Most public health entities engage in
traditional public health activities such as disease
surveillance and investigation, collecting and maintaining vital
records, and education and intervention. These traditional
public health activities are considered public functions under
HIPAA, and such functions are generally subject to certain
exceptions or special requirements for privacy. Public entities performing
public functions, even if they must comply with HIPAA, can
generally continue to use and disclose health information for
those functions as in the past. However, since many public
programs perform more than one function, the program must
understand and identify these public functions to aid in
determining when and where specific privacy exceptions and
conditions apply.
The public health authority function is not directly impacted by
HIPAA, and uses and disclosures for that function can
continue as always. However, your public health function may be
part of a larger entity that must comply with HIPAA; if so, that
function may be required to comply with some of the HIPAA
provisions as directed by your department or agency. This
situation often causes difficulties in determining when and
where HIPAA privacy provisions in particular may apply.
The HIPAA definition of public health authority provides the
context for this set of tables:
A government agency or entity acting
under authority from a public agency that is responsible for
public health matters as part of its official mandate. These
entities are generally authorized by law to collect or
receive information for the purpose of preventing or
controlling disease, injury, or disability, including but
not limited to, the reporting of disease, injury, vital
events such as birth or death, and the conduct of public
health surveillance, public health investigations, and
public health interventions.
Examples include receipt and/or reporting of
mandated health information, such as for communicable disease
reporting, outbreak investigations, and obtaining selected
health information as related to screenings and assessments,
such as general health assessments, and tests or screenings for
particular conditions such as genetic disorders, HIV, or breast
cancer.
Note that this description may only correspond to some of the
activities your specific department/program performs; however,
the HIPAA provisions for public health authority apply ONLY to
the types of activities specified in the definition above. If
your department/program performs other functions, such as
provider, payer, health oversight, or other, then other privacy
rules apply and must be followed.
Another common function performed by public health departments
and programs is health oversight. Health oversight includes
regulatory activities such as professional licensing and
discipline, and facility inspections to assure standards
compliance. HIPAA defines health oversight as:
A government agency or entity acting on
behalf of a public agency, with legal authority to oversee
the public and/or private health care system, or government
programs where health information is necessary to determine
eligibility, compliance, or to enforce civil rights.
Examples include auditing whether a recipient
received appropriate services or benefits or auditing a health
care facility for compliance with licensure or program
participation requirements. The health oversight function, like
the public health authority function, is not directly impacted
by HIPAA, and uses and disclosures for that function can
continue as always. In general, the information in these tables
will also be applicable to health oversight functions. However,
your health oversight function may be part of a larger entity
that must comply with HIPAA; if so, that function may be
required to comply with some of the HIPAA provisions as directed
by your department or agency.
PRISM Privacy Tables
Select the type of data disclosure in which you are interested.
The entire set of tables is also available as a PDF download
(4.91MB/1181 pages), which may take several minutes to download.
TABLE 1: WHO
CONTROLS INFORMATION ABOUT INDIVIDUALS
TABLE 2: DISCLOSURES FOR
TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS
TABLE 3: DISCLOSURES TO PERSONS
INVOLVED IN INDIVIDUAL’S CARE; FOR NOTIFICATION PURPOSES
TABLE 4: DISCLOSURES REQUIRED BY
LAW; FOR PUBLIC HEALTH ACTIVITIES; FOR HEALTH OVERSIGHT; FDA
REGULATED PRODUCTS (NON-TPO DISCLOSURES ALLOWED WITHOUT
AUTHORIZATION)
TABLE 5: DISCLOSURES TO AVERT
SERIOUS THREAT TO HEALTH AND SAFETY; FOR ORGAN DONATIONS; TO
WHISTLEBLOWERS AND WORKFORCE MEMBER CRIME VICTIMS (NON-TPO
DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)
TABLE 6: DISCLOSURES FOR
JUDICIAL AND ADMINISTRATIVE PROCEEDINGS; LAW ENFORCEMENT
PURPOSES; CORRECTIONS AGENCY; BOARDS OF PRACTICE (NON-TPO
DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)
TABLE 7: DISCLOSURES FOR
SPECIALIZED GOVERNMENT FUNCTIONS; WORKERS’ COMPENSATION;
BUSINESS ASSOCIATES (NON-TPO DISCLOSURES ALLOWED WITHOUT
AUTHORIZATION)
TABLE 8: DISCLOSURES FOR
RESEARCH; TO HHS; FOR MARKETING; FUNDRAISING (NON-TPO
DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)
TABLE 9: DISCLOSURES TO SCHOOLS;
TO CORONERS AND MEDICAL EXAMINERS; TO LAW ENFORCEMENT ABOUT
CRIME VICTIMS; PUBLIC BENEFITS PROGRAMS (NON-TPO DISCLOSURES
ALLOWED WITHOUT AUTHORIZATION)
TABLE 10: DISCLOSURES TO
GOVERNMENT DEPARTMENTS AND AGENCIES PERFORMING BUSINESS
ASSOCIATE FUNCTIONS: COUNTY AND STATE FINANCE AND ACCOUNTING;
CENTRAL IT; COUNTY AND STATE ATTORNEYS; ARCHIVES (NON-TPO
DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)