OCR Issues Fact Sheet Regarding Disclosure to Public Health Agencies

The Department of Health & Human Services, Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology issued a fact sheet that provides guidance through the use of hypothetical situations as to a covered entity’s (CE) obligations under HIPAA related to disclosure to public health agencies. HIPAA provides that a CE may disclose protected health information (PHI) to public health agencies, such as the Centers for Disease Control and Prevention, who are authorized by state or federal law to collect such information.

Importantly, while HIPAA requires CE’s to provide the minimum amount of information necessary, a CE may reasonably rely that a public health authority’s request for information satisfies this requirement. Examples of when public health authorities collect information include: disease reporting and surveillance information; public health investigations; public health interventions; studies; medical device recalls; viral outbreaks and communicable disease exposure; and workplace medical surveillance. The fact sheet may be found here.