A great deal of confusion still exists around the privacy impact of the Health Insurance Portability and Accountability Act (HIPAA) on public sector entities and its intersection with state and other federal laws. Public sector health care services are very heterogeneous and often perform multiple functions, which may cross program boundaries or be shared with other departments, agencies, and external partners. In many cases, public sector health program processes do not fit well with many of the regulatory provisions. While the HIPAA rules recognize that public programs play different roles, they do not address the real-life complexity of public sector solutions to providing access and services.
The Department of Health and Human Services (DHHS) Office for Civil Rights (OCR) produced a series of guidance documents for the Privacy Rule to aid compliance, but little has been released to date that directly addresses public sector concerns. In general, HIPAA privacy regulations recognize current business practices and preserve a government entity’s ability to use and disclose the information. Use or disclosure for most activities is permitted and can continue, including for public health, public benefit programs, and oversight activities. However, the complexity of the rule and the imperfect fit of its requirements with public sector health activities have greatly hindered understanding, application, and compliance. This tool provides direction for government entities in applying privacy regulations to their programs and functions and in complying with all state and federal privacy requirements.
The PRISM Privacy Tool is an electronic tool to provide state and local government health programs, and public health departments and programs in particular, with a convenient and useful way to understand the basic legal privacy requirements for identifiable health information use and disclosure. The tool identifies and defines the baseline conditions and requirements that a public health or other government health entity must follow when using and disclosing specific types of health information. The tool consists of a series of tables that outline different types and/or purposes of information use and disclosure and the general legal requirements relevant to each type of use or disclosure.
The Consortium's PRISM Privacy Tool helps look at the health information privacy issue from different public health perspectives.
The tool is organized according to the three common roles and functions of state and local public health and other government health entities that often require use or disclosure of health information: public health authority, health care provider, and payer of health services.
The PRISM tool describes the baseline privacy requirements for government health sector uses and disclosures using HIPAA (the Health Insurance Portability and Accountability Act) as a foundation and takes into consideration:
- Other federal laws impacting health privacy, namely 42 CFR pt. 2 (substance abuse program information privacy) and FERPA (privacy of educational records)
- Common state privacy laws and related requirements and considerations, such as:
  - Areas where state laws are commonly more restrictive than HIPAA, such as HIV/AIDS, mental health, and certain reproductive health concerns
  - Minors’ rights, which are directed by state law
  - Areas where state laws may impose additional conditions on uses and disclosures, such as requiring consent for uses and disclosures related to treatment, payment, and health care operations
- Any other relevant information, including notes and explanations on conditions or applications specific to government programs that may add clarity
Definitions & Resources
Key definitions and terms related to the disclosure of private health information.
Additional resources related to the disclosure of private health information.