HIPAA Policy Brief
When HIPAA covered entities can disclose protected health information to public health authorities
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is a set of standards that address how certain organizations (called covered entities) may use and disclose individually identifiable health information (called protected health information or PHI). The Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has the authority to enforce the HIPAA Privacy Rule. According to OCR, the Privacy Rule “establishes a foundation of Federal protection for personal health information, carefully balanced to avoid creating unnecessary barriers to the delivery of quality health care.” Just as the exchange of information between health care providers is a key component of good patient care, when health care providers appropriately share information with public health authorities, the community and its health care resources can be more resilient. The model attached to this guide and available at HIPAA Public Health Authority Disclosure Request Checklist is designed to make the information sharing process easier by facilitating compliance with the Privacy Rule’s disclosure requirements.
Note: The use or disclosure of PHI without written authorization is allowed for certain public health activities and purposes.
Important Terms and Definitions
This Policy Brief focuses on the disclosure by a covered entity of PHI to a public health authority. The terms Covered Entity, Protected Health Information, and Public Health Authority are important to understand:
Covered entities are health plans, health care clearinghouses, and certain health care providers that electronically transmit health information in standard transactions, such as billing.
Protected Health Information (PHI) is individually identifiable health information that is “held or transmitted by a covered entity…in any form or media, whether electronic, paper, or oral.”
Public Health Authority includes an agency or authority of the U.S., a state (or political subdivision of a state), or an Indian tribe that is responsible for public health matters as part of its official mandate. See 45 CFR 164.501 for the complete definition of public health authority.
Disclosures to Public Health Authorities
Disclosures are permitted without authorization to public health authorities that are authorized to collect or receive information for certain public health activities and purposes. Those purposes include preventing or controlling disease, injury, or disability and conducting public health surveillance, investigations, or interventions.
Generally, providers are limited to disclosing only the minimum amount of information necessary when making a disclosure. Providers disclosing PHI to a public health authority may reasonably rely on determinations by a public health authority regarding the minimum necessary information needed. Providers should verify that the requestor is an employee, contractor, or agent of the public health authority. Similarly, when releasing PHI, a covered entity should consider whether other state or local privacy laws apply.
The HIPAA Privacy Rule is designed to permit communications that are necessary to provide care and to support other important provider activities such as responses to emergency situations. In addition to disclosures to public health authorities, providers (and other covered entities) may disclose patient information for the purpose of providing treatment; notifying family members, a guardian, or another person who is responsible for the care of a patient; or notifying appropriate authorities to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. Providers may also disclose to public or private entities that are authorized to assist in disaster relief efforts. See HHS-OCR’s guidance (links below) for more detailed information.