Become a Member

PRISM
A Privacy Toolkit for
Public Health Professionals

Government Entity Acting As A Public Health
Healthcare Payer

Introduction

Public health programs at both the state and county level often pay for health services in a variety of areas. Programs at the State level are almost exclusively payers; county level programs are moving more and more into the payer category as they increasingly contract with external entities to provide direct services. Some common services paid for by public health include HIV, STD, and TB drugs and treatment and primary care services for infants and children and other vulnerable populations not covered by Medicaid. These payer programs may meet the HIPAA definition of a health plan, which is simply defined as an individual or group plan that pays or provides the cost of medical care. However, public payers do not operate like commercial health plans, so determining whether and how to apply the privacy provisions can be challenging.

Other public payers of health services that may find themselves directly or indirectly impacted by HIPAA privacy provisions include social service programs such as aging, vocational rehabilitation, disability, home care, mental health, substance abuse, crisis and/or emergency services, and school health. While these tables are targeted more specifically to public health programs, the public programs listed above may also find the PRISM tool useful for general privacy guidance.

The payer function is directly impacted by HIPAA, but the privacy provisions should not substantively affect most uses and disclosures for that function. In general, the ability to use and disclose information for payer purposes is very similar to that of providers.

However, public health departments and programs seldom perform only payer functions; instead, payer functions are often performed along with provider, public health authority, and/or health oversight functions. Payer programs are also likely to be part of a larger entity that must comply with the HIPAA provisions. If payer functions are combined with provider functions, it is generally prudent to apply the provider privacy requirements, which are more extensive, to both the provider and payer activities.

PRISM Privacy Tables

Select the type of data disclosure in which you are interested. Use the “back” button to return to the previous menu. Click here to download the entire set of tables. Please note that this PDF is (516 KB/105 pages) and may take several minutes to download.

TABLE 1: WHO CONTROLS INFORMATION ABOUT INDIVIDUALS

TABLE 2: DISCLOSURES FOR TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS

TABLE 3: DISCLOSURES TO PERSONS INVOLVED IN INDIVIDUAL’S CARE; FOR NOTIFICATION PURPOSES (NON-TPO DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)

TABLE 4: DISCLOSURES REQUIRED BY LAW; FOR PUBLIC HEALTH ACTIVITIES; FOR HEALTH OVERSIGHT; FDA REGULATED PRODUCTS (NON-TPO DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)

TABLE 5: DISCLOSURES TO AVERT SERIOUS THREAT TO HEALTH AND SAFETY; FOR ORGAN DONATIONS; TO WHISTLE-BLOWERS AND WORKFORCE MEMBER CRIME VICTIMS (NON-TPO DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)

TABLE 6: DISCLOSURES FOR JUDICIAL AND ADMINISTRATIVE PROCEEDINGS; LAW ENFORCEMENT PURPOSES; CORRECTIONS AGENCY; BOARDS OF PRACTICE (NON-TPO DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)

TABLE 7: DISCLOSURES FOR SPECIALIZED GOVERNMENT FUNCTIONS; WORKERS’ COMPENSATION; BUSINESS ASSOCIATES (NON-TPO DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)

TABLE 8: DISCLOSURES FOR RESEARCH; TO HHS; FOR MARKETING; FUNDRAISING (NON-TPO DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)

TABLE 9: DISCLOSURES TO SCHOOLS; TO CORONERS AND MEDICAL EXAMINERS; TO LAW ENFORCEMENT ABOUT CRIME VICTIMS; PUBLIC BENEFITS PROGRAMS (NON-TPO DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)

TABLE 10: DISCLOSURES TO GOVERNMENT DEPARTMENTS AND AGENCIES PERFORMING BUSINESS ASSOCIATE FUNCTIONS; COUNTY AND STATE FINANCE AND ACCOUNTING; CENTRAL IT; COUNTY AND STATE ATTORNEYS; ARCHIVES (NON-TPO DISCLOSURES ALLOWED WITHOUT AUTHORIZATION)