NRPM: Standards for Privacy of Individually Identifiable Health Information. ii. Non-governmental entities carrying out public health activities.


The proposed rule would further provide that disclosures may be made not only to government agencies, but also to other public and private entities as otherwise required or authorized by law. For example, this would include tracking medical devices, where the initial disclosure is not to a government agency, but to a device manufacturer that collects information under explicit legal authority, or at the direction of the Food and Drug Administration. Also, the cancer registries mentioned above could be operated by non-profit organizations such as universities funded by public health authorities which receive reports from physicians and laboratories pursuant to State statutory requirements to report.

We considered limiting public health disclosures to only government entities, but the reality of current public health practice is that a variety of activities are conducted by public health authorities in collaboration with non-governmental entities. Federal agencies also use a variety of mechanisms including contracts, grants, cooperative agreements, and other agreements such as memoranda of understanding to carry out and support public health activities. These relationships could be based on specific or general legal authorities. It is not our intent to disturb these relationships. Limiting the ability to collaborate with other entities and designate them to receive protected health information, could potentially have an adverse impact on public health practice.