NRPM: Standards for Privacy of Individually Identifiable Health Information. b. Proposed requirements.


We propose to permit covered entities to disclose protected health information for inclusion in State or other governmental health data systems when such disclosure is authorized by law for analysis in support of policy, planning, regulatory, and management functions. The recipient of the information must be a government agency (or private entity acting on behalf of a government agency). Where the covered entity is itself a government agency that collects health data for analysis in support of policy, planning, regulatory, or management functions, it would be permitted to use protected health information in all cases in which it is permitted to disclose such information for government health data systems under this section.

We believe that Congress intended to permit States, Tribes, territories, and other governmental agencies to operate health data collection systems for analyzing and improving the health care system. In section 1178(c), “State regulatory reporting,” HIPAA provides that it is not limiting the ability of a State to require a health plan to report, or to provide access to, information for a variety of oversight activities, as well as for “program monitoring and evaluation.” We also believe that the considerations Congress applied to State capacities to collect data would apply to similar data collection efforts by other levels of government, such as those undertaken by Tribes, territories and federal agencies. Therefore, we considered two questions regarding governmental health data systems: first, which entities could make such disclosures; and second, what type of legal authority would be necessary for the disclosure to be permitted.

We considered whether to allow disclosure by all covered entities to governmental data collection systems or to limit permitted disclosures to those made by health plans, as specified in the regulatory reporting provision of HIPAA. While this provision only mentions data collected from health plans, the conference agreement notes that laws regarding “State reporting on health care delivery or costs, or for other purposes” should not be preempted by this rule. States would be likely to require sources of information other than health plans, such as health care providers or clearinghouses, in order to examine health care delivery or costs. Therefore, we do not believe it is appropriate to restrict States’ or other governmental agencies’ ability to obtain such data. This viewpoint is consistent with the Recommendations, which would permit this disclosure of protected health information by all covered entities.

We also asked what type of law would be required to permit disclosure without individual authorization to governmental health data systems. We considered requiring a specific statute or regulation that requires the collection of protected health information for a specified purpose. A law that explicitly addresses the conditions under which protected health information is collected would provide individuals and covered entities with a better understanding of how and why the information is to be collected and used.

We understand, however, that explicit authority to collect information is not always included in relevant law. Governmental agencies may collect health data using a broad public health or regulatory authority in statute or regulation. For example, a law may call on a State agency to report on health care costs, without providing specific authority for the agency to collect the health care cost data it needs to do so. Consequently, the agency may use its general operating authority to request health care providers to release the information. We recognize that many governmental agencies rely on broad legal authority for their activities and do not intend this proposed rule to hamper those efforts.

Under §164.518(c), covered entities would have an obligation to verify the identity of the person requesting protected health information and the legal authority behind the request before the disclosure would be permitted under this subsection. Preamble section II.G.3. describes these requirements in more detail.