[Please label comments about this section with the subject: “Public health”]
We propose to permit covered entities to disclose protected health information without individual authorization to public health authorities carrying out public health activities authorized by law, to non-governmental entities authorized by law to carry out public health activities, and to persons who may be at risk of contracting or spreading a disease (when other law authorizes notification). Where the covered entity also is a public health agency, such as a public hospital or local health department, it would be permitted to use protected health information in all cases in which it would be permitted to disclose such information for public health activities under this section.
Public health authorities are responsible for promoting health and quality of life by preventing and controlling disease, injury, and disability. Inherent in the collection of information for public health activities is a balancing of individual versus communal interests. While the individual has an interest in maintaining the privacy of his or her health information, public health authorities have an interest in the overall health and well- being of the entire population of their jurisdictions. To accomplish this, public health authorities engage in a number of activities, including: traditional public health surveillance; investigations and interventions with respect to communicable diseases; registries (such as immunization or cancer registries); programs to combat diseases that involve contacting infected persons and providing treatment; and actions to prevent transmission of serious communicable diseases.
Public health activities also include regulatory investigations and interventions such as pre-market review of medical products, and evaluations of the risk-benefit profile of a drug or medical product before and after approval (relying on critical epidemiological techniques and resources such as HMO claims databases and medical records). Public health agencies use the results of analyses to make important labeling changes and take other actions, such as the removal of non-compliant products from the market.
We considered requiring individual authorization for certain public health disclosures, but rejected this approach because many important public health activities would not be possible if individual authorization were required. In the case of contagious diseases, for example, if individual authorization were required before individually identifiable identifiable information could be provided to public health workers, many other people who may be harboring contagious diseases may be missed by efforts to halt the spread of disease because they failed to provide the appropriate individual authorization. Their failure to authorize could place the general population at risk for contracting an infectious disease. Furthermore, always requiring individual authorization to disclose protected health information to public health authorities would be impractical due to the number of reports and the variety of sources from which they are made. If individuals were permitted to opt out from having their information included in these public health systems, the number of persons with a particular condition would be undercounted. Furthermore, the persons who did authorize the inclusion of their information in the system might not be representative of all persons with the disease or condition.
We also considered limiting certain public health disclosures to de-identified health information. However, identifiable information could be required in order to track trends in a disease over time, and to assess the safety of medical treatments. While de-identified information could be appropriate for many public health activities, there are also many public health activities that require individual identifiers. We decided not to attempt to define specific public health activities for which only de-identified information could be disclosed, in part because public health data collection requirements would be better addressed in public health laws, and in part to reflect the variation in information technologies available to public health authorities. Instead, we rely on the judgment of public health authorities as to what information would be necessary for a public health activity. See discussion in section II.C.2.
We intend a broad reading of the term “public health activities” to include the prevention or control of disease, injury, or disability. We considered whether to propose a narrow or broad scope of public health activities for which disclosure without individual authorization would be permitted. For the reasons described above, we believe that both the general public and individual interests are best served by a broad approach to public health disclosures.
We therefore propose that covered entities be permitted to disclose protected health information to public health authorities for the full range of public health activities described above, including reporting of diseases, injuries, and conditions, reporting of vital events such as birth and death to vital statistics agencies, and a variety of activities broadly covered by the terms public health surveillance, public health investigation, and public health intervention. These would include public health activities undertaken by the FDA to evaluate and monitor the safety of food, drugs, medical devices, and other products. These terms would be intended to cover the spectrum of public health activities carried out by federal, State, and local public health authorities. The actual authorities and terminology used for public health activities will vary under different jurisdictions. We do not intend to disturb or limit current public health activities.
Disclosures without individual authorization for public health activities would be permitted to be made to only three types of persons: public health authorities, non- governmental entities authorized by law to carry out public health activities, and persons who may be at risk of contracting or spreading a disease, if other law authorizes notification.
We propose to define “public health authority” broadly, based on the function being carried out, not the title of the public entity. Therefore, disclosures under this proposed rule would not be limited to traditional public health entities such as State health departments. Other government agencies and entities carry out public health activities in the course of their missions. For example, the Occupational Safety and Health Administration, the Mine Safety and Health Administration, and the National Institute for Occupational Safety and Health conduct public health investigations related to occupational health and safety. The National Transportation Safety Board investigates airplane and train crashes in an effort to reduce mortality and injury by making recommendations for safety improvements. Similar inquiries are conducted by the military services. The Food and Drug Administration reviews product performance prior to marketing, and investigates adverse events reported after marketing by industries, health professionals, consumers, and others. The Environmental Protection Agency investigates the effects of environmental factors on health. The definition of public health authority reflects the need for access to data and information including protected health information by these other agencies and authorities consistent with their official mandates under applicable law.
The proposed rule would further provide that disclosures may be made not only to government agencies, but also to other public and private entities as otherwise required or authorized by law. For example, this would include tracking medical devices, where the initial disclosure is not to a government agency, but to a device manufacturer that collects information under explicit legal authority, or at the direction of the Food and Drug Administration. Also, the cancer registries mentioned above could be operated by non-profit organizations such as universities funded by public health authorities which receive reports from physicians and laboratories pursuant to State statutory requirements to report.
We considered limiting public health disclosures to only government entities, but the reality of current public health practice is that a variety of activities are conducted by public health authorities in collaboration with non-governmental entities. Federal agencies also use a variety of mechanisms including contracts, grants, cooperative agreements, and other agreements such as memoranda of understanding to carry out and support public health activities. These relationships could be based on specific or general legal authorities. It is not our intent to disturb these relationships. Limiting the ability to collaborate with other entities and designate them to receive protected health information, could potentially have an adverse impact on public health practice.
The proposed rule would allow disclosure to a person who could have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition and is authorized by law to be notified as necessary in the conduct of a public health intervention or investigation. Physicians, in carrying out public health interventions authorized by law, can notify persons who have been exposed to a communicable disease, or who otherwise may be at risk of contracting or spreading a disease or condition. That notification may implicitly or explicitly reveal the identity of the individual with the disease to which the person could have been exposed, but should be permitted as a disclosure in the course of a legally authorized public health intervention or investigation. The proposed rule would not (and, under the HIPAA legislative authority, cannot) impose a confidentiality obligation on the person notified.
Under proposed §164.518(c), covered entities would have to verify the identity of the person requesting protected health information and the legal authority supporting that request, before the disclosure would be permitted under this subsection. Preamble section II.G.3 describes these requirements in more detail.
We note that to the extent that the public health authority is providing treatment as defined in proposed § 164.504, the public health authority would be a covered health care provider for purposes of that treatment, and would be required to comply with this regulation.
We also note that the preemption provision of the HIPAA statute creates a special rule for a subset of public health disclosures: this regulation cannot preempt State law regarding “public health surveillance, or public health investigation or intervention...”.