HIPAA 2013 Continues to Allow for and
Public Health Reporting
My discussion of HIPAA 2013 regulations threatens to violate a principle of this blog which is to generally discuss things related to HIPAA and privacy in ways that people can understand, regardless of whether they are lawyers, doctors or Indian Chiefs.
By necessity, my post on HIPAA 2013 may get a little weedy. If you hate weeds, take an airboat over them and skip to the end of the post for a quick summary.
Quick Background on HIPAA & Public Health
HIPAA historically contained an exemption to the authorization requirement for public health reporting. This means that covered entities can and must report certain events to public health authortieis and can do so without patient authorization. Public health activities include the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. You can probably see why it’s important that health care providers help public health authorities track things like disease outbreaks and sexually transmitted diseases.
Carrying this theme forward, Section 13405(d)(2) of HITECH contained an exception to the authorization requirement for exchanges of protected health information for public health activities, as described at § 164.512(b) of the HIPAA Privacy Rule.
Another quick historical fact is that HIPAA generally frowns upon the “sale” of protected health information without patient consent. It’s a pretty big no-no. However, some providers may charge a fee to the public health authority for providing public health data. Generally, the providers charge only the cost to them of making the report, as well as a reasonable charge for their time. This practice has not been historically considered “sale” of data and there has been a recognized exception carved out for public health reporting. However, if charges get out of hand, the HHS Secretary has the authority to restrict the amount charged. There had been some discussion about whether this restriction would be made in the new rules.
It was not. In HIPAA 2013, HHS did not limit the exception to only those disclosures where all the covered entity receives as remuneration is a cost-based fee to cover the cost to prepare and transmit the data. So, although the sky is not the limit, there appears to be some room for covered entities to charge actual costs plus their time.
My prediction is, however, that if covered entities attempt to make public health reporting a profit center, HHS will quickly revisit the issue. The takeaway is that covered entities should keep their costs fair and reasonable.
Again, HIPAA 2013 regulations continue to allow covered entities to exchange information for public health activities and for covered entities to charge a fee for reporting.
One small addition was made to §164.502 to reference 164.514(e) of the Privacy Rule to ensure that disclosures of protected health information for public health activities in limited data set form would also be excepted from the authorization requirement, in addition to disclosures that may occur under § 164.512(b) with more identifiable information. A limited data set is protected health information that excludes many direct identifiers of the individual or of relatives, employers, or household members of the individual such as names, postal addresses other than town, city, state and zip code and social security numbers. There was a need to reference limited data sets because it can often be time and resource-consuming for a covered entity to produce them.
AIRBOAT THROUGH HIPAA 2013 Public Health Reporting
1. Covered entities can and should still report everything mandated by state and federal law to the public health authority and can do it without the patient authorizing it.
2. Covered entities can charge a fee for doing it. They shouldn’t get too cute with it.
3. Public health reporting is good public policy and HHS continues to recognize this.
Tomorrow I will discuss the impact of the HIPAA 2013 Changes to Public Health as it relates to immunizations.