HIPAA Privacy Case Studies for Local Public Health Agencies

The Public Health Data Standards Consortium has developed a series of case studies to examine the experiences of local public health agencies as they implement the HIPAA Privacy Rule. These case studies address challenges faced by agencies from Washington State, New Jersey and North Carolina and describe the methods and tools they used to solve their problems. Funding for these studies was provided by the National Center for Health Statistics (NCHS) and the Health Resources and Services Administration (HRSA).

Washington State

Local Public Health Agency: Public Health-Seattle & King County
Covered Entity Status: Fully-covered, designated health care component
HIPAA Privacy Challenges: State Law Preemption & Business Associate Agreements

Washington State's largest public health agency, Public Health-Seattle & King County (PHSKC), faced challenges reconciling its comprehensive state privacy law with the HIPAA Privacy Rule. To address this challenge, PHSKC created a defined project structure and team, with a dedicated project manager from within the health agency, and hired an outside consulting firm. This team developed an implementation plan and adopted a dynamic process for creating policies and procedures. PHSKC experienced several barriers in addressing the variation between state and federal law, including creating appropriate policies and procedures and disclosing protected health information. However, the department was able to use relationships with the state public health agency and hospital association, as well as other resources, to overcome these barriers.

PHSKC also experienced difficulty creating appropriate business associate agreements, but worked with its contracts department to create a systematic approach to categorizing existing and new contracts based on the relationship of the business partner to the health agency.

New Jersey

Local Public Health Agency: City of Paterson Health Department
Covered Entity Status: Fully-covered Entity
HIPAA Privacy Challenges: Internal and External Uses/Disclosures and Protected Health Information

The City of Paterson Health Department (CPHD) in New Jersey conducts various public health activities and also functions as a health care provider. Following implementation of the HIPAA Privacy Rule, CPHD experienced difficulty in collecting protected health information from providers, who believed the disclosure of protected health information (PHI) to be unlawful. In order to address this concern, CPHD began a rigorous process of contacting providers via letters and phone to clear up confusion regarding the use of PHI at the health department. CPHD benefited from resources created by the Midwest Center for HIPAA Education in its efforts to educate providers on the provisions of HIPAA.

CPHD faced another limitation, imposed by the state of New Jersey, on its ability to conduct public health activities. In an effort to curb the area’s prevalent lead poisoning problem, CPHD was interested in using birth certificate data to identify newborn babies who would subsequently be screened by CPHD’s public health nurses. State health officials contended that this was not a permitted public health activity under HIPAA and denied the health department’s request for access to PHI. Though CPHD attempted to resolve this issue with the state, permission was not granted to CPHD to access the essential birth certificate data, thereby curtailing CPHD’s efforts to screen a larger number of newborn infants.

North Carolina

Local Public Health Agency: Buncombe County Health Center
Covered Entity Status: Fully-covered Entity
HIPAA Privacy Challenges: Designated Record Set, Protected Health Information and State Law Preemption

Buncombe County Health Center (BCHC) provides numerous public health and health care services. As they began implementation of the Privacy Rule, BCHC staff found it challenging to identify which of the records the Center maintained should be included in the "Designated Record Set" (DRS), as defined by HIPAA. To resolve the issue of what types of information would be included in the DRS, BCHC conducted a gap analysis, which included interviews with each of the Center's department heads to verify the specific types of PHI used in each department.

As with many local health departments, BCHC also struggled with the challenge of determining when to employ the federal HIPAA Privacy Rule and when they were bound by more stringent state law. BCHC staff conducted an in-depth review of state and federal laws to verify which takes precedence. BCHC included state and federal laws related to the provision of mental health services in their review. After conducting their analysis of state and federal law, BCHC staff determined that the North Carolina mental health laws did, in fact, supersede the HIPAA Privacy Rule.