A Health Insurance Portability and Accountability Act (HIPAA) Covered Entity is permitted to disclose protected health information (PHI) without individual authorization to a “public health authority” that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability, such as for purposes of reporting disease, injury, or vital events, or for public health surveillance, investigations, or interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority. (45 CFR 164.512(b)(1)(i)).
The HIPAA Privacy Rule imposes certain requirements and conditions on these disclosures, such as that the covered entity must make reasonable efforts to limit the PHI disclosed to the minimum necessary to accomplish the intended purpose of the disclosure. The following checklist is intended to help public health authorities be prepared to provide a covered entity with the information and representations necessary for the covered entity to ensure that a disclosure meets the specific requirements and conditions outlined in the Privacy Rule.
The requestor of the PHI should be able to demonstrate or represent that:
- The requestor is a “public health authority” as defined in the Privacy Rule. The Privacy Rule defines “public health authority” as an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.
- The requestor has legal authority to collect or receive the information it is requesting for the stated public health purpose.
- The information being requested is the minimum necessary for the stated public health purpose.
In most cases, the requestor should be prepared to provide a written statement of its legal authority. However, in circumstances where it would be impracticable to provide a written statement, a covered entity may rely, if reasonable, on an oral statement of authority.
In addition, the requestor should be prepared to verify its identity by:
- Presenting an agency identification badge, other official credentials, or other proof of government status if the request is made in person;
- Making the request on the appropriate government letterhead if the request is made in writing; or
- If the request is by a person acting on behalf of a public official, providing a written statement on appropriate government letterhead that the person is acting under the government’s authority or other evidence or documentation of agency, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person is acting on behalf of the public official.
For additional guidance, see HIPAA Privacy Rule and public health disclosures.
View PDF version of the HIPAA Public Health Authority Disclosure Request Checklist.