evaluation) are undertaken with the intent to benefit a specific community, although occasionally they may provide unintended generalizable benefits to others.

Some public health activities that are initially public health practice may subsequently evolve into a research activity (e.g., an investigation to determine the cause of an outbreak that incorporates a research study evaluating the efficacy of a new drug to treat the illness). When that is the case, the disclosures may be made initially under the public health provisions of the Privacy Rule. But when the activity becomes an ongoing research activity, the entity should consider application of the relevant research disclosure provisions to continue to obtain information for this purpose. Moreover, there may be cases where the activity is both research and public health practice (e.g., an ongoing survey to monitor health conditions in the population, data from which can also be analyzed for research purposes). In those cases, disclosures may be made either under the research provisions or the public health provisions, as appropriate; the covered entity need not comply with both sets of requirements.

The Privacy Rule and Other Laws

• Federal laws. Covered entities subject to the Privacy Rule are also subject to other federal statutes and regulations. The specific relationship of the Privacy Rule and certain federal laws is discussed in the preamble to the December 2000 Final Rule [65 Fed. Reg. 82481]. In certain instances, the Privacy Rule imposes requirements in direct conflict with other federal laws or regulations. In those instances, an analysis will be necessary to determine whether the later provision was intended to overrule the prior law or regulation.

• State laws. As a federal regulatory standard, the Privacy Rule preempts only those contrary state laws relating to the privacy of individually identifiable health information that have less stringent requirements or standards than the Privacy Rule (i.e., more stringent laws remain in effect). In addition, DHHS may, upon specific request from a state or other entity or person, determine that a provision of state law that is contrary to the federal requirements and that meets certain additional criteria will not be preempted by the federal requirements. Thus, preemption of a contrary state law will not occur if the Secretary or designated DHHS official determines, in response to a request, that the state law 1) is necessary to prevent fraud and abuse related to the provision of or payment for health care; 2) is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation; 3) is necessary for state reporting on health-care delivery or costs; 4) is necessary to serve a compelling public health, safety, or welfare need and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or 5) has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances. The Privacy Rule specifically does not preempt contrary state public health laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention [45 CFR § 160.202].

Online Resources

References to non-DHHS sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

Federal Government Resources

DHHS Office for Civil Rights, HIPAA guidelines: httpwwwhhsgovocrhipaa
CDC, Privacy Rule guidelines: httpwwwcdcgovprivacyrule
Centers for Medicare and Medicaid Services: httpwwwcmsgovhipaa; httpwwwcmsgovhipaahipaa2supporttoolsdecisionsupportdefaultasp
Health Resources and Services Administration, HIPAA: httpwwwhrsagovwebsitehtm
National Center for Health Statistics: httpwwwcdcgovnchsotheractphdscphdschtm
National Committee on Vital and Health Statistics: httpwwwncvhshhsgov
National Health Information Infrastructure: httpwwwhealthgovncvhs-nhii
Indian Health Service, HIPAA: httpwwwihsgovAdminMngrResourcesHIPAAindexcfm
National Institutes of Health: httpprivacyruleandresearchnihgov
Substance Abuse and Mental Health Services Administration, HIPAA: httpwwwsamhsagovhipaa

State Government Resources

California: httpwwwdhscagovhipaa; httpwwwohicagovstatecalohiohiHomejsp; httpwwwdmhcagovhipaa
Colorado: httpwwwcdphestatecousHIPAA
Florida: httpwwwmyfloridacommyfloridastohipaa
Illinois: httpwwwstateilusdpahipaahtml
Kentucky: httpchsstatekyusdmsHIPAAdefaulthtm; httpdmhmrschrstatekyushipaaasp
Maryland: httpwwwmhccstatemdusedihipaa_hipaahtm; httpdhmhstatemdusHIPAA
Minnesota: httpwwwdhsstatemnushipaa
Missouri: httpwwwhealthstatemousHIPAA
New York: httpwwwoftstatenyushipaaindexhtm
North Carolina: httpdirmstatencushipaa
Ohio: httpwwwstateohushipaa
Pennsylvania: httpwwwdpwstatepausomaphipaaomaphipaaasp; httpwwwinsurancestatepaushtmlhipaahtml
South Carolina: httpwwwhipaastatescus
Texas: httpwwwhhscstatetxusNDISNDISTaskForcehtml
Virginia: httpwwwdmasstatevaushpa-homehtm
Wisconsin: httpwwwdhfsstatewiusHIPAA


Associations, Nonprofit Organizations, and Academic Resources

American Hospital Association, HIPAA: httpwwwhospitalconnectcomahakey_issueshipaaresourcesresourceshtml
American Medical Association, HIPAA: httpwwwama-assnorgamapubcategory4234html
Association of State and Territorial Health Officials, HIPAA: httpwwwasthoorgtemplate=hipaahtml
Georgetown University Health Privacy Project: httpwwwhealthprivacyorg
Joint Healthcare Information Technology Alliance: httpwwwjhitaorg
National Association of Health Data Organizations: httpwwwnahdoorg
National Association of Insurance Commissioners: httpwwwnaicorg1privacyinitiativeshealth_privacyhtm
National Governors Association, HIPAA: httpwwwngaorgcentertopics11188C_CENTER_ISSUE^D_432400html
North Carolina Healthcare Information and Communications Alliance: httpwwwnchicaorg
Public Health Grand Rounds, HIPAA Privacy Rule: Enhancing or Harming Public Health: httpwwwpublichealthgrandroundsuncedu
Stanford University Medical School, HIPAA: httpwwwmedstanfordeduHIPAA
Workgroup for Electronic Data Interchange, Strategic National Implementation Process: httpwwwwediorgsnip

Acknowledgments

This report was prepared by Salvatore Lucido, MPA, and Denise Koo, MD, Office of the Associate Director for Science, Epidemiology Program Office, CDC, in collaboration with James G. Hodge, Jr., JD, Center for Law and the Public's Health, Georgetown and Johns Hopkins Universities, Baltimore, Maryland. The preparers are grateful for the participation of Deborah Tress, JD, Kenya Ford, JD, and Heather Horton, JD, Office of the General Counsel, Department of Health and Human Services, CDC/ATSDR Branch; the CDC Working Group on the Privacy Rule; and Beverly Dozier, JD, Lance A. Gable, JD, Lawrence O. Gostin, JD, Gail Horlick, JD, and Jennifer Kurle.

The preparers also thank the following partners for their valuable input: Association of State and Territorial Health Officers, Council of State and Territorial Epidemiologists, National Association of County and City Health Officials, National Association of Health Data Organizations, Association of Public Health Laboratories, and National Association for Public Health Statistics and Information Systems.

References

1. Gostin LO, Hodge JG Jr. Personal privacy and common goods: a framework. Minnesota Law Review 2002;86:1439–80.
2. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996).
3. Office for Civil Rights, Department of Health and Human Services. Title 45 of the Code of Federal Regulations, Parts 160 and 164. Available at httpwwwdhhsgovocrcombinedregtextpdf.
4. Office for Civil Rights. OCR guidance explaining significant aspects of the Privacy Rule, 2002. Department of Health and Human Services. Available at httpwwwhhsgovocrhipaa.
5. Gostin LO, Hodge JG Jr, Privacy Law Advisory Committee. Model state public health information privacy act, 1999. Available at httpwwwpublichealthlawnetResourcesResourcesPDFsmodelprivactpdf.
6. Department of Health and Human Services. Protecting personal health information in research: understanding the HIPAA Privacy Rule. Department of Health and Human Services, Washington, DC, 2003 (in press).
7. Snider DE, Stroup DF. Defining research when it comes to public health. Public Health Rep 1997;112:29–32.
8. CDC. Guidelines for defining public health research and public health nonresearch. Available at httpwwwcdcgovodadsopspoll1htm.
9. Amoroso PJ, Middaugh JP. Research vs public health practice: when does a study require IRB review? Prev Med 2003;36:250–3.
10. Office for Protection from Research Risks, National Institutes of Health, Department of Health and Human Services. Public welfare: protection of human subjects, 2001 [45 CFR 46]. Available at httpohrposophsdhhsgovhumansubjectsguidance45cfr46htm.
11. National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. Belmont report: ethical principles and guidelines for the protection of human subjects of research. Department of Health, Education, and Welfare. Available at httpwwwmedumicheduirbmedethicsbelmontBELMONTRHTM.

Appendix A. Selected Privacy Rule Concepts and Definitions

The following concepts and definitions are adapted from the regulatory language. For further information, see the citations to the Privacy Rule.

Accounting. An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures (a) to carry out treatment, payment, and health care operations [45 CFR § 164.506]; (b) to individuals of protected health information about them [45 CFR § 164.502]; (c) incident to a use or disclosure otherwise permitted or required by this subpart, as provided in 45 CFR § 164.502; (d) pursuant to an authorization as provided in 45 CFR § 164.508; (e) for the facility's directory or to persons involved in the individual's care or other notification purposes as provided in 45 CFR § 164.510; (f) for national security or intelligence purposes as provided in 45 CFR § 164.512(k)(2); (g) to correctional institutions or law enforcement officials as provided in 45 CFR § 164.512(k)(5); or (h) as part of a limited data set in accordance with 45 CFR § 164.514(e); or (i) that occurred prior to the compliance date for the covered entity… Such an accounting must meet the following requirements: (1) except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity; (2) except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: the date of the disclosure; the name of the entity or person who received the protected health information and, if known, the address of such entity or person; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or, in lieu of such a statement, a copy of the individual's written authorization pursuant to 45 CFR § 164.508 or a copy of a written request for a disclosure under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, if any.

If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, the accounting may, with respect to such multiple disclosures, provide the information required by paragraph (b)(2) of 45 CFR § 164.528 for the first disclosure during the accounting period; the frequency, periodicity, or number of the disclosures made during the accounting period; and the date of the last such disclosure during the accounting period [45 CFR § 164.528].

Modified accounting procedures are also provided for covered entities making research disclosures involving >50 persons [45 CFR § 164.528(b)(4)].

Business associate. A person who, on behalf of a covered entity or of an organized health care arrangement [45 CFR § 154.501] in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or any other function or activity regulated by this subchapter; or provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation [45 CFR § 164.501], management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health-care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the individual [45 CFR § 160.103].

Covered entity: 1) a health plan; 2) a health-care clearinghouse; 3) a health-care provider who transmits any health information in electronic form in connection with a transaction [45 CFR § 160.103].

Covered functions: Those functions of a covered entity the performance of which makes the entity a health plan, health-care provider, or health-care clearinghouse [45 CFR § 164.103].

Data aggregation: With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health-care operations of the respective covered entities [45 CFR § 164.501].

De-identified health information: Health information that does not identify an individual and with respect to which no reasonable basis exists to believe that the information can be used to identify an individual is not individually identifiable information [45 CFR § 164.514(a)].

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information [45 CFR § 160.103].

Electronic media: 1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or 2) transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission [45 CFR § 160.103].

Health care: Care, services, or supplies related to the health of an individual. It includes, but is not limited to, 1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body; and 2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription [45 CFR § 160.103].

Health-care clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and value-added network or switch, that 1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or 2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity [45 CFR § 160.103].

Health-care operations: Any of the following activities of the covered entity to the extent that the activities are related to covered functions: 1) conducting quality assessment and improvement activities, population-based activities, and related functions that do not include treatment; 2) reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance, conducting training programs where students learn to practice or improve their skills as health-care providers, training of nonhealth-care professionals, accreditation, certification, licensing, or credentialing activities; 3) underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or benefits; 4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and 6) business management and general administrative activities of the entity [45 CFR § 164.501].

Health-care provider: A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health-care services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other individual or organization that furnishes, bills, or is paid for health care in the normal course of business [45 CFR § 160.103].

Health information: Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health-care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual [45 CFR § 160.103].

Health plan: An individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). Health plan includes the following, singly or in combination: (i) a group health plan, as defined in 45 CFR § 160.103 of the Privacy Rule; (ii) a health insurance issuer, as defined in 45 CFR § 160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 CFR § 160.103 of the Privacy Rule; (iv) Part A or B of the Medicare program under title XVIII of the Act; (v) the Medicaid program under title XIX of the Act, 42 U.S.C. 1396 et seq.; (vi) an issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)); (vii) an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy; (viii) an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers; (ix) the health care program for active military personnel under title 10 U.S.C.; (x) the veterans health-care program under 38 U.S.C. Ch. 17; (xi) the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)); (xii) the Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601 et seq.; (xiii) the Federal Employees Health Benefits Program under 5 U.S.C. 8902 et seq.; (xiv) an approved state child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397 et seq.; (xv) the Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28; (xvi) a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals; (xvii) any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) [45 CFR § 160.103].

The term health plan excludes: (i) any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in § 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and (ii) a government-funded program (other than the one listed in items (i)-(xvi) above) whose principal purpose is other than providing, or paying the cost of, health care, or whose principal activity is 1) the direct provision of health care to individuals, or 2) the making of grants to fund the direct provision of health care to individuals [45 CFR § 160.103].

Hybrid entity: A single legal entity 1) that is a covered entity; 2) whose business activities include both covered and noncovered functions; and 3) that designates its health-care components [45 CFR § 164.103].

Individually identifiable health information: A subset of health information, including demographic information collected from an individual, that 1) is created or received by a health-care provider, health plan, employer, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or where there is a reasonable basis to believe the information can be used to identify the individual [45 CFR § 164.501].

Limited data set: Protected health information that excludes certain direct identifiers of the individual or of relatives, employers, or household members of the individual. Direct identifiers to be excluded can be found in 45 CFR § 164.514(e)(2).

Minimum necessary: For any type of disclosure that a covered entity makes on a routine and recurring basis, the covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. For all other disclosures, covered entities must develop and implement criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought, and review requests for disclosure on an individual basis in accordance with such criteria. A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when (a) making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose; (b) the information is requested by another covered entity; (c) the information is requested by their business associates providing personal services; or (d) documentation or representations that comply with the applicable requirements of 45 CFR § 164.512(i) have been provided by an individual requesting the information for research purposes [45 CFR § 164.514(d)(3)].

The minimum necessary standard also applies to uses of protected health information [45 CFR § 164.514(d)(2)] and requests for protected health information [45 CFR § 164.514(d)(4)].

Notice: An individual, with certain exceptions, has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. The notice must be written in plain language and contain the following elements: (i) a header as specified in the rule; (ii) a description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and health care operations, and a description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written consent or authorization. If a use or disclosure is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law (as defined in 45 CFR § 160.202). Each description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule or other applicable law, and a statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by 45 CFR § 164.508(b)(5).


A separate statement must be included in the notice if a covered entity intends to engage in any of the following activities. The statement should explain that 1) the covered entity may contact the individual to provide appointment reminders or information regarding treatment alternatives or other health-related benefits; 2) the covered entity may contact the individual to raise funds for the covered entity; or 3) a group health plan, health insurer, or HMO, with respect to a group health plan, may disclose protected health information to the sponsor of the plan.

The notice must contain a statement of the individual's rights with respect to the protected health information and a brief description of how the individual may exercise these rights; a statement of the covered entity's duties; a statement that individuals may complain to the covered entity or the Secretary if they believe their privacy rights have been violated; contact information; and the effective date of the notice [45 CFR § 164.520].

Payment: 1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or (ii) a health-care provider or health plan to obtain or provide reimbursement for the provision of health care; and 2) the activities relate to the individual to whom health care is provided and include, but are not limited to, (i) determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; (ii) risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance), and related health-care data processing; (iv) review of health-care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: (a) name and address, (b) date of birth, (c) social security number, (d) payment history, (e) account number, and (f) name and address of the health-care provider or health plan [45 CFR § 164.501].

Protected health information (PHI): Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in (i) education records covered by the Family Education Rights and Privacy Act (20 U.S.C. 1232g); (ii) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a covered entity in its role as employer [45 CFR § 160.103].

Public health authority: An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or an individual or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or individuals or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate [45 CFR § 164.501].

Examples of public health authorities include state and local health departments, CDC, National Institutes of Health (NIH), Food and Drug Administration (FDA), and Occupational Safety and Health Administration (OSHA).

Required by law: A mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. This term includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health-care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits [45 CFR § 164.103].

Research: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge [45 CFR § 164.501].

Statistical de-identification: A properly qualified statistician, using accepted analytical techniques, concludes that the risk is limited that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information [45 CFR § 164.514(b)].

Safe harbor method: A covered entity or its agent removes a comprehensive set of identifiers enumerated in the Privacy Rule, which includes, but is not limited to, names, geographic subdivisions smaller than states, dates more specific than years, contact information, identification numbers, and photographic images, and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual who is a subject of the information or the individual's relatives, employers, or household members. Eighteen specific identifiers will need to be removed to achieve de-identification [45 CFR § 164.514(b)].
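As an added illustration of the safe harbor method (example code written for this page, not part of the MMWR report or of any CDC tool), the function below strips a record of the identifier categories named in this entry: name fields are dropped, an address is reduced to its state, dates are reduced to the year, contact and identification fields are dropped, and identifiers that leak into free text are scrubbed. It covers only the categories this entry lists, not the Privacy Rule's full enumeration of 18 identifiers, and the field names of the input record are assumptions for the example.

```python
"""Safe-harbor style de-identification of one patient record.

Added example, not code from the MMWR report. It handles only the identifier
categories the report's entry names (names, geographic subdivisions smaller
than a state, dates more specific than a year, contact information,
identification numbers, photographic images), not the full list of 18.
The field names of the input record are assumptions for this example.
"""
import re

# Assumed field names, grouped by the identifier category they fall into.
NAME_FIELDS = {"first_name", "last_name"}
CONTACT_FIELDS = {"phone", "fax", "email"}
ID_FIELDS = {"ssn", "mrn", "account_number"}
IMAGE_FIELDS = {"photo"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}

# Identifiers that tend to leak into free-text fields such as clinical notes.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
ISO_DATE_RE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")

# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "first_name": "Jane",
    "last_name": "Doe",
    "dob": "1961-04-12",
    "address": {"street": "12 Elm St", "city": "Springfield", "state": "GA", "zip": "30333"},
    "phone": "404-555-0100",
    "ssn": "123-45-6789",
    "mrn": "MRN-000123",
    "admit_date": "2003-02-03",
    "diagnosis": "influenza A",
    "notes": "Patient called 404-555-0100 on 2003-02-05; SSN 123-45-6789 on file.",
}


def scrub_text(text):
    """Remove identifiers embedded in free text; full dates are reduced to the year."""
    text = SSN_RE.sub("[ID REMOVED]", text)
    text = PHONE_RE.sub("[CONTACT REMOVED]", text)
    text = EMAIL_RE.sub("[CONTACT REMOVED]", text)
    return ISO_DATE_RE.sub(r"\1", text)


def safe_harbor(record):
    """Return (de-identified record, list of field names that were dropped)."""
    out, dropped = {}, []
    for key, value in record.items():
        if key in NAME_FIELDS | CONTACT_FIELDS | ID_FIELDS | IMAGE_FIELDS:
            dropped.append(key)                  # names, contact info, IDs, images: removed
        elif key in DATE_FIELDS:
            out[key + "_year"] = value[:4]       # dates: keep the year only
        elif key == "address":
            out["state"] = value["state"]        # geography: state level only
            dropped.append(key)
        elif isinstance(value, str):
            out[key] = scrub_text(value)         # free text: scrub embedded identifiers
        else:
            out[key] = value
    return out, dropped


if __name__ == "__main__":
    deidentified, removed = safe_harbor(SAMPLE_RECORD)
    print(deidentified)
    print("dropped:", removed)
```

The returned list of dropped fields is worth logging next to the output so a reviewer can confirm which categories were applied to a given dataset. The entry's second condition, that the entity has no actual knowledge the remaining information could identify the individual, is a judgement no code makes for you; where that knowledge exists (rare diagnoses, very small populations), the statistical de-identification route described above is the alternative the rule provides.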

Transaction: The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions that the Secretary may prescribe by regulation [45 CFR § 164.103].

Treatment: The provision, coordination, or management of health care and related services by one or more health-care providers, including the coordination or management of health care by a health-care provider with a third party; consultation between health-care providers relating to a patient; or the referral of a patient for health care from one health-care provider to another [45 CFR § 164.501].

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information [45 CFR § 160.103].


Appendix B: Sample Text That Can Be Used To Clarify Public Health Issues Under the Privacy Rule

Following are sample letters that can be used to help clarify Privacy Rule issues among covered entities and public health authorities (e.g., CDC, National Institutes of Health, Food and Drug Administration, Substance Abuse and Mental Health Services Administration, Health Resources and Services Administration, state and local health departments). Public health authorities can use these letters as templates by inserting names of the appropriate individuals, projects, agreements, laws, activity types, covered entities, public health authorities, and authorized agencies.

From a public health authority to a covered entity, clarifying rules regarding disclosure

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is conducting the activity described here in its capacity as a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities such as your organization may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..."

[Public health authority] is conducting [project], a public health activity as described by 45 CFR § 164.512(b), and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule.

If you have questions or concerns, please contact [project leader].

From a public health authority to an authorized agency, providing grant of authority

Dear [authorized agency]:

This letter serves as verification of a grant of authority from [public health authority] for you to conduct the public health activities described here, acting as a public health authority pursuant to the Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act (HIPAA) [45 CFR Parts 160 and 164]. Under this rule, covered entities may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of a public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..."

[Authorized agency] is acting under [contract, grant, cooperative agreement] with [public health authority] to conduct [project], which is authorized by [law or regulation]. [Public health authority] grants this authority to [authorized agency] for purposes of this project. Further, [public health authority] considers this to be [activity type] for which disclosure of protected health information by covered entities is authorized by 45 CFR § 164.512(b) of the Privacy Rule.

From a public health authority to a covered entity, confirming grant of authority to an authorized agency

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities may disclose protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..." [45 CFR § 164.501]. [Authorized agency] is acting under [contract, grant, or cooperative agreement] with [public health authority] to carry out [project]. Through this grant of authority, [authorized agency] may function as a public health authority under the Privacy Rule for purposes of this project.

[Project] is a public health activity as described by 45 CFR § 164.512(b), referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities "... may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purposes when making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s)."

If you have questions or concerns, please contact [project leader for authorized agency; public health authority contact].

All MMWR references are available on the Internet at http://www.cdc.gov/mmwr. Use the search function to find specific articles.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

MMWR

The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) and is available free of charge in electronic format and on a paid subscription basis for paper copy. To receive an electronic copy each week, send an e-mail message to listserv@listserv.cdc.gov. The body content should read SUBscribe mmwr-toc. Electronic copy also is available from CDC's Internet server at http://www.cdc.gov/mmwr or from CDC's file transfer protocol server at ftp://ftp.cdc.gov/pub/publications/mmwr. To subscribe for paper copy, contact Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone 202-512-1800.

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

US Government Printing Office 2003-533-15569108 Region IV


• designate individuals who are responsible for implementing privacy policies and procedures and who will receive privacy-related complaints;

• establish privacy requirements in contracts with business associates that perform covered functions;

• have in place appropriate administrative, technical, and physical safeguards to protect the privacy of health information; and

• meet obligations with respect to health consumers exercising their rights under the Privacy Rule.

With respect to individuals, they are vested with the following rights:

• Receive access to PHI. Individual rights include inspections of records and the provision for copies of PHI about the individual in a designated record set for as long as the PHI is maintained in the designated record set, except for psychotherapy notes, information compiled for use in civil, criminal, or administrative actions, and PHI maintained by a covered entity subject to the Clinical Laboratory Improvement Amendments of 1988 [42 CFR § 263(a)]. In the majority of cases, covered entities must accommodate a request or provide a process of denial subject to review [45 CFR § 164.524].

• Request amendments to PHI. Individuals can request that covered entities amend PHI about the individual in a designated record set for as long as the PHI is maintained in a designated record set. If the covered entity agrees to the amendment, it must 1) identify the records affected; 2) append or provide a link to the amendment; 3) inform the individual the amendment has been made; and 4) work with other covered entities or business associates who possess or receive the data to make the amendments [45 CFR § 164.526]. If the covered entity denies this request, the Privacy Rule provides a process for contesting the denial [45 CFR § 164.526].

• Receive adequate notice. With limited exceptions, individuals have the right to receive a notice of the uses and disclosures the covered entity will make of their PHI, their rights under the Privacy Rule, and the covered entity's obligations with respect to that information. In certain cases, notice may be provided electronically. The notice must be in plain language (e.g., "your health information may be shared with public health authorities for public health purposes ...") and posted where it is likely to be seen by patients [45 CFR § 164.520].

• Receive an accounting of disclosures. Upon request, covered entities are required to provide individuals with an accounting for certain types of disclosures of PHI, although the rule contains certain exceptions, including disclosures with individual authorization, disclosures related to providers' treatment, payment, and health-care operations (TPO), and other exceptions. A typical accounting includes the name of the person or entity who received the information, date of the disclosure, a brief description of the information disclosed, and a brief explanation of the reasons for disclosure or copy of the request [45 CFR § 164.528]. However, requirements for accounting of public health disclosures may vary (see Accounting for Public Health Disclosures).

• Request restrictions. Individuals have the right to request a restriction on certain uses or disclosures of their PHI; however, the covered entity is not obligated to agree to such a request. If the covered entity does agree to a restriction, it must generally abide by the agreement, except for emergency treatment situations. But such an agreement is not effective to prevent certain permitted uses or disclosures [45 CFR § 164.512].
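The accounting of disclosures described in the bullet above, together with the aggregation rule for repeated disclosures given in the Appendix A entry on accounting, as an added example (code written for this page, not the report's own): each accountable disclosure is recorded with the recipient, date, description and the provision relied on; disclosures for TPO or made with the individual's authorization are left out as exempt; and repeated disclosures to the same recipient for a single purpose under 45 CFR § 164.502(a)(2)(ii) or § 164.512 are collapsed into the first disclosure's details plus the number of disclosures and the date of the last one. The record layout and field names are assumptions for the example.

```python
"""Accounting of disclosures with the rule for repeated disclosures.

Added example, not code from the MMWR report. It applies what the report
states: disclosures for treatment, payment and health-care operations (TPO)
and those made with the individual's authorization are exempt from the
accounting; repeated disclosures to the same recipient for a single purpose
under 45 CFR 164.502(a)(2)(ii) or 164.512 may be reported as the first
disclosure's details plus the number of disclosures and the date of the last.
The record layout and field names are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date

# Provisions under which repeated disclosures may be collapsed (from the text).
AGGREGATABLE = ("164.502(a)(2)(ii)", "164.512")
# Bases on which a disclosure is exempt from the accounting (from the text).
EXEMPT = ("164.506", "authorization")


@dataclass(frozen=True)
class Disclosure:
    recipient: str    # person or entity who received the PHI
    purpose: str      # single stated purpose of the disclosure
    basis: str        # Privacy Rule provision relied on, or "authorization"
    when: str         # ISO date (YYYY-MM-DD) of the disclosure
    description: str  # brief description of the PHI disclosed


# Constructed disclosure log for one individual (not real data).
SAMPLE_LOG = [
    Disclosure("State Health Department", "public health surveillance", "164.512(b)", "2003-01-06", "reportable lab result"),
    Disclosure("Acme Health Plan", "payment", "164.506", "2003-02-10", "claim"),  # TPO: exempt
    Disclosure("State Health Department", "public health surveillance", "164.512(b)", "2003-02-03", "reportable lab result"),
    Disclosure("County Sheriff", "law enforcement", "164.512(f)", "2003-02-20", "name and address"),
    Disclosure("Employer", "disability claim", "authorization", "2003-03-15", "visit summary"),  # exempt
    Disclosure("State Health Department", "public health surveillance", "164.512(b)", "2003-03-03", "reportable lab result"),
]


def entry(d, count=None, last=None):
    """One line of the accounting; count/last are set only for collapsed groups."""
    e = {"recipient": d.recipient, "purpose": d.purpose, "basis": d.basis,
         "date": d.when, "description": d.description}
    if count:
        e["count"], e["last_date"] = count, last
    return e


def accounting(log, start, end):
    """Accounting entries for disclosures dated within [start, end] (ISO strings)."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    groups = {}  # (recipient, purpose, basis) -> disclosures in date order
    for d in sorted(log, key=lambda d: d.when):
        if d.basis.startswith(EXEMPT) or not (lo <= date.fromisoformat(d.when) <= hi):
            continue
        groups.setdefault((d.recipient, d.purpose, d.basis), []).append(d)
    entries = []
    for (_, _, basis), ds in groups.items():
        if len(ds) > 1 and basis.startswith(AGGREGATABLE):
            entries.append(entry(ds[0], count=len(ds), last=ds[-1].when))
        else:
            entries.extend(entry(d) for d in ds)
    return entries


def sample_accounting(start="2003-01-01", end="2003-12-31"):
    """Run the accounting over the constructed log for a given period."""
    return accounting(SAMPLE_LOG, start, end)


if __name__ == "__main__":
    for line in sample_accounting():
        print(line)
```

Keeping the exempt disclosures in the underlying log and filtering at reporting time, rather than never logging them, keeps the log usable for the entity's own audit while producing exactly the accounting the individual is entitled to.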

Required PHI Disclosures

A covered entity is required by the Privacy Rule to disclosePHI in only two instances 1) when an individual has a rightto access an accounting of his or her PHI (see previous para-graph) and 2) when DHHS needs PHI to determine compli-ance with the Privacy Rule [45 CFR sect 164502(a)(2)] Certainother uses and disclosures of PHI may be permitted withoutauthorization but are not required by the Privacy Rule How-ever other federal tribal state or local laws may compel dis-closure

Permitted PHI Disclosures Without Authorization

The Privacy Rule permits a covered entity to use and disclose PHI, with certain limits and protections, for TPO activities [45 CFR § 164.506]. Certain other permitted uses and disclosures for which authorization is not required follow. Additional requirements and conditions apply to these disclosures. The Privacy Rule text and OCR guidance should be consulted for a full understanding of the following:

• Required by law. Disclosures of PHI are permitted when required by other laws, whether federal, tribal, state, or local.

• Public health. PHI can be disclosed to public health authorities and their authorized agents for public health purposes, including but not limited to public health surveillance, investigations, and interventions.

• Health research. A covered entity can use or disclose PHI for research without authorization under certain conditions, including 1) if it obtains documentation of a waiver from an institutional review board (IRB) or a privacy board, according to a series of considerations; 2) for activities preparatory to research; and 3) for research on a decedent’s information.

• Abuse, neglect, or domestic violence. PHI may be disclosed to report abuse, neglect, or domestic violence under specified circumstances.

• Law enforcement. Covered entities may, under specified conditions, disclose PHI to law enforcement officials pursuant to a court order, subpoena, or other legal order; to help identify and locate a suspect, fugitive, or missing person; to provide information related to a victim of a crime or a death that may have resulted from a crime; or to report a crime.

• Judicial and administrative proceedings. A covered entity may disclose PHI in the course of a judicial or administrative proceeding under specified circumstances.

• Cadaveric organ, eye, or tissue donation purposes. Organ-procurement agencies may use PHI for the purposes of facilitating transplant.

• Oversight. Covered entities may usually disclose PHI to a health oversight agency for oversight activities authorized by law.

• Workers’ compensation. The Privacy Rule permits disclosure of work-related health information as authorized by, and to the extent necessary to comply with, workers’ compensation programs.

Other Authorized Disclosures

A valid authorization is required for any use or disclosure of PHI that is not required or otherwise permitted without authorization by the Privacy Rule. In general, these authorizations must:

• specifically identify the PHI to be used or disclosed;

• provide the names of persons or organizations, or classes of persons or organizations, who will receive, use, or disclose the PHI;

• state the purpose for each request;

• notify individuals of their right to refuse to sign the authorization without negative consequences to treatment, payment, or health plan enrollment or benefit eligibility, except under specific circumstances;

• be signed and dated by the individual or the individual’s personal representative;

• be written in plain language;

• include an expiration date or event;

• notify the individual of the right to revoke authorization at any time in writing, and how to exercise that right, and any applicable exceptions to that right under the Privacy Rule; and

• explain the potential for the information to be subject to redisclosure by recipient and no longer protected by the Privacy Rule.

The Privacy Rule and Public Health

The Privacy Rule recognizes 1) the legitimate need for public health authorities and others responsible for ensuring the public’s health and safety to have access to PHI to conduct their missions, and 2) the importance of public health reporting by covered entities to identify threats to the public and individuals. Accordingly, the rule 1) permits PHI disclosures without a written patient authorization for specified public health purposes to public health authorities legally authorized to collect and receive the information for such purposes, and 2) permits disclosures that are required by state and local public health or other laws. However, because the Privacy Rule affects the traditional ways PHI is used and exchanged among covered entities (e.g., doctors, hospitals, and health insurers), it can affect public health practice and research in multiple ways. To prevent misconceptions, understanding the Privacy Rule is important for public health practice. Some illustrative examples are presented in this report (Box 4). Also provided are sample letters that might prove useful in clarifying relationships involving public health and the Privacy Rule (Appendix B).

A public health authority is broadly defined as including agencies or authorities of the United States, states, territories, political subdivisions of states or territories, American Indian tribes, or an individual or entity acting under a grant of authority from such agencies and responsible for public health matters as part of an official mandate. Public health authorities include federal public health agencies (e.g., CDC, National Institutes of Health [NIH], Health Resources and Services Administration [HRSA], Substance Abuse and Mental Health Services Administration [SAMHSA], Food and Drug Administration [FDA], or Occupational Safety and Health Administration [OSHA]), tribal health agencies, state public health agencies (e.g., public health departments or divisions, state cancer registries, and vital statistics departments), local public health agencies, and anyone performing public health functions under a grant of authority from a public health agency [45 CFR § 164.501].

Public health agencies often conduct their authorized public health activities with other entities by using different mechanisms (e.g., contracts and memoranda or letters of agreement). These other entities are public health authorities under the Privacy Rule with respect to the activities they conduct under a grant of authority from such a public health agency. A covered entity may disclose PHI to public health authorities and to these designated entities pursuant to the public health provisions of the Privacy Rule.

BOX 4. Examples of situations related to the Privacy Rule and public health

State cancer registry. Under a state law, health-care providers are required to report cancer cases to a state’s cancer registry. Names are included to prevent duplicate reporting and counting. State law protects the confidentiality of the data. Can covered entities disclose the information under the Privacy Rule?

Privacy Rule effect. Covered entities may disclose PHI to a public health agency or any other entity when the disclosure is required by law. However, as covered entities, the providers must give an accounting to the persons whose PHI has been shared. The state agency may use and further disclose the PHI consistent with applicable state law.

State university-maintained cancer registry. Under a state law, health-care providers are mandated to report cancer cases to a state health department’s cancer registry. The state health department contracts with a state university to receive the reports and maintain its registry. As covered entities, can health-care providers disclose PHI to the state university under the Privacy Rule?

Privacy Rule effect. As noted in the previous example, covered entities may disclose, without authorization, PHI to the cancer registry under the Privacy Rule, which expressly permits disclosure of PHI as required by law and sharing of PHI with public health authorities for public health purposes. The state university is acting under a grant of authority from a public health authority, the state health department. The university can use and disclose the information without authorization, consistent with its agreement with the state health department and applicable state law.

Early hearing detection and intervention. An early hearing detection and intervention program in a state needs data from two large hospitals. The state does not have a law requiring reporting of hearing loss. Under the Privacy Rule, can covered entities release results of newborn hearing-screening tests to the state program?

Privacy Rule effect. The Privacy Rule expressly permits release of PHI without authorization from a covered entity to a public health authority (e.g., the state health department) which is authorized by law to receive PHI for the purpose of controlling disease, injury, or disability. The rule does not require a state law mandating such disclosures for PHI to be released to a public health authority. Finally, the covered entities may rely upon the state’s representation that the information requested is the minimum necessary for the purposes of the registry.

Disease registry maintained by private foundation. A private foundation maintains a disease registry as a way to support research and service for those with the disease. Can health-care providers release PHI to the foundation under the Privacy Rule?

Privacy Rule effect. Nongovernment disease registries (e.g., those maintained by foundations and other private organizations) are not considered public health authorities unless they have a grant of authority from a public health authority. With such a grant, covered entities may disclose PHI to the foundations. But without a grant of authority, PHI may be released only under one of the following situations:

• Release is authorized by the patient.

• The PHI is de-identified.

• The PHI is contained in a limited data set governed by a data-use agreement.

• Release of PHI is in accord with the rule’s provisions for disclosure for research without authorization.

• Release is otherwise permitted by the rule (e.g., to entities subject to the jurisdiction of the Food and Drug Administration (FDA) [45 CFR § 164.512(b)(1)(iii)]).

Surveillance project. A state health department that is not a covered entity conducts a surveillance project on human immunodeficiency virus (HIV) and acquired immunodeficiency syndrome (AIDS). The HIV/AIDS surveillance project is an interview study. It asks for self-reported information from participants, including dates of diagnosis and visits for care. Is this PHI covered by the Privacy Rule?

Privacy Rule effect. Information collected directly from persons by a person, agency, or institution that is not a covered entity, including individually identifiable information, is not covered by the Privacy Rule.

The Privacy Rule permits covered entities to disclose PHI without authorization to public health authorities or other entities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability. This includes the reporting of disease or injury; reporting vital events (e.g., births or deaths); conducting public health surveillance, investigations, or interventions; reporting child abuse and neglect; and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices [45 CFR 164.512(b)]. Covered entities may report adverse events related to FDA-regulated products or activities to public agencies and private entities that are subject to FDA jurisdiction [45 CFR 164.512(b)(1)(iii)]. To protect the health of the public, public health authorities might need to obtain information related to the individuals affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority [45 CFR 164.512(b)(1)(i)].

To receive PHI for public health purposes, public health authorities should be prepared to verify their status and identity as public health authorities under the Privacy Rule. To verify its identity, an agency could provide any one of the following:

• if the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;

• if the request is in writing, the request is on the appropriate government letterhead;

• if the disclosure is to a person acting on behalf of a public health authority, a written statement on appropriate government letterhead that the person is acting under the government’s authority [45 CFR § 164.514(h)(2)].

Public health authorities receiving information from covered entities as required or authorized by law [45 CFR 164.512(a)] [45 CFR 164.512(b)] are not business associates of the covered entities and, therefore, are not required to enter into business associate agreements. Public health authorities that are not covered entities also are not required to enter into business associate agreements with their public health partners and contractors. Also, after PHI is disclosed to a public health authority pursuant to the Privacy Rule, the public health authority (if it is not a covered entity) may maintain, use, and disclose the data consistent with the laws, regulations, and policies applicable to the public health authority.

Disclosures for Public Health Purposes

The Privacy Rule allows covered entities to disclose PHI to public health authorities when required by federal, tribal, state, or local laws [45 CFR 164.512(a)]. This includes state laws (or state procedures established under such law) that provide for receiving reporting of disease or injury, child abuse, birth or death, or conducting public health surveillance, investigation, or intervention.

For disclosures not required by law, covered entities may still disclose, without authorization, to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, the minimum necessary information to accomplish the intended public health purpose of the disclosure [45 CFR 164.512(b)] (Box 1).

For example, to protect the health of the public, public health officials might need to obtain information related to persons affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. The Privacy Rule continues to allow for the existing practice of sharing PHI with public health authorities who are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting adverse events, reporting births and deaths, and investigating the occurrence and cause of injury and disease (1).

Although it is not a defined term, DHHS interpreted the phrase “authorized by law” to mean that a legal basis exists for the activity. Further, DHHS called the phrase “a term of art,” including both actions that are permitted and actions that are required by law [64 FR 59929, November 3, 1999]. This does not mean a public health authority at the federal, tribal, state, or local level must have multiple disease- or condition-specific laws that authorize each collection of information. Public health authorities operate under broad mandates to protect the health of their constituent populations.

Requirements for Covered Entities

Accounting for Public Health Disclosures

Although the Privacy Rule permits disclosures of PHI to public health authorities, covered entities must comply with certain requirements related to these disclosures. One such requirement is that a covered entity must be able to provide an individual, upon request, with an accounting of certain disclosures of PHI. The covered entity is not required to account for all disclosures of PHI. For example, an accounting is not required for disclosures made:

• prior to the covered entity’s compliance date;

• for TPO purposes;

• to the individual or pursuant to the individual’s written authorization; or

• as part of a limited data set.

However, usually an accounting is required for disclosures made without authorization, including public health purposes.

The required accounting for disclosures may be accomplished in different ways. Typically, the covered entity must provide the individual with an accounting of each disclosure by date, the PHI disclosed, the identity of the recipient of the PHI, and the purpose of the disclosure. However, where the covered entity has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy Rule provides for a simplified means of accounting. In such cases, the covered entity need only identify the recipient of such repetitive disclosures, the purpose of the disclosure, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period and a description of the frequency or periodicity of such disclosures. For example, the vast amount of data exchanged between covered entities and public health authorities is made through ongoing, regular reporting or inspection requirements. A covered health-care provider may routinely report all cases of measles it diagnoses to the local public health authority. An accounting of such disclosures to a requesting individual would need to identify the local public health authority receiving the PHI, the PHI disclosed, the purpose of the disclosure (required for communicable disease surveillance), the periodicity (weekly), and the first and last dates of such disclosures during the accounting period (May 1, 2003 to June 1, 2003). Thus, the covered entity would not need to annotate each patient’s medical record whenever a routine public health disclosure was made.
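The accounting logic described above (per-disclosure entries, the exemptions listed earlier, and the simplified summary for routine reporting streams) is the kind of thing a covered entity's disclosure log has to implement. The following Python example is added here as an illustration; it is not code from CDC, DHHS, or the MMWR report. The record layouts, the compliance date, the patient identifiers, and the measles reporting batches are all constructed for the example, and the exemption categories are the four named in the text, not an exhaustive reading of 45 CFR 164.528.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Tuple

# Assumed compliance date for this constructed covered entity (example value only).
COMPLIANCE_DATE = date(2003, 4, 14)

# Disclosure bases that the text lists as exempt from the accounting.
EXEMPT_BASES = frozenset({"tpo", "to_individual", "authorization", "limited_data_set"})


@dataclass(frozen=True)
class Disclosure:
    """One ad-hoc disclosure of a single patient's PHI (constructed record layout)."""
    patient_id: str
    disclosed_on: date
    recipient: str
    purpose: str
    phi: str
    basis: str  # e.g. "public_health", "required_by_law", "tpo", "authorization"


@dataclass(frozen=True)
class RoutineReport:
    """A standing reporting stream, e.g. weekly measles reports to the local health department.
    Each batch records the date it was sent and the patients whose PHI it contained, so the
    covered entity never annotates an individual chart for a routine report."""
    recipient: str
    purpose: str
    phi: str
    periodicity: str
    batches: Tuple[Tuple[date, FrozenSet[str]], ...]


def accountable(d: Disclosure, compliance_date: date = COMPLIANCE_DATE) -> bool:
    """A disclosure needs an entry unless it predates compliance or falls under an exemption."""
    return d.disclosed_on >= compliance_date and d.basis not in EXEMPT_BASES


def build_accounting(disclosures: List[Disclosure], routine_reports: List[RoutineReport],
                     patient_id: str, period_start: date, period_end: date,
                     compliance_date: date = COMPLIANCE_DATE) -> List[dict]:
    """Accounting entries for one patient over the requested period.

    Ad-hoc disclosures become one entry each (date, PHI, recipient, purpose).  A routine
    stream that carried the patient's PHI in the period becomes a single summary entry with
    recipient, purpose, PHI description, periodicity, and the first and last batch dates in
    the period, which is the simplified form the text describes."""
    entries: List[dict] = []
    for d in sorted(disclosures, key=lambda x: x.disclosed_on):
        if d.patient_id != patient_id or not (period_start <= d.disclosed_on <= period_end):
            continue
        if accountable(d, compliance_date):
            entries.append({"date": d.disclosed_on.isoformat(), "recipient": d.recipient,
                            "purpose": d.purpose, "phi": d.phi})
    for r in routine_reports:
        in_period = [(sent, ids) for sent, ids in r.batches
                     if period_start <= sent <= period_end and sent >= compliance_date]
        if not any(patient_id in ids for _, ids in in_period):
            continue  # this stream never carried this patient's PHI in the period
        dates = sorted(sent for sent, _ in in_period)
        entries.append({"recipient": r.recipient, "purpose": r.purpose, "phi": r.phi,
                        "periodicity": r.periodicity,
                        "first": dates[0].isoformat(), "last": dates[-1].isoformat()})
    return entries


# Constructed sample data: an invented disclosure log and one routine reporting stream.
SAMPLE_DISCLOSURES = [
    Disclosure("P-001", date(2003, 5, 3), "Referring physician", "treatment", "visit notes", "tpo"),
    Disclosure("P-001", date(2003, 5, 10), "State cancer registry",
               "cancer case report required by state law", "diagnosis, name, date of birth",
               "required_by_law"),
    Disclosure("P-001", date(2003, 3, 20), "State health department", "outbreak investigation",
               "lab result", "public_health"),  # before the compliance date
    Disclosure("P-002", date(2003, 5, 12), "County health department", "outbreak investigation",
               "lab result", "public_health"),
    Disclosure("P-001", date(2003, 5, 20), "Research foundation", "study enrollment",
               "full record", "authorization"),
]
MEASLES_REPORTS = RoutineReport(
    recipient="Local public health authority",
    purpose="communicable disease surveillance (required by law)",
    phi="measles case report: name, date of birth, onset date",
    periodicity="weekly",
    batches=((date(2003, 5, 1), frozenset({"P-001"})), (date(2003, 5, 8), frozenset()),
             (date(2003, 5, 15), frozenset({"P-002"})), (date(2003, 5, 22), frozenset()),
             (date(2003, 5, 29), frozenset()), (date(2003, 6, 5), frozenset({"P-003"}))),
)


def accounting_for(patient_id: str, start: date = date(2003, 5, 1),
                   end: date = date(2003, 6, 1)) -> List[dict]:
    """Accounting for a patient over the May 1 to June 1, 2003 period used in the text."""
    return build_accounting(SAMPLE_DISCLOSURES, [MEASLES_REPORTS], patient_id, start, end)


if __name__ == "__main__":
    for pid in ("P-001", "P-002", "P-003"):
        print(pid, accounting_for(pid))
```

For P-001 the result is two entries: the cancer registry report of May 10 (the TPO and authorized disclosures are exempt, and the March disclosure predates compliance) and one summary for the weekly measles stream spanning May 1 to May 29. P-003 appears only in the June 5 batch, outside the period, so the accounting is empty. Keeping stream membership in the batch record rather than in each chart is what lets the simplified accounting be produced without per-patient annotation.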

Notice of Privacy Practices

With certain exceptions, under the Privacy Rule, individuals have the right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, as well as their rights and the covered entity’s legal obligations. Notices must be in plain language and clearly posted. Certain covered entities must make a good faith effort to obtain an individual’s acknowledgment of receipt of this notice. In certain cases, notice may be provided electronically.

Minimum Necessary Standard

The Privacy Rule usually directs covered entities to limit the amount of information disclosed to the minimum necessary to achieve the specified goal [45 CFR § 164.514(d)(1)]. This requirement usually applies to disclosures to a public health agency. It would not apply, however, if the disclosure were required by law, authorized by the individual, or for treatment purposes. A covered entity may also reasonably rely on a public official’s determination that the information requested is the minimum necessary for the public health purpose.

Public Health Authorities Performing Covered Functions

Public health authorities at the federal, tribal, state, or local levels that perform covered functions (e.g., providing health care or insuring individuals for health-care costs) may be subject to the Privacy Rule’s provisions as covered entities. For example, a local public health authority that operates a health clinic providing essential health-care services to low-income persons and performs certain electronic transactions might be defined under the Privacy Rule as a covered health-care provider and, therefore, a covered entity. Flow charts and interactive tools designed to help determine covered entity status are provided online by the Centers for Medicare and Medicaid Services, available at http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp.

The following are examples of public health authority functions that make them covered entities:

• Public health authorities as covered health-care providers. A public health authority that conducts health care as part of its activities is a covered health-care provider if it also performs electronic transactions covered by the HIPAA Transactions Rule as part of these activities. The fact that these activities are conducted in pursuit of a public health goal (e.g., vaccinating children or screening a targeted population for sexually transmitted diseases) does not preclude the public health authority from being a covered entity.

• Public health authorities as health plans. Under the Privacy Rule, a health plan is an individual or group plan that provides or pays the cost of medical care. This specifically includes government health plans (e.g., Medicare, Medicaid, or Veterans Health Administration). However, the Privacy Rule defines health plan to exclude government-funded programs whose principal activity is the direct provision of health care to persons or the making of grants to fund the direct provision of health care to persons [45 CFR § 160.103]. Examples include the Ryan White Comprehensive AIDS Resources Emergency Act. Although certain government programs that fund providers directly may not be health plans, government programs that reimburse providers or otherwise fund providers to perform direct health-care services should carefully analyze the details of their programs to determine if they are performing covered functions.

• Public health authorities as health-care clearinghouses. Although unlikely, a public health authority might be a health-care clearinghouse if it receives health information from another entity and translates that information from a nonstandard format into a standard transaction or standard data elements (or vice versa). Operators of community health information systems should carefully consider whether they meet the definition for a health-care clearinghouse.

• Public health agencies as hybrid entities. A public health agency that is a covered entity and has both covered and noncovered functions may become a hybrid entity by designating its health-care components. By designating itself as a hybrid entity, a public health authority can carve out its noncovered functions so that the majority of Privacy Rule provisions apply only to its health-care component, which is required to comply with the Privacy Rule requirements, including using and disclosing PHI only as authorized, meeting the administrative requirements, accounting for disclosure of PHI, and providing a notice of practices. However, such a designation does not preclude the public health authority from continuing to conduct authorized public health functions. A covered entity that is also a public health authority may use, as well as disclose, PHI for public health purposes to the same extent it would be permitted to disclose the PHI as a public health authority.

The Privacy Rule and Public Health Research

The topic of research under the Privacy Rule is covered in depth in the DHHS report Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (6). The Privacy Rule provides separate provisions for disclosure without individual authorization for public health purposes and for certain research [45 CFR § 164.512(b)] [45 CFR § 164.512(i)]. Other federal law pertaining to research stresses the importance of distinguishing between research and practice to ensure that human subjects are appropriately protected [45 CFR Part 46]. For certain activities, this distinction is not always clear. A full discussion of the distinctions between public health practice and research is beyond the scope of this document. However, CDC and others provide guidance in this area (7–9).

Research Versus Practice

The definition of research is the same for the Privacy Rule and the Common Rule (10): systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Research is designed to test a hypothesis, permit conclusions to be drawn, and thereby to develop or contribute to generalizable knowledge. The majority of public health activities (e.g., public health surveillance and disease prevention and control projects) are based on scientific evidence and data collection or analytic methods similar to those used in research. However, they are not designed to contribute to generalizable knowledge. Their primary purpose is to protect the health of the population through such activities as disease surveillance, prevention, or control.

The Belmont Report (11) defines practice as interventions designed solely to enhance the well-being of a person, patient, or client and which have reasonable expectation of success. The report further states that the purpose of medical or behavioral practice is to provide diagnosis, preventive treatment, or therapy to particular patients. For public health agencies, the patient is the community. Public health practice activities (e.g., public health surveillance, disease control, or program evaluation) are undertaken with the intent to benefit a specific community, although occasionally they may provide unintended generalizable benefits to others.

Some public health activities that are initially public health practice may subsequently evolve into a research activity (e.g., an investigation to determine the cause of an outbreak that incorporates a research study evaluating the efficacy of a new drug to treat the illness). When that is the case, the disclosures may be made initially under the public health provisions of the Privacy Rule. But when the activity becomes an ongoing research activity, the entity should consider application of the relevant research disclosures provisions to continue to obtain information for this purpose. Moreover, there may be cases where the activity is both research and public health practice (e.g., an ongoing survey to monitor health conditions in the population, data from which can also be analyzed for research purposes). In those cases, disclosures may be made either under the research provisions or the public health provisions, as appropriate; the covered entity need not comply with both sets of requirements.

The Privacy Rule and Other Laws

• Federal laws. Covered entities subject to the Privacy Rule are also subject to other federal statutes and regulations. The specific relationship of the Privacy Rule and certain federal laws is discussed in the preamble to the December 2000 Final Rule [65 Fed. Reg. 82481]. In certain instances, the Privacy Rule imposes requirements in direct conflict with other federal laws or regulations. In those instances, an analysis will be necessary to determine whether the later provision was intended to overrule the prior law or regulation.

• State laws. As a federal regulatory standard, the Privacy Rule preempts only those contrary state laws relating to the privacy of individually identifiable health information that have less stringent requirements or standards than the Privacy Rule (i.e., more stringent laws remain in effect). In addition, DHHS may, upon specific request from a state or other entity or person, determine that a provision of state law that is contrary to the federal requirements and that meets certain additional criteria will not be preempted by the federal requirements. Thus, preemption of a contrary state law will not occur if the Secretary or designated DHHS official determines, in response to a request, that the state law 1) is necessary to prevent fraud and abuse related to the provision of or payment for health care; 2) is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation; 3) is necessary for state reporting on health-care delivery or costs; 4) is necessary to serve a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or 5) has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances. The Privacy Rule specifically does not preempt contrary state public health laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention [45 CFR § 160.202].

Online Resources

References to non-DHHS sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

Federal Government Resources

DHHS Office for Civil Rights: HIPAA guidelines
http://www.hhs.gov/ocr/hipaa

CDC: Privacy Rule guidelines
http://www.cdc.gov/privacyrule

Centers for Medicare and Medicaid Services
http://www.cms.gov/hipaa
http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp

Health Resources and Services Administration: HIPAA
http://www.hrsa.gov/website.htm

National Center for Health Statistics
http://www.cdc.gov/nchs/otheract/phdsc/phdsc.htm

National Committee on Vital and Health Statistics
http://www.ncvhs.hhs.gov

National Health Information Infrastructure
http://www.health.gov/ncvhs-nhii

Indian Health Service: HIPAA
http://www.ihs.gov/AdminMngrResources/HIPAA/index.cfm

National Institutes of Health
http://privacyruleandresearch.nih.gov

Substance Abuse and Mental Health Services Administration: HIPAA
http://www.samhsa.gov/hipaa

State Government Resources

California
http://www.dhs.ca.gov/hipaa
http://www.ohi.ca.gov/state/calohi/ohiHome.jsp
http://www.dmh.ca.gov/hipaa

Colorado
http://www.cdphe.state.co.us/HIPAA

Florida
http://www.myflorida.com/myflorida/sto/hipaa

Illinois
http://www.state.il.us/dpa/hipaa.html

Kentucky
http://chs.state.ky.us/dms/HIPAA/default.htm
http://dmhmrs.chr.state.ky.us/hipaa.asp

Maryland
http://www.mhcc.state.md.us/edi/hipaa_hipaa.htm
http://dhmh.state.md.us/HIPAA

Minnesota
http://www.dhs.state.mn.us/hipaa

Missouri
http://www.health.state.mo.us/HIPAA

New York
http://www.oft.state.ny.us/hipaa/index.htm

North Carolina
http://dirm.state.nc.us/hipaa

Ohio
http://www.state.oh.us/hipaa

Pennsylvania
http://www.dpw.state.pa.us/omap/hipaa/omaphipaa.asp
http://www.insurance.state.pa.us/html/hipaa.html

South Carolina
http://www.hipaa.state.sc.us

Texas
http://www.hhsc.state.tx.us/NDIS/NDISTaskForce.html

Virginia
http://www.dmas.state.va.us/hpa-home.htm

Wisconsin
http://www.dhfs.state.wi.us/HIPAA


Associations, Nonprofit Organizations, and Academic Resources

American Hospital Association: HIPAA
http://www.hospitalconnect.com/aha/key_issues/hipaa/resources/resources.html

American Medical Association: HIPAA
http://www.ama-assn.org/ama/pub/category/4234.html

Association of State and Territorial Health Officials: HIPAA
http://www.astho.org/?template=hipaa.html

Georgetown University Health Privacy Project
http://www.healthprivacy.org

Joint Healthcare Information Technology Alliance
http://www.jhita.org

National Association of Health Data Organizations
http://www.nahdo.org

National Association of Insurance Commissioners
http://www.naic.org/1privacy/initiatives/health_privacy.htm

National Governors Association: HIPAA
http://www.nga.org/center/topics/1,1188,C_CENTER_ISSUE^D_4324,00.html

North Carolina Healthcare Information and Communications Alliance
http://www.nchica.org

Public Health Grand Rounds, HIPAA Privacy Rule: Enhancing or Harming Public Health
http://www.publichealthgrandrounds.unc.edu

Stanford University Medical School: HIPAA
http://www.med.stanford.edu/HIPAA

Workgroup for Electronic Data Interchange: Strategic National Implementation Process
http://www.wedi.org/snip

Acknowledgments

This report was prepared by Salvatore Lucido, MPA, and Denise Koo, MD, Office of the Associate Director for Science, Epidemiology Program Office, CDC, in collaboration with James G. Hodge, Jr., JD, Center for Law and the Public’s Health, Georgetown and Johns Hopkins Universities, Baltimore, Maryland. The preparers are grateful for the participation of Deborah Tress, JD, Kenya Ford, JD, and Heather Horton, JD, Office of the General Counsel, Department of Health and Human Services, CDC/ATSDR Branch; the CDC Working Group on the Privacy Rule; and Beverly Dozier, JD, Lance A. Gable, JD, Lawrence O. Gostin, JD, Gail Horlick, JD, and Jennifer Kurle.

The preparers also thank the following partners for their valuable input: Association of State and Territorial Health Officers, Council of State and Territorial Epidemiologists, National Association of County and City Health Officials, National Association of Health Data Organizations, Association of Public Health Laboratories, and National Association for Public Health Statistics and Information Systems.


Appendix A: Selected Privacy Rule Concepts and Definitions

The following concepts and definitions are adapted from the regulatory language. For further information, see the citations to the Privacy Rule.

Accounting. An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures (a) to carry out treatment, payment, and health care operations [45 CFR § 164.506]; (b) to individuals of protected health information about them [45 CFR § 164.502]; (c) incident to a use or disclosure otherwise permitted or required by this subpart, as provided in 45 CFR § 164.502; (d) pursuant to an authorization as provided in 45 CFR § 164.508; (e) for the facility's directory or to persons involved in the individual's care or other notification purposes, as provided in 45 CFR § 164.510; (f) for national security or intelligence purposes, as provided in 45 CFR § 164.512(k)(2); (g) to correctional institutions or law enforcement officials, as provided in 45 CFR § 164.512(k)(5); (h) as part of a limited data set in accordance with 45 CFR § 164.514(e); or (i) that occurred prior to the compliance date for the covered entity... Such an accounting must meet the following requirements: (1) except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual, as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity; (2) except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure the date of the disclosure; the name of the entity or person who received the protected health information and, if known, the address of such entity or person; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such a statement, a copy of the individual's written authorization pursuant to 45 CFR § 164.508 or a copy of a written request for a disclosure under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, if any.

If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, the accounting may, with respect to such multiple disclosures, provide the information required by paragraph (b)(2) of 45 CFR § 164.528 for the first disclosure during the accounting period; the frequency, periodicity, or number of the disclosures made during the accounting period; and the date of the last such disclosure during the accounting period [45 CFR § 164.528].

Modified accounting procedures are also provided for covered entities making research disclosures involving >50 persons [45 CFR § 164.528(b)(4)].
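As an added illustration that is not part of the CDC report, the following Python sketch models the accounting described above: it keeps the per-disclosure fields the rule requires, drops the exempt categories and anything before the compliance date, applies the lookback window, and summarizes repeated disclosures to one recipient for one purpose as paragraph (b)(3) allows. The class, field and label names and the sample log are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Disclosure categories that 45 CFR 164.528(a)(1) exempts from the accounting,
# items (a)-(h) of the definition above. Labels are constructed for this example;
# item (i), disclosures before the compliance date, is handled as a date test.
EXEMPT_BASES = {
    "treatment_payment_operations", "to_individual", "incidental",          # (a)-(c)
    "authorization", "directory_or_involved_in_care", "national_security",  # (d)-(f)
    "correctional_or_law_enforcement_custody", "limited_data_set",          # (g)-(h)
}
# Repeated disclosures to one recipient for one purpose under these sections may
# be summarized (164.528(b)(3)).
SUMMARIZABLE_BASES = {"164.512", "164.502(a)(2)(ii)"}


@dataclass(frozen=True)
class Disclosure:
    when: date
    recipient: str          # entity or person who received the PHI
    address: Optional[str]  # address, if known
    description: str        # brief description of the PHI disclosed
    purpose: str            # brief statement of the purpose
    basis: str              # "164.512", "164.502(a)(2)(ii)", or an EXEMPT_BASES label


def _years_before(d: date, years: int) -> date:
    """Same month/day `years` earlier; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


class DisclosureLog:
    """Append-only disclosure record kept by a covered entity."""

    def __init__(self, compliance_date: date) -> None:
        self.compliance_date = compliance_date
        self._entries: List[Disclosure] = []

    def record(self, d: Disclosure) -> None:
        self._entries.append(d)

    def accounting(self, request_date: date, lookback_years: int = 6) -> List[dict]:
        """Accounting owed to an individual who asks on request_date (a shorter
        period may be requested; the six-year maximum may not be extended)."""
        if not 0 < lookback_years <= 6:
            raise ValueError("lookback must be between 1 and 6 years")
        window_start = _years_before(request_date, lookback_years)
        groups: Dict[Tuple[str, str, str], List[Disclosure]] = {}
        for d in sorted(self._entries, key=lambda e: e.when):
            if d.basis in EXEMPT_BASES or d.when < self.compliance_date:
                continue                                   # (a)-(h), (i)
            if not window_start <= d.when <= request_date:
                continue                                   # outside lookback
            groups.setdefault((d.recipient, d.purpose, d.basis), []).append(d)
        out: List[dict] = []
        for (recipient, purpose, basis), items in groups.items():
            first = items[0]
            entry = {"date": first.when.isoformat(), "recipient": recipient,
                     "address": first.address, "description": first.description,
                     "purpose": purpose, "basis": basis}
            if len(items) > 1 and basis in SUMMARIZABLE_BASES:
                # (b)(3): first disclosure in full, plus count and last date
                entry["count"] = len(items)
                entry["last_date"] = items[-1].when.isoformat()
                out.append(entry)
            else:                                          # list each one
                for d in items:
                    out.append(dict(entry, date=d.when.isoformat(),
                                    address=d.address, description=d.description))
        return out


def demo_accounting() -> List[dict]:
    """Constructed sample log and the accounting it yields for a 2009-06-30 request."""
    log = DisclosureLog(compliance_date=date(2003, 4, 14))  # constructed; use your own
    hd = ("State Health Department", "1 Capitol St (constructed)",
          "name, diagnosis, onset date", "communicable disease reporting", "164.512")
    for day in (date(2003, 3, 1),                          # before compliance: out
                date(2004, 1, 10), date(2004, 2, 10), date(2004, 3, 10)):
        log.record(Disclosure(day, *hd))
    log.record(Disclosure(date(2003, 5, 5), "County Coroner", None, "cause of death",
                          "identification of decedent", "164.512"))  # outside window
    log.record(Disclosure(date(2004, 1, 20), "Insurer", None, "claim", "billing",
                          "treatment_payment_operations"))           # exempt (a)
    log.record(Disclosure(date(2005, 5, 5), "Patient (self)", None, "full record",
                          "access request", "to_individual"))        # exempt (b)
    log.record(Disclosure(date(2006, 8, 8), "Secretary of HHS", None, "full record",
                          "compliance investigation", "164.502(a)(2)(ii)"))
    return log.accounting(date(2009, 6, 30))
```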

Business associate. A person who, on behalf of a covered entity or of an organized health care arrangement [45 CFR § 154.501] in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or any other function or activity regulated by this subchapter; or provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation [45 CFR § 164.501], management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health-care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the individual [45 CFR § 160.103].

Covered entity. 1) A health plan; 2) a health-care clearinghouse; 3) a health-care provider who transmits any health information in electronic form in connection with a transaction [45 CFR § 160.103].

Covered functions. Those functions of a covered entity the performance of which makes the entity a health plan, health-care provider, or health-care clearinghouse [45 CFR § 164.103].

Data aggregation. With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health-care operations of the respective covered entities [45 CFR § 164.501].

De-identified health information. Health information that does not identify an individual and with respect to which no reasonable basis exists to believe that the information can be used to identify an individual is not individually identifiable information [45 CFR § 164.514(a)].

Disclosure. The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information [45 CFR § 160.103].

Electronic media. 1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or 2) transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission [45 CFR § 160.103].

Health care. Care, services, or supplies related to the health of an individual. It includes, but is not limited to, 1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body; and 2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription [45 CFR § 160.103].

Health-care clearinghouse. A public or private entity, including a billing service, repricing company, community health management information system, community health information system, or value-added network or switch, that 1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or 2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity [45 CFR § 160.103].

Health-care operations. Any of the following activities of the covered entity to the extent that the activities are related to covered functions: 1) conducting quality assessment and improvement activities, population-based activities, and related functions that do not include treatment; 2) reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance, conducting training programs where students learn to practice or improve their skills as health-care providers, training of nonhealth-care professionals, accreditation, certification, licensing, or credentialing activities; 3) underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or benefits; 4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and 6) business management and general administrative activities of the entity [45 CFR § 164.501].

Health-care provider. A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health-care services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other individual or organization that furnishes, bills, or is paid for health care in the normal course of business [45 CFR § 160.103].

Health information. Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health-care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual [45 CFR § 160.103].

Health plan. An individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). Health plan includes the following, singly or in combination: (i) a group health plan, as defined in 45 CFR § 160.103 of the Privacy Rule; (ii) a health insurance issuer, as defined in 45 CFR § 160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 CFR § 160.103 of the Privacy Rule; (iv) Part A or B of the Medicare program under title XVIII of the Act; (v) the Medicaid program under title XIX of the Act, 42 U.S.C. 1396 et seq.; (vi) an issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)); (vii) an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy; (viii) an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers; (ix) the health care program for active military personnel under title 10, U.S.C.; (x) the veterans health-care program under 38 U.S.C. Ch. 17; (xi) the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)); (xii) the Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601 et seq.; (xiii) the Federal Employees Health Benefits Program under 5 U.S.C. 8902 et seq.; (xiv) an approved state child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397 et seq.; (xv) the Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28; (xvi) a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals; (xvii) any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) [45 CFR § 160.103].

The term health plan excludes (i) any policy, plan, or program to the extent that it provides or pays for the cost of excepted benefits that are listed in § 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and (ii) a government-funded program, other than the one listed in items (i)-(xvi) above, whose principal purpose is other than providing or paying the cost of health care, or whose principal activity is 1) the direct provision of health care to individuals or 2) the making of grants to fund the direct provision of health care to individuals [45 CFR § 160.103].

Hybrid entity. A single legal entity 1) that is a covered entity; 2) whose business activities include both covered and noncovered functions; and 3) that designates its health-care components [45 CFR § 164.103].

Individually identifiable health information. A subset of health information, including demographic information collected from an individual, that 1) is created or received by a health-care provider, health plan, employer, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or where there is a reasonable basis to believe the information can be used to identify the individual [45 CFR § 164.501].

Limited data set. Protected health information that excludes certain direct identifiers of the individual or of relatives, employers, or household members of the individual. Direct identifiers to be excluded can be found in 45 CFR § 164.514(e)(2).

Minimum necessary. For any type of disclosure that a covered entity makes on a routine and recurring basis, the covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. For all other disclosures, covered entities must develop and implement criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought, and review requests for disclosure on an individual basis in accordance with such criteria. A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when (a) making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose; (b) the information is requested by another covered entity; (c) the information is requested by their business associates providing personal services; or (d) documentation or representations that comply with the applicable requirements of 45 CFR § 164.512(i) have been provided by an individual requesting the information for research purposes [45 CFR § 164.514(d)(3)].

The minimum necessary standard also applies to uses of protected health information [45 CFR § 164.514(d)(2)] and requests for protected health information [45 CFR § 164.514(d)(4)].

Notice. An individual, with certain exceptions, has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. The notice must be written in plain language and contain the following elements: (i) a header, as specified in the rule; (ii) a description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and health care operations, and a description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written consent or authorization. If a use or disclosure is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law (as defined in 45 CFR § 160.202). Each description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule or other applicable law, and a statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by 45 CFR § 164.508(b)(5).

A separate statement must be included in the notice if a covered entity intends to engage in any of the following activities. The statement should explain that 1) the covered entity may contact the individual to provide appointment reminders or information regarding treatment alternatives or other health-related benefits; 2) the covered entity may contact the individual to raise funds for the covered entity; or 3) a group health plan, health insurer, or HMO with respect to a group health plan may disclose protected health information to the sponsor of the plan.

The notice must contain a statement of the individual's rights with respect to the protected health information and a brief description of how the individual may exercise these rights; a statement of the covered entity's duties; a statement that individuals may complain to the covered entity or the Secretary if they believe their privacy rights have been violated; contact information; and the effective date of the notice [45 CFR § 164.520].

Payment. 1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or (ii) a health-care provider or health plan to obtain or provide reimbursement for the provision of health care; and 2) the activities relate to the individual to whom health care is provided and include, but are not limited to, (i) determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; (ii) risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance), and related health-care data processing; (iv) review of health-care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: (a) name and address; (b) date of birth; (c) social security number; (d) payment history; (e) account number; and (f) name and address of the health-care provider or health plan [45 CFR § 164.501].

Protected health information (PHI). Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in (i) education records covered by the Family Education Rights and Privacy Act (20 U.S.C. 1232g); (ii) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a covered entity in its role as employer [45 CFR § 160.103].

Public health authority. An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or an individual or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or individuals or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate [45 CFR § 164.501].

Examples of public health authorities include state and local health departments, CDC, National Institutes of Health (NIH), Food and Drug Administration (FDA), and Occupational Safety and Health Administration (OSHA).

Required by law. A mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. This term includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health-care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits [45 CFR § 164.103].

Research. A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge [45 CFR § 164.501].

Statistical de-identification. A properly qualified statistician, using accepted analytical techniques, concludes that the risk is limited that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information [45 CFR § 164.514(b)].

Safe harbor method. A covered entity or its agent removes a comprehensive set of identifiers enumerated in the Privacy Rule, which includes but is not limited to names, geographic subdivisions smaller than states, dates more specific than years, contact information, identification numbers, and photographic images, and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual who is a subject of the information or the individual's relatives, employers, or household members. Eighteen specific identifiers will need to be removed to achieve de-identification [45 CFR § 164.514(b)].
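As an added example that is not from the report, the following Python code applies the safe harbor categories listed above to one record and then runs a mechanical check for identifiers that survive in free text, which is where the "no actual knowledge" condition most often bites; the over-89 age handling comes from the rule's date element and is not spelled out in the definition above. Field names and the sample record are constructed.

```python
import re
from datetime import date
from typing import Any, Dict, List, Tuple

# Field-to-category mapping. These field names are constructed for this example;
# a real system maps its own schema onto the rule's identifier list.
REMOVE_FIELDS = {
    "name", "relative_name", "employer_name",              # names
    "phone", "fax", "email", "street_address",             # contact information
    "ssn", "mrn", "health_plan_id", "account_number",      # identification numbers
    "device_serial", "ip_address", "url",
    "photo",                                               # photographic images
}
GEO_FIELDS = {"city", "county", "zip"}                     # subdivisions smaller than a state
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}  # keep the year only
# Full dates written inside free text (constructed patterns for two common formats).
FULL_DATE = re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b|\b\d{4}-\d{2}-\d{2}\b")


def _age_on(dob: date, as_of: date) -> int:
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def safe_harbor(record: Dict[str, Any], as_of: date) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Apply the safe harbor removals to one record.

    Returns (de-identified record, removed values). The removed values exist only
    so residual_check() can look for them in what remains; do not store them with
    the output. Ages over 89 collapse to "90 or older" and, in that case, the year
    of birth is dropped too (the rule's date element, 164.514(b)(2)(i)(C)).
    """
    out: Dict[str, Any] = {}
    removed: Dict[str, Any] = {}
    dob = record.get("dob")
    age = _age_on(dob, as_of) if dob is not None else None
    for key, value in record.items():
        if value is None:
            continue
        if key in REMOVE_FIELDS or key in GEO_FIELDS:
            removed[key] = value
        elif key in DATE_FIELDS:
            if key == "dob" and age is not None and age > 89:
                removed[key] = value          # birth year would reveal age > 89
            else:
                out[key] = str(value.year)    # no date element finer than the year
        else:
            out[key] = value                  # e.g. state, diagnosis, free text
    if age is not None:
        out["age"] = age if age <= 89 else "90 or older"
    return out, removed


def residual_check(deidentified: Dict[str, Any], removed: Dict[str, Any]) -> List[str]:
    """Mechanical aid to the 'no actual knowledge' condition: flag free text that
    still carries a removed value or a full date. Not a substitute for review."""
    findings: List[str] = []
    needles = [str(v).lower() for v in removed.values() if len(str(v)) >= 4]
    for key, value in deidentified.items():
        if not isinstance(value, str):
            continue
        text = value.lower()
        if any(n in text for n in needles):
            findings.append(f"{key}: contains a removed identifier")
        if FULL_DATE.search(text):
            findings.append(f"{key}: contains a full date")
    return findings


# Constructed sample record; every value is invented.
SAMPLE = {
    "name": "Jane Q. Sample",
    "dob": date(1930, 5, 17),
    "admission_date": date(2003, 4, 2),
    "city": "Springfield",
    "state": "IL",
    "zip": "62701",
    "phone": "555-0100",
    "mrn": "MRN-0001234",
    "diagnosis": "influenza",
    "notes": "Patient Jane Q. Sample admitted 04/02/2003 with fever.",
}
```

The findings list is the point: the structured fields are clean, but the clinical note still names the patient and gives a full admission date, so the record is not de-identified until that field is reviewed.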

Transaction. The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions that the Secretary may prescribe by regulation [45 CFR § 164.103].

Treatment. The provision, coordination, or management of health care and related services by one or more health-care providers, including the coordination or management of health care by a health-care provider with a third party, consultation between health-care providers relating to a patient, or the referral of a patient for health care from one health-care provider to another [45 CFR § 164.501].

Use. With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information [45 CFR § 160.103].


Appendix B: Sample Text That Can Be Used To Clarify Public Health Issues Under the Privacy Rule

Following are sample letters that can be used to help clarify Privacy Rule issues among covered entities and public health authorities (e.g., CDC, National Institutes of Health, Food and Drug Administration, Substance Abuse and Mental Health Services Administration, Health Resources and Services Administration, state and local health departments). Public health authorities can use these letters as templates by inserting names of the appropriate individuals, projects, agreements, laws, activity types, covered entities, public health authorities, and authorized agencies.

From a public health authority to a covered entity, clarifying rules regarding disclosure

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is conducting the activity described here in its capacity as a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities such as your organization may disclose, without individual authorization, protected health information to public health authorities "authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions."

[Public health authority] is conducting [project], a public health activity as described by 45 CFR § 164.512(b), and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule.

If you have questions or concerns, please contact [project leader].

From a public health authority to an authorized agency, providing grant of authority

Dear [authorized agency]:

This letter serves as verification of a grant of authority from [public health authority] for you to conduct the public health activities described here, acting as a public health authority pursuant to the Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act (HIPAA) [45 CFR Parts 160 and 164]. Under this rule, covered entities may disclose, without individual authorization, protected health information to public health authorities "authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions." The definition of a public health authority includes "an individual or entity acting under a grant of authority from or contract with such public agency."

[Authorized agency] is acting under [contract, grant, cooperative agreement] with [public health authority] to conduct [project], which is authorized by [law or regulation]. [Public health authority] grants this authority to [authorized agency] for purposes of this project. Further, [public health authority] considers this to be [activity type], for which disclosure of protected health information by covered entities is authorized by 45 CFR § 164.512(b) of the Privacy Rule.

From a public health authority to a covered entity, confirming grant of authority to an authorized agency

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities may disclose protected health information to public health authorities "authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions." The definition of public health authority includes "an individual or entity acting under a grant of authority from or contract with such public agency" [45 CFR § 164.501]. [Authorized agency] is acting under [contract, grant, or cooperative agreement] with [public health authority] to carry out [project]. Through this grant of authority, [authorized agency] may function as a public health authority under the Privacy Rule for purposes of this project.

[Project] is a public health activity as described by 45 CFR § 164.512(b), referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities "may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purposes when making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s)."

If you have questions or concerns, please contact [project leader for authorized agency, public health authority contact].

All MMWR references are available on the Internet at httpwwwcdcgovmmwr Use the search function to find specific articlesmdashmdashmdashmdashmdashmdash

Use of trade names and commercial sources is for identification only and does not imply endorsement by the US Department of Healthand Human Services

mdashmdashmdashmdashmdashmdashReferences to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement ofthese organizations or their programs by CDC or the US Department of Health and Human Services CDC is not responsible for thecontent of these sites URL addresses listed in MMWR were current as of the date of publication

MMWR

The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) andis available free of charge in electronic format and on a paid subscription basis for paper copy To receive an electronic copy each week sendan e-mail message to listservlistservcdcgov The body content should read SUBscribe mmwr-toc Electronic copy also is available fromCDCrsquos Internet server at httpwwwcdcgovmmwr or from CDCrsquos file transfer protocol server at ftpftpcdcgovpubpublicationsmmwr Tosubscribe for paper copy contact Superintendent of Documents US Government Printing Office Washington DC 20402 telephone202-512-1800

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

U.S. Government Printing Office: 2003-533-155/69108 Region IV

• Introduction
  • Impact on Public Health
• Overview of the Privacy Rule
  • Who Is Covered
  • Types of Health Information
  • What Is Required
• The Privacy Rule and Public Health
  • Disclosures for Public Health Purposes
  • Requirements for Covered Entities
• The Privacy Rule and Public Health Research
  • Research Versus Practice
• The Privacy Rule and Other Laws
• Online Resources
  • Federal Government Resources
  • State Government Resources
  • Associations, Nonprofit Organizations, and Academic Resources
• Acknowledgments
• References
• Appendix A
• Appendix B

6 MMWR April 11, 2003

activities preparatory to research, and 3) for research on a decedent's information.

• Abuse, neglect, or domestic violence. PHI may be disclosed to report abuse, neglect, or domestic violence under specified circumstances.

• Law enforcement. Covered entities may, under specified conditions, disclose PHI to law enforcement officials pursuant to a court order, subpoena, or other legal order; to help identify and locate a suspect, fugitive, or missing person; to provide information related to a victim of a crime or a death that may have resulted from a crime; or to report a crime.

• Judicial and administrative proceedings. A covered entity may disclose PHI in the course of a judicial or administrative proceeding under specified circumstances.

• Cadaveric organ, eye, or tissue donation purposes. Organ-procurement agencies may use PHI for the purposes of facilitating transplant.

• Oversight. Covered entities may usually disclose PHI to a health oversight agency for oversight activities authorized by law.

• Workers' compensation. The Privacy Rule permits disclosure of work-related health information as authorized by, and to the extent necessary to comply with, workers' compensation programs.

Other Authorized Disclosures

A valid authorization is required for any use or disclosure of PHI that is not required or otherwise permitted without authorization by the Privacy Rule. In general, these authorizations must

• specifically identify the PHI to be used or disclosed;
• provide the names of persons or organizations, or classes of persons or organizations, who will receive, use, or disclose the PHI;
• state the purpose for each request;
• notify individuals of their right to refuse to sign the authorization without negative consequences to treatment, payment, or health plan enrollment or benefit eligibility, except under specific circumstances;
• be signed and dated by the individual or the individual's personal representative;
• be written in plain language;
• include an expiration date or event;
• notify the individual of the right to revoke authorization at any time in writing and how to exercise that right, and any applicable exceptions to that right under the Privacy Rule; and
• explain the potential for the information to be subject to redisclosure by the recipient and no longer protected by the Privacy Rule.

The Privacy Rule and Public Health

The Privacy Rule recognizes 1) the legitimate need for public health authorities and others responsible for ensuring the public's health and safety to have access to PHI to conduct their missions, and 2) the importance of public health reporting by covered entities to identify threats to the public and individuals. Accordingly, the rule 1) permits PHI disclosures without a written patient authorization for specified public health purposes to public health authorities legally authorized to collect and receive the information for such purposes, and 2) permits disclosures that are required by state and local public health or other laws. However, because the Privacy Rule affects the traditional ways PHI is used and exchanged among covered entities (e.g., doctors, hospitals, and health insurers), it can affect public health practice and research in multiple ways. To prevent misconceptions, understanding the Privacy Rule is important for public health practice. Some illustrative examples are presented in this report (Box 4). Also provided are sample letters that might prove useful in clarifying relationships involving public health and the Privacy Rule (Appendix B).

A public health authority is broadly defined as including agencies or authorities of the United States, states, territories, political subdivisions of states or territories, American Indian tribes, or an individual or entity acting under a grant of authority from such agencies and responsible for public health matters as part of an official mandate. Public health authorities include federal public health agencies (e.g., CDC, National Institutes of Health [NIH], Health Resources and Services Administration [HRSA], Substance Abuse and Mental Health Services Administration [SAMHSA], Food and Drug Administration [FDA], or Occupational Safety and Health Administration [OSHA]), tribal health agencies, state public health agencies (e.g., public health departments or divisions, state cancer registries, and vital statistics departments), local public health agencies, and anyone performing public health functions under a grant of authority from a public health agency [45 CFR § 164.501].

Public health agencies often conduct their authorized public health activities with other entities by using different mechanisms (e.g., contracts and memoranda or letters of agreement). These other entities are public health authorities under the Privacy Rule with respect to the activities they conduct under a grant of authority from such a public health agency. A covered entity may disclose PHI to public health authorities and to these designated entities pursuant to the public health provisions of the Privacy Rule.

BOX 4. Examples of situations related to the Privacy Rule and public health

State cancer registry. Under a state law, health-care providers are required to report cancer cases to a state's cancer registry. Names are included to prevent duplicate reporting and counting. State law protects the confidentiality of the data. Can covered entities disclose the information under the Privacy Rule?

Privacy Rule effect. Covered entities may disclose PHI to a public health agency or any other entity when the disclosure is required by law. However, as covered entities, the providers must give an accounting to the persons whose PHI has been shared. The state agency may use and further disclose the PHI consistent with applicable state law.

State university-maintained cancer registry. Under a state law, health-care providers are mandated to report cancer cases to a state health department's cancer registry. The state health department contracts with a state university to receive the reports and maintain its registry. As covered entities, can health-care providers disclose PHI to the state university under the Privacy Rule?

Privacy Rule effect. As noted in the previous example, covered entities may disclose PHI without authorization to the cancer registry under the Privacy Rule, which expressly permits disclosure of PHI as required by law and sharing of PHI with public health authorities for public health purposes. The state university is acting under a grant of authority from a public health authority, the state health department. The university can use and disclose the information without authorization, consistent with its agreement with the state health department and applicable state law.

Early hearing detection and intervention. An early hearing detection and intervention program in a state needs data from two large hospitals. The state does not have a law requiring reporting of hearing loss. Under the Privacy Rule, can covered entities release results of newborn hearing-screening tests to the state program?

Privacy Rule effect. The Privacy Rule expressly permits release of PHI without authorization from a covered entity to a public health authority (e.g., the state health department) which is authorized by law to receive PHI for the purpose of controlling disease, injury, or disability. The rule does not require a state law mandating such disclosures for PHI to be released to a public health authority. Finally, the covered entities may rely upon the state's representation that the information requested is the minimum necessary for the purposes of the registry.

Disease registry maintained by private foundation. A private foundation maintains a disease registry as a way to support research and service for those with the disease. Can health-care providers release PHI to the foundation under the Privacy Rule?

Privacy Rule effect. Nongovernment disease registries (e.g., those maintained by foundations and other private organizations) are not considered public health authorities unless they have a grant of authority from a public health authority. With such a grant, covered entities may disclose PHI to the foundations. But without a grant of authority, PHI may be released only under one of the following situations:

• Release is authorized by the patient.
• The PHI is de-identified.
• The PHI is contained in a limited data set governed by a data-use agreement.
• Release of PHI is in accord with the rule's provisions for disclosure for research without authorization.
• Release is otherwise permitted by the rule (e.g., to entities subject to the jurisdiction of the Food and Drug Administration [FDA]) [45 CFR § 164.512(b)(1)(iii)].

Surveillance project. A state health department that is not a covered entity conducts a surveillance project on human immunodeficiency virus (HIV) and acquired immunodeficiency syndrome (AIDS). The HIV/AIDS surveillance project is an interview study. It asks for self-reported information from participants, including dates of diagnosis and visits for care. Is this PHI covered by the Privacy Rule?

Privacy Rule effect. Information collected directly from persons by a person, agency, or institution that is not a covered entity, including individually identifiable information, is not covered by the Privacy Rule.

The Privacy Rule permits covered entities to disclose PHI without authorization to public health authorities or other entities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability. This includes the reporting of disease or injury, reporting vital events (e.g., births or deaths), conducting public health surveillance, investigations, or interventions, reporting child abuse and neglect, and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices [45 CFR 164.512(b)]. Covered entities may report adverse events related to FDA-regulated products or activities to public agencies and private entities that are subject to FDA jurisdiction [45 CFR 164.512(b)(1)(iii)]. To protect the health of the public, public health authorities might need to obtain information related to the individuals affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority [45 CFR 164.512(b)(1)(i)].

To receive PHI for public health purposes, public health authorities should be prepared to verify their status and identity as public health authorities under the Privacy Rule. To verify its identity, an agency could provide any one of the following:

• if the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;
• if the request is in writing, the request is on the appropriate government letterhead;
• if the disclosure is to a person acting on behalf of a public health authority, a written statement on appropriate government letterhead that the person is acting under the government's authority [45 CFR § 164.514(h)(2)].

Public health authorities receiving information from covered entities as required or authorized by law [45 CFR 164.512(a)] [45 CFR 164.512(b)] are not business associates of the covered entities and therefore are not required to enter into business associate agreements. Public health authorities that are not covered entities also are not required to enter into business associate agreements with their public health partners and contractors. Also, after PHI is disclosed to a public health authority pursuant to the Privacy Rule, the public health authority (if it is not a covered entity) may maintain, use, and disclose the data consistent with the laws, regulations, and policies applicable to the public health authority.

Disclosures for Public Health Purposes

The Privacy Rule allows covered entities to disclose PHI to public health authorities when required by federal, tribal, state, or local laws [45 CFR 164.512(a)]. This includes state laws (or state procedures established under such law) that provide for receiving reporting of disease or injury, child abuse, birth, or death, or conducting public health surveillance, investigation, or intervention.

For disclosures not required by law, covered entities may still disclose, without authorization, to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, the minimum necessary information to accomplish the intended public health purpose of the disclosure [45 CFR 164.512(b)] (Box 1).

For example, to protect the health of the public, public health officials might need to obtain information related to persons affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. The Privacy Rule continues to allow for the existing practice of sharing PHI with public health authorities who are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting adverse events, reporting births and deaths, and investigating the occurrence and cause of injury and disease (1).

Although it is not a defined term, DHHS interpreted the phrase "authorized by law" to mean that a legal basis exists for the activity. Further, DHHS called the phrase "a term of art," including both actions that are permitted and actions that are required by law [64 FR 59929, November 3, 1999]. This does not mean a public health authority at the federal, tribal, state, or local level must have multiple disease- or condition-specific laws that authorize each collection of information. Public health authorities operate under broad mandates to protect the health of their constituent populations.

Requirements for Covered Entities

Accounting for Public Health Disclosures

Although the Privacy Rule permits disclosures of PHI to public health authorities, covered entities must comply with certain requirements related to these disclosures. One such requirement is that a covered entity must be able to provide an individual, upon request, with an accounting of certain disclosures of PHI. The covered entity is not required to account for all disclosures of PHI. For example, an accounting is not required for disclosures made

• prior to the covered entity's compliance date;
• for TPO purposes;
• to the individual or pursuant to the individual's written authorization; or
• as part of a limited data set.

However, usually an accounting is required for disclosures made without authorization, including public health purposes.

The required accounting for disclosures may be accomplished in different ways. Typically, the covered entity must provide the individual with an accounting of each disclosure by date, the PHI disclosed, the identity of the recipient of the PHI, and the purpose of the disclosure. However, where the covered entity has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy Rule provides for a simplified means of accounting. In such cases, the covered entity need only identify the recipient of such repetitive disclosures, the purpose of the disclosure, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period and a description of the frequency or periodicity of such disclosures. For example, the vast amount of data exchanged between covered entities and public health authorities is made through ongoing, regular reporting or inspection requirements. A covered health-care provider may routinely report all cases of measles it diagnoses to the local public health authority. An accounting of such disclosures to a requesting individual would need to identify the local public health authority receiving the PHI, the PHI disclosed, the purpose of the disclosure (required for communicable disease surveillance), the periodicity (weekly), and the first and last dates of such disclosures during the accounting period (May 1, 2003 to June 1, 2003). Thus, the covered entity would not need to annotate each patient's medical record whenever a routine public health disclosure was made.
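The accounting procedure described above, as an added Python example (it is not code from CDC or from this report): a covered entity's disclosure log is filtered to the requesting individual and the accounting period, the exempt categories listed above are dropped, and repetitive disclosures to one recipient for one purpose are collapsed into a single entry carrying the first and last dates and the periodicity, as in the measles example. The record layout, the exempt-purpose codes, the compliance date and the sample log entries are assumptions constructed for this example.

```python
"""Accounting of disclosures under the Privacy Rule (added example, not CDC code).

Models the accounting requirement described in the text: every non-exempt
disclosure of one individual's PHI in the accounting period is listed with its
date, recipient, PHI and purpose, except that repetitive disclosures to the
same recipient for the same purpose are summarised by first date, last date,
count and periodicity. Field names and purpose codes are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Disclosures the text says need NOT be accounted for: treatment, payment or
# health-care operations (TPO), to the individual, under the individual's
# written authorization, or as part of a limited data set. (Codes are assumed.)
EXEMPT_PURPOSES = {"TPO", "TO_INDIVIDUAL", "INDIVIDUAL_AUTHORIZATION", "LIMITED_DATA_SET"}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str        # constructed identifier, not a real record number
    disclosed_on: date
    recipient: str
    purpose: str           # a code from EXEMPT_PURPOSES or a free-text purpose
    phi: str               # description of the PHI disclosed


def accounting_of_disclosures(log, patient_id, compliance_date, period_start, period_end):
    """Return the accounting entries for one individual over an accounting period."""
    # Other patients' disclosures, disclosures before the covered entity's
    # compliance date, disclosures outside the requested period and
    # exempt-purpose disclosures are all left out of the accounting.
    relevant = [
        d for d in log
        if d.patient_id == patient_id
        and d.disclosed_on >= compliance_date
        and period_start <= d.disclosed_on <= period_end
        and d.purpose not in EXEMPT_PURPOSES
    ]
    # Repetitive disclosures: same recipient, same purpose, same description
    # of the PHI routinely disclosed.
    groups = defaultdict(list)
    for d in relevant:
        groups[(d.recipient, d.purpose, d.phi)].append(d.disclosed_on)

    entries = []
    for (recipient, purpose, phi), dates in groups.items():
        dates.sort()
        if len(dates) == 1:
            entries.append({"date": dates[0], "recipient": recipient,
                            "purpose": purpose, "phi": phi})
        else:
            # Simplified accounting: first and last date plus the typical
            # interval between disclosures instead of every individual date.
            gaps = [(b - a).days for a, b in zip(dates, dates[1:])]
            entries.append({"first": dates[0], "last": dates[-1],
                            "count": len(dates),
                            "periodicity_days": round(sum(gaps) / len(gaps)),
                            "recipient": recipient, "purpose": purpose, "phi": phi})
    entries.sort(key=lambda e: e.get("date") or e["first"])
    return entries


# Constructed sample log for the measles example: weekly case reports to the
# local health department plus disclosures that the accounting must exclude.
COMPLIANCE_DATE = date(2003, 4, 14)   # assumed compliance date for this entity
SAMPLE_LOG = [
    Disclosure("pt-001", date(2003, 4, 1), "Local public health authority",
               "communicable disease surveillance", "measles case report"),  # pre-compliance
    *[Disclosure("pt-001", date(2003, 5, 1) + timedelta(weeks=w),
                 "Local public health authority",
                 "communicable disease surveillance", "measles case report")
      for w in range(5)],                                                   # May 1 .. May 29
    Disclosure("pt-001", date(2003, 5, 6), "Referring physician", "TPO",
               "visit summary"),                                             # exempt (TPO)
    Disclosure("pt-001", date(2003, 5, 20), "State health oversight agency",
               "health oversight audit", "immunization record"),            # single entry
    Disclosure("pt-002", date(2003, 5, 8), "Local public health authority",
               "communicable disease surveillance", "measles case report"),  # other patient
]


def measles_example():
    """Accounting for pt-001 over May 1, 2003 to June 1, 2003."""
    return accounting_of_disclosures(SAMPLE_LOG, "pt-001", COMPLIANCE_DATE,
                                     date(2003, 5, 1), date(2003, 6, 1))


if __name__ == "__main__":
    for entry in measles_example():
        print(entry)
```

Run as a script, the example prints two entries: one summary for the five weekly measles reports (first May 1, last May 29, periodicity 7 days) and one dated entry for the oversight disclosure; the TPO disclosure, the pre-compliance report and the other patient's report never appear.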

Notice of Privacy Practices

With certain exceptions under the Privacy Rule, individuals have the right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, as well as their rights and the covered entity's legal obligations. Notices must be in plain language and clearly posted. Certain covered entities must make a good faith effort to obtain an individual's acknowledgment of receipt of this notice. In certain cases, notice may be provided electronically.

Minimum Necessary Standard

The Privacy Rule usually directs covered entities to limit the amount of information disclosed to the minimum necessary to achieve the specified goal [45 CFR § 164.514(d)(1)]. This requirement usually applies to disclosures to a public health agency. It would not apply, however, if the disclosure were required by law, authorized by the individual, or for treatment purposes. A covered entity may also reasonably rely on a public official's determination that the information requested is the minimum necessary for the public health purpose.

Public Health Authorities Performing Covered Functions

Public health authorities at the federal, tribal, state, or local levels that perform covered functions (e.g., providing health care or insuring individuals for health-care costs) may be subject to the Privacy Rule's provisions as covered entities. For example, a local public health authority that operates a health clinic providing essential health-care services to low-income persons and performs certain electronic transactions might be defined under the Privacy Rule as a covered health-care provider and therefore a covered entity. Flow charts and interactive tools designed to help determine covered entity status are provided online by the Centers for Medicare and Medicaid Services, available at http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp.

The following are examples of public health authority functions that make them covered entities:

• Public health authorities as covered health-care providers. A public health authority that conducts health care as part of its activities is a covered health-care provider if it also performs electronic transactions covered by the HIPAA Transactions Rule as part of these activities. The fact that these activities are conducted in pursuit of a public health goal (e.g., vaccinating children or screening a targeted population for sexually transmitted diseases) does not preclude the public health authority from being a covered entity.

• Public health authorities as health plans. Under the Privacy Rule, a health plan is an individual or group plan that provides or pays the cost of medical care. This specifically includes government health plans (e.g., Medicare, Medicaid, or Veterans Health Administration). However, the Privacy Rule defines health plan to exclude government-funded programs whose principal activity is the direct provision of health care to persons or the making of grants to fund the direct provision of health care to persons [45 CFR § 160.103]. Examples include the Ryan White Comprehensive AIDS Resources Emergency Act. Although certain government programs that fund providers directly may not be health plans, government programs that reimburse providers or otherwise fund providers to perform direct health-care services should carefully analyze the details of their programs to determine if they are performing covered functions.

• Public health authorities as health-care clearinghouses. Although unlikely, a public health authority might be a health-care clearinghouse if it receives health information from another entity and translates that information from a nonstandard format into a standard transaction or standard data elements (or vice versa). Operators of community health information systems should carefully consider whether they meet the definition for a health-care clearinghouse.

• Public health agencies as hybrid entities. A public health agency that is a covered entity and has both covered and noncovered functions may become a hybrid entity by designating its health-care components. By designating itself as a hybrid entity, a public health authority can carve out its noncovered functions so that the majority of Privacy Rule provisions apply only to its health-care component, which is required to comply with the Privacy Rule requirements, including using and disclosing PHI only as authorized, meeting the administrative requirements, accounting for disclosure of PHI, and providing a notice of practices. However, such a designation does not preclude the public health authority from continuing to conduct authorized public health functions. A covered entity that is also a public health authority may use, as well as disclose, PHI for public health purposes to the same extent it would be permitted to disclose the PHI as a public health authority.

The Privacy Rule and Public Health Research

The topic of research under the Privacy Rule is covered in depth in the DHHS report Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (6). The Privacy Rule provides separate provisions for disclosure without individual authorization for public health purposes and for certain research [45 CFR § 164.512(b)] [45 CFR § 164.512(i)]. Other federal law pertaining to research stresses the importance of distinguishing between research and practice to ensure that human subjects are appropriately protected [45 CFR Part 46]. For certain activities, this distinction is not always clear. A full discussion of the distinctions between public health practice and research is beyond the scope of this document. However, CDC and others provide guidance in this area (7–9).

Research Versus Practice

The definition of research is the same for the Privacy Rule and the Common Rule (10): systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Research is designed to test a hypothesis, permit conclusions to be drawn, and thereby to develop or contribute to generalizable knowledge. The majority of public health activities (e.g., public health surveillance and disease prevention and control projects) are based on scientific evidence and data collection or analytic methods similar to those used in research. However, they are not designed to contribute to generalizable knowledge. Their primary purpose is to protect the health of the population through such activities as disease surveillance, prevention, or control.

The Belmont Report (11) defines practice as interventions designed solely to enhance the well-being of a person, patient, or client and which have reasonable expectation of success. The report further states that the purpose of medical or behavioral practice is to provide diagnosis, preventive treatment, or therapy to particular patients. For public health agencies, the patient is the community. Public health practice activities (e.g., public health surveillance, disease control, or program evaluation) are undertaken with the intent to benefit a specific community, although occasionally they may provide unintended generalizable benefits to others.

Some public health activities that are initially public health practice may subsequently evolve into a research activity (e.g., an investigation to determine the cause of an outbreak that incorporates a research study evaluating the efficacy of a new drug to treat the illness). When that is the case, the disclosures may be made initially under the public health provisions of the Privacy Rule. But when the activity becomes an ongoing research activity, the entity should consider application of the relevant research disclosure provisions to continue to obtain information for this purpose. Moreover, there may be cases where the activity is both research and public health practice (e.g., an ongoing survey to monitor health conditions in the population, data from which can also be analyzed for research purposes). In those cases, disclosures may be made either under the research provisions or the public health provisions, as appropriate; the covered entity need not comply with both sets of requirements.

The Privacy Rule and Other Laws

• Federal laws. Covered entities subject to the Privacy Rule are also subject to other federal statutes and regulations. The specific relationship of the Privacy Rule and certain federal laws is discussed in the preamble to the December 2000 Final Rule [65 Fed. Reg. 82481]. In certain instances, the Privacy Rule imposes requirements in direct conflict with other federal laws or regulations. In those instances, an analysis will be necessary to determine whether the later provision was intended to overrule the prior law or regulation.

• State laws. As a federal regulatory standard, the Privacy Rule preempts only those contrary state laws relating to the privacy of individually identifiable health information that have less stringent requirements or standards than the Privacy Rule (i.e., more stringent laws remain in effect). In addition, DHHS may, upon specific request from a state or other entity or person, determine that a provision of state law that is contrary to the federal requirements and that meets certain additional criteria will not be preempted by the federal requirements. Thus, preemption of a contrary state law will not occur if the Secretary or designated DHHS official determines, in response to a request, that the state law 1) is necessary to prevent fraud and abuse related to the provision of or payment for health care; 2) is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation; 3) is necessary for state reporting on health-care delivery or costs; 4) is necessary to serve a compelling public health, safety, or welfare need and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or 5) has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances. The Privacy Rule specifically does not preempt contrary state public health laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention [45 CFR § 160.202].

Online Resources

References to non-DHHS sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

Federal Government Resources

DHHS Office for Civil Rights: HIPAA guidelines
http://www.hhs.gov/ocr/hipaa

CDC: Privacy Rule guidelines
http://www.cdc.gov/privacyrule

Centers for Medicare and Medicaid Services
http://www.cms.gov/hipaa
http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp

Health Resources and Services Administration: HIPAA
http://www.hrsa.gov/website.htm

National Center for Health Statistics
http://www.cdc.gov/nchs/otheract/phdsc/phdsc.htm

National Committee on Vital and Health Statistics
http://www.ncvhs.hhs.gov

National Health Information Infrastructure
http://www.health.gov/ncvhs-nhii

Indian Health Service: HIPAA
http://www.ihs.gov/AdminMngrResources/HIPAA/index.cfm

National Institutes of Health
http://privacyruleandresearch.nih.gov

Substance Abuse and Mental Health Services Administration: HIPAA
http://www.samhsa.gov/hipaa

State Government Resources

California
http://www.dhs.ca.gov/hipaa
http://www.ohi.ca.gov/state/calohi/ohiHome.jsp
http://www.dmh.ca.gov/hipaa

Colorado
http://www.cdphe.state.co.us/HIPAA

Florida
http://www.myflorida.com/myflorida/sto/hipaa

Illinois
http://www.state.il.us/dpa/hipaa.html

Kentucky
http://chs.state.ky.us/dms/HIPAA/default.htm
http://dmhmrs.chr.state.ky.us/hipaa.asp

Maryland
http://www.mhcc.state.md.us/edi/hipaa_hipaa.htm
http://dhmh.state.md.us/HIPAA

Minnesota
http://www.dhs.state.mn.us/hipaa

Missouri
http://www.health.state.mo.us/HIPAA

New York
http://www.oft.state.ny.us/hipaa/index.htm

North Carolina
http://dirm.state.nc.us/hipaa

Ohio
http://www.state.oh.us/hipaa

Pennsylvania
http://www.dpw.state.pa.us/omap/hipaa/omaphipaa.asp
http://www.insurance.state.pa.us/html/hipaa.html

South Carolina
http://www.hipaa.state.sc.us

Texas
http://www.hhsc.state.tx.us/NDIS/NDISTaskForce.html

Virginia
http://www.dmas.state.va.us/hpa-home.htm

Wisconsin
http://www.dhfs.state.wi.us/HIPAA

Associations, Nonprofit Organizations, and Academic Resources

American Hospital Association: HIPAA
http://www.hospitalconnect.com/aha/key_issues/hipaa/resources/resources.html

American Medical Association: HIPAA
http://www.ama-assn.org/ama/pub/category/4234.html

Association of State and Territorial Health Officials: HIPAA
http://www.astho.org/?template=hipaa.html

Georgetown University Health Privacy Project
http://www.healthprivacy.org

Joint Healthcare Information Technology Alliance
http://www.jhita.org

National Association of Health Data Organizations
http://www.nahdo.org

National Association of Insurance Commissioners
http://www.naic.org/1privacy/initiatives/health_privacy.htm

National Governors Association: HIPAA
http://www.nga.org/center/topics/1,1188,C_CENTER_ISSUE^D_4324,00.html

North Carolina Healthcare Information and Communications Alliance
http://www.nchica.org

Public Health Grand Rounds: HIPAA Privacy Rule: Enhancing or Harming Public Health?
http://www.publichealthgrandrounds.unc.edu

Stanford University Medical School: HIPAA
http://www.med.stanford.edu/HIPAA

Workgroup for Electronic Data Interchange: Strategic National Implementation Process
http://www.wedi.org/snip

Acknowledgments

This report was prepared by Salvatore Lucido, MPA, and Denise Koo, MD, Office of the Associate Director for Science, Epidemiology Program Office, CDC, in collaboration with James G. Hodge, Jr., JD, Center for Law and the Public's Health, Georgetown and Johns Hopkins Universities, Baltimore, Maryland. The preparers are grateful for the participation of Deborah Tress, JD, Kenya Ford, JD, and Heather Horton, JD, Office of the General Counsel, Department of Health and Human Services, CDC/ATSDR Branch; the CDC Working Group on the Privacy Rule; and Beverly Dozier, JD, Lance A. Gable, JD, Lawrence O. Gostin, JD, Gail Horlick, JD, and Jennifer Kurle.

The preparers also thank the following partners for their valuable input: Association of State and Territorial Health Officers, Council of State and Territorial Epidemiologists, National Association of County and City Health Officials, National Association of Health Data Organizations, Association of Public Health Laboratories, and National Association for Public Health Statistics and Information Systems.


Appendix A
Selected Privacy Rule Concepts and Definitions

The following concepts and definitions are adapted from the regulatory language. For further information, see the citations to the Privacy Rule.

Accounting: An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures (a) to carry out treatment, payment, and health care operations [45 CFR § 164.506]; (b) to individuals of protected health information about them [45 CFR § 164.502]; (c) incident to a use or disclosure otherwise permitted or required by this subpart, as provided in 45 CFR § 164.502; (d) pursuant to an authorization as provided in 45 CFR § 164.508; (e) for the facility's directory or to persons involved in the individual's care or other notification purposes as provided in 45 CFR § 164.510; (f) for national security or intelligence purposes as provided in 45 CFR § 164.512(k)(2); (g) to correctional institutions or law enforcement officials as provided in 45 CFR § 164.512(k)(5); (h) as part of a limited data set in accordance with 45 CFR § 164.514(e); or (i) that occurred prior to the compliance date for the covered entity... Such an accounting must meet the following requirements: (1) except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity; (2) except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: the date of the disclosure; the name of the entity or person who received the protected health information and, if known, the address of such entity or person; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such a statement, a copy of the individual's written authorization pursuant to 45 CFR § 164.508 or a copy of a written request for a disclosure under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, if any.

If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, the accounting may, with respect to such multiple disclosures, provide the information required by paragraph (b)(2) of 45 CFR § 164.528 for the first disclosure during the accounting period; the frequency, periodicity, or number of the disclosures made during the accounting period; and the date of the last such disclosure during the accounting period [45 CFR § 164.528].

Modified accounting procedures are also provided for covered entities making research disclosures involving >50 persons [45 CFR § 164.528(b)(4)].
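A worked illustration of the accounting requirement just described, added here and not part of the CDC report: a small ledger that records the fields the Rule lists for each disclosure, leaves out disclosures on an excluded basis (treatment, payment and operations, disclosures to the individual, disclosures under an authorization), applies the six-year look-back or the shorter period the individual asks for, and collapses repeated disclosures to one recipient for one purpose into a single summarised line. The `basis` tags, field names, and sample entries are constructed assumptions for the example, not anything the report or the Rule prescribes.

```python
"""Accounting-of-disclosures ledger (added example; constructed data).

Models the per-disclosure fields the Privacy Rule's accounting provision
lists (date, recipient name and address if known, description of the PHI,
purpose), the exclusion of certain disclosure types, the six-year look-back,
and the summarised form allowed for repeated disclosures to one recipient
for one purpose.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed tags for the legal basis of a disclosure. "tpo" stands for
# treatment, payment and health-care operations; these three bases are
# among those the Rule excludes from the accounting.
EXCLUDED_BASES = {"tpo", "to_individual", "authorization"}


@dataclass(frozen=True)
class Disclosure:
    when: date
    recipient: str
    address: Optional[str]   # recorded "if known"
    description: str         # brief description of the PHI disclosed
    purpose: str             # brief statement of the purpose of the disclosure
    basis: str               # constructed tag, e.g. "tpo" or "public_health"


def years_before(d: date, years: int) -> date:
    """Start of the look-back window; 29 February falls back to the 28th."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


@dataclass
class DisclosureLedger:
    entries: list = field(default_factory=list)

    def record(self, d: Disclosure) -> None:
        self.entries.append(d)

    def accounting(self, requested_on: date, years: int = 6) -> list:
        """Accounting owed to the individual for a request made on `requested_on`.

        `years` defaults to the six-year maximum; the individual may ask for
        a shorter period. Multiple disclosures to the same recipient for the
        same purpose become one line carrying the first disclosure's details,
        the number of disclosures, and the date of the last one.
        """
        start = years_before(requested_on, years)
        in_scope = sorted(
            (e for e in self.entries
             if start <= e.when <= requested_on and e.basis not in EXCLUDED_BASES),
            key=lambda e: e.when,
        )
        groups = defaultdict(list)
        for e in in_scope:
            groups[(e.recipient, e.purpose)].append(e)
        lines = []
        for (recipient, purpose), ds in groups.items():
            first = ds[0]
            line = {
                "date": first.when.isoformat(),
                "recipient": recipient,
                "address": first.address,
                "description": first.description,
                "purpose": purpose,
            }
            if len(ds) > 1:
                line["count"] = len(ds)
                line["last_date"] = ds[-1].when.isoformat()
            lines.append(line)
        return lines


def sample_ledger() -> DisclosureLedger:
    """Constructed sample entries: three weekly case reports to one health
    department, one payment disclosure, one very old report, one investigation."""
    ledger = DisclosureLedger()
    hd, purpose = "State Health Department", "reporting of a reportable disease"
    addr = "1 Capitol St (constructed address)"
    ledger.record(Disclosure(date(1997, 1, 10), hd, addr, "case report", purpose, "public_health"))
    for day in (2, 9, 16):
        ledger.record(Disclosure(date(2001, 3, day), hd, addr, "case report", purpose, "public_health"))
    ledger.record(Disclosure(date(2002, 6, 15), "Example Health Plan", None,
                             "claim for reimbursement", "payment", "tpo"))
    ledger.record(Disclosure(date(2003, 1, 20), "County Health Department", None,
                             "contact-tracing interview record",
                             "public health investigation", "public_health"))
    return ledger


def demo_accounting(years: int = 6) -> list:
    """Accounting for a request dated 11 April 2003, the report's date."""
    return sample_ledger().accounting(date(2003, 4, 11), years)
```

With the six-year default the 1997 report falls outside the window and the payment disclosure is excluded, leaving two lines: the three weekly reports summarised as one line (first date, count 3, last date) and the single investigation disclosure. Passing `years=1` narrows the accounting to the 2003 disclosure only, as the individual is entitled to request.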

Business associate: A person who, on behalf of a covered entity or of an organized health care arrangement [45 CFR § 154.501] in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or any other function or activity regulated by this subchapter; or provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation [45 CFR § 164.501], management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health-care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the individual [45 CFR § 160.103].

Covered entity: 1) a health plan; 2) a health-care clearinghouse; 3) a health-care provider who transmits any health information in electronic form in connection with a transaction [45 CFR § 160.103].

Covered functions: Those functions of a covered entity the performance of which makes the entity a health plan, health-care provider, or health-care clearinghouse [45 CFR § 164.103].

Data aggregation: With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health-care operations of the respective covered entities [45 CFR § 164.501].

De-identified health information: Health information that does not identify an individual and with respect to which no reasonable basis exists to believe that the information can be used to identify an individual is not individually identifiable information [45 CFR § 164.514(a)].

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information [45 CFR § 160.103].

Electronic media: 1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or 2) transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission [45 CFR § 160.103].

Health care: Care, services, or supplies related to the health of an individual. It includes, but is not limited to, 1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body; and 2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription [45 CFR § 160.103].

Health-care clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and value-added network or switch, that 1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or 2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity [45 CFR § 160.103].

Health-care operations: Any of the following activities of the covered entity to the extent that the activities are related to covered functions: 1) conducting quality assessment and improvement activities, population-based activities, and related functions that do not include treatment; 2) reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance, conducting training programs where students learn to practice or improve their skills as health-care providers, training of nonhealth-care professionals, accreditation, certification, licensing, or credentialing activities; 3) underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or benefits; 4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and 6) business management and general administrative activities of the entity [45 CFR § 164.501].

Health-care provider: A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health-care services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other individual or organization that furnishes, bills, or is paid for health care in the normal course of business [45 CFR § 160.103].

Health information: Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health-care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual [45 CFR § 160.103].

Health plan: An individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). Health plan includes the following, singly or in combination: (i) a group health plan, as defined in 45 CFR § 160.103 of the Privacy Rule; (ii) a health insurance issuer, as defined in 45 CFR § 160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 CFR § 160.103 of the Privacy Rule; (iv) Part A or B of the Medicare program under title XVIII of the Act; (v) the Medicaid program under title XIX of the Act, 42 U.S.C. 1396 et seq.; (vi) an issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)); (vii) an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy; (viii) an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers; (ix) the health care program for active military personnel under title 10 U.S.C.; (x) the veterans health-care program under 38 U.S.C. Ch. 17; (xi) the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)); (xii) the Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601 et seq.; (xiii) the Federal Employees Health Benefits Program under 5 U.S.C. 8902 et seq.; (xiv) an approved state child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397 et seq.; (xv) the Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28; (xvi) a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals; (xvii) any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) [45 CFR § 160.103].

The term health plan excludes (i) any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in § 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and (ii) a government-funded program, other than the ones listed in items (i)-(xvi) above, whose principal purpose is other than providing, or paying the cost of, health care, or whose principal activity is 1) the direct provision of health care to individuals or 2) the making of grants to fund the direct provision of health care to individuals [45 CFR § 160.103].

Hybrid entity: A single legal entity 1) that is a covered entity; 2) whose business activities include both covered and noncovered functions; and 3) that designates its health-care components [45 CFR § 164.103].

Individually identifiable health information: A subset of health information, including demographic information collected from an individual, that 1) is created or received by a health-care provider, health plan, employer, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual, or where there is a reasonable basis to believe the information can be used to identify the individual [45 CFR § 164.501].

Limited data set: Protected health information that excludes certain direct identifiers of the individual or of relatives, employers, or household members of the individual. Direct identifiers to be excluded can be found in 45 CFR § 164.514(e)(2).

Minimum necessary: For any type of disclosure that a covered entity makes on a routine and recurring basis, the covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. For all other disclosures, covered entities must develop and implement criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought, and review requests for disclosure on an individual basis in accordance with such criteria. A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when (a) making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose; (b) the information is requested by another covered entity; (c) the request comes from their business associates providing professional services; or (d) documentation or representations that comply with the applicable requirements of 45 CFR § 164.512(i) have been provided by an individual requesting the information for research purposes [45 CFR § 164.514(d)(3)].

The minimum necessary standard also applies to uses of protected health information [45 CFR § 164.514(d)(2)] and requests for protected health information [45 CFR § 164.514(d)(4)].

Notice: An individual, with certain exceptions, has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. The notice must be written in plain language and contain the following elements: (i) a header, as specified in the rule; (ii) a description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and health care operations, and a description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written consent or authorization. If a use or disclosure is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law (as defined in 45 CFR § 160.202). Each description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule or other applicable law, and a statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by 45 CFR § 164.508(b)(5).

A separate statement must be included in the notice if a covered entity intends to engage in any of the following activities. The statement should explain that 1) the covered entity may contact the individual to provide appointment reminders or information regarding treatment alternatives or other health-related benefits; 2) the covered entity may contact the individual to raise funds for the covered entity; or 3) a group health plan, health insurer, or HMO with respect to a group health plan may disclose protected health information to the sponsor of the plan.

The notice must contain a statement of the individual's rights with respect to the protected health information and a brief description of how the individual may exercise these rights; a statement of the covered entity's duties; a statement that individuals may complain to the covered entity or the Secretary if they believe their privacy rights have been violated; contact information; and the effective date of the notice [45 CFR § 164.520].

Payment: 1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or (ii) a health-care provider or health plan to obtain or provide reimbursement for the provision of health care; and 2) the activities relate to the individual to whom health care is provided and include, but are not limited to, (i) determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; (ii) risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance), and related health-care data processing; (iv) review of health-care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: (a) name and address; (b) date of birth; (c) social security number; (d) payment history; (e) account number; and (f) name and address of the health-care provider or health plan [45 CFR § 164.501].

Protected health information (PHI): Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in (i) education records covered by the Family Education Rights and Privacy Act (20 U.S.C. 1232g); (ii) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a covered entity in its role as employer [45 CFR § 160.103].

Public health authority: An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or an individual or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or individuals or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate [45 CFR § 164.501].

Examples of public health authorities include state and local health departments, CDC, National Institutes of Health (NIH), Food and Drug Administration (FDA), and Occupational Safety and Health Administration (OSHA).

Required by law: A mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. This term includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health-care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits [45 CFR § 164.103].

Research: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge [45 CFR § 164.501].

Statistical de-identification: A properly qualified statistician, using accepted analytical techniques, concludes that the risk is limited that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information [45 CFR § 164.514(b)].

Safe harbor method: A covered entity or its agent removes a comprehensive set of identifiers enumerated in the Privacy Rule, which includes, but is not limited to, names, geographic subdivisions smaller than states, dates more specific than years, contact information, identification numbers, and photographic images, and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual who is a subject of the information or the individual's relatives, employers, or household members. Eighteen specific identifiers will need to be removed to achieve de-identification [45 CFR § 164.514(b)].
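The safe harbor method above is easy to state and easy to get wrong in practice, so here is an added example, not from the CDC report, of a de-identification pass over one constructed patient record. It removes the identifier categories the definition names, keeps only the year of dates, collapses ages over 89 into a single "90+" band (a requirement from the full identifier list in 45 CFR § 164.514(b)(2), not from the summary above), and finishes with a scan for identifier-shaped values left inside free text, which is where safe-harbor processing usually fails. The field names, regular expressions, and sample record are assumptions constructed for the example; the Rule's "no actual knowledge" condition remains a human judgement that no code makes.

```python
"""Safe-harbor de-identification of a patient record (added example).

Field names, patterns and the sample record are constructed for the
illustration; the authoritative list of the 18 identifiers is in
45 CFR 164.514(b)(2).
"""
import re
from datetime import date

# Constructed mapping from record fields to the identifier categories the
# safe-harbor definition names. Every field listed here is removed outright.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "full_name",                         # names
    "street", "city", "county", "zip",           # geographic subdivisions below state
    "phone", "fax", "email", "url", "ip",        # contact / electronic identifiers
    "ssn", "mrn", "account_number", "health_plan_id",
    "license_plate", "device_serial",            # identification numbers
    "photo",                                     # full-face photographic images
}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed patterns for identifier-shaped values hiding in free text.
RESIDUAL_PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b|\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def year_only(value) -> int:
    """Reduce a date (object or ISO string) to its year, the only element kept."""
    if isinstance(value, str):
        value = date.fromisoformat(value)
    return value.year


def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into one '90+' category."""
    return "90+" if age > 89 else str(age)


def safe_harbor(record: dict) -> dict:
    """Return a copy of `record` with safe-harbor identifier categories removed."""
    over_89 = int(record.get("age", 0)) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                       # identifier category: drop the field
        if key in DATE_FIELDS:
            # A birth year for someone over 89 still reveals the age band, so
            # it goes too; other dates keep their year.
            if key == "birth_date" and over_89:
                continue
            out[key + "_year"] = year_only(value)
        elif key == "age":
            out["age"] = generalize_age(int(value))
        else:
            out[key] = value
    return out


def residual_identifiers(record: dict) -> list:
    """Fields whose text still contains identifier-shaped values (needs review)."""
    return [key for key, value in record.items()
            if isinstance(value, str)
            and any(p.search(value) for p in RESIDUAL_PATTERNS.values())]


# Constructed sample record; every value is invented for the example.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "birth_date": date(1912, 5, 3),
    "age": 90,
    "street": "1 Example St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62701",
    "phone": "217-555-0100",
    "mrn": "MRN-000123",
    "admission_date": date(2003, 2, 14),
    "diagnosis": "pertussis",
    "notes": "Contact at 217-555-0100 on 2003-02-16",
}


def deidentify_sample() -> tuple:
    """De-identify the sample record and list fields still needing review."""
    cleaned = safe_harbor(SAMPLE_RECORD)
    return cleaned, residual_identifiers(cleaned)
```

On the sample record the structured identifiers are gone, the state and diagnosis survive, the admission date becomes `admission_date_year: 2003`, the age becomes `90+` with the birth year dropped, and the free-text `notes` field is flagged because it still carries a phone number and a full date. That last step is the point: a field-based strip alone would have shipped those values.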

Transaction: The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions that the Secretary may prescribe by regulation [45 CFR § 164.103].

Treatment: The provision, coordination, or management of health care and related services by one or more health-care providers, including the coordination or management of health care by a health-care provider with a third party; consultation between health-care providers relating to a patient; or the referral of a patient for health care from one health-care provider to another [45 CFR § 164.501].

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information [45 CFR § 160.103].


Appendix BSample Text That Can Be Used To Clarify Public Health Issues

Under the Privacy Rule

pursuant to the Standards for Privacy of Individually Identifi-able Health Information promulgated under the HealthInsurance Portability and Accountability Act (HIPAA) [45CFR Parts 160 and 164)] Under this rule covered entitiesmay disclose without individual authorization protectedhealth information to public health authorities ldquo autho-rized by law to collect or receive such information for the pur-pose of preventing or controlling disease injury or disabilityincluding but not limited to the reporting of disease injuryvital events such as birth or death and the conduct of publichealth surveillance public health investigations and publichealth interventions rdquo The definition of a public health au-thority includes ldquo an individual or entity acting under a grantof authority from or contract with such public agency rdquo

[Authorized agency] is acting under [contract grant coop-erative agreement] with [public health authority] to conduct[project] which is authorized by [law or regulation] [Publichealth authority] grants this authority to [authorized agency]for purposes of this project Further [public health authority]considers this to be [activity type] for which disclosure ofprotected health information by covered entities is authorizedby 45 CFR sect 164512(b) of the Privacy Rule

From a public health authority to a covered entity con-firming grant of authority to an authorized agencyTo Whom It May Concern

[Public health authority] is an agency of [parent authority]and is a public health authority as defined by the HealthInsurance Portability and Accountability Act (HIPAA) Stan-dards for Privacy of Individually Identifiable Health Informa-tion Final Rule (Privacy Rule)[45 CFR sect 164501] Pursuantto 45 CFR sect 164512(b) of the Privacy Rule covered entitiesmay disclose protected health information to public healthauthorities ldquo authorized by law to collect or receive suchinformation for the purpose of preventing or controlling dis-ease injury or disability including but not limited to thereporting of disease injury vital events such as birth or deathand the conduct of public health surveillance public healthinvestigations and public health interventions rdquo The defi-nition of public health authority includes ldquo an individualor entity acting under a grant of authority from or contractwith such public agency rdquo [45 CFR sect 164501] [Autho-rized agency] is acting under [contract grant or cooperativeagreement] with [public health authority] to carry out [project]

Following are sample letters that can be used to help clarifyPrivacy Rule issues among covered entities and public healthauthorities (eg CDC National Institutes of Health Foodand Drug Administration Substance Abuse and Mental HealthServices Administration Health Resources and ServicesAdministration state and local health departments) Publichealth authorities can use these letters as templates by insert-ing names of the appropriate individuals projects agreementslaws activity types covered entities public health authoritiesand authorized agencies

From a public health authority to a covered entity clari-fying rules regarding disclosureTo Whom it May Concern

[Public health authority] is an agency of [parent authority]and is conducting the activity described here in its capacity asa public health authority as defined by the Health InsurancePortability and Accountability Act (HIPAA) Standards forPrivacy of Individually Identifiable Health Information FinalRule (Privacy Rule) [45 CFR sect164501] Pursuant to 45 CFRsect164512(b) of the Privacy Rule covered entities such as yourorganization may disclose without individual authorizationprotected health information to public health authorities ldquo authorized by law to collect or receive such information forthe purpose of preventing or controlling disease injury ordisability including but not limited to the reporting of dis-ease injury vital events such as birth or death and the con-duct of public health surveillance public health investigationsand public health interventions rdquo

[Public health authority] is conducting [project] a publichealth activity as described by 45 CFR sect 164512(b) and isauthorized by [law or regulation] The information beingrequested represents the minimum necessary to carry out thepublic health purposes of this project pursuant to 45 CFRsect164514(d) of the Privacy Rule

If you have questions or concerns please contact [projectleader]

From a public health authority to an authorized agencyproviding grant of authorityDear [authorized agency]

This letter serves as verification of a grant of authority from[public health authority] for you to conduct the public healthactivities described here acting as a public health authority

20 MMWR April 11 2003

Through this grant of authority [authorized agency] may func-tion as a public health authority under the Privacy Rule forpurposes of this project

[Project] is a public health activity as described by 45 CFRsect 164512(b) referenced previously and is authorized by [lawor regulation] The information being requested represents theminimum necessary to carry out the public health purposes ofthis project pursuant to 45 CFR sect 164514(d) of the PrivacyRule The Privacy Rule provides that covered entities ldquo

may rely if such reliance is reasonable under the circumstanceson a requested disclosure as the minimum necessary for thestated purposes when making disclosures to public officialsthat are permitted under 45 CFR sect 164512 if the publicofficial represents that the information requested is the mini-mum necessary for the stated purposes(s)rdquo

If you have questions or concerns, please contact [project leader for authorized agency; public health authority contact].

All MMWR references are available on the Internet at http://www.cdc.gov/mmwr. Use the search function to find specific articles.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

MMWR

The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) and is available free of charge in electronic format and on a paid subscription basis for paper copy. To receive an electronic copy each week, send an e-mail message to listserv@listserv.cdc.gov. The body content should read SUBscribe mmwr-toc. Electronic copy also is available from CDC's Internet server at http://www.cdc.gov/mmwr or from CDC's file transfer protocol server at ftp://ftp.cdc.gov/pub/publications/mmwr. To subscribe for paper copy, contact Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone 202-512-1800.

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

U.S. Government Printing Office: 2003-533-155/69108 Region IV


BOX 4. Examples of situations related to the Privacy Rule and public health

State cancer registry. Under a state law, health-care providers are required to report cancer cases to a state's cancer registry. Names are included to prevent duplicate reporting and counting. State law protects the confidentiality of the data. Can covered entities disclose the information under the Privacy Rule?

Privacy Rule effect. Covered entities may disclose PHI to a public health agency or any other entity when the disclosure is required by law. However, as covered entities, the providers must give an accounting to the persons whose PHI has been shared. The state agency may use and further disclose the PHI consistent with applicable state law.

State university-maintained cancer registry. Under a state law, health-care providers are mandated to report cancer cases to a state health department's cancer registry. The state health department contracts with a state university to receive the reports and maintain its registry. As covered entities, can health-care providers disclose PHI to the state university under the Privacy Rule?

Privacy Rule effect. As noted in the previous example, covered entities may disclose, without authorization, PHI to the cancer registry under the Privacy Rule, which expressly permits disclosure of PHI as required by law and sharing of PHI with public health authorities for public health purposes. The state university is acting under a grant of authority from a public health authority, the state health department. The university can use and disclose the information without authorization, consistent with its agreement with the state health department and applicable state law.

Early hearing detection and intervention. An early hearing detection and intervention program in a state needs data from two large hospitals. The state does not have a law requiring reporting of hearing loss. Under the Privacy Rule, can covered entities release results of newborn hearing-screening tests to the state program?

Privacy Rule effect. The Privacy Rule expressly permits release of PHI without authorization from a covered entity to a public health authority (e.g., the state health department) which is authorized by law to receive PHI for the purpose of controlling disease, injury, or disability. The rule does not require a state law mandating such disclosures for PHI to be released to a public health authority. Finally, the covered entities may rely upon the state's representation that the information requested is the minimum necessary for the purposes of the registry.

Disease registry maintained by private foundation. A private foundation maintains a disease registry as a way to support research and service for those with the disease. Can health-care providers release PHI to the foundation under the Privacy Rule?

Privacy Rule effect. Nongovernment disease registries (e.g., those maintained by foundations and other private organizations) are not considered public health authorities unless they have a grant of authority from a public health authority. With such a grant, covered entities may disclose PHI to the foundations. But without a grant of authority, PHI may be released only under one of the following situations:

• Release is authorized by the patient.
• The PHI is de-identified.
• The PHI is contained in a limited data set governed by a data-use agreement.
• Release of PHI is in accord with the rule's provisions for disclosure for research without authorization.
• Release is otherwise permitted by the rule (e.g., to entities subject to the jurisdiction of the Food and Drug Administration (FDA) [45 CFR § 164.512(b)(1)(iii)]).

Surveillance project. A state health department that is not a covered entity conducts a surveillance project on human immunodeficiency virus (HIV) and acquired immunodeficiency syndrome (AIDS). The HIV/AIDS surveillance project is an interview study. It asks for self-reported information from participants, including dates of diagnosis and visits for care. Is this PHI covered by the Privacy Rule?

Privacy Rule effect. Information collected directly from persons by a person, agency, or institution that is not a covered entity, including individually identifiable information, is not covered by the Privacy Rule.

and to these designated entities pursuant to the public healthprovisions of the Privacy Rule

The Privacy Rule permits covered entities to disclose PHI, without authorization, to public health authorities or other entities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability. This includes the reporting of disease or injury; reporting vital events (e.g., births or deaths); conducting public health surveillance, investigations, or interventions; reporting child abuse and neglect; and monitoring adverse outcomes related to food (including dietary supplements), drugs, biological products, and medical devices [45 CFR 164.512(b)]. Covered entities may report adverse events related to FDA-regulated products or activities to public agencies and private entities that are subject to FDA jurisdiction [45 CFR 164.512(b)(1)(iii)]. To protect the health of the public, public health authorities might need to obtain information related to the individuals affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority [45 CFR 164.512(b)(1)(i)].

To receive PHI for public health purposes, public health authorities should be prepared to verify their status and identity as public health authorities under the Privacy Rule. To verify its identity, an agency could provide any one of the following:

• if the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;

• if the request is in writing, the request is on the appropriate government letterhead;

• if the disclosure is to a person acting on behalf of a public health authority, a written statement on appropriate government letterhead that the person is acting under the government's authority [45 CFR § 164.514(h)(2)].

Public health authorities receiving information from covered entities as required or authorized by law [45 CFR 164.512(a)] [45 CFR 164.512(b)] are not business associates of the covered entities and, therefore, are not required to enter into business associate agreements. Public health authorities that are not covered entities also are not required to enter into business associate agreements with their public health partners and contractors. Also, after PHI is disclosed to a public health authority pursuant to the Privacy Rule, the public health authority (if it is not a covered entity) may maintain, use, and disclose the data consistent with the laws, regulations, and policies applicable to the public health authority.

Disclosures for Public Health Purposes

The Privacy Rule allows covered entities to disclose PHI to public health authorities when required by federal, tribal, state, or local laws [45 CFR 164.512(a)]. This includes state laws (or state procedures established under such law) that provide for receiving reporting of disease or injury, child abuse, birth, or death, or conducting public health surveillance, investigation, or intervention.

For disclosures not required by law, covered entities may still disclose, without authorization, to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, the minimum necessary information to accomplish the intended public health purpose of the disclosure [45 CFR 164.512(b)] (Box 1).

For example, to protect the health of the public, public health officials might need to obtain information related to persons affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. The Privacy Rule continues to allow for the existing practice of sharing PHI with public health authorities who are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting adverse events, reporting births and deaths, and investigating the occurrence and cause of injury and disease (1).

Although it is not a defined term, DHHS interpreted the phrase "authorized by law" to mean that a legal basis exists for the activity. Further, DHHS called the phrase "a term of art" including both actions that are permitted and actions that are required by law [64 FR 59929, November 3, 1999]. This does not mean a public health authority at the federal, tribal, state, or local level must have multiple disease- or condition-specific laws that authorize each collection of information. Public health authorities operate under broad mandates to protect the health of their constituent populations.

Requirements for Covered Entities

Accounting for Public Health Disclosures

Although the Privacy Rule permits disclosures of PHI to public health authorities, covered entities must comply with certain requirements related to these disclosures. One such requirement is that a covered entity must be able to provide an individual, upon request, with an accounting of certain disclosures of PHI. The covered entity is not required to account for all disclosures of PHI. For example, an accounting is not required for disclosures made

• prior to the covered entity's compliance date;
• for TPO purposes;
• to the individual or pursuant to the individual's written authorization; or
• as part of a limited data set.

However, usually an accounting is required for disclosures made without authorization, including public health purposes.

The required accounting for disclosures may be accomplished in different ways. Typically, the covered entity must provide the individual with an accounting of each disclosure by date, the PHI disclosed, the identity of the recipient of the PHI, and the purpose of the disclosure. However, where the covered entity has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy Rule provides for a simplified means of accounting. In such cases, the covered entity need only identify the recipient of such repetitive disclosures, the purpose of the disclosure, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period and a description of the frequency or periodicity of such disclosures. For example, the vast amount of data exchanged between covered entities and public health authorities is made through ongoing, regular reporting or inspection requirements. A covered health-care provider may routinely report all cases of measles it diagnoses to the local public health authority. An accounting of such disclosures to a requesting individual would need to identify the local public health authority receiving the PHI, the PHI disclosed, the purpose of the disclosure (required for communicable disease surveillance), the periodicity (weekly), and the first and last dates of such disclosures during the accounting period (May 1, 2003 to June 1, 2003). Thus, the covered entity would not need to annotate each patient's medical record whenever a routine public health disclosure was made.
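The accounting rules described above (exempt disclosures left out, repetitive disclosures to one recipient for one purpose collapsed to first date, last date and periodicity), worked through on the measles scenario as an added Python example that is not part of the MMWR report; the disclosure-log record shape, the patient identifier and the April 14, 2003 compliance date are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Purposes the Privacy Rule exempts from the accounting, as listed above: TPO,
# disclosures to the individual or under the individual's authorization, and
# limited data sets. The tag strings themselves are constructed for this example.
EXEMPT_PURPOSES = {
    "treatment", "payment", "health care operations",
    "to the individual", "individual authorization", "limited data set",
}


@dataclass(frozen=True)
class Disclosure:
    """One disclosure of PHI as a covered entity might log it (constructed shape)."""
    patient_id: str
    disclosed_on: date
    recipient: str
    purpose: str
    phi_description: str


def describe_periodicity(dates: List[date]) -> str:
    """Label the spacing between consecutive (already sorted) disclosure dates."""
    gaps = {(later - earlier).days for earlier, later in zip(dates, dates[1:])}
    if gaps == {1}:
        return "daily"
    if gaps == {7}:
        return "weekly"
    if gaps and gaps <= {28, 29, 30, 31}:
        return "monthly"
    return f"irregular ({len(dates)} disclosures)"


def accounting_for(patient_id: str, log: List[Disclosure], period_start: date,
                   period_end: date, compliance_date: date) -> List[dict]:
    """Build one individual's accounting of disclosures for [period_start, period_end].

    Exempt disclosures and those made before the covered entity's compliance date
    are dropped. Repeated disclosures to the same recipient for the same purpose
    collapse into one summary entry (first date, last date, periodicity), which is
    the simplified accounting the text describes; every other disclosure is itemized.
    """
    in_scope = [
        d for d in log
        if d.patient_id == patient_id
        and d.purpose not in EXEMPT_PURPOSES
        and d.disclosed_on >= compliance_date
        and period_start <= d.disclosed_on <= period_end
    ]
    groups: Dict[Tuple[str, str], List[Disclosure]] = defaultdict(list)
    for d in in_scope:
        groups[(d.recipient, d.purpose)].append(d)

    entries = []
    for (recipient, purpose), items in groups.items():
        items.sort(key=lambda d: d.disclosed_on)
        dates = [d.disclosed_on for d in items]
        entry = {"recipient": recipient, "purpose": purpose,
                 "phi": items[0].phi_description}
        if len(items) == 1:
            entry.update(kind="itemized", date=dates[0])
        else:
            entry.update(kind="summary", first_date=dates[0], last_date=dates[-1],
                         count=len(items), periodicity=describe_periodicity(dates))
        entries.append(entry)
    # Order the accounting by each entry's first (or only) disclosure date.
    entries.sort(key=lambda e: e["date"] if e["kind"] == "itemized" else e["first_date"])
    return entries


def sample_accounting() -> List[dict]:
    """Run the measles scenario from the text over a constructed disclosure log."""
    patient = "PATIENT-001"  # placeholder identifier
    measles = "measles case report: name, date of birth, onset date"
    log = [
        # Weekly measles reports to the local public health authority.
        *[Disclosure(patient, date(2003, 5, day), "Local public health authority",
                     "communicable disease surveillance", measles)
          for day in (1, 8, 15, 22, 29)],
        # A one-off disclosure for a public health investigation: itemized.
        Disclosure(patient, date(2003, 5, 10), "State health department",
                   "public health investigation", "exposure history"),
        # Sent to a payer: exempt from the accounting (TPO).
        Disclosure(patient, date(2003, 5, 12), "Health plan", "payment", "claim"),
        # Made before the assumed compliance date: exempt.
        Disclosure(patient, date(2003, 4, 3), "Local public health authority",
                   "communicable disease surveillance", measles),
        # Falls outside the requested accounting period.
        Disclosure(patient, date(2003, 6, 5), "Local public health authority",
                   "communicable disease surveillance", measles),
        # Belongs to another individual.
        Disclosure("PATIENT-002", date(2003, 5, 8), "Local public health authority",
                   "communicable disease surveillance", measles),
    ]
    return accounting_for(patient, log, period_start=date(2003, 5, 1),
                          period_end=date(2003, 6, 1),
                          compliance_date=date(2003, 4, 14))  # assumed


if __name__ == "__main__":
    for entry in sample_accounting():
        print(entry)
```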

Notice of Privacy Practices

With certain exceptions under the Privacy Rule, individuals have the right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, as well as their rights and the covered entity's legal obligations. Notices must be in plain language and clearly posted. Certain covered entities must make a good faith effort to obtain an individual's acknowledgment of receipt of this notice. In certain cases, notice may be provided electronically.

Minimum Necessary Standard

The Privacy Rule usually directs covered entities to limit the amount of information disclosed to the minimum necessary to achieve the specified goal [45 CFR § 164.514(d)(1)]. This requirement usually applies to disclosures to a public health agency. It would not apply, however, if the disclosure were required by law, authorized by the individual, or for treatment purposes. A covered entity may also reasonably rely on a public official's determination that the information requested is the minimum necessary for the public health purpose.

Public Health Authorities Performing Covered Functions

Public health authorities at the federal, tribal, state, or local levels that perform covered functions (e.g., providing health care or insuring individuals for health-care costs) may be subject to the Privacy Rule's provisions as covered entities. For example, a local public health authority that operates a health clinic providing essential health-care services to low-income persons and performs certain electronic transactions might be defined under the Privacy Rule as a covered health-care provider and, therefore, a covered entity. Flow charts and interactive tools designed to help determine covered entity status are provided online by the Centers for Medicare and Medicaid Services, available at http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp.

The following are examples of public health authority functions that make them covered entities:

• Public health authorities as covered health-care providers. A public health authority that conducts health care as part of its activities is a covered health-care provider if it also performs electronic transactions covered by the HIPAA Transactions Rule as part of these activities. The fact that these activities are conducted in pursuit of a public health goal (e.g., vaccinating children or screening a targeted population for sexually transmitted diseases) does not preclude the public health authority from being a covered entity.

• Public health authorities as health plans. Under the Privacy Rule, a health plan is an individual or group plan that provides or pays the cost of medical care. This specifically includes government health plans (e.g., Medicare, Medicaid, or Veterans Health Administration). However, the Privacy Rule defines health plan to exclude government-funded programs whose principal activity is the direct provision of health care to persons or the making of grants to fund the direct provision of health care to persons [45 CFR § 160.103]. Examples include the Ryan White Comprehensive AIDS Resources Emergency Act. Although certain government programs that fund providers directly may not be health plans, government programs that reimburse providers or otherwise fund providers to perform direct health-care services should carefully analyze the details of their programs to determine if they are performing covered functions.

• Public health authorities as health-care clearinghouses. Although unlikely, a public health authority might be a health-care clearinghouse if it receives health information from another entity and translates that information from a nonstandard format into a standard transaction or standard data elements (or vice versa). Operators of community health information systems should carefully consider whether they meet the definition for a health-care clearinghouse.

• Public health agencies as hybrid entities. A public health agency that is a covered entity and has both covered and noncovered functions may become a hybrid entity by designating its health-care components. By designating itself as a hybrid entity, a public health authority can carve out its noncovered functions so that the majority of Privacy Rule provisions apply only to its health-care component, which is required to comply with the Privacy Rule requirements, including using and disclosing PHI only as authorized, meeting the administrative requirements, accounting for disclosure of PHI, and providing a notice of practices. However, such a designation does not preclude the public health authority from continuing to conduct authorized public health functions. A covered entity that is also a public health authority may use, as well as disclose, PHI for public health purposes to the same extent it would be permitted to disclose the PHI as a public health authority.

The Privacy Rule and Public Health Research

The topic of research under the Privacy Rule is covered in depth in the DHHS report Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (6). The Privacy Rule provides separate provisions for disclosure without individual authorization for public health purposes and for certain research [45 CFR § 164.512(b)] [45 CFR § 164.512(i)]. Other federal law pertaining to research stresses the importance of distinguishing between research and practice to ensure that human subjects are appropriately protected [45 CFR Part 46]. For certain activities, this distinction is not always clear. A full discussion of the distinctions between public health practice and research is beyond the scope of this document. However, CDC and others provide guidance in this area (7–9).

Research Versus Practice

The definition of research is the same for the Privacy Rule and the Common Rule (10): systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Research is designed to test a hypothesis, permit conclusions to be drawn, and thereby to develop or contribute to generalizable knowledge. The majority of public health activities (e.g., public health surveillance and disease prevention and control projects) are based on scientific evidence and data collection or analytic methods similar to those used in research. However, they are not designed to contribute to generalizable knowledge. Their primary purpose is to protect the health of the population through such activities as disease surveillance, prevention, or control.

The Belmont Report (11) defines practice as interventions designed solely to enhance the well-being of a person, patient, or client and which have reasonable expectation of success. The report further states that the purpose of medical or behavioral practice is to provide diagnosis, preventive treatment, or therapy to particular patients. For public health agencies, the patient is the community. Public health practice activities (e.g., public health surveillance, disease control, or program evaluation) are undertaken with the intent to benefit a specific community, although occasionally they may provide unintended generalizable benefits to others.

Some public health activities that are initially public health practice may subsequently evolve into a research activity (e.g., an investigation to determine the cause of an outbreak that incorporates a research study evaluating the efficacy of a new drug to treat the illness). When that is the case, the disclosures may be made initially under the public health provisions of the Privacy Rule. But when the activity becomes an ongoing research activity, the entity should consider application of the relevant research disclosures provisions to continue to obtain information for this purpose. Moreover, there may be cases where the activity is both research and public health practice (e.g., an ongoing survey to monitor health conditions in the population, data from which can also be analyzed for research purposes). In those cases, disclosures may be made either under the research provisions or the public health provisions, as appropriate; the covered entity need not comply with both sets of requirements.

The Privacy Rule and Other Laws

• Federal laws. Covered entities subject to the Privacy Rule are also subject to other federal statutes and regulations. The specific relationship of the Privacy Rule and certain federal laws is discussed in the preamble to the December 2000 Final Rule [65 Fed. Reg. 82481]. In certain instances, the Privacy Rule imposes requirements in direct conflict with other federal laws or regulations. In those instances, an analysis will be necessary to determine whether the later provision was intended to overrule the prior law or regulation.

• State laws. As a federal regulatory standard, the Privacy Rule preempts only those contrary state laws relating to the privacy of individually identifiable health information that have less stringent requirements or standards than the Privacy Rule (i.e., more stringent laws remain in effect). In addition, DHHS may, upon specific request from a state or other entity or person, determine that a provision of state law that is contrary to the federal requirements and that meets certain additional criteria will not be preempted by the federal requirements. Thus, preemption of a contrary state law will not occur if the Secretary or designated DHHS official determines, in response to a request, that the state law 1) is necessary to prevent fraud and abuse related to the provision of or payment for health care; 2) is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation; 3) is necessary for state reporting on health-care delivery or costs; 4) is necessary to serve a compelling public health, safety, or welfare need and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or 5) has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances. The Privacy Rule specifically does not preempt contrary state public health laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention [45 CFR § 160.202].

Online Resources

References to non-DHHS sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

Federal Government Resources

DHHS Office for Civil Rights: HIPAA guidelines
http://www.hhs.gov/ocr/hipaa

CDC: Privacy Rule guidelines
http://www.cdc.gov/privacyrule

Centers for Medicare and Medicaid Services
http://www.cms.gov/hipaa
http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp

Health Resources and Services Administration: HIPAA
http://www.hrsa.gov/website.htm

National Center for Health Statistics
http://www.cdc.gov/nchs/otheract/phdsc/phdsc.htm

National Committee on Vital and Health Statistics
http://www.ncvhs.hhs.gov

National Health Information Infrastructure
http://www.health.gov/ncvhs-nhii

Indian Health Service: HIPAA
http://www.ihs.gov/AdminMngrResources/HIPAA/index.cfm

National Institutes of Health
http://privacyruleandresearch.nih.gov

Substance Abuse and Mental Health Services Administration: HIPAA
http://www.samhsa.gov/hipaa

State Government Resources

California
http://www.dhs.ca.gov/hipaa
http://www.ohi.ca.gov/state/calohi/ohiHome.jsp
http://www.dmh.ca.gov/hipaa

Colorado
http://www.cdphe.state.co.us/HIPAA

Florida
http://www.myflorida.com/myflorida/sto/hipaa

Illinois
http://www.state.il.us/dpa/hipaa.html

Kentucky
http://chs.state.ky.us/dms/HIPAA/default.htm
http://dmhmrs.chr.state.ky.us/hipaa.asp

Maryland
http://www.mhcc.state.md.us/edi/hipaa_hipaa.htm
http://dhmh.state.md.us/HIPAA

Minnesota
http://www.dhs.state.mn.us/hipaa

Missouri
http://www.health.state.mo.us/HIPAA

New York
http://www.oft.state.ny.us/hipaa/index.htm

North Carolina
http://dirm.state.nc.us/hipaa

Ohio
http://www.state.oh.us/hipaa

Pennsylvania
http://www.dpw.state.pa.us/omap/hipaa/omaphipaa.asp
http://www.insurance.state.pa.us/html/hipaa.html

South Carolina
http://www.hipaa.state.sc.us

Texas
http://www.hhsc.state.tx.us/NDIS/NDISTaskForce.html

Virginia
http://www.dmas.state.va.us/hpa-home.htm

Wisconsin
http://www.dhfs.state.wi.us/HIPAA

Associations, Nonprofit Organizations, and Academic Resources

American Hospital Association: HIPAA
http://www.hospitalconnect.com/aha/key_issues/hipaa/resources/resources.html

American Medical Association: HIPAA
http://www.ama-assn.org/ama/pub/category/4234.html

Association of State and Territorial Health Officials: HIPAA
http://www.astho.org/?template=hipaa.html

Georgetown University Health Privacy Project
http://www.healthprivacy.org

Joint Healthcare Information Technology Alliance
http://www.jhita.org

National Association of Health Data Organizations
http://www.nahdo.org

National Association of Insurance Commissioners
http://www.naic.org/1privacy/initiatives/health_privacy.htm

National Governors Association: HIPAA
http://www.nga.org/center/topics/1,1188,C_CENTER_ISSUE^D_4324,00.html

North Carolina Healthcare Information and Communications Alliance
http://www.nchica.org

Public Health Grand Rounds: HIPAA Privacy Rule, Enhancing or Harming Public Health?
http://www.publichealthgrandrounds.unc.edu

Stanford University Medical School: HIPAA
http://www.med.stanford.edu/HIPAA

Workgroup for Electronic Data Interchange: Strategic National Implementation Process
http://www.wedi.org/snip

Acknowledgments

This report was prepared by Salvatore Lucido, MPA, and Denise Koo, MD, Office of the Associate Director for Science, Epidemiology Program Office, CDC, in collaboration with James G. Hodge, Jr., JD, Center for Law and the Public's Health, Georgetown and Johns Hopkins Universities, Baltimore, Maryland. The preparers are grateful for the participation of Deborah Tress, JD, Kenya Ford, JD, and Heather Horton, JD, Office of the General Counsel, Department of Health and Human Services, CDC/ATSDR Branch; the CDC Working Group on the Privacy Rule; and Beverly Dozier, JD, Lance A. Gable, JD, Lawrence O. Gostin, JD, Gail Horlick, JD, and Jennifer Kurle.

The preparers also thank the following partners for their valuable input: Association of State and Territorial Health Officers, Council of State and Territorial Epidemiologists, National Association of County and City Health Officials, National Association of Health Data Organizations, Association of Public Health Laboratories, and National Association for Public Health Statistics and Information Systems.

References

1. Gostin LO, Hodge JG Jr. Personal privacy and common goods: a framework. Minnesota Law Review 2002;86:1439–80.
2. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996).
3. Office for Civil Rights, Department of Health and Human Services. Title 45 of the Code of Federal Regulations, Parts 160 and 164. Available at http://www.dhhs.gov/ocr/combinedregtext.pdf.
4. Office for Civil Rights. OCR guidance explaining significant aspects of the Privacy Rule, 2002. Department of Health and Human Services. Available at http://www.hhs.gov/ocr/hipaa.
5. Gostin LO, Hodge JG Jr, Privacy Law Advisory Committee. Model state public health information privacy act, 1999. Available at http://www.publichealthlaw.net/Resources/ResourcesPDFs/modelprivact.pdf.
6. Department of Health and Human Services. Protecting personal health information in research: understanding the HIPAA Privacy Rule. Department of Health and Human Services, Washington, DC, 2003 (in press).
7. Snider DE, Stroup DF. Defining research when it comes to public health. Public Health Rep 1997;112:29–32.
8. CDC. Guidelines for defining public health research and public health nonresearch. Available at http://www.cdc.gov/od/ads/opspoll1.htm.
9. Amoroso PJ, Middaugh JP. Research vs public health practice: when does a study require IRB review? Prev Med 2003;36:250–3.
10. Office for Protection from Research Risks, National Institutes of Health, Department of Health and Human Services. Public welfare: protection of human subjects, 2001 [45 CFR 46]. Available at http://ohrp.osophs.dhhs.gov/humansubjects/guidance/45cfr46.htm.
11. National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. Belmont report: ethical principles and guidelines for the protection of human subjects of research. Department of Health, Education, and Welfare. Available at http://www.med.umich.edu/irbmed/ethics/belmont/BELMONTR.HTM.

The following concepts and definitions are adapted from the regulatory language. For further information, see the citations to the Privacy Rule.

Accounting. An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures (a) to carry out treatment, payment, and health care operations [45 CFR § 164.506]; (b) to individuals of protected health information about them [45 CFR § 164.502]; (c) incident to a use or disclosure otherwise permitted or required by this subpart, as provided in 45 CFR § 164.502; (d) pursuant to an authorization as provided in 45 CFR § 164.508; (e) for the facility's directory or to persons involved in the individual's care or other notification purposes as provided in 45 CFR § 164.510; (f) for national security or intelligence purposes as provided in 45 CFR § 164.512(k)(2); (g) to correctional institutions or law enforcement officials as provided in 45 CFR § 164.512(k)(5); or (h) as part of a limited data set in accordance with 45 CFR § 164.514(e); or (i) that occurred prior to the compliance date for the covered entity ... Such an accounting must meet the following requirements: (1) except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity; (2) except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: the date of the disclosure; the name of the entity or person who received the protected health information and, if known, the address of such entity or person; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such a statement, a copy of the individual's written authorization pursuant to 45 CFR § 164.508 or a copy of a written request for a disclosure under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, if any.

If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, the accounting may, with respect to such multiple disclosures, provide the information required by paragraph (b)(2) of 45 CFR § 164.528 for the first disclosure during the accounting period; the frequency, periodicity, or number of the disclosures made during the accounting period; and the date of the last such disclosure during the accounting period [45 CFR § 164.528].

Modified accounting procedures are also provided for covered entities making research disclosures involving 50 or more persons [45 CFR § 164.528(b)(4)].
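As an added example (not code from this report or from CDC/HHS), the Python below builds an accounting in the shape just described from a disclosure log: it applies the six-year window clipped at the covered entity's compliance date, drops the purposes the Rule excludes, and collapses repeated disclosures to one recipient for one 45 CFR § 164.512 purpose into the first-date, count and last-date form of § 164.528(b)(3). The log field names, the purpose codes and the sample records are assumptions made for the example; the compliance date used, April 14, 2003, is the general Privacy Rule compliance date.

```python
"""Accounting of disclosures in the form 45 CFR § 164.528 describes.

Added example, not code from the MMWR report or from CDC/HHS. It assumes the
covered entity logs one record per disclosure of PHI; the field names, purpose
codes, dates and sample log below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Disclosures § 164.528(a)(1) leaves out of the accounting (constructed codes).
EXCLUDED_PURPOSES = {
    "treatment", "payment", "health_care_operations", "to_individual",
    "incidental", "authorization", "facility_directory", "involved_in_care",
    "national_security", "correctional", "limited_data_set",
}
# Purposes under § 164.502(a)(2)(ii) or § 164.512: repeated disclosures to one
# recipient for one of these may be summarised (§ 164.528(b)(3)). Anything else
# not excluded, e.g. a misdirected fax, is listed disclosure by disclosure.
SUMMARIZABLE_PURPOSES = {"public_health", "required_by_law", "court_order",
                         "health_oversight", "secretary_compliance"}


@dataclass(frozen=True)
class Disclosure:
    individual_id: str
    disclosed_on: str                  # ISO date, e.g. "2003-05-02"
    recipient: str
    recipient_address: Optional[str]   # recorded "if known"
    description: str                   # brief description of the PHI disclosed
    purpose: str                       # one of the codes above
    purpose_text: str                  # plain-language basis for the individual


def _years_before(d: date, n: int) -> date:
    """Same calendar day n years earlier; 29 February rolls back to the 28th."""
    try:
        return d.replace(year=d.year - n)
    except ValueError:
        return d.replace(year=d.year - n, day=28)


def _entry(rec: Disclosure) -> dict:
    """The § 164.528(b)(2) elements for one disclosure."""
    return {"date": rec.disclosed_on, "recipient": rec.recipient,
            "address": rec.recipient_address, "description": rec.description,
            "purpose": rec.purpose_text, "purpose_code": rec.purpose}


def accounting(log, individual_id, request_date, compliance_date, years=6):
    """Entries owed to one individual, oldest first. Dates are ISO strings.

    The window is the `years` before `request_date`, clipped at the entity's
    `compliance_date`, since earlier disclosures are excluded (§ 164.528(a)(1)).
    """
    req = date.fromisoformat(request_date)
    start = max(_years_before(req, years), date.fromisoformat(compliance_date))
    entries, grouped = [], defaultdict(list)
    for rec in sorted(log, key=lambda r: r.disclosed_on):
        if rec.individual_id != individual_id or rec.purpose in EXCLUDED_PURPOSES:
            continue
        if not start <= date.fromisoformat(rec.disclosed_on) <= req:
            continue
        if rec.purpose in SUMMARIZABLE_PURPOSES:
            grouped[(rec.recipient, rec.purpose)].append(rec)
        else:
            entries.append(_entry(rec))
    for recs in grouped.values():
        entry = _entry(recs[0])            # first disclosure in the period
        if len(recs) > 1:                  # § 164.528(b)(3) summary form
            entry["number_of_disclosures"] = len(recs)
            entry["last_disclosure"] = recs[-1].disclosed_on
        entries.append(entry)
    return sorted(entries, key=lambda e: e["date"])


# Constructed sample log; 2003-04-14 was the general Privacy Rule compliance date.
_PH = ("State Health Dept", "1 Capitol St")
_PH_TEXT = "Required disease report to the state health department"
SAMPLE_LOG = [
    Disclosure("P-001", "2003-02-01", *_PH, "lab result", "public_health", _PH_TEXT),
    Disclosure("P-001", "2003-05-02", *_PH, "lab result", "public_health", _PH_TEXT),
    Disclosure("P-001", "2003-06-09", *_PH, "follow-up culture", "public_health", _PH_TEXT),
    Disclosure("P-001", "2003-09-01", *_PH, "contact interview", "public_health", _PH_TEXT),
    Disclosure("P-001", "2003-05-03", "Acme Health Plan", None, "claim for visit",
               "payment", "Claim submitted for payment"),
    Disclosure("P-001", "2004-01-15", "unknown fax recipient", None, "discharge summary",
               "impermissible", "Fax sent to a misdialled number"),
    Disclosure("P-002", "2003-07-20", *_PH, "lab result", "public_health", _PH_TEXT),
]


def demo():
    """Accounting for P-001 requested on 2008-06-01 (full six-year window)."""
    return accounting(SAMPLE_LOG, "P-001", "2008-06-01", "2003-04-14")


if __name__ == "__main__":
    for e in demo():
        print(e)
```

Two points the sample is built to show: the report to the state health department made before the compliance date drops out, while the three later reports to the same recipient for the same purpose become one summarised entry; and the misdirected fax, which matches none of the exclusions, stays in the accounting as its own line, which is a reason incident records should feed the same disclosure log.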

Business associate. A person who, on behalf of a covered entity or of an organized health care arrangement [45 CFR § 164.501] in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or any other function or activity regulated by this subchapter; or provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation [45 CFR § 164.501], management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health-care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person [45 CFR § 160.103].

Covered entity. 1) A health plan; 2) a health-care clearinghouse; 3) a health-care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter [45 CFR § 160.103].

Covered functions. Those functions of a covered entity the performance of which makes the entity a health plan, health-care provider, or health-care clearinghouse [45 CFR § 164.103].

Data aggregation. With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health-care operations of the respective covered entities [45 CFR § 164.501].

14 MMWR April 11 2003

De-identified health information. Health information that does not identify an individual and with respect to which no reasonable basis exists to believe that the information can be used to identify an individual is not individually identifiable health information [45 CFR § 164.514(a)].

Disclosure. The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information [45 CFR § 160.103].

Electronic media. 1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or 2) transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission [45 CFR § 160.103].

Health care. Care, services, or supplies related to the health of an individual. It includes, but is not limited to, 1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body; and 2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription [45 CFR § 160.103].

Health-care clearinghouse. A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and value-added network or switch, that 1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or 2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity [45 CFR § 160.103].

Health-care operations. Any of the following activities of the covered entity to the extent that the activities are related to covered functions: 1) conducting quality assessment and improvement activities, population-based activities, and related functions that do not include treatment; 2) reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance, conducting training programs where students learn to practice or improve their skills as health-care providers, training of non-health-care professionals, and accreditation, certification, licensing, or credentialing activities; 3) underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or benefits; 4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, and development or improvement of methods of payment or coverage policies; and 6) business management and general administrative activities of the entity [45 CFR § 164.501].

Health-care provider. A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health-care services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other individual or organization that furnishes, bills, or is paid for health care in the normal course of business [45 CFR § 160.103].

Health information. Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health-care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual [45 CFR § 160.103].

Health plan. An individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). Health plan includes the following, singly or in combination: (i) a group health plan, as defined in 45 CFR § 160.103 of the Privacy Rule; (ii) a health insurance issuer, as defined in 45 CFR § 160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 CFR § 160.103 of the Privacy Rule; (iv) Part A or B of the Medicare program under title XVIII of the Act; (v) the Medicaid program under title XIX of the Act, 42 U.S.C. 1396 et seq.; (vi) an issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)); (vii) an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy; (viii) an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers; (ix) the health care program for active military personnel under title 10 U.S.C.; (x) the veterans health-care program under 38 U.S.C. Ch. 17; (xi) the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)); (xii) the Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601 et seq.; (xiii) the Federal Employees Health Benefits Program under 5 U.S.C. 8902 et seq.; (xiv) an approved state child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397 et seq.; (xv) the Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28; (xvi) a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals; (xvii) any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) [45 CFR § 160.103].

The term health plan excludes (i) any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in section 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and (ii) a government-funded program, other than one listed in items (i)-(xvi) above, whose principal purpose is other than providing, or paying the cost of, health care, or whose principal activity is 1) the direct provision of health care to individuals or 2) the making of grants to fund the direct provision of health care to individuals [45 CFR § 160.103].

Hybrid entity. A single legal entity 1) that is a covered entity; 2) whose business activities include both covered and noncovered functions; and 3) that designates its health-care components [45 CFR § 164.103].

Individually identifiable health information. A subset of health information, including demographic information collected from an individual, that 1) is created or received by a health-care provider, health plan, employer, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or where there is a reasonable basis to believe the information can be used to identify the individual [45 CFR § 164.501].

Limited data set. Protected health information that excludes certain direct identifiers of the individual or of relatives, employers, or household members of the individual. The direct identifiers to be excluded are listed in 45 CFR § 164.514(e)(2).

Minimum necessary. For any type of disclosure that a covered entity makes on a routine and recurring basis, the covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. For all other disclosures, covered entities must develop and implement criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought, and review requests for disclosure on an individual basis in accordance with such criteria. A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when (a) making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose; (b) the information is requested by another covered entity; (c) the information is requested by a professional who is a member of the covered entity's workforce or is its business associate, for the purpose of providing professional services to the covered entity, if the professional represents that the information requested is the minimum necessary for the stated purpose; or (d) documentation or representations that comply with the applicable requirements of 45 CFR § 164.512(i) have been provided by a person requesting the information for research purposes [45 CFR § 164.514(d)(3)].

The minimum necessary standard also applies to uses of protected health information [45 CFR § 164.514(d)(2)] and to requests for protected health information [45 CFR § 164.514(d)(4)].

Notice. An individual, with certain exceptions, has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. The notice must be written in plain language and contain the following elements: (i) a header as specified in the rule; (ii) a description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and health care operations, and a description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written consent or authorization. If a use or disclosure is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law (as defined in 45 CFR § 160.202). Each description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule or other applicable law, and a statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by 45 CFR § 164.508(b)(5).


A separate statement must be included in the notice if a covered entity intends to engage in any of the following activities. The statement should explain that 1) the covered entity may contact the individual to provide appointment reminders or information regarding treatment alternatives or other health-related benefits; 2) the covered entity may contact the individual to raise funds for the covered entity; or 3) a group health plan, health insurer, or HMO with respect to a group health plan may disclose protected health information to the sponsor of the plan.

The notice must contain a statement of the individual's rights with respect to the protected health information and a brief description of how the individual may exercise these rights; a statement of the covered entity's duties; a statement that individuals may complain to the covered entity or the Secretary if they believe their privacy rights have been violated; contact information; and the effective date of the notice [45 CFR § 164.520].

Payment. 1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, or (ii) a health-care provider or health plan to obtain or provide reimbursement for the provision of health care; and 2) the activities relate to the individual to whom health care is provided and include, but are not limited to, (i) determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; (ii) risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance), and related health-care data processing; (iv) review of health-care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services and concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: (a) name and address, (b) date of birth, (c) social security number, (d) payment history, (e) account number, and (f) name and address of the health-care provider or health plan [45 CFR § 164.501].

Protected health information (PHI). Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in (i) education records covered by the Family Educational Rights and Privacy Act (20 U.S.C. 1232g); (ii) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a covered entity in its role as employer [45 CFR § 160.103].

Public health authority. An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or an individual or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or individuals or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate [45 CFR § 164.501].

Examples of public health authorities include state and local health departments, CDC, the National Institutes of Health (NIH), the Food and Drug Administration (FDA), and the Occupational Safety and Health Administration (OSHA).

Required by law. A mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. This term includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health-care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits [45 CFR § 164.103].

Research. A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge [45 CFR § 164.501].

Statistical de-identification. A properly qualified statistician, using accepted analytical techniques, concludes that the risk is very small that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information [45 CFR § 164.514(b)].

Safe harbor method. A covered entity or its agent removes a comprehensive set of identifiers enumerated in the Privacy Rule, which includes, but is not limited to, names, geographic subdivisions smaller than states, dates more specific than years, contact information, identification numbers, and photographic images, and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual who is a subject of the information or the individual's relatives, employers, or household members. Eighteen specific identifiers must be removed to achieve de-identification [45 CFR § 164.514(b)].
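Added example, not code from this report or from CDC/HHS: a Python safe-harbor scrubber for a flat record, covering the safe harbor definition above. Its allow-list policy, field names, regexes and sample record are assumptions made for the example. It encodes the identifier categories the Rule enumerates (names, geography below the state level, date elements other than year, contact details, identification numbers, URLs and IP addresses, biometrics, photographs) plus the Rule's aggregation of ages over 89, and it fails closed on any field without a rule or any kept text that contains an identifier-shaped string, since passing such data through would be hard to square with the "no actual knowledge" condition. Where the Rule permits a narrower cut (three-digit ZIP codes) the conservative option, dropping the field, is taken.

```python
"""Safe-harbor de-identification (45 CFR § 164.514(b)(2)) of a flat record.

Added example; not code from the MMWR report or from CDC/HHS. The field names,
policy table, regexes and sample record are constructed. The policy is an
allow-list: every field needs an explicit rule, and a kept free-text field is
scanned for identifier-shaped strings, because the covered entity must have no
actual knowledge that what remains identifies the individual.
"""
import re
from datetime import date

DROP, YEAR_ONLY, AGE, KEEP = "drop", "year", "age", "keep"

# One rule per field. Identifier categories named in the Rule: names; geographic
# subdivisions smaller than a state; date elements other than year; phone, fax
# and e-mail; SSN, medical record, health plan, account, licence, vehicle and
# device numbers; URLs and IP addresses; biometrics; full-face photographs.
POLICY = {
    "name": DROP, "street": DROP, "city": DROP, "county": DROP, "zip": DROP,
    "state": KEEP,
    "birth_date": YEAR_ONLY, "admission_date": YEAR_ONLY, "discharge_date": YEAR_ONLY,
    "age": AGE,                                   # ages over 89 collapse to "90+"
    "phone": DROP, "fax": DROP, "email": DROP,
    "ssn": DROP, "mrn": DROP, "health_plan_id": DROP, "account_number": DROP,
    "license_number": DROP, "vehicle_plate": DROP, "device_serial": DROP,
    "url": DROP, "ip_address": DROP, "fingerprint": DROP, "photo": DROP,
    "sex": KEEP, "diagnosis_code": KEEP, "lab_result": KEEP,
}

# Identifier-shaped strings that must not survive inside a kept text field.
IDENTIFIER_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),              # SSN-shaped
    re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),    # US phone-shaped
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),           # e-mail address
    re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),              # ISO date
    re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),        # m/d/y date
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),        # IPv4 address
]


class DeidentificationError(ValueError):
    """Raised when a record cannot be de-identified under this policy."""


def safe_harbor(record: dict) -> dict:
    """Return a de-identified copy of `record`; fail closed on anything unknown."""
    out = {}
    for field, value in record.items():
        if field not in POLICY:
            raise DeidentificationError(f"no rule for field {field!r}")
        action = POLICY[field]
        if action == DROP or value is None:
            continue
        if action == YEAR_ONLY:
            d = value if isinstance(value, date) else date.fromisoformat(value)
            out[field.replace("_date", "_year")] = str(d.year)
        elif action == AGE:
            out[field] = "90+" if int(value) > 89 else int(value)
        else:  # KEEP: clinical data, but never with an identifier embedded in it
            if isinstance(value, str) and any(p.search(value) for p in IDENTIFIER_PATTERNS):
                raise DeidentificationError(f"identifier-shaped text in kept field {field!r}")
            out[field] = value
    return out


def is_deidentifiable(record: dict) -> bool:
    """True if `safe_harbor` accepts the record, False if it refuses."""
    try:
        safe_harbor(record)
        return True
    except DeidentificationError:
        return False


# Constructed sample record; the person and all values are invented.
SAMPLE_RECORD = {
    "name": "Jane Q. Public", "street": "1600 Clifton Rd", "city": "Atlanta",
    "county": "Fulton", "state": "GA", "zip": "30333",
    "birth_date": "1912-03-04", "age": 91,
    "admission_date": "2003-04-01", "discharge_date": None,
    "phone": "404-555-0100", "email": "jane@example.com",
    "ssn": "123-45-6789", "mrn": "MRN-000123",
    "sex": "F", "diagnosis_code": "A00.0", "lab_result": "V. cholerae O1 isolated",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE_RECORD))
```

The regex scan is a floor, not a proof: it catches the common shapes (SSN, phone, e-mail, dates, IPv4) but cannot find a name in free text, so narrative fields are better dropped or handled under the statistical method, which this example does not implement.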

Transaction. The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions that the Secretary may prescribe by regulation [45 CFR § 160.103].

Treatment. The provision, coordination, or management of health care and related services by one or more health-care providers, including the coordination or management of health care by a health-care provider with a third party; consultation between health-care providers relating to a patient; or the referral of a patient for health care from one health-care provider to another [45 CFR § 164.501].

Use. With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information [45 CFR § 160.103].



Appendix B. Sample Text That Can Be Used To Clarify Public Health Issues Under the Privacy Rule

Following are sample letters that can be used to help clarify Privacy Rule issues among covered entities and public health authorities (e.g., CDC, National Institutes of Health, Food and Drug Administration, Substance Abuse and Mental Health Services Administration, Health Resources and Services Administration, and state and local health departments). Public health authorities can use these letters as templates by inserting names of the appropriate individuals, projects, agreements, laws, activity types, covered entities, public health authorities, and authorized agencies.

From a public health authority to a covered entity, clarifying rules regarding disclosure

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is conducting the activity described here in its capacity as a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities such as your organization may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..."

[Public health authority] is conducting [project], a public health activity as described by 45 CFR § 164.512(b), and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule.

If you have questions or concerns, please contact [project leader].

From a public health authority to an authorized agency, providing grant of authority

Dear [authorized agency]:

This letter serves as verification of a grant of authority from [public health authority] for you to conduct the public health activities described here, acting as a public health authority pursuant to the Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act (HIPAA) [45 CFR Parts 160 and 164]. Under this rule, covered entities may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of a public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..."

[Authorized agency] is acting under [contract, grant, cooperative agreement] with [public health authority] to conduct [project], which is authorized by [law or regulation]. [Public health authority] grants this authority to [authorized agency] for purposes of this project. Further, [public health authority] considers this to be [activity type], for which disclosure of protected health information by covered entities is authorized by 45 CFR § 164.512(b) of the Privacy Rule.

From a public health authority to a covered entity, confirming grant of authority to an authorized agency

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities may disclose protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..." [45 CFR § 164.501]. [Authorized agency] is acting under [contract, grant, or cooperative agreement] with [public health authority] to carry out [project]. Through this grant of authority, [authorized agency] may function as a public health authority under the Privacy Rule for purposes of this project.

[Project] is a public health activity as described by 45 CFR § 164.512(b), referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities "... may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose(s) when making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s)."

If you have questions or concerns, please contact [project leader for authorized agency, public health authority contact].

All MMWR references are available on the Internet at http://www.cdc.gov/mmwr. Use the search function to find specific articles.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

MMWR

The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) and is available free of charge in electronic format and on a paid subscription basis for paper copy. To receive an electronic copy each week, send an e-mail message to listserv@listserv.cdc.gov. The body content should read SUBscribe mmwr-toc. Electronic copy also is available from CDC's Internet server at http://www.cdc.gov/mmwr or from CDC's file transfer protocol server at ftp://ftp.cdc.gov/pub/publications/mmwr. To subscribe for paper copy, contact Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone 202-512-1800.

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

US Government Printing Office 2003-533-15569108 Region IV

Contents
• Introduction
• Impact on Public Health
• Overview of the Privacy Rule
  • Who Is Covered
  • Types of Health Information
  • What Is Required
• The Privacy Rule and Public Health
  • Disclosures for Public Health Purposes
  • Requirements for Covered Entities
• The Privacy Rule and Public Health Research
  • Research Versus Practice
• The Privacy Rule and Other Laws
• Online Resources
  • Federal Government Resources
  • State Government Resources
  • Associations, Nonprofit Organizations, and Academic Resources
• Acknowledgments
• References
• Appendix A
• Appendix B
illness. Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority [45 CFR § 164.512(b)(1)(i)].

To receive PHI for public health purposes, public health authorities should be prepared to verify their status and identity as public health authorities under the Privacy Rule. To verify its identity, an agency could provide any one of the following:

• if the request is made in person, presentation of an agency identification badge, other official credentials, or other proof of government status;

• if the request is in writing, the request is on the appropriate government letterhead;

• if the disclosure is to a person acting on behalf of a public health authority, a written statement on appropriate government letterhead that the person is acting under the government's authority [45 CFR § 164.514(h)(2)].

Public health authorities receiving information from covered entities as required or authorized by law [45 CFR § 164.512(a)] [45 CFR § 164.512(b)] are not business associates of the covered entities and therefore are not required to enter into business associate agreements. Public health authorities that are not covered entities also are not required to enter into business associate agreements with their public health partners and contractors. Also, after PHI is disclosed to a public health authority pursuant to the Privacy Rule, the public health authority (if it is not a covered entity) may maintain, use, and disclose the data consistent with the laws, regulations, and policies applicable to the public health authority.

Disclosures for Public Health Purposes

The Privacy Rule allows covered entities to disclose PHI to public health authorities when required by federal, tribal, state, or local laws [45 CFR § 164.512(a)]. This includes state laws (or state procedures established under such law) that provide for receiving reporting of disease or injury, child abuse, birth, or death, or for conducting public health surveillance, investigation, or intervention.

For disclosures not required by law, covered entities may still disclose, without authorization, to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, the minimum necessary information to accomplish the intended public health purpose of the disclosure [45 CFR 164.512(b)] (Box 1).

For example, to protect the health of the public, public health officials might need to obtain information related to persons affected by a disease. In certain cases, they might need to contact those affected to determine the cause of the disease to allow for actions to prevent further illness. The Privacy Rule continues to allow for the existing practice of sharing PHI with public health authorities who are authorized by law to collect or receive such information to aid them in their mission of protecting the health of the public. Examples of such activities include those directed at the reporting of disease or injury, reporting adverse events, reporting births and deaths, and investigating the occurrence and cause of injury and disease (1).

Although it is not a defined term, DHHS interpreted the phrase "authorized by law" to mean that a legal basis exists for the activity. Further, DHHS called the phrase "a term of art" including both actions that are permitted and actions that are required by law [64 FR 59929, November 3, 1999]. This does not mean a public health authority at the federal, tribal, state, or local level must have multiple disease- or condition-specific laws that authorize each collection of information. Public health authorities operate under broad mandates to protect the health of their constituent populations.

Requirements for Covered Entities

Accounting for Public Health Disclosures

Although the Privacy Rule permits disclosures of PHI to public health authorities, covered entities must comply with certain requirements related to these disclosures. One such requirement is that a covered entity must be able to provide an individual, upon request, with an accounting of certain disclosures of PHI. The covered entity is not required to account for all disclosures of PHI. For example, an accounting is not required for disclosures made

• prior to the covered entity's compliance date;
• for TPO purposes;
• to the individual or pursuant to the individual's written authorization; or
• as part of a limited data set.

However, usually an accounting is required for disclosures made without authorization, including public health purposes.

The required accounting for disclosures may be accomplished in different ways. Typically, the covered entity must provide the individual with an accounting of each disclosure by date, the PHI disclosed, the identity of the recipient of the PHI, and the purpose of the disclosure. However, where the covered entity has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy Rule provides for a simplified means of accounting. In such cases, the covered entity need only identify the recipient of such repetitive disclosures, the purpose of the disclosure, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period and a description of the frequency or periodicity of such disclosures. For example, the vast amount of data exchanged between covered entities and public health authorities is made through ongoing, regular reporting or inspection requirements. A covered health-care provider may routinely report all cases of measles it diagnoses to the local public health authority. An accounting of such disclosures to a requesting individual would need to identify the local public health authority receiving the PHI, the PHI disclosed, the purpose of the disclosure (required for communicable disease surveillance), the periodicity (weekly), and the first and last dates of such disclosures during the accounting period (May 1, 2003 to June 1, 2003). Thus, the covered entity would not need to annotate each patient's medical record whenever a routine public health disclosure was made.
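Worked example (added here; not code from the MMWR report, CDC or DHHS): a small Python routine that produces the accounting described above from a covered entity's disclosure log. It applies the exclusions in the bullet list (pre-compliance-date, TPO, to the individual or under authorization, limited data set), keeps only disclosures inside the look-back window, lists one-off disclosures in full, and collapses repetitive disclosures to the same recipient for the same purpose into one entry carrying the first date, last date, count and periodicity. The compliance date (assumed here to be 14 April 2003), the basis labels, the sample disclosure log and the periodicity heuristic are all constructed for the example; the six-year look-back follows the "Accounting" definition in Appendix A.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

# Assumptions for this example: the covered entity's compliance date and the
# six-year look-back the accounting must cover.
COMPLIANCE_DATE = date(2003, 4, 14)
LOOKBACK_YEARS = 6
REQUEST_DATE = date(2004, 3, 1)  # date on which the individual asked for the accounting

# Disclosure bases for which no accounting is required (labels constructed here).
EXEMPT_BASES = {"tpo", "to_individual", "authorization", "limited_data_set"}


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient: str  # entity or person who received the PHI
    phi: str        # brief description of the PHI disclosed
    purpose: str    # statement of purpose that informs the individual of the basis
    basis: str      # "public_health" or one of EXEMPT_BASES


def years_before(d, years):
    """Same calendar date `years` earlier, clamping 29 February to 28 February."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def is_accountable(d, request_date):
    """True if the disclosure must appear in the accounting."""
    if d.basis in EXEMPT_BASES or d.disclosed_on < COMPLIANCE_DATE:
        return False
    return years_before(request_date, LOOKBACK_YEARS) <= d.disclosed_on <= request_date


def describe_periodicity(dates):
    """Label the spacing of a sorted list of dates (heuristic constructed for the example)."""
    gaps = {(later - earlier).days for earlier, later in zip(dates, dates[1:])}
    if gaps == {1}:
        return "daily"
    if gaps == {7}:
        return "weekly"
    if gaps and gaps <= {28, 29, 30, 31}:
        return "monthly"
    return "irregular"


def build_accounting(disclosures, request_date):
    """One entry per (recipient, purpose, PHI); repetitive disclosures are summarised."""
    groups = defaultdict(list)
    for d in disclosures:
        if is_accountable(d, request_date):
            groups[(d.recipient, d.purpose, d.phi)].append(d.disclosed_on)
    entries = []
    for (recipient, purpose, phi), dates in sorted(groups.items()):
        dates.sort()
        entry = {"recipient": recipient, "phi": phi, "purpose": purpose}
        if len(dates) == 1:
            entry["date"] = dates[0].isoformat()  # full entry for a one-off disclosure
        else:
            entry.update(  # simplified entry for repetitive disclosures
                first_date=dates[0].isoformat(),
                last_date=dates[-1].isoformat(),
                count=len(dates),
                periodicity=describe_periodicity(dates),
            )
        entries.append(entry)
    return entries


# Constructed disclosure log for the example.
SAMPLE_DISCLOSURES = [
    # Routine weekly measles reports to the local public health authority.
    *[Disclosure(date(2003, 5, day), "Local public health authority",
                 "Confirmed measles cases", "Required communicable disease surveillance",
                 "public_health") for day in (1, 8, 15, 22, 29)],
    # One-off report to a state registry: listed in full.
    Disclosure(date(2003, 6, 3), "State vital records office", "Birth certificate data",
               "Birth reporting required by state law", "public_health"),
    # Treatment disclosure: exempt from the accounting.
    Disclosure(date(2003, 6, 4), "Referral specialist", "Clinical summary",
               "Treatment", "tpo"),
    # Made before the compliance date: exempt.
    Disclosure(date(2003, 3, 20), "Local public health authority", "Confirmed measles cases",
               "Required communicable disease surveillance", "public_health"),
]


def sample_accounting():
    return build_accounting(SAMPLE_DISCLOSURES, REQUEST_DATE)


if __name__ == "__main__":
    for entry in sample_accounting():
        print(entry)
```

Grouping on recipient, purpose and PHI description together is what makes the simplified form safe to apply: a disclosure to the same authority for a different purpose or of different PHI stays a separate entry rather than being folded into the routine report.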

Notice of Privacy Practices

With certain exceptions under the Privacy Rule, individuals have the right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, as well as their rights and the covered entity's legal obligations. Notices must be in plain language and clearly posted. Certain covered entities must make a good faith effort to obtain an individual's acknowledgment of receipt of this notice. In certain cases, notice may be provided electronically.

Minimum Necessary Standard

The Privacy Rule usually directs covered entities to limit the amount of information disclosed to the minimum necessary to achieve the specified goal [45 CFR § 164.514(d)(1)]. This requirement usually applies to disclosures to a public health agency. It would not apply, however, if the disclosure were required by law, authorized by the individual, or for treatment purposes. A covered entity may also reasonably rely on a public official's determination that the information requested is the minimum necessary for the public health purpose.

Public Health Authorities Performing Covered Functions

Public health authorities at the federal, tribal, state, or local levels that perform covered functions (e.g., providing health care or insuring individuals for health-care costs) may be subject to the Privacy Rule's provisions as covered entities. For example, a local public health authority that operates a health clinic providing essential health-care services to low-income persons and performs certain electronic transactions might be defined under the Privacy Rule as a covered health-care provider and therefore a covered entity. Flow charts and interactive tools designed to help determine covered entity status are provided online by the Centers for Medicare and Medicaid Services, available at http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp.

The following are examples of public health authority functions that make them covered entities:

• Public health authorities as covered health-care providers. A public health authority that conducts health care as part of its activities is a covered health-care provider if it also performs electronic transactions covered by the HIPAA Transactions Rule as part of these activities. The fact that these activities are conducted in pursuit of a public health goal (e.g., vaccinating children or screening a targeted population for sexually transmitted diseases) does not preclude the public health authority from being a covered entity.

• Public health authorities as health plans. Under the Privacy Rule, a health plan is an individual or group plan that provides or pays the cost of medical care. This specifically includes government health plans (e.g., Medicare, Medicaid, or Veterans Health Administration). However, the Privacy Rule defines health plan to exclude government-funded programs whose principal activity is the direct provision of health care to persons or the making of grants to fund the direct provision of health care to persons [45 CFR § 160.103]. Examples include the Ryan White Comprehensive AIDS Resources Emergency Act. Although certain government programs that fund providers directly may not be health plans, government programs that reimburse providers or otherwise fund providers to perform direct health-care services should carefully analyze the details of their programs to determine if they are performing covered functions.

• Public health authorities as health-care clearinghouses. Although unlikely, a public health authority might be a health-care clearinghouse if it receives health information from another entity and translates that information from a nonstandard format into a standard transaction or standard data elements (or vice versa). Operators of community health information systems should carefully consider whether they meet the definition for a health-care clearinghouse.

• Public health agencies as hybrid entities. A public health agency that is a covered entity and has both covered and noncovered functions may become a hybrid entity by designating its health-care components. By designating itself as a hybrid entity, a public health authority can carve out its noncovered functions so that the majority of Privacy Rule provisions apply only to its health-care component, which is required to comply with the Privacy Rule requirements, including using and disclosing PHI only as authorized, meeting the administrative requirements, accounting for disclosure of PHI, and providing a notice of practices. However, such a designation does not preclude the public health authority from continuing to conduct authorized public health functions. A covered entity that is also a public health authority may use, as well as disclose, PHI for public health purposes to the same extent it would be permitted to disclose the PHI as a public health authority.

The Privacy Rule and Public Health Research

The topic of research under the Privacy Rule is covered in depth in the DHHS report Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (6). The Privacy Rule provides separate provisions for disclosure without individual authorization for public health purposes and for certain research [45 CFR § 164.512(b)] [45 CFR § 164.512(i)]. Other federal law pertaining to research stresses the importance of distinguishing between research and practice to ensure that human subjects are appropriately protected [45 CFR Part 46]. For certain activities, this distinction is not always clear. A full discussion of the distinctions between public health practice and research is beyond the scope of this document. However, CDC and others provide guidance in this area (7–9).

Research Versus Practice

The definition of research is the same for the Privacy Rule and the Common Rule (10): systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Research is designed to test a hypothesis, permit conclusions to be drawn, and thereby to develop or contribute to generalizable knowledge. The majority of public health activities (e.g., public health surveillance and disease prevention and control projects) are based on scientific evidence and data collection or analytic methods similar to those used in research. However, they are not designed to contribute to generalizable knowledge. Their primary purpose is to protect the health of the population through such activities as disease surveillance, prevention, or control.

The Belmont Report (11) defines practice as interventions designed solely to enhance the well-being of a person, patient, or client, and which have reasonable expectation of success. The report further states that the purpose of medical or behavioral practice is to provide diagnosis, preventive treatment, or therapy to particular patients. For public health agencies, the patient is the community. Public health practice activities (e.g., public health surveillance, disease control, or program evaluation) are undertaken with the intent to benefit a specific community, although occasionally they may provide unintended generalizable benefits to others.

Some public health activities that are initially public health practice may subsequently evolve into a research activity (e.g., an investigation to determine the cause of an outbreak that incorporates a research study evaluating the efficacy of a new drug to treat the illness). When that is the case, the disclosures may be made initially under the public health provisions of the Privacy Rule. But when the activity becomes an ongoing research activity, the entity should consider application of the relevant research disclosure provisions to continue to obtain information for this purpose. Moreover, there may be cases where the activity is both research and public health practice (e.g., an ongoing survey to monitor health conditions in the population, data from which can also be analyzed for research purposes). In those cases, disclosures may be made either under the research provisions or the public health provisions, as appropriate; the covered entity need not comply with both sets of requirements.

The Privacy Rule and Other Laws

• Federal laws. Covered entities subject to the Privacy Rule are also subject to other federal statutes and regulations. The specific relationship of the Privacy Rule and certain federal laws is discussed in the preamble to the December 2000 Final Rule [65 Fed. Reg. 82481]. In certain instances, the Privacy Rule imposes requirements in direct conflict with other federal laws or regulations. In those instances, an analysis will be necessary to determine whether the later provision was intended to overrule the prior law or regulation.

• State laws. As a federal regulatory standard, the Privacy Rule preempts only those contrary state laws relating to the privacy of individually identifiable health information that have less stringent requirements or standards than the Privacy Rule (i.e., more stringent laws remain in effect). In addition, DHHS may, upon specific request from a state or other entity or person, determine that a provision of state law that is contrary to the federal requirements and that meets certain additional criteria will not be preempted by the federal requirements. Thus, preemption of a contrary state law will not occur if the Secretary or designated DHHS official determines, in response to a request, that the state law 1) is necessary to prevent fraud and abuse related to the provision of or payment for health care; 2) is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation; 3) is necessary for state reporting on health-care delivery or costs; 4) is necessary to serve a compelling public health, safety, or welfare need and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or 5) has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances. The Privacy Rule specifically does not preempt contrary state public health laws that provide for the reporting of disease or injury, child abuse, birth or death, or for the conduct of public health surveillance, investigation, or intervention [45 CFR § 160.202].

Online Resources

References to non-DHHS sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

Federal Government Resources

DHHS Office for Civil Rights, HIPAA guidelines
http://www.hhs.gov/ocr/hipaa

CDC, Privacy Rule guidelines
http://www.cdc.gov/privacyrule

Centers for Medicare and Medicaid Services
http://www.cms.gov/hipaa
http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp

Health Resources and Services Administration, HIPAA
http://www.hrsa.gov/website.htm

National Center for Health Statistics
http://www.cdc.gov/nchs/otheract/phdsc/phdsc.htm

National Committee on Vital and Health Statistics
http://www.ncvhs.hhs.gov

National Health Information Infrastructure
http://www.health.gov/ncvhs-nhii

Indian Health Service, HIPAA
http://www.ihs.gov/AdminMngrResources/HIPAA/index.cfm

National Institutes of Health
http://privacyruleandresearch.nih.gov

Substance Abuse and Mental Health Services Administration, HIPAA
http://www.samhsa.gov/hipaa

State Government Resources

California
http://www.dhs.ca.gov/hipaa
http://www.ohi.ca.gov/state/calohi/ohiHome.jsp
http://www.dmh.ca.gov/hipaa

Colorado
http://www.cdphe.state.co.us/HIPAA

Florida
http://www.myflorida.com/myflorida/sto/hipaa

Illinois
http://www.state.il.us/dpa/hipaa.html

Kentucky
http://chs.state.ky.us/dms/HIPAA/default.htm
http://dmhmrs.chr.state.ky.us/hipaa.asp

Maryland
http://www.mhcc.state.md.us/edi/hipaa_hipaa.htm
http://dhmh.state.md.us/HIPAA

Minnesota
http://www.dhs.state.mn.us/hipaa

Missouri
http://www.health.state.mo.us/HIPAA

New York
http://www.oft.state.ny.us/hipaa/index.htm

North Carolina
http://dirm.state.nc.us/hipaa

Ohio
http://www.state.oh.us/hipaa

Pennsylvania
http://www.dpw.state.pa.us/omap/hipaa/omaphipaa.asp
http://www.insurance.state.pa.us/html/hipaa.html

South Carolina
http://www.hipaa.state.sc.us

Texas
http://www.hhsc.state.tx.us/NDIS/NDISTaskForce.html

Virginia
http://www.dmas.state.va.us/hpa-home.htm

Wisconsin
http://www.dhfs.state.wi.us/HIPAA


Associations, Nonprofit Organizations, and Academic Resources

American Hospital Association, HIPAA
http://www.hospitalconnect.com/aha/key_issues/hipaa/resources/resources.html

American Medical Association, HIPAA
http://www.ama-assn.org/ama/pub/category/4234.html

Association of State and Territorial Health Officials, HIPAA
http://www.astho.org/?template=hipaa.html

Georgetown University Health Privacy Project
http://www.healthprivacy.org

Joint Healthcare Information Technology Alliance
http://www.jhita.org

National Association of Health Data Organizations
http://www.nahdo.org

National Association of Insurance Commissioners
http://www.naic.org/1privacy/initiatives/health_privacy.htm

National Governors Association, HIPAA
http://www.nga.org/center/topics/1,1188,C_CENTER_ISSUE^D_4324,00.html

North Carolina Healthcare Information and Communications Alliance
http://www.nchica.org

Public Health Grand Rounds, HIPAA Privacy Rule: Enhancing or Harming Public Health?
http://www.publichealthgrandrounds.unc.edu

Stanford University Medical School, HIPAA
http://www.med.stanford.edu/HIPAA

Workgroup for Electronic Data Interchange, Strategic National Implementation Process
http://www.wedi.org/snip

Acknowledgments

This report was prepared by Salvatore Lucido, MPA, and Denise Koo, MD, Office of the Associate Director for Science, Epidemiology Program Office, CDC, in collaboration with James G. Hodge, Jr., JD, Center for Law and the Public's Health, Georgetown and Johns Hopkins Universities, Baltimore, Maryland. The preparers are grateful for the participation of Deborah Tress, JD, Kenya Ford, JD, and Heather Horton, JD, Office of the General Counsel, Department of Health and Human Services, CDC/ATSDR Branch; the CDC Working Group on the Privacy Rule; and Beverly Dozier, JD, Lance A. Gable, JD, Lawrence O. Gostin, JD, Gail Horlick, JD, and Jennifer Kurle.

The preparers also thank the following partners for their valuable input: Association of State and Territorial Health Officers, Council of State and Territorial Epidemiologists, National Association of County and City Health Officials, National Association of Health Data Organizations, Association of Public Health Laboratories, and National Association for Public Health Statistics and Information Systems.

References

1. Gostin LO, Hodge JG Jr. Personal privacy and common goods: a framework. Minnesota Law Review 2002;86:1439–80.
2. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996).
3. Office for Civil Rights, Department of Health and Human Services. Title 45 of the Code of Federal Regulations, Parts 160 and 164. Available at http://www.dhhs.gov/ocr/combinedregtext.pdf
4. Office for Civil Rights. OCR guidance explaining significant aspects of the Privacy Rule, 2002. Department of Health and Human Services. Available at http://www.hhs.gov/ocr/hipaa
5. Gostin LO, Hodge JG Jr, Privacy Law Advisory Committee. Model state public health information privacy act, 1999. Available at http://www.publichealthlaw.net/Resources/ResourcesPDFs/modelprivact.pdf
6. Department of Health and Human Services. Protecting personal health information in research: understanding the HIPAA Privacy Rule. Department of Health and Human Services, Washington, DC, 2003 (in press).
7. Snider DE, Stroup DF. Defining research when it comes to public health. Public Health Rep 1997;112:29–32.
8. CDC. Guidelines for defining public health research and public health nonresearch. Available at http://www.cdc.gov/od/ads/opspoll1.htm
9. Amoroso PJ, Middaugh JP. Research vs public health practice: when does a study require IRB review? Prev Med 2003;36:250–3.
10. Office for Protection from Research Risks, National Institutes of Health, Department of Health and Human Services. Public welfare: protection of human subjects, 2001 [45 CFR 46]. Available at http://ohrp.osophs.dhhs.gov/humansubjects/guidance/45cfr46.htm
11. National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. Belmont report: ethical principles and guidelines for the protection of human subjects of research. Department of Health, Education, and Welfare. Available at http://www.med.umich.edu/irbmed/ethics/belmont/BELMONTR.HTM

Appendix A
Selected Privacy Rule Concepts and Definitions

The following concepts and definitions are adapted from the regulatory language. For further information, see the citations to the Privacy Rule.

Accounting. An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures (a) to carry out treatment, payment, and health care operations [45 CFR § 164.506]; (b) to individuals of protected health information about them [45 CFR § 164.502]; (c) incident to a use or disclosure otherwise permitted or required by this subpart, as provided in 45 CFR § 164.502; (d) pursuant to an authorization as provided in 45 CFR § 164.508; (e) for the facility's directory or to persons involved in the individual's care or other notification purposes as provided in 45 CFR § 164.510; (f) for national security or intelligence purposes as provided in 45 CFR § 164.512(k)(2); (g) to correctional institutions or law enforcement officials as provided in 45 CFR § 164.512(k)(5); or (h) as part of a limited data set in accordance with 45 CFR § 164.514(e); or (i) that occurred prior to the compliance date for the covered entity… Such an accounting must meet the following requirements: (1) except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity; (2) except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: the date of the disclosure; the name of the entity or person who received the protected health information and, if known, the address of such entity or person; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such a statement, a copy of the individual's written authorization pursuant to 45 CFR § 164.508 or a copy of a written request for a disclosure under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, if any.

If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, the accounting may, with respect to such multiple disclosures, provide the information required by paragraph (b)(2) of 45 CFR § 164.528 for the first disclosure during the accounting period; the frequency, periodicity, or number of the disclosures made during the accounting period; and the date of the last such disclosure during the accounting period [45 CFR § 164.528].

Modified accounting procedures are also provided for covered entities making research disclosures involving >50 persons [45 CFR § 164.528(b)(4)].

Business associate. A person who, on behalf of a covered entity or of an organized health care arrangement [45 CFR § 154.501] in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or any other function or activity regulated by this subchapter; or provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation [45 CFR § 164.501], management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health-care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the individual [45 CFR § 160.103].

Covered entity. 1) a health plan; 2) a health-care clearinghouse; 3) a health-care provider who transmits any health information in electronic form in connection with a transaction [45 CFR § 160.103].

Covered functions. Those functions of a covered entity the performance of which makes the entity a health plan, health-care provider, or health-care clearinghouse [45 CFR § 164.103].

Data aggregation. With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health-care operations of the respective covered entities [45 CFR § 164.501].

De-identified health information. Health information that does not identify an individual and with respect to which no reasonable basis exists to believe that the information can be used to identify an individual is not individually identifiable information [45 CFR § 164.514(a)].

Disclosure. The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information [45 CFR § 160.103].

Electronic media. 1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or 2) transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission [45 CFR § 160.103].

Health care. Care, services, or supplies related to the health of an individual. It includes, but is not limited to, 1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body; and 2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription [45 CFR § 160.103].

Health-care clearinghouse. A public or private entity, including a billing service, repricing company, community health management information system, community health information system, or value-added network or switch, that 1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or 2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity [45 CFR § 160.103].

Health-care operations. Any of the following activities of the covered entity to the extent that the activities are related to covered functions: 1) conducting quality assessment and improvement activities, population-based activities, and related functions that do not include treatment; 2) reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance, conducting training programs where students learn to practice or improve their skills as health-care providers, training of nonhealth-care professionals, accreditation, certification, licensing, or credentialing activities; 3) underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or benefits; 4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and 6) business management and general administrative activities of the entity [45 CFR § 164.501].

Health-care provider. A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health-care services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other individual or organization that furnishes, bills, or is paid for health care in the normal course of business [45 CFR § 160.103].

Health information. Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health-care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual [45 CFR § 160.103].

Health plan. An individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). Health plan includes the following, singly or in combination: (i) a group health plan, as defined in 45 CFR § 160.103 of the Privacy Rule; (ii) a health insurance issuer, as defined in 45 CFR § 160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 CFR § 160.103 of the Privacy Rule; (iv) Part A or B of the Medicare program under title XVIII of the Act; (v) the Medicaid program under title XIX of the Act, 42 U.S.C. 1396 et seq.; (vi) an issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)); (vii) an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy; (viii) an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers; (ix) the health care program for active military personnel under title 10 U.S.C.; (x) the veterans health-care program under 38 U.S.C. Ch. 17; (xi) the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)); (xii) the Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601 et seq.; (xiii) the Federal Employees Health Benefits Program under 5 U.S.C. 8902 et seq.; (xiv) an approved state child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397 et seq.; (xv) the Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28; (xvi) a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals; (xvii) any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) [45 CFR § 160.103].

The term health plan excludes: (i) any policy, plan, or program to the extent that it provides or pays for the cost of excepted benefits that are listed in § 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and (ii) a government-funded program, other than the ones listed in items (i)-(xvi) above, whose principal purpose is other than providing or paying the cost of health care, or whose principal activity is 1) the direct provision of health care to individuals or 2) the making of grants to fund the direct provision of health care to individuals. [45 CFR § 160.103]

Hybrid entity. A single legal entity 1) that is a covered entity, 2) whose business activities include both covered and noncovered functions, and 3) that designates its health-care components. [45 CFR § 164.103]

Individually identifiable health information. A subset of health information, including demographic information collected from an individual, that 1) is created or received by a health-care provider, health plan, employer, or health-care clearinghouse and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify the individual. [45 CFR § 164.501]

Limited data set. Protected health information that excludes certain direct identifiers of the individual or of relatives, employers, or household members of the individual. The direct identifiers to be excluded are listed in 45 CFR § 164.514(e)(2).

Minimum necessary. For any type of disclosure that a covered entity makes on a routine and recurring basis, the covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. For all other disclosures, covered entities must develop and implement criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought, and review requests for disclosure on an individual basis in accordance with such criteria. A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when (a) making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose; (b) the information is requested by another covered entity; (c) the information is requested by its business associates providing personal services; or (d) documentation or representations that comply with the applicable requirements of 45 CFR § 164.512(i) have been provided by an individual requesting the information for research purposes. [45 CFR § 164.514(d)(3)]

The minimum necessary standard also applies to uses of protected health information [45 CFR § 164.514(d)(2)] and to requests for protected health information [45 CFR § 164.514(d)(4)].

Notice. An individual, with certain exceptions, has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. The notice must be written in plain language and contain the following elements: (i) a header as specified in the rule; (ii) a description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and health care operations, and a description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written consent or authorization. If a use or disclosure is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law (as defined in 45 CFR § 160.202). Each description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule or other applicable law, and a statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by 45 CFR § 164.508(b)(5).

A separate statement must be included in the notice if a covered entity intends to engage in any of the following activities. The statement should explain that 1) the covered entity may contact the individual to provide appointment reminders or information regarding treatment alternatives or other health-related benefits, 2) the covered entity may contact the individual to raise funds for the covered entity, or 3) a group health plan, health insurer, or HMO with respect to a group health plan may disclose protected health information to the sponsor of the plan.

The notice must contain a statement of the individual's rights with respect to the protected health information and a brief description of how the individual may exercise these rights, a statement of the covered entity's duties, a statement that individuals may complain to the covered entity or the Secretary if they believe their privacy rights have been violated, contact information, and the effective date of the notice. [45 CFR § 164.520]

Payment. 1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, or (ii) a health-care provider or health plan to obtain or provide reimbursement for the provision of health care; and 2) the activities relate to the individual to whom health care is provided and include, but are not limited to, (i) determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; (ii) risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance), and related health-care data processing; (iv) review of health-care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services and concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: (a) name and address, (b) date of birth, (c) social security number, (d) payment history, (e) account number, and (f) name and address of the health-care provider or health plan. [45 CFR § 164.501]

Protected health information (PHI). Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in (i) education records covered by the Family Education Rights and Privacy Act (20 U.S.C. 1232g), (ii) records described at 20 U.S.C. 1232g(a)(4)(B)(iv), and (iii) employment records held by a covered entity in its role as employer. [45 CFR § 160.103]

Public health authority. An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or an individual or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or individuals or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate. [45 CFR § 164.501]

Examples of public health authorities include state and local health departments, CDC, the National Institutes of Health (NIH), the Food and Drug Administration (FDA), and the Occupational Safety and Health Administration (OSHA).

Required by law. A mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. This term includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health-care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits. [45 CFR § 164.103]

Research. A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. [45 CFR § 164.501]

Statistical de-identification. A properly qualified statistician, using accepted analytical techniques, concludes that the risk is limited that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information. [45 CFR § 164.514(b)]

Safe harbor method. A covered entity or its agent removes a comprehensive set of identifiers enumerated in the Privacy Rule, which includes but is not limited to names, geographic subdivisions smaller than states, dates more specific than years, contact information, identification numbers, and photographic images, and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual who is a subject of the information or the individual's relatives, employers, or household members. Eighteen specific identifiers must be removed to achieve de-identification. [45 CFR § 164.514(b)]
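The removal step of the safe harbor method, as an added illustrative example that is not part of this MMWR guidance: it handles only the identifier categories the definition above names (the full list of eighteen is in 45 CFR § 164.514(b)), and the record field names it maps onto those categories, as well as the sample record, are constructed assumptions for the example.

```python
"""Illustrative safe-harbor style de-identifier (added example, not CDC code).

Covers only the identifier categories named in the glossary definition:
names, geographic subdivisions smaller than a state, dates more specific
than a year, contact information, identification numbers, and photographic
images. The regulation's complete list of eighteen identifiers is in
45 CFR 164.514(b)(2); the field names below are assumptions of this example.
"""
from __future__ import annotations

import copy
import re
from datetime import date
from typing import Any

# Assumed mapping of a record's column names onto the glossary's categories.
NAME_FIELDS = {"first_name", "last_name", "relative_name", "employer"}
SUBSTATE_GEO_FIELDS = {"street", "city", "county", "zip"}
CONTACT_FIELDS = {"phone", "fax", "email", "url", "ip_address"}
ID_NUMBER_FIELDS = {"ssn", "mrn", "health_plan_id", "account_number",
                    "license_number", "vehicle_id", "device_serial"}
IMAGE_FIELDS = {"photo"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

DIRECT_IDENTIFIER_FIELDS = (NAME_FIELDS | SUBSTATE_GEO_FIELDS | CONTACT_FIELDS
                            | ID_NUMBER_FIELDS | IMAGE_FIELDS)

_ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def generalize_date(value: Any) -> Any:
    """Reduce a date to its year, the only date precision safe harbor keeps.

    Accepts datetime.date objects or ISO 'YYYY-MM-DD' strings. Anything else
    is returned unchanged so that the audit step below can flag it.
    """
    if isinstance(value, date):
        return value.year
    if isinstance(value, str):
        m = _ISO_DATE.match(value.strip())
        if m:
            return int(m.group(1))
    return value


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of `record` with direct identifiers dropped and dates
    generalized to the year. The state field is kept: only geographic
    subdivisions smaller than a state must go."""
    out: dict[str, Any] = {}
    for key, value in copy.deepcopy(record).items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # remove the identifier entirely
        if key in DATE_FIELDS:
            out[key] = generalize_date(value)
        else:
            out[key] = value
    return out


def remaining_identifiers(record: dict[str, Any]) -> list[str]:
    """Audit helper: fields that still carry a direct identifier or a date
    more specific than a year. An empty list means the structural part of
    the safe-harbor check passes; the 'no actual knowledge' condition in the
    definition is a human judgement this code cannot make."""
    leftovers = [k for k in record if k in DIRECT_IDENTIFIER_FIELDS]
    for k in DATE_FIELDS:
        if k in record and not isinstance(record[k], int):
            leftovers.append(k)
    return leftovers


# Constructed sample record with fictitious values.
SAMPLE_RECORD = {
    "first_name": "Pat", "last_name": "Example",
    "street": "1 Example St", "city": "Springfield", "state": "GA",
    "zip": "30333",
    "birth_date": "1970-06-15", "admission_date": date(2003, 5, 1),
    "phone": "555-0100", "mrn": "MRN-000001", "photo": b"...",
    "diagnosis": "measles",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("remaining identifiers:", remaining_identifiers(cleaned))
```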

Transaction. The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information, health care payment and remittance advice, coordination of benefits, health care claim status, enrollment and disenrollment in a health plan, eligibility for a health plan, health plan premium payments, referral certification and authorization, first report of injury, health claims attachments, and other transactions that the Secretary may prescribe by regulation. [45 CFR § 164.103]

Treatment. The provision, coordination, or management of health care and related services by one or more health-care providers, including the coordination or management of health care by a health-care provider with a third party, consultation between health-care providers relating to a patient, or the referral of a patient for health care from one health-care provider to another. [45 CFR § 164.501]

Use. With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. [45 CFR § 160.103]


Appendix B: Sample Text That Can Be Used To Clarify Public Health Issues Under the Privacy Rule

Following are sample letters that can be used to help clarify Privacy Rule issues among covered entities and public health authorities (e.g., CDC, National Institutes of Health, Food and Drug Administration, Substance Abuse and Mental Health Services Administration, Health Resources and Services Administration, and state and local health departments). Public health authorities can use these letters as templates by inserting names of the appropriate individuals, projects, agreements, laws, activity types, covered entities, public health authorities, and authorized agencies.

From a public health authority to a covered entity, clarifying rules regarding disclosure

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is conducting the activity described here in its capacity as a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities such as your organization may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..."

[Public health authority] is conducting [project], a public health activity as described by 45 CFR § 164.512(b), and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule.

If you have questions or concerns, please contact [project leader].

From a public health authority to an authorized agency, providing grant of authority

Dear [authorized agency]:

This letter serves as verification of a grant of authority from [public health authority] for you to conduct the public health activities described here, acting as a public health authority pursuant to the Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act (HIPAA) [45 CFR Parts 160 and 164]. Under this rule, covered entities may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of a public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..."

[Authorized agency] is acting under [contract, grant, cooperative agreement] with [public health authority] to conduct [project], which is authorized by [law or regulation]. [Public health authority] grants this authority to [authorized agency] for purposes of this project. Further, [public health authority] considers this to be [activity type] for which disclosure of protected health information by covered entities is authorized by 45 CFR § 164.512(b) of the Privacy Rule.

From a public health authority to a covered entity, confirming grant of authority to an authorized agency

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities may disclose protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..." [45 CFR § 164.501]. [Authorized agency] is acting under [contract, grant, or cooperative agreement] with [public health authority] to carry out [project]. Through this grant of authority, [authorized agency] may function as a public health authority under the Privacy Rule for purposes of this project.

[Project] is a public health activity as described by 45 CFR § 164.512(b), referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities "... may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purposes when making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s)."

If you have questions or concerns, please contact [project leader for authorized agency, public health authority contact].

All MMWR references are available on the Internet at http://www.cdc.gov/mmwr. Use the search function to find specific articles.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.


The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) and is available free of charge in electronic format and on a paid subscription basis for paper copy. To receive an electronic copy each week, send an e-mail message to listserv@listserv.cdc.gov. The body content should read SUBscribe mmwr-toc. Electronic copy also is available from CDC's Internet server at http://www.cdc.gov/mmwr or from CDC's file transfer protocol server at ftp://ftp.cdc.gov/pub/publications/mmwr. To subscribe for paper copy, contact Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone 202-512-1800.

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

U.S. Government Printing Office: 2003-533-155/69108 Region IV

  • Introduction
  • Impact on Public Health
  • Overview of the Privacy Rule
    • Who Is Covered
    • Types of Health Information
    • What Is Required
  • The Privacy Rule and Public Health
    • Disclosures for Public Health Purposes
    • Requirements for Covered Entities
  • The Privacy Rule and Public Health Research
    • Research Versus Practice
  • The Privacy Rule and Other Laws
  • Online Resources
    • Federal Government Resources
    • State Government Resources
    • Associations, Nonprofit Organizations, and Academic Resources
  • Acknowledgments
  • References
  • Appendix A
  • Appendix B

purpose of the disclosure and describe the PHI routinely disclosed. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period and a description of the frequency or periodicity of such disclosures. For example, the vast amount of data exchanged between covered entities and public health authorities is made through ongoing, regular reporting or inspection requirements. A covered health-care provider may routinely report all cases of measles it diagnoses to the local public health authority. An accounting of such disclosures to a requesting individual would need to identify the local public health authority receiving the PHI, the PHI disclosed, the purpose of the disclosure (required for communicable disease surveillance), the periodicity (weekly), and the first and last dates of such disclosures during the accounting period (May 1, 2003, to June 1, 2003). Thus, the covered entity would not need to annotate each patient's medical record whenever a routine public health disclosure was made.

Notice of Privacy Practices

With certain exceptions, under the Privacy Rule individuals have the right to adequate notice of the uses and disclosures of PHI that may be made by the covered entity, as well as of their rights and the covered entity's legal obligations. Notices must be in plain language and clearly posted. Certain covered entities must make a good faith effort to obtain an individual's acknowledgment of receipt of this notice. In certain cases, notice may be provided electronically.

Minimum Necessary Standard

The Privacy Rule usually directs covered entities to limit the amount of information disclosed to the minimum necessary to achieve the specified goal [45 CFR § 164.514(d)(1)]. This requirement usually applies to disclosures to a public health agency. It would not apply, however, if the disclosure were required by law, authorized by the individual, or for treatment purposes. A covered entity may also reasonably rely on a public official's determination that the information requested is the minimum necessary for the public health purpose.

Public Health Authorities Performing Covered Functions

Public health authorities at the federal, tribal, state, or local levels that perform covered functions (e.g., providing health care or insuring individuals for health-care costs) may be subject to the Privacy Rule's provisions as covered entities. For example, a local public health authority that operates a health clinic providing essential health-care services to low-income persons and performs certain electronic transactions might be defined under the Privacy Rule as a covered health-care provider and therefore a covered entity. Flow charts and interactive tools designed to help determine covered entity status are provided online by the Centers for Medicare and Medicaid Services, available at http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp.

The following are examples of public health authority functions that make them covered entities:

• Public health authorities as covered health-care providers. A public health authority that conducts health care as part of its activities is a covered health-care provider if it also performs electronic transactions covered by the HIPAA Transactions Rule as part of these activities. The fact that these activities are conducted in pursuit of a public health goal (e.g., vaccinating children or screening a targeted population for sexually transmitted diseases) does not preclude the public health authority from being a covered entity.

• Public health authorities as health plans. Under the Privacy Rule, a health plan is an individual or group plan that provides or pays the cost of medical care. This specifically includes government health plans (e.g., Medicare, Medicaid, or Veterans Health Administration). However, the Privacy Rule defines health plan to exclude government-funded programs whose principal activity is the direct provision of health care to persons or the making of grants to fund the direct provision of health care to persons [45 CFR § 160.103]. Examples include the Ryan White Comprehensive AIDS Resources Emergency Act. Although certain government programs that fund providers directly may not be health plans, government programs that reimburse providers or otherwise fund providers to perform direct health-care services should carefully analyze the details of their programs to determine if they are performing covered functions.

• Public health authorities as health-care clearinghouses. Although unlikely, a public health authority might be a health-care clearinghouse if it receives health information from another entity and translates that information from a nonstandard format into a standard transaction or standard data elements (or vice versa). Operators of community health information systems should carefully consider whether they meet the definition of a health-care clearinghouse.

• Public health agencies as hybrid entities. A public health agency that is a covered entity and has both covered and noncovered functions may become a hybrid entity by designating its health-care components. By designating itself as a hybrid entity, a public health authority can carve out its noncovered functions so that the majority of Privacy Rule provisions apply only to its health-care component, which is required to comply with the Privacy Rule requirements, including using and disclosing PHI only as authorized, meeting the administrative requirements, accounting for disclosure of PHI, and providing a notice of practices. However, such a designation does not preclude the public health authority from continuing to conduct authorized public health functions. A covered entity that is also a public health authority may use, as well as disclose, PHI for public health purposes to the same extent it would be permitted to disclose the PHI as a public health authority.

The Privacy Rule and Public Health Research

The topic of research under the Privacy Rule is covered in depth in the DHHS report Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (6). The Privacy Rule provides separate provisions for disclosure without individual authorization for public health purposes and for certain research [45 CFR § 164.512(b)] [45 CFR § 164.512(i)]. Other federal law pertaining to research stresses the importance of distinguishing between research and practice to ensure that human subjects are appropriately protected [45 CFR Part 46]. For certain activities, this distinction is not always clear. A full discussion of the distinctions between public health practice and research is beyond the scope of this document. However, CDC and others provide guidance in this area (7-9).

Research Versus Practice

The definition of research is the same for the Privacy Rule and the Common Rule (10): systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Research is designed to test a hypothesis, permit conclusions to be drawn, and thereby to develop or contribute to generalizable knowledge. The majority of public health activities (e.g., public health surveillance and disease prevention and control projects) are based on scientific evidence and data collection or analytic methods similar to those used in research. However, they are not designed to contribute to generalizable knowledge. Their primary purpose is to protect the health of the population through such activities as disease surveillance, prevention, or control.

The Belmont Report (11) defines practice as interventions designed solely to enhance the well-being of a person, patient, or client and which have a reasonable expectation of success. The report further states that the purpose of medical or behavioral practice is to provide diagnosis, preventive treatment, or therapy to particular patients. For public health agencies, the patient is the community. Public health practice activities (e.g., public health surveillance, disease control, or program evaluation) are undertaken with the intent to benefit a specific community, although occasionally they may provide unintended generalizable benefits to others.

Some public health activities that are initially public health practice may subsequently evolve into a research activity (e.g., an investigation to determine the cause of an outbreak that incorporates a research study evaluating the efficacy of a new drug to treat the illness). When that is the case, the disclosures may be made initially under the public health provisions of the Privacy Rule. But when the activity becomes an ongoing research activity, the entity should consider application of the relevant research disclosure provisions to continue to obtain information for this purpose. Moreover, there may be cases where the activity is both research and public health practice (e.g., an ongoing survey to monitor health conditions in the population, data from which can also be analyzed for research purposes). In those cases, disclosures may be made either under the research provisions or the public health provisions, as appropriate; the covered entity need not comply with both sets of requirements.

The Privacy Rule and Other Laws

• Federal laws. Covered entities subject to the Privacy Rule are also subject to other federal statutes and regulations. The specific relationship of the Privacy Rule and certain federal laws is discussed in the preamble to the December 2000 Final Rule [65 Fed. Reg. 82481]. In certain instances, the Privacy Rule imposes requirements in direct conflict with other federal laws or regulations. In those instances, an analysis will be necessary to determine whether the later provision was intended to overrule the prior law or regulation.

• State laws. As a federal regulatory standard, the Privacy Rule preempts only those contrary state laws relating to the privacy of individually identifiable health information that have less stringent requirements or standards than the Privacy Rule (i.e., more stringent laws remain in effect). In addition, DHHS may, upon specific request from a state or other entity or person, determine that a provision of state law that is contrary to the federal requirements and that meets certain additional criteria will not be preempted by the federal requirements. Thus, preemption of a contrary state law will not occur if the Secretary or designated DHHS official determines, in response to a request, that the state law 1) is necessary to prevent fraud and abuse related to the provision of or payment for health care; 2) is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation; 3) is necessary for state reporting on health-care delivery or costs; 4) is necessary to serve a compelling public health, safety, or welfare need and, if a Privacy Rule provision is at issue, the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or 5) has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances. The Privacy Rule specifically does not preempt contrary state public health laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention [45 CFR § 160.202].

Online Resources

References to non-DHHS sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

Federal Government Resources

DHHS Office for Civil Rights — HIPAA guidelines
http://www.hhs.gov/ocr/hipaa

CDC — Privacy Rule guidelines
http://www.cdc.gov/privacyrule

Centers for Medicare and Medicaid Services
http://www.cms.gov/hipaa
http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp

Health Resources and Services Administration — HIPAA
http://www.hrsa.gov/website.htm

National Center for Health Statistics
http://www.cdc.gov/nchs/otheract/phdsc/phdsc.htm

National Committee on Vital and Health Statistics
http://www.ncvhs.hhs.gov

National Health Information Infrastructure
http://www.health.gov/ncvhs-nhii

Indian Health Service — HIPAA
http://www.ihs.gov/AdminMngrResources/HIPAA/index.cfm

National Institutes of Health
http://privacyruleandresearch.nih.gov

Substance Abuse and Mental Health Services Administration — HIPAA
http://www.samhsa.gov/hipaa

State Government Resources

California
http://www.dhs.ca.gov/hipaa
http://www.ohi.ca.gov/state/calohi/ohiHome.jsp
http://www.dmh.ca.gov/hipaa

Colorado
http://www.cdphe.state.co.us/HIPAA

Florida
http://www.myflorida.com/myflorida/sto/hipaa

Illinois
http://www.state.il.us/dpa/hipaa.html

Kentucky
http://chs.state.ky.us/dms/HIPAA/default.htm
http://dmhmrs.chr.state.ky.us/hipaa.asp

Maryland
http://www.mhcc.state.md.us/edi/hipaa_hipaa.htm
http://dhmh.state.md.us/HIPAA

Minnesota
http://www.dhs.state.mn.us/hipaa

Missouri
http://www.health.state.mo.us/HIPAA

New York
http://www.oft.state.ny.us/hipaa/index.htm

North Carolina
http://dirm.state.nc.us/hipaa

Ohio
http://www.state.oh.us/hipaa

Pennsylvania
http://www.dpw.state.pa.us/omap/hipaa/omaphipaa.asp
http://www.insurance.state.pa.us/html/hipaa.html

South Carolina
http://www.hipaa.state.sc.us

Texas
http://www.hhsc.state.tx.us/NDIS/NDISTaskForce.html

Virginia
http://www.dmas.state.va.us/hpa-home.htm

Wisconsin
http://www.dhfs.state.wi.us/HIPAA

Associations, Nonprofit Organizations, and Academic Resources

American Hospital Association — HIPAA
http://www.hospitalconnect.com/aha/key_issues/hipaa/resources/resources.html

American Medical Association — HIPAA
http://www.ama-assn.org/ama/pub/category/4234.html

Association of State and Territorial Health Officials — HIPAA
http://www.astho.org/?template=hipaa.html

Georgetown University Health Privacy Project
http://www.healthprivacy.org

Joint Healthcare Information Technology Alliance
http://www.jhita.org

National Association of Health Data Organizations
http://www.nahdo.org

National Association of Insurance Commissioners
http://www.naic.org/1privacy/initiatives/health_privacy.htm

National Governors Association — HIPAA
http://www.nga.org/center/topics/1,1188,C_CENTER_ISSUE^D_432,00.html

North Carolina Healthcare Information and Communications Alliance
http://www.nchica.org

Public Health Grand Rounds: HIPAA Privacy Rule, Enhancing or Harming Public Health
http://www.publichealthgrandrounds.unc.edu

Stanford University Medical School — HIPAA
http://www.med.stanford.edu/HIPAA

Workgroup for Electronic Data Interchange — Strategic National Implementation Process
http://www.wedi.org/snip

Acknowledgments

This report was prepared by Salvatore Lucido, M.P.A., and Denise Koo, M.D., Office of the Associate Director for Science, Epidemiology Program Office, CDC, in collaboration with James G. Hodge, Jr., J.D., Center for Law and the Public's Health, Georgetown and Johns Hopkins Universities, Baltimore, Maryland. The preparers are grateful for the participation of Deborah Tress, J.D., Kenya Ford, J.D., and Heather Horton, J.D., Office of the General Counsel, Department of Health and Human Services, CDC/ATSDR Branch; the CDC Working Group on the Privacy Rule; and Beverly Dozier, J.D., Lance A. Gable, J.D., Lawrence O. Gostin, J.D., Gail Horlick, J.D., and Jennifer Kurle.

The preparers also thank the following partners for their valuable input: Association of State and Territorial Health Officers, Council of State and Territorial Epidemiologists, National Association of County and City Health Officials, National Association of Health Data Organizations, Association of Public Health Laboratories, and National Association for Public Health Statistics and Information Systems.


Appendix A. Selected Privacy Rule Concepts and Definitions

The following concepts and definitions are adapted from the regulatory language. For further information, see the citations to the Privacy Rule.

Accounting. An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures (a) to carry out treatment, payment, and health care operations [45 CFR § 164.506]; (b) to individuals of protected health information about them [45 CFR § 164.502]; (c) incident to a use or disclosure otherwise permitted or required by this subpart, as provided in 45 CFR § 164.502; (d) pursuant to an authorization as provided in 45 CFR § 164.508; (e) for the facility's directory or to persons involved in the individual's care or other notification purposes as provided in 45 CFR § 164.510; (f) for national security or intelligence purposes as provided in 45 CFR § 164.512(k)(2); (g) to correctional institutions or law enforcement officials as provided in 45 CFR § 164.512(k)(5); (h) as part of a limited data set in accordance with 45 CFR § 164.514(e); or (i) that occurred prior to the compliance date for the covered entity … Such an accounting must meet the following requirements: (1) except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual, as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity; (2) except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: the date of the disclosure; the name of the entity or person who received the protected health information and, if known, the address of such entity or person; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such a statement, a copy of the individual's written authorization pursuant to 45 CFR § 164.508 or a copy of a written request for a disclosure under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, if any.

If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, the accounting may, with respect to such multiple disclosures, provide the information required by paragraph (b)(2) of 45 CFR § 164.528 for the first disclosure during the accounting period; the frequency, periodicity, or number of the disclosures made during the accounting period; and the date of the last such disclosure during the accounting period [45 CFR § 164.528].

Modified accounting procedures are also provided for covered entities making research disclosures involving >50 persons [45 CFR § 164.528(b)(4)].
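The accounting requirement above is, in practice, a disclosure log with a fixed set of fields, a look-back window, a list of excluded disclosure types, and a rule for collapsing repeated disclosures to one recipient for one purpose. The following is an added example, not part of the MMWR report or of any DHHS tool, showing one way to keep such a log and produce the accounting. The `Disclosure` record layout, the basis labels, the constructed `SAMPLE_LOG`, and the assumed `COMPLIANCE_DATE` are illustration choices; the rules implemented (six-year window that the individual may shorten, the exclusions in 164.528(a)(1), the per-entry fields in 164.528(b)(2), and the first/count/last summary for repeated disclosures under 164.502(a)(2)(ii) or 164.512) are the ones the definition states.

```python
"""Accounting of disclosures (45 CFR 164.528) over a disclosure log.

Added example, not part of the MMWR report. Record layout, basis labels,
SAMPLE_LOG and COMPLIANCE_DATE are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Disclosure types that 164.528(a)(1) excludes from the accounting.
EXEMPT_BASES = {
    "164.506 treatment/payment/operations",
    "164.502 to the individual",
    "164.502 incidental",
    "164.508 authorization",
    "164.510 directory or involved in care",
    "164.512(k)(2) national security",
    "164.512(k)(5) correctional/law enforcement",
    "164.514(e) limited data set",
}


@dataclass(frozen=True)
class Disclosure:
    when: date
    recipient: str
    address: Optional[str]   # included "if known"
    description: str         # brief description of the PHI disclosed
    purpose: str             # statement that informs the individual of the basis
    basis: str               # Privacy Rule provision relied on


def _aggregatable(basis: str) -> bool:
    """164.528(b)(3): repeated disclosures under 164.502(a)(2)(ii) or 164.512
    to one recipient for one purpose may be summarized as first/count/last."""
    return basis.startswith("164.512") or basis.startswith("164.502(a)(2)(ii)")


def _years_before(d: date, n: int) -> date:
    try:
        return d.replace(year=d.year - n)
    except ValueError:             # 29 February, target year is not a leap year
        return d.replace(year=d.year - n, day=28)


def accounting(log, request_date, compliance_date, years=6):
    """Return the entries the individual is entitled to receive.

    `years` may be shortened at the individual's request (164.528(a)(3)).
    Nothing before the covered entity's compliance date is reported.
    """
    start = max(_years_before(request_date, years), compliance_date)
    in_scope = sorted(
        (d for d in log
         if start <= d.when < request_date and d.basis not in EXEMPT_BASES),
        key=lambda d: d.when)
    entries, open_groups = [], {}
    for d in in_scope:
        key = (d.recipient, d.purpose, d.basis)
        if _aggregatable(d.basis) and key in open_groups:
            group = open_groups[key]      # same recipient and purpose: fold in
            group["count"] += 1
            group["last"] = d.when
            continue
        entry = {"date": d.when, "recipient": d.recipient, "address": d.address,
                 "description": d.description, "purpose": d.purpose}
        if _aggregatable(d.basis):
            entry.update(count=1, last=d.when)
            open_groups[key] = entry
        entries.append(entry)
    return entries


COMPLIANCE_DATE = date(2003, 4, 14)   # assumed compliance date for this entity
SAMPLE_LOG = [                        # constructed sample; not real disclosures
    Disclosure(date(2002, 12, 1), "State Health Department", "1 Capitol Sq.",
               "TB case report", "disease reporting", "164.512(b) public health"),
    Disclosure(date(2003, 5, 1), "Dr. Example", None, "full chart",
               "treatment", "164.506 treatment/payment/operations"),
    Disclosure(date(2003, 6, 2), "State Health Department", "1 Capitol Sq.",
               "TB case report", "disease reporting", "164.512(b) public health"),
    Disclosure(date(2003, 7, 2), "State Health Department", "1 Capitol Sq.",
               "TB follow-up", "disease reporting", "164.512(b) public health"),
    Disclosure(date(2003, 8, 2), "State Health Department", "1 Capitol Sq.",
               "TB follow-up", "disease reporting", "164.512(b) public health"),
    Disclosure(date(2004, 1, 15), "Research Registry", None, "lab results",
               "research", "164.508 authorization"),
    Disclosure(date(2004, 3, 3), "County Court", "Courthouse", "visit dates",
               "subpoena", "164.512(e) judicial proceeding"),
]


def demo(request_iso="2004-06-01", years=6):
    """Accounting for the sample log as of an ISO-formatted request date."""
    return accounting(SAMPLE_LOG, date.fromisoformat(request_iso),
                      COMPLIANCE_DATE, years)
```

For the sample log, `demo()` yields two entries: the three public health reports to the state health department collapse into one entry dated 2003-06-02 with a count of 3 and a last date of 2003-08-02, and the court disclosure stands alone; the treatment disclosure, the authorized research disclosure, and the report made before the compliance date are all omitted.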

Business associate. A person who, on behalf of a covered entity or of an organized health care arrangement [45 CFR § 164.501] in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or any other function or activity regulated by this subchapter; or provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation [45 CFR § 164.501], management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health-care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the individual [45 CFR § 160.103].

Covered entity. 1) A health plan; 2) a health-care clearinghouse; 3) a health-care provider who transmits any health information in electronic form in connection with a transaction [45 CFR § 160.103].

Covered functions. Those functions of a covered entity the performance of which makes the entity a health plan, health-care provider, or health-care clearinghouse [45 CFR § 164.103].

Data aggregation. With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health-care operations of the respective covered entities [45 CFR § 164.501].

De-identified health information. Health information that does not identify an individual, and with respect to which no reasonable basis exists to believe that the information can be used to identify an individual, is not individually identifiable information [45 CFR § 164.514(a)].

Disclosure. The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information [45 CFR § 160.103].

Electronic media. 1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or 2) transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission [45 CFR § 160.103].

Health care. Care, services, or supplies related to the health of an individual. It includes, but is not limited to, 1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual, or that affects the structure or function of the body; and 2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription [45 CFR § 160.103].

Health-care clearinghouse. A public or private entity, including a billing service, repricing company, community health management information system or community health information system, or value-added network or switch, that 1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or 2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity [45 CFR § 160.103].

Health-care operations. Any of the following activities of the covered entity, to the extent that the activities are related to covered functions: 1) conducting quality assessment and improvement activities, population-based activities, and related functions that do not include treatment; 2) reviewing the competence or qualifications of health care professionals; evaluating practitioner, provider, and health plan performance; conducting training programs where students learn to practice or improve their skills as health-care providers; training of non-health-care professionals; and accreditation, certification, licensing, or credentialing activities; 3) underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or benefits; 4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration and development or improvement of methods of payment or coverage policies; and 6) business management and general administrative activities of the entity [45 CFR § 164.501].

Health-care provider. A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health-care services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other individual or organization that furnishes, bills, or is paid for health care in the normal course of business [45 CFR § 160.103].

Health information. Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health-care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual [45 CFR § 160.103].

Health plan. An individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). Health plan includes the following, singly or in combination: (i) a group health plan, as defined in 45 CFR § 160.103 of the Privacy Rule; (ii) a health insurance issuer, as defined in 45 CFR § 160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 CFR § 160.103 of the Privacy Rule; (iv) Part A or B of the Medicare program under title XVIII of the Act; (v) the Medicaid program under title XIX of the Act, 42 U.S.C. 1396 et seq.; (vi) an issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)); (vii) an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy; (viii) an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers; (ix) the health care program for active military personnel under title 10, U.S.C.; (x) the veterans health-care program under 38 U.S.C. Ch. 17; (xi) the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)); (xii) the Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601 et seq.; (xiii) the Federal Employees Health Benefits Program under 5 U.S.C. 8902 et seq.; (xiv) an approved state child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397 et seq.; (xv) the Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28; (xvi) a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals; (xvii) any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) [45 CFR § 160.103].

The term health plan excludes (i) any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in § 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and (ii) a government-funded program, other than one listed in items (i)-(xvi) above, whose principal purpose is other than providing, or paying the cost of, health care, or whose principal activity is 1) the direct provision of health care to individuals or 2) the making of grants to fund the direct provision of health care to individuals [45 CFR § 160.103].

Hybrid entity. A single legal entity 1) that is a covered entity; 2) whose business activities include both covered and noncovered functions; and 3) that designates its health-care components [45 CFR § 164.103].

Individually identifiable health information. A subset of health information, including demographic information collected from an individual, that 1) is created or received by a health-care provider, health plan, employer, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual [45 CFR § 164.501].

Limited data set. Protected health information that excludes certain direct identifiers of the individual or of relatives, employers, or household members of the individual. The direct identifiers to be excluded are listed in 45 CFR § 164.514(e)(2).

Minimum necessary. For any type of disclosure that a covered entity makes on a routine and recurring basis, the covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. For all other disclosures, covered entities must develop and implement criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought, and review requests for disclosure on an individual basis in accordance with such criteria. A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when (a) making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose; (b) the information is requested by another covered entity; (c) the information is requested by a business associate of the covered entity for the purpose of providing professional services to it; or (d) documentation or representations that comply with the applicable requirements of 45 CFR § 164.512(i) have been provided by an individual requesting the information for research purposes [45 CFR § 164.514(d)(3)].

The minimum necessary standard also applies to uses of protected health information [45 CFR § 164.514(d)(2)] and to requests for protected health information [45 CFR § 164.514(d)(4)].

Notice. An individual, with certain exceptions, has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. The notice must be written in plain language and contain the following elements: (i) a header as specified in the rule; (ii) a description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and health care operations, and a description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written consent or authorization. If a use or disclosure is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law (as defined in 45 CFR § 160.202). Each description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule or other applicable law, and a statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by 45 CFR § 164.508(b)(5).

A separate statement must be included in the notice if a covered entity intends to engage in any of the following activities. The statement should explain that 1) the covered entity may contact the individual to provide appointment reminders or information regarding treatment alternatives or other health-related benefits; 2) the covered entity may contact the individual to raise funds for the covered entity; or 3) a group health plan, health insurer, or HMO with respect to a group health plan may disclose protected health information to the sponsor of the plan.

The notice must contain a statement of the individual's rights with respect to the protected health information and a brief description of how the individual may exercise these rights; a statement of the covered entity's duties; a statement that individuals may complain to the covered entity or the Secretary if they believe their privacy rights have been violated; contact information; and the effective date of the notice [45 CFR § 164.520].

Payment. 1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, or (ii) a health-care provider or health plan to obtain or provide reimbursement for the provision of health care; and 2) the activities relate to the individual to whom health care is provided and include, but are not limited to, (i) determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; (ii) risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance), and related health-care data processing; (iv) review of health-care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services and concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: (a) name and address; (b) date of birth; (c) social security number; (d) payment history; (e) account number; and (f) name and address of the health-care provider or health plan [45 CFR § 164.501].

Protected health information (PHI). Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in (i) education records covered by the Family Educational Rights and Privacy Act (20 U.S.C. 1232g); (ii) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a covered entity in its role as employer [45 CFR § 160.103].

Public health authority. An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or an individual or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or individuals or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate [45 CFR § 164.501].

Examples of public health authorities include state and local health departments, CDC, the National Institutes of Health (NIH), the Food and Drug Administration (FDA), and the Occupational Safety and Health Administration (OSHA).

Required by law. A mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. This term includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health-care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits [45 CFR § 164.103].

Research. A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge [45 CFR § 164.501].

Statistical de-identification. A properly qualified statistician, using accepted analytical techniques, concludes that the risk is limited that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information [45 CFR § 164.514(b)].

Safe harbor method. A covered entity or its agent removes a comprehensive set of identifiers enumerated in the Privacy Rule, which includes but is not limited to names, geographic subdivisions smaller than states, dates more specific than years, contact information, identification numbers, and photographic images, and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual who is a subject of the information or the individual's relatives, employers, or household members. Eighteen specific identifiers must be removed to achieve de-identification [45 CFR § 164.514(b)].
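The safe harbor method and the limited data set defined above differ only in which identifiers are removed and how dates and geography are treated, so one piece of code can show both. The following is an added example, not part of the MMWR report or of any DHHS tool. The flat record layout, the constructed `SAMPLE` record, the reference date `AS_OF`, and the toy `ZIP3_POPULATION` table are illustration choices; the identifier lists follow 45 CFR 164.514(b)(2) (the 18 safe-harbor identifiers, with dates reduced to the year, ages over 89 collapsed to "90 or older", and ZIP codes reduced to three digits only where that area holds more than 20,000 people) and 164.514(e)(2) (the direct identifiers a limited data set excludes, while town or city, state, ZIP code, and dates are kept). The "no actual knowledge" condition is a human judgment the code cannot make.

```python
"""Safe-harbor de-identification (164.514(b)(2)) and limited data set
(164.514(e)(2)) over a flat patient record.

Added example, not part of the MMWR report. Record layout, SAMPLE, AS_OF
and ZIP3_POPULATION are assumptions made for illustration.
"""
import re
from datetime import date

ISO_DATE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")
AS_OF = date(2003, 4, 14)          # assumed reference date for computing ages

# Safe harbor, 164.514(b)(2)(i): fields removed outright. Dates and ages,
# item (C), are transformed rather than dropped (see safe_harbor()).
SAFE_HARBOR_DROP = {
    "name",                                                      # (A)
    "street", "city", "county", "zip",                           # (B) below state
    "phone", "fax", "email",                                     # (D)-(F)
    "ssn", "mrn", "beneficiary_no", "account_no", "license_no",  # (G)-(K)
    "vehicle_id", "device_serial", "url", "ip",                  # (L)-(O)
    "fingerprint", "photo", "other_unique_code",                 # (P)-(R)
}
# Limited data set, 164.514(e)(2): same direct identifiers, except that
# town/city, state and ZIP stay, all dates stay, and item (R) is not listed.
LIMITED_DATA_SET_DROP = SAFE_HARBOR_DROP - {"city", "zip", "other_unique_code"}

# Constructed population per 3-digit ZIP prefix; a real implementation would
# use census figures for the 20,000-person test in 164.514(b)(2)(i)(B).
ZIP3_POPULATION = {"021": 650_000, "036": 15_000}


def _parse_date(value):
    m = ISO_DATE.match(value) if isinstance(value, str) else None
    return date(int(m[1]), int(m[2]), int(m[3])) if m else None


def _age(birth, as_of):
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def safe_harbor(record, as_of=AS_OF):
    """Return a copy of `record` with the 18 safe-harbor identifiers handled."""
    out = {k: v for k, v in record.items() if k not in SAFE_HARBOR_DROP}
    # (B): only the first three ZIP digits survive, and only if that ZIP3
    # area holds more than 20,000 people; otherwise the prefix becomes "000".
    zip3 = str(record.get("zip") or "")[:3]
    if zip3:
        out["zip3"] = zip3 if ZIP3_POPULATION.get(zip3, 0) > 20_000 else "000"
    # (C): every date directly related to the individual keeps only its year.
    for key, value in list(out.items()):
        if key.endswith("_date") and _parse_date(value):
            out[key] = value[:4]
    # (C): ages over 89 collapse to "90+", and the birth year (which would
    # reveal such an age) is removed with them.
    birth = _parse_date(record.get("birth_date"))
    if birth:
        age = _age(birth, as_of)
        if age > 89:
            out["age"] = "90+"
            out.pop("birth_date", None)
        else:
            out["age"] = age
    return out


def limited_data_set(record):
    """Return the limited data set: direct identifiers gone, dates/ZIP kept."""
    return {k: v for k, v in record.items() if k not in LIMITED_DATA_SET_DROP}


SAMPLE = {   # constructed record; not a real person
    "name": "Jane Q. Example", "street": "12 Main St", "city": "Anytown",
    "county": "Grafton", "state": "NH", "zip": "03650",
    "phone": "603-555-0100", "email": "jane@example.org",
    "ssn": "000-00-0000", "mrn": "MRN-0001", "photo": "jane.jpg",
    "birth_date": "1910-03-04", "admission_date": "2003-02-11",
    "discharge_date": "2003-02-14", "diagnosis": "community-acquired pneumonia",
}


def demo():
    """Both transformations of the sample record."""
    return safe_harbor(SAMPLE), limited_data_set(SAMPLE)
```

Run on the sample, the safe-harbor output keeps only the state, the diagnosis, the admission and discharge years, an age of "90+", and a ZIP prefix of "000" (the constructed ZIP3 area is below the 20,000-person threshold); the limited data set keeps the town, ZIP code, and full dates but drops the name, street, county, and other direct identifiers. Unknown ZIP prefixes are treated as below the threshold, which is the conservative choice.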

Transaction. The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions that the Secretary may prescribe by regulation [45 CFR § 164.103].

Treatment. The provision, coordination, or management of health care and related services by one or more health-care providers, including the coordination or management of health care by a health-care provider with a third party; consultation between health-care providers relating to a patient; or the referral of a patient for health care from one health-care provider to another [45 CFR § 164.501].

Use. With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information [45 CFR § 160.103].


Appendix BSample Text That Can Be Used To Clarify Public Health Issues

Under the Privacy Rule

pursuant to the Standards for Privacy of Individually Identifi-able Health Information promulgated under the HealthInsurance Portability and Accountability Act (HIPAA) [45CFR Parts 160 and 164)] Under this rule covered entitiesmay disclose without individual authorization protectedhealth information to public health authorities ldquo autho-rized by law to collect or receive such information for the pur-pose of preventing or controlling disease injury or disabilityincluding but not limited to the reporting of disease injuryvital events such as birth or death and the conduct of publichealth surveillance public health investigations and publichealth interventions rdquo The definition of a public health au-thority includes ldquo an individual or entity acting under a grantof authority from or contract with such public agency rdquo

[Authorized agency] is acting under [contract grant coop-erative agreement] with [public health authority] to conduct[project] which is authorized by [law or regulation] [Publichealth authority] grants this authority to [authorized agency]for purposes of this project Further [public health authority]considers this to be [activity type] for which disclosure ofprotected health information by covered entities is authorizedby 45 CFR sect 164512(b) of the Privacy Rule

From a public health authority to a covered entity con-firming grant of authority to an authorized agencyTo Whom It May Concern

[Public health authority] is an agency of [parent authority]and is a public health authority as defined by the HealthInsurance Portability and Accountability Act (HIPAA) Stan-dards for Privacy of Individually Identifiable Health Informa-tion Final Rule (Privacy Rule)[45 CFR sect 164501] Pursuantto 45 CFR sect 164512(b) of the Privacy Rule covered entitiesmay disclose protected health information to public healthauthorities ldquo authorized by law to collect or receive suchinformation for the purpose of preventing or controlling dis-ease injury or disability including but not limited to thereporting of disease injury vital events such as birth or deathand the conduct of public health surveillance public healthinvestigations and public health interventions rdquo The defi-nition of public health authority includes ldquo an individualor entity acting under a grant of authority from or contractwith such public agency rdquo [45 CFR sect 164501] [Autho-rized agency] is acting under [contract grant or cooperativeagreement] with [public health authority] to carry out [project]

Following are sample letters that can be used to help clarifyPrivacy Rule issues among covered entities and public healthauthorities (eg CDC National Institutes of Health Foodand Drug Administration Substance Abuse and Mental HealthServices Administration Health Resources and ServicesAdministration state and local health departments) Publichealth authorities can use these letters as templates by insert-ing names of the appropriate individuals projects agreementslaws activity types covered entities public health authoritiesand authorized agencies

From a public health authority to a covered entity, clarifying rules regarding disclosure

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is conducting the activity described here in its capacity as a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities such as your organization may disclose, without individual authorization, protected health information to public health authorities “… authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ….”

[Public health authority] is conducting [project], a public health activity as described by 45 CFR § 164.512(b), and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule.

If you have questions or concerns, please contact [project leader].

From a public health authority to an authorized agency, providing grant of authority

Dear [authorized agency]:

This letter serves as verification of a grant of authority from [public health authority] for you to conduct the public health activities described here, acting as a public health authority. Through this grant of authority, [authorized agency] may function as a public health authority under the Privacy Rule for purposes of this project.

[Project] is a public health activity as described by 45 CFR § 164.512(b), referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities “… may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purposes when making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s).”

If you have questions or concerns, please contact [project leader for authorized agency, public health authority contact].

All MMWR references are available on the Internet at http://www.cdc.gov/mmwr. Use the search function to find specific articles.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) and is available free of charge in electronic format and on a paid subscription basis for paper copy. To receive an electronic copy each week, send an e-mail message to listserv@listserv.cdc.gov. The body content should read SUBscribe mmwr-toc. Electronic copy also is available from CDC's Internet server at http://www.cdc.gov/mmwr or from CDC's file transfer protocol server at ftp://ftp.cdc.gov/pub/publications/mmwr. To subscribe for paper copy, contact Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone 202-512-1800.

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

U.S. Government Printing Office: 2003-533-15569108 Region IV


Rule provisions apply only to its health-care component, which is required to comply with the Privacy Rule requirements, including using and disclosing PHI only as authorized, meeting the administrative requirements, accounting for disclosure of PHI, and providing a notice of practices. However, such a designation does not preclude the public health authority from continuing to conduct authorized public health functions. A covered entity that is also a public health authority may use, as well as disclose, PHI for public health purposes to the same extent it would be permitted to disclose the PHI as a public health authority.

The Privacy Rule and Public Health Research

The topic of research under the Privacy Rule is covered in depth in the DHHS report Protecting Personal Health Information in Research — Understanding the HIPAA Privacy Rule (6). The Privacy Rule provides separate provisions for disclosure without individual authorization for public health purposes and for certain research [45 CFR § 164.512(b)] [45 CFR § 164.512(i)]. Other federal law pertaining to research stresses the importance of distinguishing between research and practice to ensure that human subjects are appropriately protected [45 CFR Part 46]. For certain activities, this distinction is not always clear. A full discussion of the distinctions between public health practice and research is beyond the scope of this document. However, CDC and others provide guidance in this area (7–9).

Research Versus Practice

The definition of research is the same for the Privacy Rule and the Common Rule (10) — a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. Research is designed to test a hypothesis, permit conclusions to be drawn, and thereby to develop or contribute to generalizable knowledge. The majority of public health activities (e.g., public health surveillance and disease prevention and control projects) are based on scientific evidence and data collection or analytic methods similar to those used in research. However, they are not designed to contribute to generalizable knowledge. Their primary purpose is to protect the health of the population through such activities as disease surveillance, prevention, or control.

The Belmont Report (11) defines practice as interventions designed solely to enhance the well-being of a person, patient, or client and which have reasonable expectation of success. The report further states that the purpose of medical or behavioral practice is to provide diagnosis, preventive treatment, or therapy to particular patients. For public health agencies, the patient is the community. Public health practice activities (e.g., public health surveillance, disease control, or program evaluation) are undertaken with the intent to benefit a specific community, although occasionally they may provide unintended generalizable benefits to others.

Some public health activities that are initially public health practice may subsequently evolve into a research activity (e.g., an investigation to determine the cause of an outbreak that incorporates a research study evaluating the efficacy of a new drug to treat the illness). When that is the case, the disclosures may be made initially under the public health provisions of the Privacy Rule. But when the activity becomes an ongoing research activity, the entity should consider application of the relevant research disclosure provisions to continue to obtain information for this purpose. Moreover, there may be cases where the activity is both research and public health practice (e.g., an ongoing survey to monitor health conditions in the population, data from which can also be analyzed for research purposes). In those cases, disclosures may be made either under the research provisions or the public health provisions, as appropriate — the covered entity need not comply with both sets of requirements.

The Privacy Rule and Other Laws

• Federal laws. Covered entities subject to the Privacy Rule are also subject to other federal statutes and regulations. The specific relationship of the Privacy Rule and certain federal laws is discussed in the preamble to the December 2000 Final Rule [65 Fed. Reg. 82481]. In certain instances, the Privacy Rule imposes requirements in direct conflict with other federal laws or regulations. In those instances, an analysis will be necessary to determine whether the later provision was intended to overrule the prior law or regulation.

• State laws. As a federal regulatory standard, the Privacy Rule preempts only those contrary state laws relating to the privacy of individually identifiable health information that have less stringent requirements or standards than the Privacy Rule (i.e., more stringent laws remain in effect). In addition, DHHS may, upon specific request from a state or other entity or person, determine that a provision of state law that is contrary to the federal requirements and that meets certain additional criteria will not be preempted by the federal requirements. Thus, preemption of a contrary state law will not occur if the Secretary or designated DHHS official determines, in response to a request, that the state law 1) is necessary to prevent fraud and abuse related to the provision of or payment for health care; 2) is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation; 3) is necessary for state reporting on health-care delivery or costs; 4) is necessary to serve a compelling public health, safety, or welfare need, and, if a Privacy Rule provision is at issue, if the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or 5) has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances. The Privacy Rule specifically does not preempt contrary state public health laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention [45 CFR § 160.202].

Online Resources

References to non-DHHS sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

Federal Government Resources

DHHS Office for Civil Rights — HIPAA guidelines
http://www.hhs.gov/ocr/hipaa

CDC — Privacy Rule guidelines
http://www.cdc.gov/privacyrule

Centers for Medicare and Medicaid Services
http://www.cms.gov/hipaa
http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp

Health Resources and Services Administration — HIPAA
http://www.hrsa.gov/website.htm

National Center for Health Statistics
http://www.cdc.gov/nchs/otheract/phdsc/phdsc.htm

National Committee on Vital and Health Statistics
http://www.ncvhs.hhs.gov

National Health Information Infrastructure
http://www.health.gov/ncvhs-nhii

Indian Health Service — HIPAA
http://www.ihs.gov/AdminMngrResources/HIPAA/index.cfm

National Institutes of Health
http://privacyruleandresearch.nih.gov

Substance Abuse and Mental Health Services Administration — HIPAA
http://www.samhsa.gov/hipaa

State Government Resources

California
http://www.dhs.ca.gov/hipaa
http://www.ohi.ca.gov/state/calohi/ohiHome.jsp
http://www.dmh.ca.gov/hipaa

Colorado
http://www.cdphe.state.co.us/HIPAA

Florida
http://www.myflorida.com/myflorida/sto/hipaa

Illinois
http://www.state.il.us/dpa/hipaa.html

Kentucky
http://chs.state.ky.us/dms/HIPAA/default.htm
http://dmhmrs.chr.state.ky.us/hipaa.asp

Maryland
http://www.mhcc.state.md.us/edi/hipaa_hipaa.htm
http://dhmh.state.md.us/HIPAA

Minnesota
http://www.dhs.state.mn.us/hipaa

Missouri
http://www.health.state.mo.us/HIPAA

New York
http://www.oft.state.ny.us/hipaa/index.htm

North Carolina
http://dirm.state.nc.us/hipaa

Ohio
http://www.state.oh.us/hipaa

Pennsylvania
http://www.dpw.state.pa.us/omap/hipaa/omaphipaa.asp
http://www.insurance.state.pa.us/html/hipaa.html

South Carolina
http://www.hipaa.state.sc.us

Texas
http://www.hhsc.state.tx.us/NDIS/NDISTaskForce.html

Virginia
http://www.dmas.state.va.us/hpa-home.htm

Wisconsin
http://www.dhfs.state.wi.us/HIPAA

Associations, Nonprofit Organizations, and Academic Resources

American Hospital Association — HIPAA
http://www.hospitalconnect.com/aha/key_issues/hipaa/resources/resources.html

American Medical Association — HIPAA
http://www.ama-assn.org/ama/pub/category/4234.html

Association of State and Territorial Health Officials — HIPAA
http://www.astho.org/?template=hipaa.html

Georgetown University Health Privacy Project
http://www.healthprivacy.org

Joint Healthcare Information Technology Alliance
http://www.jhita.org

National Association of Health Data Organizations
http://www.nahdo.org

National Association of Insurance Commissioners
http://www.naic.org/1privacy/initiatives/health_privacy.htm

National Governors Association — HIPAA
http://www.nga.org/center/topics/1,1188,C_CENTER_ISSUE^D_4324,00.html

North Carolina Healthcare Information and Communications Alliance
http://www.nchica.org

Public Health Grand Rounds: HIPAA Privacy Rule, Enhancing or Harming Public Health
http://www.publichealthgrandrounds.unc.edu

Stanford University Medical School — HIPAA
http://www.med.stanford.edu/HIPAA

Workgroup for Electronic Data Interchange — Strategic National Implementation Process
http://www.wedi.org/snip

Acknowledgments

This report was prepared by Salvatore Lucido, MPA, and Denise Koo, MD, Office of the Associate Director for Science, Epidemiology Program Office, CDC, in collaboration with James G. Hodge, Jr., JD, Center for Law and the Public's Health, Georgetown and Johns Hopkins Universities, Baltimore, Maryland. The preparers are grateful for the participation of Deborah Tress, JD, Kenya Ford, JD, and Heather Horton, JD, Office of the General Counsel, Department of Health and Human Services, CDC/ATSDR Branch; the CDC Working Group on the Privacy Rule; and Beverly Dozier, JD, Lance A. Gable, JD, Lawrence O. Gostin, JD, Gail Horlick, JD, and Jennifer Kurle.

The preparers also thank the following partners for their valuable input: Association of State and Territorial Health Officers, Council of State and Territorial Epidemiologists, National Association of County and City Health Officials, National Association of Health Data Organizations, Association of Public Health Laboratories, and National Association for Public Health Statistics and Information Systems.

References

1. Gostin LO, Hodge JG Jr. Personal privacy and common goods: a framework. Minnesota Law Review 2002;86:1439–80.
2. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936 (1996).
3. Office for Civil Rights, Department of Health and Human Services. Title 45 of the Code of Federal Regulations, Parts 160 and 164. Available at http://www.dhhs.gov/ocr/combinedregtext.pdf.
4. Office for Civil Rights. OCR guidance explaining significant aspects of the Privacy Rule, 2002. Department of Health and Human Services. Available at http://www.hhs.gov/ocr/hipaa.
5. Gostin LO, Hodge JG Jr, Privacy Law Advisory Committee. Model state public health information privacy act, 1999. Available at http://www.publichealthlaw.net/Resources/ResourcesPDFs/modelprivact.pdf.
6. Department of Health and Human Services. Protecting personal health information in research — understanding the HIPAA Privacy Rule. Department of Health and Human Services, Washington, DC, 2003 (in press).
7. Snider DE, Stroup DF. Defining research when it comes to public health. Public Health Rep 1997;112:29–32.
8. CDC. Guidelines for defining public health research and public health nonresearch. Available at http://www.cdc.gov/od/ads/opspoll1.htm.
9. Amoroso PJ, Middaugh JP. Research vs. public health practice: when does a study require IRB review? Prev Med 2003;36:250–3.
10. Office for Protection from Research Risks, National Institutes of Health, Department of Health and Human Services. Public welfare: protection of human subjects, 2001 [45 CFR 46]. Available at http://ohrp.osophs.dhhs.gov/humansubjects/guidance/45cfr46.htm.
11. National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research. Belmont report: ethical principles and guidelines for the protection of human subjects of research. Department of Health, Education, and Welfare. Available at http://www.med.umich.edu/irbmed/ethics/belmont/BELMONTR.HTM.

Appendix A
Selected Privacy Rule Concepts and Definitions

The following concepts and definitions are adapted from the regulatory language. For further information, see the citations to the Privacy Rule.

Accounting: An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures (a) to carry out treatment, payment, and health care operations [45 CFR § 164.506]; (b) to individuals of protected health information about them [45 CFR § 164.502]; (c) incident to a use or disclosure otherwise permitted or required by this subpart, as provided in 45 CFR § 164.502; (d) pursuant to an authorization as provided in 45 CFR § 164.508; (e) for the facility's directory or to persons involved in the individual's care or other notification purposes as provided in 45 CFR § 164.510; (f) for national security or intelligence purposes as provided in 45 CFR § 164.512(k)(2); (g) to correctional institutions or law enforcement officials as provided in 45 CFR § 164.512(k)(5); (h) as part of a limited data set in accordance with 45 CFR § 164.514(e); or (i) that occurred prior to the compliance date for the covered entity…. Such an accounting must meet the following requirements: (1) except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity; (2) except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure: the date of the disclosure; the name of the entity or person who received the protected health information and, if known, the address of such entity or person; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such a statement, a copy of the individual's written authorization pursuant to 45 CFR § 164.508 or a copy of a written request for a disclosure under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, if any.

If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, the accounting may, with respect to such multiple disclosures, provide the information required by paragraph (b)(2) of 45 CFR § 164.528 for the first disclosure during the accounting period; the frequency, periodicity, or number of the disclosures made during the accounting period; and the date of the last such disclosure during the accounting period [45 CFR § 164.528].

Modified accounting procedures are also provided for covered entities making research disclosures involving >50 persons [45 CFR § 164.528(b)(4)].

Business associate: A person who, on behalf of a covered entity or of an organized health care arrangement [45 CFR § 154.501] in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or any other function or activity regulated by this subchapter; or provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation [45 CFR § 164.501], management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health-care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the individual [45 CFR § 160.103].

Covered entity: 1) a health plan; 2) a health-care clearinghouse; 3) a health-care provider who transmits any health information in electronic form in connection with a transaction [45 CFR § 160.103].

Covered functions: Those functions of a covered entity the performance of which makes the entity a health plan, health-care provider, or health-care clearinghouse [45 CFR § 164.103].

Data aggregation: With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health-care operations of the respective covered entities [45 CFR § 164.501].

De-identified health information: Health information that does not identify an individual and with respect to which no reasonable basis exists to believe that the information can be used to identify an individual is not individually identifiable information [45 CFR § 164.514(a)].

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information [45 CFR § 160.103].

Electronic media: 1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or 2) transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission [45 CFR § 160.103].

Health care: Care, services, or supplies related to the health of an individual. It includes, but is not limited to, 1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body; and 2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription [45 CFR § 160.103].

Health-care clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system, community health information system, or value-added network or switch, that 1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or 2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity [45 CFR § 160.103].

Health-care operations: Any of the following activities of the covered entity to the extent that the activities are related to covered functions: 1) conducting quality assessment and improvement activities, population-based activities, and related functions that do not include treatment; 2) reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance, conducting training programs where students learn to practice or improve their skills as health-care providers, training of nonhealth-care professionals, accreditation, certification, licensing, or credentialing activities; 3) underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or benefits; 4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and 6) business management and general administrative activities of the entity [45 CFR § 164.501].

Health-care provider: A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health-care services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other individual or organization that furnishes, bills, or is paid for health care in the normal course of business [45 CFR § 160.103].

Health information: Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health-care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual [45 CFR § 160.103].

Health plan: An individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). Health plan includes the following, singly or in combination: (i) a group health plan, as defined in 45 CFR § 160.103 of the Privacy Rule; (ii) a health insurance issuer, as defined in 45 CFR § 160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 CFR § 160.103 of the Privacy Rule; (iv) Part A or B of the Medicare program under title XVIII of the Act; (v) the Medicaid program under title XIX of the Act, 42 U.S.C. 1396 et seq.; (vi) an issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)); (vii) an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy; (viii) an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers; (ix) the health care program for active military personnel under title 10 U.S.C.; (x) the veterans health-care program under 38 U.S.C. Ch. 17; (xi) the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)); (xii) the Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601 et seq.; (xiii) the Federal Employees Health Benefits Program under 5 U.S.C. 8902 et seq.; (xiv) an approved state child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397 et seq.; (xv) the Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28; (xvi) a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals; (xvii) any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) [45 CFR § 160.103].

The term health plan excludes (i) any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in § 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and (ii) a government-funded program, other than the ones listed in items (i)–(xvi) above, whose principal purpose is other than providing or paying the cost of health care, or whose principal activity is 1) the direct provision of health care to individuals or 2) the making of grants to fund the direct provision of health care to individuals [45 CFR § 160.103].

Hybrid entity: A single legal entity 1) that is a covered entity, 2) whose business activities include both covered and noncovered functions, and 3) that designates its health-care components [45 CFR § 164.103].

Individually identifiable health information: A subset of health information, including demographic information collected from an individual, that 1) is created or received by a health-care provider, health plan, employer, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or where there is a reasonable basis to believe the information can be used to identify the individual [45 CFR § 164.501].

Limited data set: Protected health information that excludes certain direct identifiers of the individual or of relatives, employers, or household members of the individual. Direct identifiers to be excluded can be found in 45 CFR § 164.514(e)(2).

Minimum necessary: For any type of disclosure that a covered entity makes on a routine and recurring basis, the covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. For all other disclosures, covered entities must develop and implement criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought, and review requests for disclosure on an individual basis in accordance with such criteria. A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when (a) making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose; (b) the information is requested by another covered entity; (c) the information is requested by their business associates providing personal services; or (d) documentation or representations that comply with the applicable requirements of 45 CFR § 164.512(i) have been provided by an individual requesting the information for research purposes [45 CFR § 164.514(d)(3)].

The minimum necessary standard also applies to uses of protected health information [45 CFR § 164.514(d)(2)] and requests for protected health information [45 CFR § 164.514(d)(4)].

Notice: An individual, with certain exceptions, has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. The notice must be written in plain language and contain the following elements: (i) a header as specified in the rule; (ii) a description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and health care operations, and a description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written consent or authorization. If a use or disclosure is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law (as defined in 45 CFR § 160.202). Each description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule or other applicable law; and a statement that other uses and disclosures will be made only with the individual's written authorization, and that the individual may revoke such authorization as provided by 45 CFR § 164.508(b)(5).

16 MMWR April 11 2003

A separate statement must be included in the notice if a covered entity intends to engage in any of the following activities. The statement should explain that 1) the covered entity may contact the individual to provide appointment reminders or information regarding treatment alternatives or other health-related benefits; 2) the covered entity may contact the individual to raise funds for the covered entity; or 3) a group health plan, health insurer, or HMO with respect to a group health plan may disclose protected health information to the sponsor of the plan.

The notice must contain a statement of the individual's rights with respect to the protected health information and a brief description of how the individual may exercise these rights; a statement of the covered entity's duties; a statement that individuals may complain to the covered entity or the Secretary if they believe their privacy rights have been violated; contact information; and the effective date of the notice. [45 CFR § 164.520]

Payment: 1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, or (ii) a health-care provider or health plan to obtain or provide reimbursement for the provision of health care; and 2) the activities relate to the individual to whom health care is provided and include, but are not limited to, (i) determinations of eligibility or coverage, and adjudication or subrogation of health benefit claims; (ii) risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance), and related health-care data processing; (iv) review of health-care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services, and concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: (a) name and address, (b) date of birth, (c) social security number, (d) payment history, (e) account number, and (f) name and address of the health-care provider or health plan. [45 CFR § 164.501]

Protected health information (PHI): Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in (i) education records covered by the Family Education Rights and Privacy Act (20 USC 1232g); (ii) records described at 20 USC 1232g(a)(4)(B)(iv); and (iii) employment records held by a covered entity in its role as employer. [45 CFR § 160.103]

Public health authority: An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or an individual or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or individuals or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate. [45 CFR § 164.501]

Examples of public health authorities include state and local health departments, CDC, the National Institutes of Health (NIH), the Food and Drug Administration (FDA), and the Occupational Safety and Health Administration (OSHA).

Required by law: A mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. This term includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health-care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits. [45 CFR § 164.103]

Research: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. [45 CFR § 164.501]

Statistical de-identification: A properly qualified statistician, using accepted analytical techniques, concludes that the risk is limited that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information. [45 CFR § 164.514(b)]

Safe harbor method: A covered entity or its agent removes a comprehensive set of identifiers enumerated in the Privacy Rule, which includes but is not limited to names, geographic subdivisions smaller than states, dates more specific than years, contact information, identification numbers, and photographic images, and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual who is a subject of the information or the individual's relatives, employers, or household members. Eighteen specific identifiers will need to be removed to achieve de-identification. [45 CFR § 164.514(b)]
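The safe harbor method is a removal procedure, and the usual failure in practice is not the labelled columns but the same identifiers sitting inside free-text fields. The Python below is an added example, not code from the MMWR report or from CDC: the record layout, field names, and sample record are constructed, and it models only the identifier categories the entry names (names, geography below the state level, dates finer than a year, contact details, identification numbers, images) plus a mechanical residual scan that stands in for the "no actual knowledge" condition. The full list of 18 identifiers and their conditions is in 45 CFR § 164.514(b), which the example does not reproduce.

```python
import re
from datetime import date

# Constructed sample record with fictitious values; the layout is an assumption.
SAMPLE_RECORD = {
    "name": "Jane Q. Example",
    "street": "123 Main St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62701",
    "date_of_birth": date(1961, 5, 14),
    "admit_date": date(2003, 4, 2),
    "phone": "217-555-0100",
    "email": "jane@example.com",
    "ssn": "123-45-6789",
    "medical_record_number": "MRN-00042",
    "photo": b"\x89PNG placeholder bytes",
    "diagnosis": "influenza, laboratory confirmed",
    "clinician_note": "Patient reports onset 2003-03-30; call 217-555-0100 with results.",
}

# Assumed mapping of record fields to the identifier categories the safe harbor
# entry names. Only the categories listed in the entry are modelled here.
NAME_FIELDS = {"name"}
SUBSTATE_GEOGRAPHY_FIELDS = {"street", "city", "zip"}   # state-level geography may remain
DATE_FIELDS = {"date_of_birth", "admit_date"}            # reduced to the year
CONTACT_FIELDS = {"phone", "email"}
ID_NUMBER_FIELDS = {"ssn", "medical_record_number"}
IMAGE_FIELDS = {"photo"}
DROP_FIELDS = (NAME_FIELDS | SUBSTATE_GEOGRAPHY_FIELDS | CONTACT_FIELDS
               | ID_NUMBER_FIELDS | IMAGE_FIELDS)

# Identifier-shaped tokens that commonly leak through free-text fields.
# Each rule is (label, pattern, replacement); full dates keep only their year.
FREE_TEXT_RULES = [
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN REMOVED]"),
    ("phone", re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE REMOVED]"),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL REMOVED]"),
    ("full_date", re.compile(r"\b(\d{4})-\d{2}-\d{2}\b"), r"\1"),
]


def scrub_free_text(text: str) -> str:
    """Apply every free-text rule in order; dates collapse to their year."""
    for _label, pattern, replacement in FREE_TEXT_RULES:
        text = pattern.sub(replacement, text)
    return text


def safe_harbor_deidentify(record: dict) -> dict:
    """Return a copy of ``record`` with the modelled identifier categories removed.

    Fields in DROP_FIELDS are omitted entirely, date fields are replaced by a
    ``<field>_year`` integer, and the remaining string fields are scrubbed.
    """
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key in DATE_FIELDS:
            out[f"{key}_year"] = value.year
            continue
        if isinstance(value, str):
            value = scrub_free_text(value)
        out[key] = value
    return out


def residual_identifiers(record: dict) -> list:
    """Mechanical stand-in for the 'no actual knowledge' condition: names the
    string fields that still contain an identifier-shaped token. An empty
    result is necessary, not sufficient, for de-identification."""
    return [
        key for key, value in record.items()
        if isinstance(value, str)
        and any(pattern.search(value) for _l, pattern, _r in FREE_TEXT_RULES)
    ]


if __name__ == "__main__":
    cleaned = safe_harbor_deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

The residual scan is run on the input as well as the output in the test, which is the useful direction for a reviewer: it shows which fields the column-level rules would have missed had the free-text scrub not been applied.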

Transaction: The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions that the Secretary may prescribe by regulation. [45 CFR § 164.103]

Treatment: The provision, coordination, or management of health care and related services by one or more health-care providers, including the coordination or management of health care by a health-care provider with a third party; consultation between health-care providers relating to a patient; or the referral of a patient for health care from one health-care provider to another. [45 CFR § 164.501]

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. [45 CFR § 160.103]


Appendix B
Sample Text That Can Be Used To Clarify Public Health Issues Under the Privacy Rule

Following are sample letters that can be used to help clarify Privacy Rule issues among covered entities and public health authorities (e.g., CDC, National Institutes of Health, Food and Drug Administration, Substance Abuse and Mental Health Services Administration, Health Resources and Services Administration, and state and local health departments). Public health authorities can use these letters as templates by inserting names of the appropriate individuals, projects, agreements, laws, activity types, covered entities, public health authorities, and authorized agencies.

From a public health authority to a covered entity, clarifying rules regarding disclosure

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is conducting the activity described here in its capacity as a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities such as your organization may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..."

[Public health authority] is conducting [project], a public health activity as described by 45 CFR § 164.512(b), and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule.

If you have questions or concerns, please contact [project leader].

From a public health authority to an authorized agency, providing grant of authority

Dear [authorized agency]:

This letter serves as verification of a grant of authority from [public health authority] for you to conduct the public health activities described here, acting as a public health authority pursuant to the Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act (HIPAA) [45 CFR Parts 160 and 164]. Under this rule, covered entities may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of a public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..."

[Authorized agency] is acting under [contract, grant, cooperative agreement] with [public health authority] to conduct [project], which is authorized by [law or regulation]. [Public health authority] grants this authority to [authorized agency] for purposes of this project. Further, [public health authority] considers this to be [activity type] for which disclosure of protected health information by covered entities is authorized by 45 CFR § 164.512(b) of the Privacy Rule.

From a public health authority to a covered entity, confirming grant of authority to an authorized agency

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities may disclose protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..." [45 CFR § 164.501]. [Authorized agency] is acting under [contract, grant, or cooperative agreement] with [public health authority] to carry out [project]. Through this grant of authority, [authorized agency] may function as a public health authority under the Privacy Rule for purposes of this project.

[Project] is a public health activity as described by 45 CFR § 164.512(b), referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities "... may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purposes when making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s)."

If you have questions or concerns, please contact [project leader for authorized agency, public health authority contact].

All MMWR references are available on the Internet at http://www.cdc.gov/mmwr. Use the search function to find specific articles.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

MMWR

The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) and is available free of charge in electronic format and on a paid subscription basis for paper copy. To receive an electronic copy each week, send an e-mail message to listserv@listserv.cdc.gov. The body content should read SUBscribe mmwr-toc. Electronic copy also is available from CDC's Internet server at http://www.cdc.gov/mmwr or from CDC's file transfer protocol server at ftp://ftp.cdc.gov/pub/publications/mmwr. To subscribe for paper copy, contact Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone 202-512-1800.

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

U.S. Government Printing Office: 2003-533-15569108 Region IV



preemption of a contrary state law will not occur if the Secretary or designated DHHS official determines, in response to a request, that the state law 1) is necessary to prevent fraud and abuse related to the provision of or payment for health care; 2) is necessary to ensure appropriate state regulation of insurance and health plans to the extent expressly authorized by statute or regulation; 3) is necessary for state reporting on health-care delivery or costs; 4) is necessary to serve a compelling public health, safety, or welfare need and, if a Privacy Rule provision is at issue, the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served; or 5) has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substances. The Privacy Rule specifically does not preempt contrary state public health laws that provide for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention. [45 CFR § 160.202]

Online Resources

References to non-DHHS sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

Federal Government Resources

DHHS Office for Civil Rights, HIPAA guidelines
http://www.hhs.gov/ocr/hipaa

CDC, Privacy Rule guidelines
http://www.cdc.gov/privacyrule

Centers for Medicare and Medicaid Services
http://www.cms.gov/hipaa
http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp

Health Resources and Services Administration, HIPAA
http://www.hrsa.gov/website.htm

National Center for Health Statistics
http://www.cdc.gov/nchs/otheract/phdsc/phdsc.htm

National Committee on Vital and Health Statistics
http://www.ncvhs.hhs.gov

National Health Information Infrastructure
http://www.health.gov/ncvhs-nhii

Indian Health Service, HIPAA
http://www.ihs.gov/AdminMngrResources/HIPAA/index.cfm

National Institutes of Health
http://privacyruleandresearch.nih.gov

Substance Abuse and Mental Health Services Administration, HIPAA
http://www.samhsa.gov/hipaa

State Government Resources

California
http://www.dhs.ca.gov/hipaa
http://www.ohi.ca.gov/state/calohi/ohiHome.jsp
http://www.dmh.ca.gov/hipaa

Colorado
http://www.cdphe.state.co.us/HIPAA

Florida
http://www.myflorida.com/myflorida/sto/hipaa

Illinois
http://www.state.il.us/dpa/hipaa.html

Kentucky
http://chs.state.ky.us/dms/HIPAA/default.htm
http://dmhmrs.chr.state.ky.us/hipaa.asp

Maryland
http://www.mhcc.state.md.us/edi/hipaa_hipaa.htm
http://dhmh.state.md.us/HIPAA

Minnesota
http://www.dhs.state.mn.us/hipaa

Missouri
http://www.health.state.mo.us/HIPAA

New York
http://www.oft.state.ny.us/hipaa/index.htm

North Carolina
http://dirm.state.nc.us/hipaa

Ohio
http://www.state.oh.us/hipaa

Pennsylvania
http://www.dpw.state.pa.us/omap/hipaa/omaphipaa.asp
http://www.insurance.state.pa.us/html/hipaa.html

South Carolina
http://www.hipaa.state.sc.us

Texas
http://www.hhsc.state.tx.us/NDIS/NDISTaskForce.html

Virginia
http://www.dmas.state.va.us/hpa-home.htm

Wisconsin
http://www.dhfs.state.wi.us/HIPAA

Associations, Nonprofit Organizations, and Academic Resources

American Hospital Association, HIPAA
http://www.hospitalconnect.com/aha/key_issues/hipaa/resources/resources.html

American Medical Association, HIPAA
http://www.ama-assn.org/ama/pub/category/4234.html

Association of State and Territorial Health Officials, HIPAA
http://www.astho.org/?template=hipaa.html

Georgetown University Health Privacy Project
http://www.healthprivacy.org

Joint Healthcare Information Technology Alliance
http://www.jhita.org

National Association of Health Data Organizations
http://www.nahdo.org

National Association of Insurance Commissioners
http://www.naic.org/1privacy/initiatives/health_privacy.htm

National Governors Association, HIPAA
http://www.nga.org/center/topics/1,1188,C_CENTER_ISSUE^D_4324,00.html

North Carolina Healthcare Information and Communications Alliance
http://www.nchica.org

Public Health Grand Rounds, HIPAA Privacy Rule: Enhancing or Harming Public Health
http://www.publichealthgrandrounds.unc.edu

Stanford University Medical School, HIPAA
http://www.med.stanford.edu/HIPAA

Workgroup for Electronic Data Interchange, Strategic National Implementation Process
http://www.wedi.org/snip

Acknowledgments

This report was prepared by Salvatore Lucido, MPA, and Denise Koo, MD, Office of the Associate Director for Science, Epidemiology Program Office, CDC, in collaboration with James G. Hodge, Jr., JD, Center for Law and the Public's Health, Georgetown and Johns Hopkins Universities, Baltimore, Maryland. The preparers are grateful for the participation of Deborah Tress, JD, Kenya Ford, JD, and Heather Horton, JD, Office of the General Counsel, Department of Health and Human Services, CDC/ATSDR Branch; the CDC Working Group on the Privacy Rule; and Beverly Dozier, JD, Lance A. Gable, JD, Lawrence O. Gostin, JD, Gail Horlick, JD, and Jennifer Kurle.

The preparers also thank the following partners for their valuable input: Association of State and Territorial Health Officers, Council of State and Territorial Epidemiologists, National Association of County and City Health Officials, National Association of Health Data Organizations, Association of Public Health Laboratories, and National Association for Public Health Statistics and Information Systems.


Appendix A
Selected Privacy Rule Concepts and Definitions

The following concepts and definitions are adapted from the regulatory language. For further information, see the citations to the Privacy Rule.

Accounting: An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures (a) to carry out treatment, payment, and health care operations [45 CFR § 164.506]; (b) to individuals of protected health information about them [45 CFR § 164.502]; (c) incident to a use or disclosure otherwise permitted or required by this subpart, as provided in 45 CFR § 164.502; (d) pursuant to an authorization as provided in 45 CFR § 164.508; (e) for the facility's directory or to persons involved in the individual's care or other notification purposes as provided in 45 CFR § 164.510; (f) for national security or intelligence purposes as provided in 45 CFR § 164.512(k)(2); (g) to correctional institutions or law enforcement officials as provided in 45 CFR § 164.512(k)(5); (h) as part of a limited data set in accordance with 45 CFR § 164.514(e); or (i) that occurred prior to the compliance date for the covered entity ... Such an accounting must meet the following requirements: (1) except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual, as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity; (2) except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure the date of the disclosure; the name of the entity or person who received the protected health information and, if known, the address of such entity or person; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such a statement, a copy of the individual's written authorization pursuant to 45 CFR § 164.508 or a copy of a written request for a disclosure under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, if any.

If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, the accounting may, with respect to such multiple disclosures, provide the information required by paragraph (b)(2) of 45 CFR § 164.528 for the first disclosure during the accounting period; the frequency, periodicity, or number of the disclosures made during the accounting period; and the date of the last such disclosure during the accounting period. [45 CFR § 164.528]

Modified accounting procedures are also provided for covered entities making research disclosures involving >50 persons. [45 CFR § 164.528(b)(4)]

Business associate: A person who, on behalf of a covered entity or of an organized health care arrangement [45 CFR § 154.501] in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or any other function or activity regulated by this subchapter; or provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation [45 CFR § 164.501], management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health-care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the individual. [45 CFR § 160.103]

Covered entity: 1) a health plan; 2) a health-care clearinghouse; 3) a health-care provider who transmits any health information in electronic form in connection with a transaction. [45 CFR § 160.103]

Covered functions: Those functions of a covered entity the performance of which makes the entity a health plan, health-care provider, or health-care clearinghouse. [45 CFR § 164.103]

Data aggregation: With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health-care operations of the respective covered entities. [45 CFR § 164.501]
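The Accounting entry above specifies a record structure (the fields an accounting must give for each disclosure), an exclusion list, a time window bounded by the compliance date, and a summary form for repeated disclosures to one recipient for one purpose. The Python below is an added example, not code from the MMWR report or from CDC: the basis labels, the sample log, and the compliance and request dates are constructed, and the function returns the entries an accounting would list.

```python
from collections import OrderedDict
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Disclosure:
    """One entry in the covered entity's disclosure log."""
    disclosed_on: date
    recipient: str
    recipient_address: Optional[str]   # recorded "if known"
    phi_description: str
    purpose: str
    basis: str                          # Privacy Rule section relied on (constructed labels)


# Constructed labels for the disclosure bases the Accounting entry lists as
# excluded from the accounting (items a through h).
EXCLUDED_BASES = {
    "164.506",              # treatment, payment, health care operations
    "164.502-individual",   # to the individual, about themself
    "164.502-incidental",   # incident to a permitted use or disclosure
    "164.508",              # pursuant to an authorization
    "164.510",              # facility directory, persons involved in care
    "164.512(k)(2)",        # national security or intelligence
    "164.512(k)(5)",        # correctional institutions, law enforcement custody
    "164.514(e)",           # limited data set
}


def summarisable(basis: str) -> bool:
    """Repeated disclosures to one recipient for one purpose under
    164.502(a)(2)(ii) or 164.512 may be reported as a single summary line."""
    return basis == "164.502(a)(2)(ii)" or basis.startswith("164.512")


def years_before(day: date, years: int) -> date:
    """Same calendar date ``years`` earlier; 29 February falls back to the 28th."""
    try:
        return day.replace(year=day.year - years)
    except ValueError:
        return day.replace(year=day.year - years, day=28)


def accounting_of_disclosures(log: Iterable[Disclosure], requested_on: date,
                              compliance_date: date, years: int = 6) -> List[dict]:
    """Build the accounting an individual is entitled to receive.

    Window: the ``years`` (six, or fewer at the individual's request) before
    ``requested_on``, and never earlier than the entity's compliance date.
    Excluded bases are dropped; summarisable repeats collapse to the first
    disclosure's details plus a count and the date of the last one.
    """
    if not 1 <= years <= 6:
        raise ValueError("period is six years, or shorter at the individual's request")
    window_start = max(years_before(requested_on, years), compliance_date)
    in_scope = sorted(
        (d for d in log
         if window_start <= d.disclosed_on <= requested_on
         and d.basis not in EXCLUDED_BASES),
        key=lambda d: d.disclosed_on,
    )
    groups = OrderedDict()
    for index, d in enumerate(in_scope):
        key = (d.recipient, d.purpose) if summarisable(d.basis) else ("single", index)
        groups.setdefault(key, []).append(d)
    entries = []
    for items in groups.values():
        first, last = items[0], items[-1]
        entries.append({
            "date": first.disclosed_on,
            "recipient": first.recipient,
            "recipient_address": first.recipient_address,
            "phi_description": first.phi_description,
            "purpose": first.purpose,
            "count": len(items),
            "last_date": last.disclosed_on if len(items) > 1 else None,
        })
    return entries


# Constructed sample log and dates; none of this is real disclosure data.
COMPLIANCE_DATE = date(2003, 4, 14)
REQUEST_DATE = date(2008, 6, 1)
SAMPLE_LOG = [
    Disclosure(date(2003, 4, 10), "State Health Dept", "100 Capitol Ave",
               "influenza lab result", "disease surveillance", "164.512(b)"),
    Disclosure(date(2003, 5, 1), "State Health Dept", "100 Capitol Ave",
               "influenza lab result", "disease surveillance", "164.512(b)"),
    Disclosure(date(2003, 6, 1), "State Health Dept", "100 Capitol Ave",
               "influenza lab result", "disease surveillance", "164.512(b)"),
    Disclosure(date(2004, 1, 15), "State Health Dept", "100 Capitol Ave",
               "influenza lab result", "disease surveillance", "164.512(b)"),
    Disclosure(date(2005, 2, 2), "Example Clinic", None,
               "visit summary", "treatment", "164.506"),
    Disclosure(date(2006, 9, 9), "County Health Dept", None,
               "case report", "outbreak investigation", "164.512(b)"),
    Disclosure(date(2007, 3, 3), "Compliance reviewer", None,
               "complaint file", "compliance review", "164.502(a)(2)(ii)"),
]

if __name__ == "__main__":
    for entry in accounting_of_disclosures(SAMPLE_LOG, REQUEST_DATE, COMPLIANCE_DATE):
        print(entry)
```

With the sample log, the disclosure dated before the compliance date and the treatment disclosure are left out, the three surveillance disclosures to the state health department become one summary line with a count of three and the last date, and the two remaining disclosures appear individually. Passing `years=2` narrows the window and drops the surveillance group entirely.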

De-identified health information: Health information that does not identify an individual and with respect to which no reasonable basis exists to believe that the information can be used to identify an individual is not individually identifiable information. [45 CFR § 164.514(a)]

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information. [45 CFR § 160.103]

Electronic media: 1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or 2) transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission. [45 CFR § 160.103]

Health care: Care, services, or supplies related to the health of an individual. It includes, but is not limited to, 1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body; and 2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription. [45 CFR § 160.103]

Health-care clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system, community health information system, or value-added network or switch, that 1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or 2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity. [45 CFR § 160.103]

Health-care operations: Any of the following activities of the covered entity to the extent that the activities are related to covered functions: 1) conducting quality assessment and improvement activities, population-based activities, and related functions that do not include treatment; 2) reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance, conducting training programs where students learn to practice or improve their skills as health-care providers, training of nonhealth-care professionals, accreditation, certification, licensing, or credentialing activities; 3) underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or benefits; 4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and 6) business management and general administrative activities of the entity. [45 CFR § 164.501]

Health-care provider: A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health-care services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other individual or organization that furnishes, bills, or is paid for health care in the normal course of business. [45 CFR § 160.103]

Health information: Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health-care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. [45 CFR § 160.103]

Health plan: An individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). Health plan includes the following, singly or in combination: (i) a group health plan, as defined in 45 CFR § 160.103 of the Privacy Rule; (ii) a health insurance issuer, as defined in 45 CFR § 160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 CFR § 160.103 of the Privacy Rule; (iv) Part A or B of the Medicare program under title XVIII of the Act; (v) the Medicaid program under title XIX of the Act, 42 U.S.C. 1396 et seq.; (vi) an issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)); (vii) an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy; (viii) an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers; (ix) the health care program for active military personnel under title 10 U.S.C.; (x) the veterans health-care program under 38 U.S.C. Ch. 17; (xi) the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)); (xii) the Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601 et seq.; (xiii) the Federal Employees Health Benefits Program under 5 U.S.C. 8902 et seq.; (xiv) an approved state child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397 et seq.; (xv) the Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28; (xvi) a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals; (xvii) any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). [45 CFR § 160.103]

The term health plan excludes (i) any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in § 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and (ii) a government-funded program, other than one listed in items (i)-(xvi) above, whose principal purpose is other than providing, or paying the cost of, health care, or whose principal activity is 1) the direct provision of health care to individuals or 2) the making of grants to fund the direct provision of health care to individuals. [45 CFR § 160.103]

Hybrid entity: A single legal entity 1) that is a covered entity, 2) whose business activities include both covered and noncovered functions, and 3) that designates its health-care components. [45 CFR § 164.103]

Individually identifiable health information: A subset of health information, including demographic information collected from an individual, that 1) is created or received by a health-care provider, health plan, employer, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify the individual. [45 CFR § 164.501]

Limited data set: Protected health information that excludes certain direct identifiers of the individual or of relatives, employers, or household members of the individual. The direct identifiers to be excluded are listed in 45 CFR § 164.514(e)(2).

Minimum necessary: For any type of disclosure that a covered entity makes on a routine and recurring basis, the covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. For all other disclosures, covered entities must develop and implement criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought, and must review requests for disclosure on an individual basis in accordance with such criteria. A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when (a) making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose; (b) the information is requested by another covered entity; (c) the information is requested by their business associates providing personal services; or (d) documentation or representations that comply with the applicable requirements of 45 CFR § 164.512(i) have been provided by an individual requesting the information for research purposes. [45 CFR § 164.514(d)(3)]

The minimum necessary standard also applies to uses of protected health information [45 CFR § 164.514(d)(2)] and to requests for protected health information [45 CFR § 164.514(d)(4)].

Notice: An individual, with certain exceptions, has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. The notice must be written in plain language and contain the following elements: (i) a header as specified in the rule; (ii) a description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and health care operations, and a description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written consent or authorization. If a use or disclosure is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law (as defined in 45 CFR § 160.202). Each description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule or other applicable law, and a statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by 45 CFR § 164.508(b)(5).


A separate statement must be included in the notice if a covered entity intends to engage in any of the following activities. The statement should explain that 1) the covered entity may contact the individual to provide appointment reminders or information regarding treatment alternatives or other health-related benefits; 2) the covered entity may contact the individual to raise funds for the covered entity; or 3) a group health plan, health insurer, or HMO, with respect to a group health plan, may disclose protected health information to the sponsor of the plan.

The notice must contain a statement of the individual's rights with respect to the protected health information and a brief description of how the individual may exercise these rights; a statement of the covered entity's duties; a statement that individuals may complain to the covered entity or the Secretary if they believe their privacy rights have been violated; contact information; and the effective date of the notice. [45 CFR § 164.520]

Payment: 1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, or (ii) a health-care provider or health plan to obtain or provide reimbursement for the provision of health care; and 2) the activities relate to the individual to whom health care is provided and include, but are not limited to, (i) determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; (ii) risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance), and related health-care data processing; (iv) review of health-care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services and concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: (a) name and address, (b) date of birth, (c) social security number, (d) payment history, (e) account number, and (f) name and address of the health-care provider or health plan. [45 CFR § 164.501]

Protected health information (PHI): Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in (i) education records covered by the Family Education Rights and Privacy Act (20 U.S.C. 1232g); (ii) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a covered entity in its role as employer. [45 CFR § 160.103]

Public health authority: An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or an individual or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or individuals or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate. [45 CFR § 164.501]

Examples of public health authorities include state and local health departments, CDC, the National Institutes of Health (NIH), the Food and Drug Administration (FDA), and the Occupational Safety and Health Administration (OSHA).

Required by law: A mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. This term includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health-care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits. [45 CFR § 164.103]

Research: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. [45 CFR § 164.501]

Statistical de-identification: A properly qualified statistician, using accepted analytical techniques, concludes that the risk is limited that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information. [45 CFR § 164.514(b)]

Safe harbor method: A covered entity or its agent removes a comprehensive set of identifiers enumerated in the Privacy Rule, which includes but is not limited to names, geographic subdivisions smaller than states, dates more specific than years, contact information, identification numbers, and photographic images, and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual who is a subject of the information or the individual's relatives, employers, or household members. Eighteen specific identifiers must be removed to achieve de-identification. [45 CFR § 164.514(b)]

Transaction: The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions that the Secretary may prescribe by regulation. [45 CFR § 164.103]

Treatment: The provision, coordination, or management of health care and related services by one or more health-care providers, including the coordination or management of health care by a health-care provider with a third party; consultation between health-care providers relating to a patient; or the referral of a patient for health care from one health-care provider to another. [45 CFR § 164.501]

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. [45 CFR § 160.103]


Appendix B: Sample Text That Can Be Used To Clarify Public Health Issues Under the Privacy Rule

Following are sample letters that can be used to help clarify Privacy Rule issues among covered entities and public health authorities (e.g., CDC, National Institutes of Health, Food and Drug Administration, Substance Abuse and Mental Health Services Administration, Health Resources and Services Administration, and state and local health departments). Public health authorities can use these letters as templates by inserting the names of the appropriate individuals, projects, agreements, laws, activity types, covered entities, public health authorities, and authorized agencies.

From a public health authority to a covered entity, clarifying rules regarding disclosure

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is conducting the activity described here in its capacity as a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities such as your organization may disclose, without individual authorization, protected health information to public health authorities "...authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions...."

[Public health authority] is conducting [project], a public health activity as described by 45 CFR § 164.512(b), and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule.

If you have questions or concerns, please contact [project leader].

From a public health authority to an authorized agency, providing grant of authority

Dear [authorized agency]:

This letter serves as verification of a grant of authority from [public health authority] for you to conduct the public health activities described here, acting as a public health authority pursuant to the Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act (HIPAA) [45 CFR Parts 160 and 164]. Under this rule, covered entities may disclose, without individual authorization, protected health information to public health authorities "...authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions...." The definition of a public health authority includes "...an individual or entity acting under a grant of authority from or contract with such public agency...."

[Authorized agency] is acting under [contract, grant, cooperative agreement] with [public health authority] to conduct [project], which is authorized by [law or regulation]. [Public health authority] grants this authority to [authorized agency] for purposes of this project. Further, [public health authority] considers this to be [activity type], for which disclosure of protected health information by covered entities is authorized by 45 CFR § 164.512(b) of the Privacy Rule.

From a public health authority to a covered entity, confirming grant of authority to an authorized agency

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities may disclose protected health information to public health authorities "...authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions...." The definition of public health authority includes "...an individual or entity acting under a grant of authority from or contract with such public agency..." [45 CFR § 164.501]. [Authorized agency] is acting under [contract, grant, or cooperative agreement] with [public health authority] to carry out [project]. Through this grant of authority, [authorized agency] may function as a public health authority under the Privacy Rule for purposes of this project.

[Project] is a public health activity as described by 45 CFR § 164.512(b), referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities "...may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purposes when making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s)."

If you have questions or concerns, please contact [project leader for authorized agency, public health authority contact].

All MMWR references are available on the Internet at http://www.cdc.gov/mmwr. Use the search function to find specific articles.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) and is available free of charge in electronic format and on a paid subscription basis for paper copy. To receive an electronic copy each week, send an e-mail message to listserv@listserv.cdc.gov. The body content should read SUBscribe mmwr-toc. Electronic copy also is available from CDC's Internet server at http://www.cdc.gov/mmwr or from CDC's file transfer protocol server at ftp://ftp.cdc.gov/pub/publications/mmwr. To subscribe for paper copy, contact Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone 202-512-1800.

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

U.S. Government Printing Office: 2003-533-155/69108 Region IV


Associations, Nonprofit Organizations, and Academic Resources

American Hospital Association — HIPAA
http://www.hospitalconnect.com/aha/key_issues/hipaa/resources/resources.html

American Medical Association — HIPAA
http://www.ama-assn.org/ama/pub/category/4234.html

Association of State and Territorial Health Officials — HIPAA
http://www.astho.org/?template=hipaa.html

Georgetown University Health Privacy Project
http://www.healthprivacy.org

Joint Healthcare Information Technology Alliance
http://www.jhita.org

National Association of Health Data Organizations
http://www.nahdo.org

National Association of Insurance Commissioners
http://www.naic.org/1privacy/initiatives/health_privacy.htm

National Governors Association — HIPAA
http://www.nga.org/center/topics/1,1188,C_CENTER_ISSUE^D_4324,00.html

North Carolina Healthcare Information and Communications Alliance
http://www.nchica.org

Public Health Grand Rounds: HIPAA Privacy Rule: Enhancing or Harming Public Health?
http://www.publichealthgrandrounds.unc.edu

Stanford University Medical School — HIPAA
http://www.med.stanford.edu/HIPAA

Workgroup for Electronic Data Interchange — Strategic National Implementation Process
http://www.wedi.org/snip

Acknowledgments

This report was prepared by Salvatore Lucido, M.P.A., and Denise Koo, M.D., Office of the Associate Director for Science, Epidemiology Program Office, CDC, in collaboration with James G. Hodge, Jr., J.D., Center for Law and the Public's Health, Georgetown and Johns Hopkins Universities, Baltimore, Maryland. The preparers are grateful for the participation of Deborah Tress, J.D., Kenya Ford, J.D., and Heather Horton, J.D., Office of the General Counsel, Department of Health and Human Services, CDC/ATSDR Branch; the CDC Working Group on the Privacy Rule; and Beverly Dozier, J.D., Lance A. Gable, J.D., Lawrence O. Gostin, J.D., Gail Horlick, J.D., and Jennifer Kurle.

The preparers also thank the following partners for their valuable input: Association of State and Territorial Health Officers, Council of State and Territorial Epidemiologists, National Association of County and City Health Officials, National Association of Health Data Organizations, Association of Public Health Laboratories, and National Association for Public Health Statistics and Information Systems.


Appendix A: Selected Privacy Rule Concepts and Definitions

The following concepts and definitions are adapted from the regulatory language. For further information, see the citations to the Privacy Rule.

Accounting: An individual has a right to receive an accounting of disclosures of protected health information made by a covered entity in the six years prior to the date on which the accounting is requested, except for disclosures (a) to carry out treatment, payment, and health care operations [45 CFR § 164.506]; (b) to individuals of protected health information about them [45 CFR § 164.502]; (c) incident to a use or disclosure otherwise permitted or required by this subpart, as provided in 45 CFR § 164.502; (d) pursuant to an authorization as provided in 45 CFR § 164.508; (e) for the facility's directory or to persons involved in the individual's care or other notification purposes as provided in 45 CFR § 164.510; (f) for national security or intelligence purposes as provided in 45 CFR § 164.512(k)(2); (g) to correctional institutions or law enforcement officials as provided in 45 CFR § 164.512(k)(5); (h) as part of a limited data set in accordance with 45 CFR § 164.514(e); or (i) that occurred prior to the compliance date for the covered entity.... Such an accounting must meet the following requirements: (1) except as otherwise provided by paragraph (a) of this section, the accounting must include disclosures of protected health information that occurred during the six years (or such shorter time period at the request of the individual as provided in paragraph (a)(3) of this section) prior to the date of the request for an accounting, including disclosures to or by business associates of the covered entity; (2) except as otherwise provided by paragraphs (b)(3) or (b)(4) of this section, the accounting must include for each disclosure the date of the disclosure; the name of the entity or person who received the protected health information and, if known, the address of such entity or person; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such a statement, a copy of the individual's written authorization pursuant to 45 CFR § 164.508 or a copy of a written request for a disclosure under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, if any.

If, during the period covered by the accounting, the covered entity has made multiple disclosures of protected health information to the same person or entity for a single purpose under 45 CFR § 164.502(a)(2)(ii) or 45 CFR § 164.512, the accounting may, with respect to such multiple disclosures, provide the information required by paragraph (b)(2) of 45 CFR § 164.528 for the first disclosure during the accounting period; the frequency, periodicity, or number of the disclosures made during the accounting period; and the date of the last such disclosure during the accounting period. [45 CFR § 164.528]

Modified accounting procedures are also provided for covered entities making research disclosures involving >50 persons. [45 CFR § 164.528(b)(4)]

Business associate: A person who, on behalf of a covered entity or of an organized health care arrangement [45 CFR § 154.501] in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or any other function or activity regulated by this subchapter; or provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation [45 CFR § 164.501], management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health-care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the individual. [45 CFR § 160.103]

Covered entity 1) a health plan 2) a health-care clearing-house 3) a health-care provider who transmits any healthinformation in electronic form in connection with a transac-tion [45 CFR sect 160103]

Covered functions Those functions of a covered entity theperformance of which makes the entity a health planhealth-care provider or health-care clearinghouse [45 CFR sect164103]

Data aggregation. With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health-care operations of the respective covered entities [45 CFR § 164.501].

De-identified health information. Health information that does not identify an individual, and with respect to which no reasonable basis exists to believe that the information can be used to identify an individual, is not individually identifiable information [45 CFR § 164.514(a)].

Disclosure. The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information [45 CFR § 160.103].

Electronic media. 1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or 2) transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide-open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission [45 CFR § 160.103].

Health care. Care, services, or supplies related to the health of an individual. It includes, but is not limited to, 1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body; and 2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription [45 CFR § 160.103].

Health-care clearinghouse. A public or private entity, including a billing service, repricing company, community health management information system, community health information system, or value-added network or switch, that 1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or 2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity [45 CFR § 160.103].

Health-care operations. Any of the following activities of the covered entity, to the extent that the activities are related to covered functions: 1) conducting quality assessment and improvement activities, population-based activities, and related functions that do not include treatment; 2) reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance, conducting training programs where students learn to practice or improve their skills as health-care providers, training of non-health-care professionals, accreditation, certification, licensing, or credentialing activities; 3) underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or benefits; 4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and 6) business management and general administrative activities of the entity [45 CFR § 164.501].

Health-care provider. A provider of services (as defined in section 1861(u) of the Act, 42 U.S.C. 1395x(u)), a provider of medical or health-care services (as defined in section 1861(s) of the Act, 42 U.S.C. 1395x(s)), and any other individual or organization that furnishes, bills, or is paid for health care in the normal course of business [45 CFR § 160.103].

Health information. Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health-care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual [45 CFR § 160.103].

Health plan. An individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). Health plan includes the following, singly or in combination: (i) a group health plan, as defined in 45 CFR § 160.103 of the Privacy Rule; (ii) a health insurance issuer, as defined in 45 CFR § 160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 CFR § 160.103 of the Privacy Rule; (iv) Part A or B of the Medicare program under title XVIII of the Act; (v) the Medicaid program under title XIX of the Act, 42 U.S.C. 1396 et seq.; (vi) an issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)); (vii) an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy; (viii) an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers; (ix) the health care program for active military personnel under title 10 U.S.C.; (x) the veterans health-care program under 38 U.S.C. Ch. 17; (xi) the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)); (xii) the Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601 et seq.; (xiii) the Federal Employees Health Benefits Program under 5 U.S.C. 8902 et seq.; (xiv) an approved state child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397 et seq.; (xv) the Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28; (xvi) a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals; (xvii) any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) [45 CFR § 160.103].

The term health plan excludes (i) any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in § 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and (ii) a government-funded program, other than the one listed in items (i)-(xvi) above, whose principal purpose is other than providing, or paying the cost of, health care, or whose principal activity is 1) the direct provision of health care to individuals or 2) the making of grants to fund the direct provision of health care to individuals [45 CFR § 160.103].

Hybrid entity. A single legal entity 1) that is a covered entity; 2) whose business activities include both covered and noncovered functions; and 3) that designates its health-care components [45 CFR § 164.103].

Individually identifiable health information. A subset of health information, including demographic information collected from an individual, and 1) is created or received by a health-care provider, health plan, employer, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual, or where there is a reasonable basis to believe the information can be used to identify the individual [45 CFR § 164.501].

Limited data set. Protected health information that excludes certain direct identifiers of the individual or of relatives, employers, or household members of the individual. Direct identifiers to be excluded can be found in 45 CFR § 164.514(e)(2).

Minimum necessary. For any type of disclosure that a covered entity makes on a routine and recurring basis, the covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. For all other disclosures, covered entities must develop and implement criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought, and review requests for disclosure on an individual basis in accordance with such criteria. A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when (a) making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose; (b) the information is requested by another covered entity; (c) the information is requested by their business associates providing personal services; or (d) documentation or representations that comply with the applicable requirements of 45 CFR § 164.512(i) have been provided by an individual requesting the information for research purposes [45 CFR § 164.514(d)(3)].

The minimum necessary standard also applies to uses of protected health information [45 CFR § 164.514(d)(2)] and requests for protected health information [45 CFR § 164.514(d)(4)].

Notice. An individual, with certain exceptions, has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. The notice must be written in plain language and contain the following elements: (i) a header as specified in the rule; (ii) a description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and health care operations, and a description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written consent or authorization. If a use or disclosure is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law (as defined in 45 CFR § 160.202). Each description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule or other applicable law, and a statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by 45 CFR § 164.508(b)(5).


A separate statement must be included in the notice if a covered entity intends to engage in any of the following activities. The statement should explain that 1) the covered entity may contact the individual to provide appointment reminders or information regarding treatment alternatives or other health-related benefits; 2) the covered entity may contact the individual to raise funds for the covered entity; or 3) a group health plan, health insurer, or HMO with respect to a group health plan may disclose protected health information to the sponsor of the plan.

The notice must contain a statement of the individual's rights with respect to the protected health information and a brief description of how the individual may exercise these rights; a statement of the covered entity's duties; a statement that individuals may complain to the covered entity or the Secretary if they believe their privacy rights have been violated; contact information; and the effective date of the notice [45 CFR § 164.520].

Payment. 1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, or (ii) a health-care provider or health plan to obtain or provide reimbursement for the provision of health care; and 2) the activities relate to the individual to whom health care is provided and include, but are not limited to, (i) determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; (ii) risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance), and related health-care data processing; (iv) review of health-care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: (a) name and address, (b) date of birth, (c) social security number, (d) payment history, (e) account number, and (f) name and address of the health-care provider or health plan [45 CFR § 164.501].

Protected health information (PHI). Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in (i) education records covered by the Family Education Rights and Privacy Act (20 U.S.C. 1232g); (ii) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a covered entity in its role as employer [45 CFR § 160.103].

Public health authority. An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or an individual or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or individuals or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate [45 CFR § 164.501].

Examples of public health authorities include state and local health departments, CDC, National Institutes of Health (NIH), Food and Drug Administration (FDA), and Occupational Safety and Health Administration (OSHA).

Required by law. A mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. This term includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health-care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits [45 CFR § 164.103].

Research. A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge [45 CFR § 164.501].

Statistical de-identification. A properly qualified statistician, using accepted analytical techniques, concludes that the risk is limited that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information [45 CFR § 164.514(b)].

Safe harbor method. A covered entity or its agent removes a comprehensive set of identifiers enumerated in the Privacy Rule, which includes but is not limited to names, geographic subdivisions smaller than states, dates more specific than years, contact information, identification numbers, and photographic images, and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual who is a subject of the information or the individual's relatives, employers, or household members. Eighteen specific identifiers will need to be removed to achieve de-identification [45 CFR § 164.514(b)].
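Added example (not from the MMWR guidance or the regulation): safe-harbor-style de-identification of a constructed record, applying the identifier categories the definition names (names, geographic subdivisions smaller than a state, dates more specific than a year, contact information, identification numbers, photographs) and running a residual-pattern check as a second pass. The record layout, field names and regular expressions are this example's own assumptions; the complete list of eighteen identifiers is in 45 CFR § 164.514(b) and is not reproduced here.

```python
from __future__ import annotations

import re
from typing import Any

# Field-level rules, keyed by the identifier categories named in the definition.
# Field names are assumptions about the record layout, not part of the rule.
YEAR_ONLY_FIELDS = {"dob", "admission_date", "discharge_date"}        # dates -> year
GEO_BELOW_STATE = {"street", "city", "county", "zip"}                 # state is kept
CONTACT_FIELDS = {"phone", "fax", "email"}
ID_NUMBER_FIELDS = {"ssn", "mrn", "account_number", "health_plan_id"}
OTHER_DIRECT = {"name", "photo"}
REMOVE_FIELDS = GEO_BELOW_STATE | CONTACT_FIELDS | ID_NUMBER_FIELDS | OTHER_DIRECT

# Identifiers that tend to survive inside free-text fields such as clinical notes.
FREE_TEXT_PATTERNS = [
    ("date", re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("zip", re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]


def year_only(value: str) -> str:
    """Reduce an ISO (YYYY-MM-DD) or US (MM/DD/YYYY) date to its year."""
    m = re.search(r"\b\d{4}\b", value)
    if not m:
        raise ValueError(f"unrecognised date: {value!r}")
    return m.group(0)


def scrub_free_text(text: str) -> str:
    """Replace each pattern hit with a labelled marker so reviewers see what went."""
    for label, pat in FREE_TEXT_PATTERNS:
        text = pat.sub(f"[{label} removed]", text)
    return text


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Drop direct-identifier fields, truncate dates to the year, scrub free text."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS:
            continue
        if key in YEAR_ONLY_FIELDS:
            out[key] = year_only(value)
        elif isinstance(value, str):
            out[key] = scrub_free_text(value)
        else:
            out[key] = value
    return out


def residual_identifiers(record: dict[str, Any]) -> list[tuple[str, str]]:
    """Second pass: (field, label) pairs where a pattern still matches.
    An empty result is necessary but not sufficient for the 'no actual
    knowledge' condition, which stays a human judgement about the data set."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            for label, pat in FREE_TEXT_PATTERNS:
                if pat.search(value):
                    hits.append((key, label))
    return hits


# Constructed, fictitious record used as input.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "street": "123 Example Ave",
    "city": "Springfield",
    "state": "GA",
    "zip": "30303",
    "dob": "1954-03-15",
    "admission_date": "2003-04-20",
    "phone": "404-555-0100",
    "email": "jane.sample@example.org",
    "ssn": "123-45-6789",
    "mrn": "MRN-0099887",
    "photo": "jane_sample.jpg",
    "diagnosis": "Hepatitis A, confirmed",
    "notes": "Seen 04/20/2003; follow-up call to 404-555-0100 scheduled.",
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```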

Transaction. The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions that the Secretary may prescribe by regulation [45 CFR § 164.103].

Treatment. The provision, coordination, or management of health care and related services by one or more health-care providers, including the coordination or management of health care by a health-care provider with a third party; consultation between health-care providers relating to a patient; or the referral of a patient for health care from one health-care provider to another [45 CFR § 164.501].

Use. With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information [45 CFR § 160.103].


Appendix B. Sample Text That Can Be Used To Clarify Public Health Issues Under the Privacy Rule

Following are sample letters that can be used to help clarify Privacy Rule issues among covered entities and public health authorities (e.g., CDC, National Institutes of Health, Food and Drug Administration, Substance Abuse and Mental Health Services Administration, Health Resources and Services Administration, state and local health departments). Public health authorities can use these letters as templates by inserting names of the appropriate individuals, projects, agreements, laws, activity types, covered entities, public health authorities, and authorized agencies.

From a public health authority to a covered entity clarifying rules regarding disclosure

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is conducting the activity described here in its capacity as a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities such as your organization may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..."

[Public health authority] is conducting [project], a public health activity as described by 45 CFR § 164.512(b), and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule.

If you have questions or concerns, please contact [project leader].

From a public health authority to an authorized agency providing grant of authority

Dear [authorized agency]:

This letter serves as verification of a grant of authority from [public health authority] for you to conduct the public health activities described here, acting as a public health authority pursuant to the Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act (HIPAA) [45 CFR Parts 160 and 164]. Under this rule, covered entities may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of a public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..."

[Authorized agency] is acting under [contract, grant, cooperative agreement] with [public health authority] to conduct [project], which is authorized by [law or regulation]. [Public health authority] grants this authority to [authorized agency] for purposes of this project. Further, [public health authority] considers this to be [activity type], for which disclosure of protected health information by covered entities is authorized by 45 CFR § 164.512(b) of the Privacy Rule.

From a public health authority to a covered entity confirming grant of authority to an authorized agency

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities may disclose protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..." [45 CFR § 164.501]. [Authorized agency] is acting under [contract, grant, or cooperative agreement] with [public health authority] to carry out [project]. Through this grant of authority, [authorized agency] may function as a public health authority under the Privacy Rule for purposes of this project.

[Project] is a public health activity as described by 45 CFR § 164.512(b), referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities "... may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purposes when making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s)."

If you have questions or concerns, please contact [project leader for authorized agency, public health authority contact].

All MMWR references are available on the Internet at http://www.cdc.gov/mmwr. Use the search function to find specific articles.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.


The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) and is available free of charge in electronic format and on a paid subscription basis for paper copy. To receive an electronic copy each week, send an e-mail message to listserv@listserv.cdc.gov. The body content should read SUBscribe mmwr-toc. Electronic copy also is available from CDC's Internet server at http://www.cdc.gov/mmwr or from CDC's file transfer protocol server at ftp://ftp.cdc.gov/pub/publications/mmwr. To subscribe for paper copy, contact Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone 202-512-1800.

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

US Government Printing Office 2003-533-15569108 Region IV

Page 15: HIPAA Privacy Rule and Public Health · Vol. 52 / Early Release MMWR 1 The material in this report originated in the Epidemiology Program Office, Stephen B. Thacker, M.D., M.Sc.,

Vol 52 Early Release MMWR 13

The following concepts and definitions are adapted fromthe regulatory language For further information see the cita-tions to the Privacy Rule

Accounting An individual has a right to receive an account-ing of disclosures of protected health information made by acovered entity in the six years prior to the date on which theaccounting is requested except for disclosures (a) to carry outtreatment payment and health care operations [45 CFR sect164506] (b) to individuals of protected health informationabout them [45 CFR sect 164502] (c) incident to a use or dis-closure otherwise permitted or required by this subpart asprovided in 45 CFR sect164502 (d) pursuant to an authoriza-tion as provided in 45 CFR sect164508 (e) for the facilityrsquosdirectory or to persons involved in the individualrsquos care orother notification purposes as provided in 45 CFR sect164510(f ) for national security or intelligence purposes as providedin 45 CFR sect164512(k)(2) (g) to correctional institutions orlaw enforcement officials as provided in 45 CFR sect164512(k)(5) or (h) as part of a limited data set in accordance with45 CFR sect164514(e) or (i) that occurred prior to the compli-ance date for the covered entityhellip Such an accounting mustmeet the following requirements (1) except as otherwise pro-vided by paragraph (a) of this section the accounting mustinclude disclosures of protected health information thatoccurred during the six years (or such shorter time period atthe request of the individual as provided in paragraph (a)(3)of this section) prior to the date of the request for an account-ing including disclosures to or by business associates of thecovered entity (2) except as otherwise provided by paragraphs(b)(3) or (b)(4) of this section the accounting must includefor each disclosure the date of the disclosure the name of theentity or person who received the protected health informa-tion and if known the address of such entity or person abrief description of the protected health information disclosedand a brief statement of the purpose of the disclosure thatreasonably informs the individual of the basis for the 
disclo-sure or in lieu of such a statement a copy of the individualrsquoswritten authorization pursuant to 45 CFR sect 164508 or acopy of a written request for a disclosure under 45 CFR sect164502(a)(2)(ii) or 45 CFR sect 164512 if any

If during the period covered by the accounting the coveredentity has made multiple disclosures of protected healthinformation to the same person or entity for a single purposeunder 45 CFR sect 164502(a)(2)(ii) or 45 CFR sect 164512 theaccounting may with respect to such multiple disclosures

provide the information required by paragraph (b)(2) of 45CFR sect 164528 for the first disclosure during the accountingperiod the frequency periodicity or number of the disclo-sures made during the accounting period and the date of thelast such disclosure during the accounting period [45 CFR sect164528]

Modified accounting procedures are also provided for cov-ered entities making research disclosures involving gt50 per-sons [45 CFR sect 164528(b)(4)]

Business associate: A person who, on behalf of a covered entity or of an organized health care arrangement [45 CFR § 154.501] in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs or assists in the performance of a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing; or any other function or activity regulated by this subchapter; or provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation [45 CFR § 164.501], management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health-care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the individual [45 CFR § 160.103].

Covered entity: 1) a health plan; 2) a health-care clearinghouse; 3) a health-care provider who transmits any health information in electronic form in connection with a transaction [45 CFR § 160.103].

Covered functions: Those functions of a covered entity the performance of which makes the entity a health plan, health-care provider, or health-care clearinghouse [45 CFR § 164.103].

Appendix A. Selected Privacy Rule Concepts and Definitions

14 MMWR April 11, 2003

Data aggregation: With respect to protected health information created or received by a business associate in its capacity as the business associate of a covered entity, the combining of such protected health information by the business associate with the protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit data analyses that relate to the health-care operations of the respective covered entities [45 CFR § 164.501].

De-identified health information: Health information that does not identify an individual and with respect to which no reasonable basis exists to believe that the information can be used to identify an individual is not individually identifiable information [45 CFR § 164.514(a)].

Disclosure: The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information [45 CFR § 160.103].

Electronic media: 1) Electronic storage media, including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or 2) transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet (wide open), extranet (using Internet technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper via facsimile and of voice via telephone, are not considered to be transmissions via electronic media because the information being exchanged did not exist in electronic form before the transmission [45 CFR § 160.103].

Health care: Care, services, or supplies related to the health of an individual. It includes, but is not limited to, 1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition or functional status of an individual or that affects the structure or function of the body; and 2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription [45 CFR § 160.103].

Health-care clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system, community health information system, or value-added network or switch, that 1) processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction; or 2) receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity [45 CFR § 160.103].

Health-care operations: Any of the following activities of the covered entity to the extent that the activities are related to covered functions: 1) conducting quality assessment and improvement activities, population-based activities, and related functions that do not include treatment; 2) reviewing the competence or qualifications of health care professionals, evaluating practitioner, provider, and health plan performance, conducting training programs where students learn to practice or improve their skills as health-care providers, training of nonhealth-care professionals, accreditation, certification, licensing, or credentialing activities; 3) underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or benefits; 4) conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; 5) business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and 6) business management and general administrative activities of the entity [45 CFR § 164.501].

Health-care provider: A provider of services (as defined in section 1861(u) of the Act, 42 USC 1395x(u)), a provider of medical or health-care services (as defined in section 1861(s) of the Act, 42 USC 1395x(s)), and any other individual or organization that furnishes, bills, or is paid for health care in the normal course of business [45 CFR § 160.103].

Health information: Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health-care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual [45 CFR § 160.103].

Health plan: An individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 USC 300gg-91(a)(2)). Health plan includes the following, singly or in combination: (i) a group health plan, as defined in 45 CFR § 160.103 of the Privacy Rule; (ii) a health insurance issuer, as defined in 45 CFR § 160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 CFR § 160.103 of the Privacy Rule; (iv) Part A or B of the Medicare program under title XVIII of the Act; (v) the Medicaid program under title XIX of the Act, 42 USC 1396 et seq.; (vi) an issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 USC 1395ss(g)(1)); (vii) an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy; (viii) an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers; (ix) the health care program for active military personnel under title 10 USC; (x) the veterans health-care program under 38 USC Ch. 17; (xi) the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 USC 1072(4)); (xii) the Indian Health Service program under the Indian Health Care Improvement Act, 25 USC 1601 et seq.; (xiii) the Federal Employees Health Benefits Program under 5 USC 8902 et seq.; (xiv) an approved state child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 USC 1397 et seq.; (xv) the Medicare+Choice program under Part C of title XVIII of the Act, 42 USC 1395w-21 through 1395w-28; (xvi) a high risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals; (xvii) any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 USC 300gg-91(a)(2)) [45 CFR § 160.103].

The term health plan excludes (i) any policy, plan, or program to the extent that it provides, or pays for the cost of, excepted benefits that are listed in § 2791(c)(1) of the PHS Act, 42 USC 300gg-91(c)(1); and (ii) a government-funded program, other than the one listed in items (i)-(xvi) above, whose principal purpose is other than providing, or paying the cost of, health care, or whose principal activity is 1) the direct provision of health care to individuals or 2) the making of grants to fund the direct provision of health care to individuals [45 CFR § 160.103].

Hybrid entity: A single legal entity 1) that is a covered entity; 2) whose business activities include both covered and noncovered functions; and 3) that designates its health-care components [45 CFR § 164.103].

Individually identifiable health information: A subset of health information, including demographic information collected from an individual, that 1) is created or received by a health-care provider, health plan, employer, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and that identifies the individual, or where there is a reasonable basis to believe the information can be used to identify the individual [45 CFR § 164.501].

Limited data set: Protected health information that excludes certain direct identifiers of the individual or of relatives, employers, or household members of the individual. Direct identifiers to be excluded can be found in 45 CFR § 164.514(e)(2).

Minimum necessary: For any type of disclosure that a covered entity makes on a routine and recurring basis, the covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. For all other disclosures, covered entities must develop and implement criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought, and review requests for disclosure on an individual basis in accordance with such criteria. A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when (a) making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose; (b) the information is requested by another covered entity; (c) the information is requested by their business associates providing personal services; or (d) documentation or representations that comply with the applicable requirements of 45 CFR § 164.512(i) have been provided by an individual requesting the information for research purposes [45 CFR § 164.514(d)(3)].

The minimum necessary standard also applies to uses of protected health information [45 CFR § 164.514(d)(2)] and requests for protected health information [45 CFR § 164.514(d)(4)].

Notice: An individual, with certain exceptions, has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. The notice must be written in plain language and contain the following elements: (i) a header, as specified in the rule; (ii) a description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and health care operations, and a description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written consent or authorization. If a use or disclosure is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law (as defined in 45 CFR § 160.202). Each description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule or other applicable law, and a statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by 45 CFR § 164.508(b)(5).


A separate statement must be included in the notice if a covered entity intends to engage in any of the following activities. The statement should explain that 1) the covered entity may contact the individual to provide appointment reminders or information regarding treatment alternatives or other health-related benefits; 2) the covered entity may contact the individual to raise funds for the covered entity; or 3) a group health plan, health insurer, or HMO with respect to a group health plan may disclose protected health information to the sponsor of the plan.

The notice must contain a statement of the individual's rights with respect to the protected health information and a brief description of how the individual may exercise these rights, a statement of the covered entity's duties, a statement that individuals may complain to the covered entity or the Secretary if they believe their privacy rights have been violated, contact information, and the effective date of the notice [45 CFR § 164.520].

Payment: 1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or (ii) a health-care provider or health plan to obtain or provide reimbursement for the provision of health care; and 2) the activities relate to the individual to whom health care is provided and include, but are not limited to, (i) determinations of eligibility or coverage, and adjudication or subrogation of health benefit claims; (ii) risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance), and related health-care data processing; (iv) review of health-care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services, concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: (a) name and address; (b) date of birth; (c) social security number; (d) payment history; (e) account number; and (f) name and address of the health-care provider or health plan [45 CFR § 164.501].

Protected health information (PHI): Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in (i) education records covered by the Family Education Rights and Privacy Act (20 USC 1232g); (ii) records described at 20 USC 1232g(a)(4)(B)(iv); and (iii) employment records held by a covered entity in its role as employer [45 CFR § 160.103].

Public health authority: An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or an individual or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or individuals or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate [45 CFR § 164.501].

Examples of public health authorities include state and local health departments, CDC, National Institutes of Health (NIH), Food and Drug Administration (FDA), and Occupational Safety and Health Administration (OSHA).

Required by law: A mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. This term includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health-care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits [45 CFR § 164.103].

Research: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge [45 CFR § 164.501].

Statistical de-identification: A properly qualified statistician, using accepted analytical techniques, concludes that the risk is limited that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information [45 CFR § 164.514(b)].

Safe harbor method: A covered entity or its agent removes a comprehensive set of identifiers enumerated in the Privacy Rule, which includes, but is not limited to, names, geographic subdivisions smaller than states, dates more specific than years, contact information, identification numbers, and photographic images, and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual who is a subject of the information or the individual's relatives, employers, or household members. Eighteen specific identifiers will need to be removed to achieve de-identification [45 CFR § 164.514(b)].
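As an added example (not from the MMWR report), the following Python code applies the safe harbor approach described above to a constructed patient record: fields in the identifier categories named in the definition are removed, dates are reduced to the year, free-text fields are scrubbed, and a final check looks for any removed identifier value that still appears in the output, which would be the "actual knowledge" that the remaining information can identify the individual. Field names, category tags, the sample record, and the two text patterns are assumptions for the illustration; the full enumerated list of 18 identifiers in the rule is not reproduced here.

```python
# Added example, not from the MMWR report. Field names, category tags,
# the sample record, and the free-text patterns are constructed for
# illustration; the regular expressions cover only the sample's formats.
import re
from datetime import date

# Identifier categories named in the safe harbor definition above. Fields
# tagged with one of these are dropped entirely; "date" fields are reduced
# to the year; a state-level location is kept because only subdivisions
# smaller than a state are identifiers.
DIRECT_IDENTIFIERS = {"name", "geo_below_state", "contact", "id_number", "photo"}

# Constructed sample record: field -> (category tag, value).
SAMPLE_RECORD = {
    "patient_name": ("name", "Jane Q. Public"),
    "street": ("geo_below_state", "12 Elm St"),
    "city": ("geo_below_state", "Springfield"),
    "state": ("geo_state", "GA"),
    "dob": ("date", date(1961, 5, 17)),
    "admit_date": ("date", date(2003, 2, 3)),
    "phone": ("contact", "555-0100"),
    "mrn": ("id_number", "MRN-00042"),
    "photo_ref": ("photo", "img/0042.jpg"),
    "diagnosis": ("clinical", "pertussis"),
    "notes": ("clinical", "Seen 2003-02-03; call 555-0100 to follow up."),
}

ISO_DATE = re.compile(r"\b(\d{4})-\d{2}-\d{2}\b")   # YYYY-MM-DD
PHONE = re.compile(r"\b\d{3}-\d{4}\b")              # NNN-NNNN as in the sample


def scrub_text(text):
    """Reduce embedded ISO dates to the year and blank phone-like numbers.

    Free-text fields are where identifiers survive a field-level pass, so
    they get their own treatment. These two patterns are illustrative only.
    """
    text = ISO_DATE.sub(lambda m: m.group(1), text)
    return PHONE.sub("[removed]", text)


def deidentify(record):
    """Apply the safe harbor field rules and return the reduced record."""
    out = {}
    for field, (tag, value) in record.items():
        if tag in DIRECT_IDENTIFIERS:
            continue                      # enumerated identifier: remove
        if tag == "date":
            out[field] = value.year       # keep only the year
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    return out


def leaked_identifiers(record, cleaned):
    """Return dropped identifier values that still appear in the output.

    A non-empty result means the remaining information could still be used
    to identify the individual, so the record is not yet de-identified.
    """
    dropped = [str(v) for tag, v in record.values() if tag in DIRECT_IDENTIFIERS]
    remaining = " ".join(str(v) for v in cleaned.values())
    return [v for v in dropped if v in remaining]


if __name__ == "__main__":
    reduced = deidentify(SAMPLE_RECORD)
    print(reduced)
    print("leaks:", leaked_identifiers(SAMPLE_RECORD, reduced))
```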

Transaction: The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions that the Secretary may prescribe by regulation [45 CFR § 164.103].

Treatment: The provision, coordination, or management of health care and related services by one or more health-care providers, including the coordination or management of health care by a health-care provider with a third party; consultation between health-care providers relating to a patient; or the referral of a patient for health care from one health-care provider to another [45 CFR § 164.501].

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information [45 CFR § 160.103].


Appendix B. Sample Text That Can Be Used To Clarify Public Health Issues Under the Privacy Rule

Following are sample letters that can be used to help clarify Privacy Rule issues among covered entities and public health authorities (e.g., CDC, National Institutes of Health, Food and Drug Administration, Substance Abuse and Mental Health Services Administration, Health Resources and Services Administration, state and local health departments). Public health authorities can use these letters as templates by inserting names of the appropriate individuals, projects, agreements, laws, activity types, covered entities, public health authorities, and authorized agencies.

From a public health authority to a covered entity clarifying rules regarding disclosure

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is conducting the activity described here in its capacity as a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities such as your organization may disclose, without individual authorization, protected health information to public health authorities "...authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions...."

[Public health authority] is conducting [project], a public health activity as described by 45 CFR § 164.512(b), and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule.

If you have questions or concerns, please contact [project leader].

From a public health authority to an authorized agency providing grant of authority

Dear [authorized agency]:

This letter serves as verification of a grant of authority from [public health authority] for you to conduct the public health activities described here, acting as a public health authority pursuant to the Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act (HIPAA) [45 CFR Parts 160 and 164]. Under this rule, covered entities may disclose, without individual authorization, protected health information to public health authorities "...authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions...." The definition of a public health authority includes "...an individual or entity acting under a grant of authority from or contract with such public agency...."

[Authorized agency] is acting under [contract, grant, cooperative agreement] with [public health authority] to conduct [project], which is authorized by [law or regulation]. [Public health authority] grants this authority to [authorized agency] for purposes of this project. Further, [public health authority] considers this to be [activity type] for which disclosure of protected health information by covered entities is authorized by 45 CFR § 164.512(b) of the Privacy Rule.

From a public health authority to a covered entity confirming grant of authority to an authorized agency

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities may disclose protected health information to public health authorities "...authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions...." The definition of public health authority includes "...an individual or entity acting under a grant of authority from or contract with such public agency..." [45 CFR § 164.501]. [Authorized agency] is acting under [contract, grant, or cooperative agreement] with [public health authority] to carry out [project]. Through this grant of authority, [authorized agency] may function as a public health authority under the Privacy Rule for purposes of this project.

[Project] is a public health activity as described by 45 CFR § 164.512(b), referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities "...may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purposes when making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s)."

If you have questions or concerns, please contact [project leader for authorized agency; public health authority contact].

All MMWR references are available on the Internet at http://www.cdc.gov/mmwr. Use the search function to find specific articles.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

MMWR

The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) and is available free of charge in electronic format and on a paid subscription basis for paper copy. To receive an electronic copy each week, send an e-mail message to listserv@listserv.cdc.gov. The body content should read SUBscribe mmwr-toc. Electronic copy also is available from CDC's Internet server at http://www.cdc.gov/mmwr or from CDC's file transfer protocol server at ftp://ftp.cdc.gov/pub/publications/mmwr. To subscribe for paper copy, contact Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone 202-512-1800.

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

U.S. Government Printing Office: 2003-533-15569108 Region IV

  • Introduction
    • Impact on Public Health
      • Overview of the Privacy Rule
        • Who Is Covered
        • Types of Health Information
        • What is Required
          • The Privacy Rule and Public Health
            • Disclosures for Public Health Purposes
            • Requirements for Covered Entities
              • The Privacy Rule and Public Health Research
                • Research Versus Practice
                  • The Privacy Rule and Other Laws
                  • Online Resources
                    • Federal Government Resources
                    • State Government Resources
                    • Associations Nonprofit Organizations and Academic Resources
                      • Acknowledgments
                      • References
                      • Appendix A
                      • Appendix B
Page 16: HIPAA Privacy Rule and Public Health · Vol. 52 / Early Release MMWR 1 The material in this report originated in the Epidemiology Program Office, Stephen B. Thacker, M.D., M.Sc.,

14 MMWR April 11 2003

covered entity to permit data analyses that relate to the health-care operations of the respective covered entities [45 CFRsect164501]

De-identified health information Health information thatdoes not identify an individual and with respect to which noreasonable basis exists to believe that the information can beused to identify an individual is not individually identifiableinformation [45 CFR sect 164514(a)]

Disclosure The release transfer provision of access to ordivulging in any other manner of information outside the entityholding the information [45 CFR sect 160103]

Electronic media 1) Electronic storage media includingmemory devices in computers (hard drives) and any remov-abletransportable digital memory medium such as magnetictape or disk optical disk or digital memory card or 2) trans-mission media used to exchange information already in elec-tronic storage media Transmission media include for examplethe Internet (wide open) extranet (using Internet technologyto link a business with information accessible only to collabo-rating parties) leased lines dial-up lines private networksand the physical movement of removabletransportable elec-tronic storage media Certain transmissions including ofpaper via facsimile and of voice via telephone are not con-sidered to be transmissions via electronic media because theinformation being exchanged did not exist in electronic formbefore the transmission [45 CFR sect 160103]

Health care Care services or supplies related to the healthof an individual It includes but is not limited to 1) preven-tive diagnostic therapeutic rehabilitative maintenance orpalliative care and counseling service assessment or proce-dure with respect to the physical or mental condition or func-tional status of an individual or that affects the structure orfunction of the body and 2) sale or dispensing of a drugdevice equipment or other item in accordance with a pre-scription [45 CFR sect 160103]

Health-care clearinghouse A public or private entityincluding a billing service repricing company communityhealth management information system community healthinformation system or value-added network or switch that 1)processes or facilitates the processing of health informationreceived from another entity in a nonstandard format or con-taining nonstandard data content into standard data elementsor a standard transaction or 2) receives a standard transactionfrom another entity and processes or facilitates the processingof health information into nonstandard format or nonstand-ard data content for the receiving entity [45 CFR sect 160103]

Health-care operations Any of the following activities ofthe covered entity to the extent that the activities are related tocovered functions 1) conducting quality assessment andimprovement activities population-based activities and

related functions that do not include treatment 2) reviewingthe competence or qualifications of health care professionalsevaluating practitioner provider and health plan performanceconducting training programs where students learn to prac-tice or improve their skills as health-care providers training ofnonhealth-care professionals accreditation certificationlicensing or credentialing activities 3) underwriting premiumrating and other activities relating to the creation renewal orreplacement of a contract of health insurance or benefits 4)conducting or arranging for medical review legal services andauditing functions including fraud and abuse detection andcompliance programs 5) business planning and developmentsuch as conducting cost-management and planning-relatedanalyses related to managing and operating the entity includ-ing formulary development and administration developmentor improvement of methods of payment or coverage policiesand 6) business management and general administrativeactivities of the entity [45 CFR sect 164501]

Health-care provider A provider of services (as defined insection 1861(u) of the Act 42 USC 1395x(u)) a providerof medical or health-care services (as defined in section 1861(s)of the Act 42 USC 1395x(s)) and any other individual ororganization that furnishes bills or is paid for health care inthe normal course of business [45 CFR sect 160103]

Health information: Any information, whether oral or recorded in any form or medium, that 1) is created or received by a health-care provider, health plan, public health authority, employer, life insurer, school or university, or health-care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual. [45 CFR § 160.103]

Health plan: An individual or group plan that provides or pays the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). Health plan includes the following, singly or in combination: (i) a group health plan, as defined in 45 CFR § 160.103 of the Privacy Rule; (ii) a health insurance issuer, as defined in 45 CFR § 160.103 of the Privacy Rule; (iii) an HMO, as defined in 45 CFR § 160.103 of the Privacy Rule; (iv) Part A or B of the Medicare program under title XVIII of the Act; (v) the Medicaid program under title XIX of the Act, 42 U.S.C. 1396 et seq.; (vi) an issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)); (vii) an issuer of a long-term care policy, excluding a nursing home fixed-indemnity policy; (viii) an employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers; (ix) the health care program for active military personnel under title 10 U.S.C.; (x) the veterans health-care program under 38 U.S.C. Ch. 17; (xi) the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)); (xii) the Indian Health Service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601 et seq.; (xiii) the Federal Employees Health Benefits Program under 5 U.S.C. 8902 et seq.; (xiv) an approved state child health plan under title XXI of the Act, providing benefits for child health assistance that meet the requirements of section 2103 of the Act, 42 U.S.C. 1397 et seq.; (xv) the Medicare+Choice program under Part C of title XVIII of the Act, 42 U.S.C. 1395w-21 through 1395w-28; (xvi) a high-risk pool that is a mechanism established under state law to provide health insurance coverage or comparable coverage to eligible individuals; and (xvii) any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)). [45 CFR § 160.103]

The term health plan excludes (i) any policy, plan, or program to the extent that it provides or pays for the cost of excepted benefits that are listed in § 2791(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1); and (ii) a government-funded program (other than one listed in items (i)-(xvi) above) whose principal purpose is other than providing or paying the cost of health care, or whose principal activity is 1) the direct provision of health care to individuals or 2) the making of grants to fund the direct provision of health care to individuals. [45 CFR § 160.103]

Hybrid entity: A single legal entity 1) that is a covered entity; 2) whose business activities include both covered and noncovered functions; and 3) that designates its health-care components. [45 CFR § 164.103]

Individually identifiable health information: A subset of health information, including demographic information collected from an individual, that 1) is created or received by a health-care provider, health plan, employer, or health-care clearinghouse; 2) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual; and 3) identifies the individual, or for which there is a reasonable basis to believe the information can be used to identify the individual. [45 CFR § 164.501]

Limited data set: Protected health information that excludes certain direct identifiers of the individual or of relatives, employers, or household members of the individual. The direct identifiers to be excluded are listed in 45 CFR § 164.514(e)(2).

Minimum necessary: For any type of disclosure that a covered entity makes on a routine and recurring basis, the covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. For all other disclosures, covered entities must develop and implement criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought, and review requests for disclosure on an individual basis in accordance with such criteria. A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when (a) making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose; (b) the information is requested by another covered entity; (c) the information is requested by its business associate for the purpose of providing professional services to the covered entity; or (d) documentation or representations that comply with the applicable requirements of 45 CFR § 164.512(i) have been provided by a person requesting the information for research purposes. [45 CFR § 164.514(d)(3)]

The minimum necessary standard also applies to uses of protected health information [45 CFR § 164.514(d)(2)] and to requests for protected health information [45 CFR § 164.514(d)(4)].

Notice: An individual, with certain exceptions, has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information. The notice must be written in plain language and contain the following elements: (i) a header, as specified in the rule; (ii) a description, including at least one example, of the types of uses and disclosures that the covered entity is permitted to make for treatment, payment, and health-care operations, and a description of each of the other purposes for which the covered entity is permitted or required to use or disclose protected health information without the individual's written consent or authorization. If a use or disclosure is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law (as defined in 45 CFR § 160.202). Each description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by the Privacy Rule or other applicable law; and a statement that other uses and disclosures will be made only with the individual's written authorization and that the individual may revoke such authorization as provided by 45 CFR § 164.508(b)(5).


A separate statement must be included in the notice if a covered entity intends to engage in any of the following activities. The statement should explain that 1) the covered entity may contact the individual to provide appointment reminders or information regarding treatment alternatives or other health-related benefits; 2) the covered entity may contact the individual to raise funds for the covered entity; or 3) a group health plan, health insurer, or HMO, with respect to a group health plan, may disclose protected health information to the sponsor of the plan.

The notice must contain a statement of the individual's rights with respect to the protected health information and a brief description of how the individual may exercise these rights; a statement of the covered entity's duties; a statement that individuals may complain to the covered entity or the Secretary if they believe their privacy rights have been violated; contact information; and the effective date of the notice. [45 CFR § 164.520]

Payment: 1) The activities undertaken by (i) a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan, or (ii) a health-care provider or health plan to obtain or provide reimbursement for the provision of health care; and 2) the activities relate to the individual to whom health care is provided and include, but are not limited to, (i) determinations of eligibility or coverage and adjudication or subrogation of health benefit claims; (ii) risk adjusting amounts due based on enrollee health status and demographic characteristics; (iii) billing, claims management, collection activities, obtaining payment under a contract for reinsurance (including stop-loss insurance), and related health-care data processing; (iv) review of health-care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; (v) utilization review activities, including precertification and preauthorization of services and concurrent and retrospective review of services; and (vi) disclosure to consumer reporting agencies of any of the following protected health information relating to collection of premiums or reimbursement: (a) name and address, (b) date of birth, (c) social security number, (d) payment history, (e) account number, and (f) name and address of the health-care provider or health plan. [45 CFR § 164.501]

Protected health information (PHI): Individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes individually identifiable health information in (i) education records covered by the Family Educational Rights and Privacy Act (20 U.S.C. 1232g); (ii) records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) employment records held by a covered entity in its role as employer. [45 CFR § 160.103]

Public health authority: An agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or an individual or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or individuals or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate. [45 CFR § 164.501]

Examples of public health authorities include state and local health departments, CDC, the National Institutes of Health (NIH), the Food and Drug Administration (FDA), and the Occupational Safety and Health Administration (OSHA).

Required by law: A mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. This term includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health-care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits. [45 CFR § 164.103]

Research: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. [45 CFR § 164.501]

Statistical de-identification: A properly qualified statistician, using accepted analytical techniques, concludes that the risk is very small that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information. [45 CFR § 164.514(b)]

Safe harbor method: A covered entity or its agent removes a comprehensive set of identifiers enumerated in the Privacy Rule, which includes, but is not limited to, names, geographic subdivisions smaller than states, dates more specific than years, contact information, identification numbers, and photographic images, and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual who is a subject of the information or the individual's relatives, employers, or household members. Eighteen specific identifiers must be removed to achieve de-identification. [45 CFR § 164.514(b)]
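The following is an added example, not code from the MMWR guidance or from CDC, showing how a covered entity's data pipeline might apply the safe harbor method to a single record before it leaves the entity. The identifier categories follow 45 CFR § 164.514(b)(2), which the glossary cites but does not enumerate; the field names, the fictitious sample record, and the set of "restricted" three-digit ZIP prefixes are assumptions made for the illustration. It goes one step beyond the definition by also scrubbing identifier-shaped strings from free-text notes, because notes are where names, dates, and phone numbers most often survive a field-level de-identification; that pass is a heuristic aid and does not replace the "no actual knowledge" judgement the rule requires of a person.

```python
"""Safe-harbor de-identification of one patient record (45 CFR 164.514(b)(2)).

Added example; not part of the MMWR guidance. Field names, the sample record
and the restricted ZIP prefix set are assumptions made for illustration.
"""
import re
from datetime import date

# Fields removed outright. ASSUMPTION: these names stand in for the regulation's
# categories (names; phone and fax numbers; e-mail; SSN; medical record,
# beneficiary, account, certificate/license, vehicle and device numbers; URLs;
# IP addresses; biometrics; full-face photos; any other unique identifying code).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account_no", "license_no", "vehicle_id", "device_id", "url",
    "ip_address", "fingerprint", "photo", "other_unique_id",
})

# A three-digit ZIP prefix may be kept only if its area holds more than 20,000
# people; otherwise it becomes "000". ASSUMPTION: placeholder set; production
# code must load the current Census-derived list.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

# Identifier shapes that commonly leak through free-text notes. Numeric date
# forms only; a heuristic aid, not the "no actual knowledge" review itself.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
]


def generalize_zip(zip_code):
    """Reduce a ZIP code to its first three digits, or "000" if restricted."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return "000"
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob, reference):
    """Whole years from dob to reference; a birthday not yet reached counts down."""
    years = reference.year - dob.year
    if (reference.month, reference.day) < (dob.month, dob.day):
        years -= 1
    return years


def generalize_dob(dob, reference):
    """Return (birth_year, age). Ages over 89 collapse to "90+" and the birth
    year is suppressed as well, because the year alone would reveal the age."""
    age = age_on(dob, reference)
    if age > 89:
        return None, "90+"
    return dob.year, str(age)


def scrub_text(text):
    """Replace identifier-shaped substrings in free text with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def safe_harbor_deidentify(record, reference):
    """Apply the safe-harbor rules field by field and return a new record."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                 # drop the whole field
        if field == "zip":
            out["zip3"] = generalize_zip(value)      # state stays; ZIP is truncated
        elif field == "dob":
            out["birth_year"], out["age"] = generalize_dob(value, reference)
        elif isinstance(value, date):                # admission, discharge, death ...
            out[field + "_year"] = value.year        # keep the year only
        elif field == "notes":
            out[field] = scrub_text(value)
        else:
            out[field] = value                       # state, sex, diagnosis codes ...
    return out


# Constructed sample record: fictitious values for this example only.
REFERENCE_DATE = date(2003, 4, 11)
SAMPLE = {
    "name": "Jane Q. Sample", "mrn": "MRN-0048213", "ssn": "123-45-6789",
    "email": "jane@example.org", "phone": "404-555-0199",
    "state": "GA", "zip": "30333-1234", "dob": date(1911, 5, 2),
    "admit_date": date(2003, 4, 1), "sex": "F", "icd9": "482.9",
    "notes": "Seen 4/1/2003; callback 404-555-0199 or jane@example.org.",
}

if __name__ == "__main__":
    for key, value in safe_harbor_deidentify(SAMPLE, REFERENCE_DATE).items():
        print(f"{key}: {value}")
```

Run stand-alone, the script prints the de-identified record: the direct identifiers are gone, the ZIP is reduced to "303", the 1911 birth date becomes age "90+" with no birth year, the admission date keeps only 2003, and the note reads "Seen [DATE]; callback [PHONE] or [EMAIL]." Two points a reviewer should check in any real implementation: the date rule also covers dates that are not stored as date objects (strings in notes are caught here only by the regexes), and the output still has to pass the human "no actual knowledge" test; a rare diagnosis code plus a three-digit ZIP can be identifying on its own, which is exactly the case the statistical de-identification route is meant for.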

Transaction: The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions that the Secretary may prescribe by regulation. [45 CFR § 160.103]

Treatment: The provision, coordination, or management of health care and related services by one or more health-care providers, including the coordination or management of health care by a health-care provider with a third party; consultation between health-care providers relating to a patient; or the referral of a patient for health care from one health-care provider to another. [45 CFR § 164.501]

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. [45 CFR § 160.103]


Appendix B
Sample Text That Can Be Used To Clarify Public Health Issues Under the Privacy Rule

Following are sample letters that can be used to help clarify Privacy Rule issues among covered entities and public health authorities (e.g., CDC, National Institutes of Health, Food and Drug Administration, Substance Abuse and Mental Health Services Administration, Health Resources and Services Administration, and state and local health departments). Public health authorities can use these letters as templates by inserting names of the appropriate individuals, projects, agreements, laws, activity types, covered entities, public health authorities, and authorized agencies.

From a public health authority to a covered entity, clarifying rules regarding disclosure

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is conducting the activity described here in its capacity as a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities such as your organization may disclose, without individual authorization, protected health information to public health authorities ". . . authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions . . . ."

[Public health authority] is conducting [project], a public health activity as described by 45 CFR § 164.512(b), and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule.

If you have questions or concerns, please contact [project leader].

From a public health authority to an authorized agency, providing grant of authority

Dear [authorized agency]:

This letter serves as verification of a grant of authority from [public health authority] for you to conduct the public health activities described here, acting as a public health authority pursuant to the Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act (HIPAA) [45 CFR Parts 160 and 164]. Under this rule, covered entities may disclose, without individual authorization, protected health information to public health authorities ". . . authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions . . . ." The definition of a public health authority includes ". . . an individual or entity acting under a grant of authority from or contract with such public agency . . . ."

[Authorized agency] is acting under [contract, grant, cooperative agreement] with [public health authority] to conduct [project], which is authorized by [law or regulation]. [Public health authority] grants this authority to [authorized agency] for purposes of this project. Further, [public health authority] considers this to be [activity type], for which disclosure of protected health information by covered entities is authorized by 45 CFR § 164.512(b) of the Privacy Rule.

From a public health authority to a covered entity, confirming grant of authority to an authorized agency

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities may disclose protected health information to public health authorities ". . . authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions . . . ." The definition of public health authority includes ". . . an individual or entity acting under a grant of authority from or contract with such public agency . . . ." [45 CFR § 164.501]. [Authorized agency] is acting under [contract, grant, or cooperative agreement] with [public health authority] to carry out [project].

Through this grant of authority, [authorized agency] may function as a public health authority under the Privacy Rule for purposes of this project.

[Project] is a public health activity as described by 45 CFR § 164.512(b), referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities ". . . may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purposes when making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s)."

If you have questions or concerns, please contact [project leader for authorized agency; public health authority contact].

All MMWR references are available on the Internet at http://www.cdc.gov/mmwr. Use the search function to find specific articles.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) and is available free of charge in electronic format and on a paid subscription basis for paper copy. To receive an electronic copy each week, send an e-mail message to listserv@listserv.cdc.gov. The body content should read SUBscribe mmwr-toc. Electronic copy also is available from CDC's Internet server at http://www.cdc.gov/mmwr or from CDC's file transfer protocol server at ftp://ftp.cdc.gov/pub/publications/mmwr. To subscribe for paper copy, contact Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone 202-512-1800.

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

U.S. Government Printing Office: 2003-533-15569108 Region IV

• Introduction
• Impact on Public Health
• Overview of the Privacy Rule
  • Who Is Covered
  • Types of Health Information
  • What Is Required
• The Privacy Rule and Public Health
  • Disclosures for Public Health Purposes
  • Requirements for Covered Entities
• The Privacy Rule and Public Health Research
  • Research Versus Practice
• The Privacy Rule and Other Laws
• Online Resources
  • Federal Government Resources
  • State Government Resources
  • Associations, Nonprofit Organizations, and Academic Resources
• Acknowledgments
• References
• Appendix A
• Appendix B
Page 17: HIPAA Privacy Rule and Public Health · Vol. 52 / Early Release MMWR 1 The material in this report originated in the Epidemiology Program Office, Stephen B. Thacker, M.D., M.Sc.,

Vol 52 Early Release MMWR 15

employers (ix) the health care program for active military per-sonnel under title 10 USC (x) the veterans health-care pro-gram under 38 USC Ch 17 (xi) the Civilian Health andMedical Program of the Uniformed Services (CHAMPUS)(as defined in 10 USC 1072(4)) (xii) the Indian HealthService program under the Indian Health Care ImprovementAct 25 USC 1601 et seq (xiii) the Federal EmployeesHealth Benefits Program under 5 USC 8902 et seq (xiv)an approved state child health plan under title XXI of the Actproviding benefits for child health assistance that meet therequirements of section 2103 of the Act 42 USC 1397 etseq (xv) the Medicare+Choice program under Part C of titleXVIII of the Act 42 USC 1395w-21 through 1395w-28(xvi) a high risk pool that is a mechanism established understate law to provide health insurance coverage or comparablecoverage to eligible individuals (xvii) any other individual orgroup plan or combination of individual or group plans thatprovides or pays for the cost of medical care (as defined insection 2791(a)(2) of the PHS Act 42 USC 300gg-91(a)(2))[45 CFR sect 160103]

The term health plan excludes (i) any policy plan or pro-gram to the extent that it provides or pays for the cost ofexcepted benefits that are listed in sect2791(c)(1) of the PHSAct 42 USC 300gg-91(c)(1) and (ii) a government-fundedprogram other than the one listed in items (i)-(xvi) abovewhose principal purpose is other than providing or payingthe cost of health care or whose principal activity is 1) thedirect provision of health care to individuals or 2) the mak-ing of grants to fund the direct provision of health care toindividuals [45 CFR sect 160103]

Hybrid entity A single legal entity 1) that is a covered entity 2) whose business activities include both covered andnoncovered functions and 3) that designates its health-carecomponents [45 CFR sect 164103]

Individually identifiable health information A subset ofhealth information including demographic information col-lected from an individual and 1) is created or received by ahealth-care provider health plan employer or health-care clear-inghouse and 2) relates to the past present or future physi-cal or mental health or condition of an individual the provisionof health care to an individual or the past present or futurepayment for the provision of health care to an individual andthat identifies the individual or where there is a reasonablebasis to believe the information can be used to identify theindividual [45 CFR sect 164501]

Limited data set Protected health information that excludescertain direct identifiers of the individual or of relativesemployers or household members of the individual Directidentifiers to be excluded can be found in 45 CFR sect164514(e)(2)

Minimum necessary For any type of disclosure that a cov-ered entity makes on a routine and recurring basis that thecovered entity must implement policies and procedures (whichmay be standard protocols) that limit the protected healthinformation disclosed to the amount reasonably necessary toachieve the purpose of the disclosure For all other disclosurescovered entities must develop and implement criteria designedto limit the protected health information disclosed to theinformation reasonably necessary to accomplish the purposefor which disclosure is sought and review requests for disclo-sure on an individual basis in accordance with such criteria Acovered entity may rely if such reliance is reasonable underthe circumstances on a requested disclosure as the minimumnecessary for the stated purpose when (a) making disclosuresto public officials that are permitted under 45 CFR sect 164512if the public official represents that the information requestedis the minimum necessary for the stated purpose (b) if theinformation is requested by another covered entity (c) theirbusiness associates providing personal services or (d) docu-mentation or representations that comply with the applicablerequirements of 45 CFR sect 164512(i) have been provided byan individual requesting the information for research purposes[45 CFR sect 164514(d)(3)]

The minimum necessary standard also applies to uses ofprotected health information [45 CFR sect 164514(d)(2)] andrequests for protected health information [45 CFR sect164514(d)(4)]

Notice An individual with certain exceptions has a rightto adequate notice of the uses and disclosures of protectedhealth information that may be made by the covered entityand of the individualrsquos rights and the covered entityrsquos legalduties with respect to protected health information Thenotice must be written in plain language and contain the fol-lowing elements (i) a header as specified in the rule (ii) adescription including at least one example of the types ofuses and disclosures that the covered entity is permitted tomake for treatment payment and health care operations anda description of each of the other purposes for which the cov-ered entity is permitted or required to use or disclose pro-tected health information without the individualrsquos writtenconsent or authorization If a use or disclosure is prohibitedor materially limited by other applicable law the descriptionof such use or disclosure must reflect the more stringent law(as defined in 45 CFR sect 160202) Each description mustinclude sufficient detail to place the individual on notice ofthe uses and disclosures that are permitted or required by thePrivacy Rule or other applicable law and a statement that otheruses and disclosures will be made only with the individualrsquoswritten authorization and that the individual may revoke suchauthorization as provided by 45 CFR sect 164508(b)(5)

16 MMWR April 11 2003

A separate statement must be included in the notice if acovered entity intends to engage in any of the followingactivities The statement should explain that 1) the coveredentity may contact the individual to provide appointmentreminders or information regarding treatment alternatives orother health-related benefits 2) the covered entity may con-tact the individual to raise funds for the covered entity or 3) agroup health plan health insurer or HMO with respect to agroup health plan may disclose protected health informationto the sponsor of the plan

The notice must contain a statement of the individualrsquos rightswith respect to the protected health information and a briefdescription of how the individual may exercise these rights astatement of the covered entityrsquos duties a statement that indi-viduals may complain to the covered entity or the Secretary ifthey believe their privacy rights have been violated contactinformation and the effective date of the notice [45 CFR sect164520]

Payment 1) The activities undertaken by (i) a health planto obtain premiums or to determine or fulfill its responsibilityfor coverage and provision of benefits under the health planor (ii) a health-care provider or health plan to obtain or pro-vide reimbursement for the provision of health care and 2)the activities relate to the individual to whom health care isprovided and include but are not limited to (i) determina-tions of eligibility or coverage and adjudication or subroga-tion of health benefit claims (ii) risk adjusting amounts duebased on enrollee health status and demographic characteris-tics (iii) billing claims management collection activitiesobtaining payment under a contract for reinsurance (includ-ing stop-loss insurance) and related health-care data process-ing (iv) review of health-care services with respect to medicalnecessity coverage under a health plan appropriateness of careor justification of charges (v) utilization review activitiesincluding precertification and preauthorization of services con-current and retrospective review of services and (vi) disclo-sure to consumer reporting agencies of any of the followingprotected health information relating to collection of premi-ums or reimbursement (a) name and address (b) date of birth(c) social security number (d) payment history (e) accountnumber and (f ) name and address of the health-care provideror health plan [45 CFR sect 164501]

Protected health information (PHI) Individually identi-fiable health information that is transmitted by electronicmedia maintained in electronic media or transmitted ormaintained in any other form or medium PHI excludes indi-vidually identifiable health information in (i) educationrecords covered by the Family Education Rights and PrivacyAct (20 USC 1232g) (ii) records described at 20 USC

1232g(a)(4)(B)(iv) and (iii) employment records held by acovered entity in its role as employer [45 CFR sect 160103]

Public health authority An agency or authority of theUnited States a state a territory a political subdivision of astate or territory or an Indian tribe or an individual or entityacting under a grant of authority from or contract with suchpublic agency including the employees or agents of such pub-lic agency or its contractors or individuals or entities to whomit has granted authority that is responsible for public healthmatters as part of its official mandate [45 CFR sect 164501]

Examples of public health authorities include state and local health departments, CDC, National Institutes of Health (NIH), Food and Drug Administration (FDA), and Occupational Safety and Health Administration (OSHA).

Required by law: A mandate contained in law that compels an entity to make a use or disclosure of protected health information and that is enforceable in a court of law. This term includes, but is not limited to, court orders and court-ordered warrants; subpoenas or summons issued by a court, grand jury, a governmental or tribal inspector general, or an administrative body authorized to require the production of information; a civil or an authorized investigative demand; Medicare conditions of participation with respect to health-care providers participating in the program; and statutes or regulations that require the production of information, including statutes or regulations that require such information if payment is sought under a government program providing public benefits. [45 CFR § 164.103]

Research: A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge. [45 CFR § 164.501]

Statistical de-identification: A properly qualified statistician, using accepted analytical techniques, concludes that the risk is limited that the information could be used, alone or in combination with other reasonably available information, to identify the subject of the information. [45 CFR § 164.514(b)]

Safe harbor method: A covered entity or its agent removes a comprehensive set of identifiers enumerated in the Privacy Rule, which includes, but is not limited to, names, geographic subdivisions smaller than states, dates more specific than years, contact information, identification numbers, and photographic images, and has no actual knowledge that the remaining information could be used, alone or in combination with other information, to identify the individual who is a subject of the information or the individual's relatives, employers, or household members. Eighteen specific identifiers will need to be removed to achieve de-identification. [45 CFR § 164.514(b)]
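The safe harbor definition above describes a mechanical procedure (drop listed identifier classes, reduce dates to the year, keep nothing geographic below the state) followed by a human judgement (no actual knowledge that what remains is identifying). The following Python is an added illustration of the mechanical part, written for this page; it is not code from the MMWR guidance or from CDC. The record layout, its field names and every value in it are constructed for the example, and only the identifier classes the definition names are handled: the regulation's full list of eighteen identifiers, and its allowance for the first three ZIP digits under a population condition, are not implemented (the example takes the conservative path and drops all sub-state geography). Names or addresses that appear inside free text are also not detected, which is exactly the gap the "no actual knowledge" review exists to cover.

```python
import re

# Constructed field names for the example record; real schemas differ.
# Direct identifiers in the safe harbor list are dropped outright, including
# every geographic element smaller than the state.
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "mrn", "ssn", "phone", "email",
    "street", "city", "zip", "photo_uri",
})
# Date fields are reduced to the year, the only date element safe harbor keeps.
DATE_FIELDS = frozenset({"dob", "admit_date", "discharge_date"})
AGE_CAP = 89  # ages above this collapse into a single "90+" category

ISO_DATE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")


def generalize_date(value: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year; other strings pass through."""
    m = ISO_DATE.fullmatch(value)
    return m.group(1) if m else value


def generalize_age(age: int):
    """Exact ages above AGE_CAP are aggregated into one category."""
    return "90+" if age > AGE_CAP else age


def scrub_free_text(text: str) -> str:
    """Replace every full date embedded in narrative text with its year."""
    return ISO_DATE.sub(lambda m: m.group(1), text)


def safe_harbor(record: dict) -> dict:
    """Apply the safe harbor removals to one record and return a new dict."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                       # identifier removed entirely
        if field in DATE_FIELDS:
            out[field] = generalize_date(value)
        elif field == "age":
            out[field] = generalize_age(value)
        elif isinstance(value, str):
            out[field] = scrub_free_text(value)
        else:
            out[field] = value
    # A birth year combined with an age over 89 would reveal the exact age band,
    # so once the age is aggregated the birth year goes too.
    if out.get("age") == "90+":
        out.pop("dob", None)
    return out


def residual_identifier_fields(record: dict) -> list:
    """Structural check: names of fields that still carry a listed identifier.

    An empty list means the mechanical removals succeeded. It does not decide
    the separate "no actual knowledge" condition, and it cannot see names or
    addresses written inside free text, which need review outside this code.
    """
    flagged = [f for f in record if f in DIRECT_IDENTIFIER_FIELDS]
    for field, value in record.items():
        if isinstance(value, str) and ISO_DATE.search(value):
            flagged.append(field)
    age = record.get("age")
    if isinstance(age, int) and age > AGE_CAP:
        flagged.append("age")
    return flagged


# Constructed sample record; every value is invented for the example.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0001234",
    "ssn": "000-00-0000",
    "phone": "555-0100",
    "email": "jane@example.invalid",
    "street": "1 Example St",
    "city": "Anytown",
    "state": "GA",
    "zip": "30333",
    "dob": "1911-02-03",
    "age": 92,
    "admit_date": "2003-04-11",
    "diagnosis": "influenza-like illness",
    "notes": "Seen 2003-04-11 for follow-up; prior visit 2002-12-30.",
}

if __name__ == "__main__":
    cleaned = safe_harbor(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", residual_identifier_fields(cleaned))
```

Running the block prints the record with only state, age band, year-level dates, diagnosis and scrubbed notes remaining, and an empty residual list. The separate check function is the useful design point: a release pipeline should verify the output against the identifier policy rather than trust that the scrubber ran, because a new field added to the schema (a second phone number, a guarantor name) silently bypasses a removal list it is not on.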

Transaction: The transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions: health care claims or equivalent encounter information; health care payment and remittance advice; coordination of benefits; health care claim status; enrollment and disenrollment in a health plan; eligibility for a health plan; health plan premium payments; referral certification and authorization; first report of injury; health claims attachments; and other transactions that the Secretary may prescribe by regulation. [45 CFR § 164.103]

Treatment: The provision, coordination, or management of health care and related services by one or more health-care providers, including the coordination or management of health care by a health-care provider with a third party; consultation between health-care providers relating to a patient; or the referral of a patient for health care from one health-care provider to another. [45 CFR § 164.501]

Use: With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information. [45 CFR § 160.103]


Appendix B. Sample Text That Can Be Used To Clarify Public Health Issues Under the Privacy Rule

Following are sample letters that can be used to help clarify Privacy Rule issues among covered entities and public health authorities (e.g., CDC, National Institutes of Health, Food and Drug Administration, Substance Abuse and Mental Health Services Administration, Health Resources and Services Administration, state and local health departments). Public health authorities can use these letters as templates by inserting names of the appropriate individuals, projects, agreements, laws, activity types, covered entities, public health authorities, and authorized agencies.

From a public health authority to a covered entity, clarifying rules regarding disclosure

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is conducting the activity described here in its capacity as a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities such as your organization may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..."

[Public health authority] is conducting [project], a public health activity as described by 45 CFR § 164.512(b), and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule.

If you have questions or concerns, please contact [project leader].

From a public health authority to a covered entity, confirming grant of authority to an authorized agency

To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA) Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule) [45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities may disclose protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..." [45 CFR § 164.501]. [Authorized agency] is acting under [contract, grant, or cooperative agreement] with [public health authority] to carry out [project].

From a public health authority to an authorized agency, providing grant of authority

Dear [authorized agency]:

This letter serves as verification of a grant of authority from [public health authority] for you to conduct the public health activities described here, acting as a public health authority pursuant to the Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act (HIPAA) [45 CFR Parts 160 and 164]. Under this rule, covered entities may disclose, without individual authorization, protected health information to public health authorities "... authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions ..." The definition of a public health authority includes "... an individual or entity acting under a grant of authority from or contract with such public agency ..."

[Authorized agency] is acting under [contract, grant, cooperative agreement] with [public health authority] to conduct [project], which is authorized by [law or regulation]. [Public health authority] grants this authority to [authorized agency] for purposes of this project. Further, [public health authority] considers this to be [activity type] for which disclosure of protected health information by covered entities is authorized by 45 CFR § 164.512(b) of the Privacy Rule. Through this grant of authority, [authorized agency] may function as a public health authority under the Privacy Rule for purposes of this project.

[Project] is a public health activity as described by 45 CFR § 164.512(b), referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project, pursuant to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities "... may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purposes when making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s)."

If you have questions or concerns, please contact [project leader for authorized agency, public health authority contact].

All MMWR references are available on the Internet at http://www.cdc.gov/mmwr. Use the search function to find specific articles.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

MMWR

The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) and is available free of charge in electronic format and on a paid subscription basis for paper copy. To receive an electronic copy each week, send an e-mail message to listserv@listserv.cdc.gov. The body content should read SUBscribe mmwr-toc. Electronic copy also is available from CDC's Internet server at http://www.cdc.gov/mmwr or from CDC's file transfer protocol server at ftp://ftp.cdc.gov/pub/publications/mmwr. To subscribe for paper copy, contact Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone 202-512-1800.

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

U.S. Government Printing Office: 2003-533-15569108 Region IV


A separate statement must be included in the notice if a covered entity intends to engage in any of the following activities. The statement should explain that 1) the covered entity may contact the individual to provide appointment reminders or information regarding treatment alternatives or other health-related benefits; 2) the covered entity may contact the individual to raise funds for the covered entity; or 3) a group health plan, health insurer, or HMO with respect to a group health plan may disclose protected health information to the sponsor of the plan.

The notice must contain a statement of the individual's rights with respect to the protected health information and a brief description of how the individual may exercise these rights; a statement of the covered entity's duties; a statement that individuals may complain to the covered entity or the Secretary if they believe their privacy rights have been violated; contact information; and the effective date of the notice. [45 CFR § 164.520]


This letter serves as verification of a grant of authority from[public health authority] for you to conduct the public healthactivities described here acting as a public health authority

20 MMWR April 11 2003

Through this grant of authority [authorized agency] may func-tion as a public health authority under the Privacy Rule forpurposes of this project

[Project] is a public health activity as described by 45 CFRsect 164512(b) referenced previously and is authorized by [lawor regulation] The information being requested represents theminimum necessary to carry out the public health purposes ofthis project pursuant to 45 CFR sect 164514(d) of the PrivacyRule The Privacy Rule provides that covered entities ldquo

may rely if such reliance is reasonable under the circumstanceson a requested disclosure as the minimum necessary for thestated purposes when making disclosures to public officialsthat are permitted under 45 CFR sect 164512 if the publicofficial represents that the information requested is the mini-mum necessary for the stated purposes(s)rdquo

If you have questions or concerns please contact [projectleader for authorized agency public health authority contact]

All MMWR references are available on the Internet at http://www.cdc.gov/mmwr. Use the search function to find specific articles.

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.

References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of these sites. URL addresses listed in MMWR were current as of the date of publication.

MMWR

The Morbidity and Mortality Weekly Report (MMWR) series is prepared by the Centers for Disease Control and Prevention (CDC) and is available free of charge in electronic format and on a paid subscription basis for paper copy. To receive an electronic copy each week, send an e-mail message to listserv@listserv.cdc.gov. The body content should read SUBscribe mmwr-toc. Electronic copy also is available from CDC's Internet server at http://www.cdc.gov/mmwr or from CDC's file transfer protocol server at ftp://ftp.cdc.gov/pub/publications/mmwr. To subscribe for paper copy, contact Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402; telephone 202-512-1800.

Data in the weekly MMWR are provisional, based on weekly reports to CDC by state health departments. The reporting week concludes at close of business on Friday; compiled data on a national basis are officially released to the public on the following Friday. Address inquiries about the MMWR series, including material to be considered for publication, to Editor, MMWR Series, Mailstop C-08, CDC, 1600 Clifton Rd., N.E., Atlanta, GA 30333; telephone 888-232-3228.

All material in the MMWR series is in the public domain and may be used and reprinted without permission; however, citation of the source is appreciated.

U.S. Government Printing Office: 2003-533-15569108 Region IV
