PRISM
A Privacy Toolkit for
Public Health Professionals

Introduction

Most public health entities engage in traditional public health activities such as disease surveillance and investigation, collecting and maintaining vital records, and education and intervention. These traditional public health activities are considered a public function under HIPAA, and public functions are generally subject to certain exceptions or special requirements for privacy. Public entities performing public functions, even if they must comply with HIPAA, can generally continue to use and disclose health information for those functions as in the past. However, since many public programs perform more than one function, the program must understand and identify these public functions to aid in determining when and where specific privacy exceptions and conditions apply.

The public health authority function is not directly impacted by HIPAA, and uses and disclosures for that function can continue as always. However, your public health function may be part of a larger entity that must comply with HIPAA; if so, that function may be required to comply with some of the HIPAA provisions as directed by your department or agency. This situation often causes difficulties in determining when and where HIPAA privacy provisions in particular may apply.

The HIPAA definition of public health authority provides the context for this set of tables:

A government agency or entity acting under authority from a public agency that is responsible for public health matters as part of its official mandate. These entities are generally authorized by law to collect or receive information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions.

Examples include receipt and/or reporting of mandated health information, such as for communicable disease reporting, outbreak investigations, and obtaining selected health information as related to screenings and assessments, such as general health assessments, and tests or screenings for particular conditions such as genetic disorders, HIV, or breast cancer.

Note that this description may only correspond to some of the activities your specific department/program performs; however, the HIPAA provisions for public health authority apply ONLY to the types of activities specified in the definition above. If your department/program performs other functions, such as provider, payer, health oversight, or other, then other privacy rules apply and must be followed.

Another common function performed by public health departments and programs is health oversight. Health oversight includes regulatory activities such as professional licensing and discipline, and facility inspections to assure standards compliance. HIPAA defines health oversight as:

A government agency or entity acting on behalf of a public agency, with legal authority to oversee the public and/or private health care system, or government programs where health information is necessary to determine eligibility, compliance, or to enforce civil rights.

Examples include auditing whether a recipient received appropriate services or benefits or auditing a health care facility for compliance with licensure or program participation requirements. The health oversight function, like the public health authority function, is not directly impacted by HIPAA, and uses and disclosures for that function can continue as always. In general, the information in these tables will also be applicable to health oversight functions. However, your health oversight function may be part of a larger entity that must comply with HIPAA; if so, that function may be required to comply with some of the HIPAA provisions as directed by your department or agency.

PRISM Privacy Tables

Select the type of data disclosure in which you are interested. The entire set of tables is also available as a single PDF download; please note that this PDF is large (4.91MB/1181 pages) and may take several minutes to download.

TABLE 1: WHO CONTROLS INFORMATION ABOUT INDIVIDUALS

TABLE 2: DISCLOSURES FOR TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS

TABLE 3: DISCLOSURES TO PERSONS INVOLVED IN INDIVIDUAL’S CARE; FOR NOTIFICATION PURPOSES

TABLE 4: DISCLOSURES REQUIRED BY LAW; FOR PUBLIC HEALTH ACTIVITIES; FOR HEALTH OVERSIGHT; FDA REGULATED PRODUCTS (NON-TPO DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)

TABLE 5: DISCLOSURES TO AVERT SERIOUS THREAT TO HEALTH AND SAFETY; FOR ORGAN DONATIONS; TO WHISTLEBLOWERS AND WORKFORCE MEMBER CRIME VICTIMS (NON-TPO DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)

TABLE 6: DISCLOSURES FOR JUDICIAL AND ADMINISTRATIVE PROCEEDINGS; LAW ENFORCEMENT PURPOSES; CORRECTIONS AGENCY; BOARDS OF PRACTICE (NON-TPO DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)

TABLE 7: DISCLOSURES FOR SPECIALIZED GOVERNMENT FUNCTIONS; WORKERS’ COMPENSATION; BUSINESS ASSOCIATES (NON-TPO DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)

TABLE 8: DISCLOSURES FOR RESEARCH; TO HHS; FOR MARKETING; FUNDRAISING (NON-TPO DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)

TABLE 9: DISCLOSURES TO SCHOOLS; TO CORONERS AND MEDICAL EXAMINERS; TO LAW ENFORCEMENT ABOUT CRIME VICTIMS; PUBLIC BENEFITS PROGRAMS (NON-TPO DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)

TABLE 10: DISCLOSURES TO GOVERNMENT DEPARTMENTS AND AGENCIES PERFORMING BUSINESS ASSOCIATE FUNCTIONS: COUNTY AND STATE FINANCE AND ACCOUNTING; CENTRAL IT; COUNTY AND STATE ATTORNEYS; ARCHIVES (NON-TPO DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)