NRPM: Standards for Privacy of Individually Identifiable Health Information. d. Additional requirements.

11/03/1999

Under proposed §164.518(c), covered entities would have to verify the identity of the person requesting protected health information and the legal authority supporting that request, before the disclosure would be permitted under this subsection. Preamble section II.G.3 describes these requirements in more detail.

We note that to the extent that the public health authority is providing treatment as defined in proposed § 164.504, the public health authority would be a covered health care provider for purposes of that treatment, and would be required to comply with this regulation.

We also note that the preemption provision of the HIPAA statute creates a special rule for a subset of public health disclosures: this regulation cannot preempt State law regarding “public health surveillance, or public health investigation or intervention...”.