
HIPAA 2013-Public Health Disclosures Without Authorization-What Happened?

HIPAA 2013 Continues to Allow for and


Public Health Reporting



My discussion of HIPAA 2013 regulations threatens to violate a principle of this blog which is to generally discuss things related to HIPAA and privacy in ways that people can understand, regardless of whether they are lawyers, doctors or Indian Chiefs.

By necessity, my post on HIPAA 2013 may get a little weedy.  If you hate weeds, take an airboat over them and skip to the end of the post for a quick  summary.

Quick Background on HIPAA & Public Health

HIPAA historically contained an exemption to the authorization requirement for public health reporting. This means that covered entities can and must report certain events to public health authorities and can do so without patient authorization. Public health activities include the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. You can probably see why it’s important that health care providers help public health authorities track things like disease outbreaks and sexually transmitted diseases.

Carrying this theme forward,  Section 13405(d)(2) of HITECH contained an exception to the authorization requirement for exchanges of protected health information for  public health activities, as described at § 164.512(b) of the HIPAA Privacy Rule.

Another quick historical fact is that HIPAA generally frowns upon the “sale” of protected health information without patient consent.  It’s a pretty big no-no. However, some providers may charge a fee to the public health authority for providing public health data.  Generally, the providers charge only the cost to them of making the report, as well as a reasonable charge for their time.  This practice has not been historically considered “sale” of data and there has been a recognized exception carved out for public health reporting.  However, if charges get out of hand, the HHS Secretary has the authority to restrict the amount charged.  There had been some discussion about whether this restriction would be made in the new rules.

It was not.  In HIPAA 2013, HHS  did not limit the exception to only those disclosures where all the covered entity receives as remuneration is a cost-based fee to cover the cost to prepare and transmit the data. So, although the sky is not the limit, there appears to be some room for covered entities to charge actual costs plus their time.

My prediction is, however, that if covered entities attempt to make public health reporting a profit center, HHS will quickly revisit the issue.  The takeaway is that  covered entities should keep their costs fair and reasonable.

Again,  HIPAA 2013 regulations continue to allow covered entities to exchange information for public health activities and for covered entities to charge a fee for reporting.

One small addition was made to § 164.502 to reference § 164.514(e) of the Privacy Rule to ensure that disclosures of protected health information for public health activities in limited data set form would also be excepted from the authorization requirement, in addition to disclosures that may occur under § 164.512(b) with more identifiable information. A limited data set is protected health information that excludes many direct identifiers of the individual or of relatives, employers, or household members of the individual, such as names, postal addresses other than town, city, state and zip code, and social security numbers. There was a need to reference limited data sets because it can often be time- and resource-consuming for a covered entity to produce them.


AIRBOAT THROUGH HIPAA 2013 Public Health Reporting

1.  Covered entities can and should still report everything mandated by state and federal law to the public health authority and can do it without the patient authorizing it.

2.  Covered entities can charge a fee for doing it.  They shouldn’t get too cute with it.

3.  Public health reporting is good public policy and HHS continues to recognize this.



Tomorrow I will discuss the impact of the HIPAA 2013 Changes to Public Health as it relates to immunizations.

Sleep well!

HIPAA 2013-Public Health Updates

HIPAA 2013

Julie Meadows-Keefe

HIPAA 2013 is HERE!


The Health Insurance Portability and Accountability Act of 1996, as modified by the American Recovery and Reinvestment Act (ARRA) of 2009 and its Health Information for Clinical and Economic Health (HITECH) provisions, brought to bear the necessity of a whole new slew of regulations, which were handed down last week amid much fanfare. In the next few days, I’ll be posting some updates summarizing the highlights of HIPAA 2013!

A friend requested that I start with taking a look at HIPAA provisions relating to public health reporting and activities.

HIPAA 2013 Emphasizes That Covered Entities Should NOT Use their Business Associates for Public Health Reporting!


HHS emphasized that business associates do not have their own health care operations (see the definition of health care operations which is limited to activities of the covered entity).  Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing.  Business associate services are: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial. See the definition of “business associate” at 45 CFR 160.103.

While a business associate does not have health care operations, it is permitted to use and disclose protected health information as necessary for its own management and administration if the business associate agreement permits such activities, or to carry out its legal responsibilities. Other than the exceptions for the business associate’s management and administration and for data aggregation services relating to the health care operations of the covered entity, the business associate may not use or disclose protected health information in a manner that would not be permissible if done by the covered entity (even if such a use or disclosure is permitted by the business associate agreement).


If you are a covered entity, make sure that you are doing your public health reporting, as required by state and federal law, and NOT delegating that function to a business associate.

 HIPAA 2013-What’s Coming Tomorrow

Tomorrow I will provide a quick overview of what’s become of the exception to the authorization requirement for public health exchanges in order to conduct public health activities.

I invite you to leave a comment and stay in touch!

