USES AND DISCLOSURES FOR PUBLIC HEALTH ACTIVITIES SECTION 164.512(b)
As Contained in the HHS Final HIPAA Privacy Rules
HHS Regulations as Amended August 2002
Uses and Disclosures for Public Health Activities - § 164.512(b)
Standard: uses and disclosures for public health activities.
Permitted disclosures. A covered entity may disclose protected health information for the public health activities and purposes described in this paragraph to:
A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;
A public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect;
A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity. Such purposes include:
To collect or report adverse events (or similar activities with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations;
To track FDA-regulated products;
To enable product recalls, repairs, or replacement, or lookback (including locating and notifying individuals who have received products that have been recalled, withdrawn, or are the subject of lookback); or
To conduct post marketing surveillance;
A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if the covered entity or public health authority is authorized by law to notify such person as necessary in the conduct of a public health intervention or investigation; or
An employer, about an individual who is a member of the workforce of the employer, if:
The covered entity is a covered health care provider who is a member of the workforce of such employer or who provides health care to the individual at the request of the employer:
To conduct an evaluation relating to medical surveillance of the workplace; or
To evaluate whether the individual has a work-related illness or injury;
The protected health information that is disclosed consists of findings concerning a work-related illness or injury or a workplace-related medical surveillance;
The employer needs such findings in order to comply with its obligations, under 29 CFR parts 1904 through 1928, 30 CFR parts 50 through 90, or under state law having a similar purpose, to record such illness or injury or to carry out responsibilities for workplace medical surveillance; and
The covered health care provider provides written notice to the individual that protected health information relating to the medical surveillance of the workplace and work-related illnesses and injuries is disclosed to the employer:
By giving a copy of the notice to the individual at the time the health care is provided; or
If the health care is provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care is provided.
Permitted uses. If the covered entity also is a public health authority, the covered entity is permitted to use protected health information in all cases in which it is permitted to disclose such information for public health activities under paragraph (b)(1) of this section.
HHS Description of and Commentary on August 2002 Revisions Uses and Disclosures For Public Health Activities
December 2000 Privacy Rule. The Privacy Rule permits covered entities to disclose protected health information without consent or authorization for public health purposes.
Generally, these disclosures may be made to public health authorities, as well as to contractors and agents of public health authorities. However, in recognition of the essential role of drug and medical device manufacturers and other private persons in carrying out the Food and Drug Administration's (FDA) public health mission, the December 2000 Privacy Rule permitted covered entities to make such disclosures to a person who is subject to the jurisdiction of the FDA, but only for the following specified purposes: (1) to report adverse events, defects or problems, or biological product deviations with respect to products regulated by the FDA (if the disclosure is made to the person required or directed to report such information to the FDA); (2) to track products (if the disclosure is made to the person required or directed to report such information to the FDA); (3) for product recalls, repairs, or replacement; and (4) for conducting post-marketing surveillance to comply with FDA requirements or at the direction of the FDA.
March 2002 NPRM. The Department heard a number of concerns about the scope of the disclosures permitted for FDA-regulated products and activities and the failure of the Privacy Rule to reflect the breadth of the public health activities currently conducted by private sector entities subject to the jurisdiction of the FDA on a voluntary basis. These commenters claimed the Rule would constrain important public health surveillance and reporting activities by impeding the flow of needed information to those subject to the jurisdiction of the FDA. For instance, there were concerns that the Rule would have a chilling effect on current voluntary reporting practices. The FDA gets the vast majority of information concerning problems with FDA-regulated products, including drugs, medical devices, biological products, and food indirectly through voluntary reports made by health care providers to the manufacturers. These reports are critically important to public health and safety. The December 2000 Rule permitted such disclosures only when made to a person "required or directed" to report the information to the FDA or to track the product. The manufacturer may or may not be required to report such problems to the FDA, and the covered entities who make these reports are not in a position to know whether the recipient of the information is so obligated. Consequently, many feared that this uncertainty would cause covered entities to discontinue their practices of voluntary reporting of adverse events related to FDA-regulated products or entities.
Some covered entities also expressed fears of the risk of liability should they inadvertently report the information to a person who is not subject to the jurisdiction of the FDA or to the wrong manufacturer. Hence, they urged the Department to provide a "good-faith" safe harbor to protect covered entities from enforcement actions arising from unintentional violations of the Privacy Rule.
A number of commenters, including some subject to the jurisdiction of the FDA, suggested that it is not necessary to disclose identifiable health information for some or all of these public health purposes, that identifiable health information is not reported to the FDA, and that information without direct identifiers (such as name, mailing address, phone number, social security number, and email address) is sufficient for post-marketing surveillance purposes.
The Rule is not intended to discourage or prevent adverse event reporting or otherwise disrupt the flow of essential information that the FDA and persons subject to the jurisdiction of the FDA need in order to carry out their important public health activities. Therefore, the Department proposed some modifications to the Rule to address these issues in the NPRM. Specifically, the Department proposed to remove from §§ 164.512(b)(1)(iii)(A) and (B) the phrase "if the disclosure is made to a person required or directed to report such information to the Food and Drug Administration" and to remove from subparagraph (D) the phrase "to comply with requirements or at the direction of the Food and Drug Administration." In lieu of this language, the Department proposed to describe at the outset the public health purposes for which disclosures may be made. The proposed language read: "A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity."
The proposal retained the specific activities identified in paragraphs (A), (B), (C), and (D) as examples of common FDA purposes for which disclosures would be permitted, but eliminated the language that would have made this listing the only activities for which such disclosures would be allowed. These activities include reporting of adverse events and other product defects, the tracking of FDA-regulated products, enabling product recalls, repairs, or replacement, and conducting post-marketing surveillance. Additionally, the Department proposed to include "lookback" activities in paragraph (C), which are necessary for tracking blood and plasma products, as well as quarantining tainted blood or plasma and notifying recipients of such tainted products.
In addition to these specific changes, the Department solicited comments on whether a limited data set should be required or permitted for some or all public health purposes, or if a special rule should be developed for public health reporting. The Department also requested comments as to whether the proposed modifications would be sufficient, or if additional measures, such as a good-faith safe harbor, would be needed for covered entities to continue to report vital information concerning FDA-regulated products or activities on a voluntary basis.
Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal.
The proposed changes received wide support. The overwhelming majority of commenters urged the Department to adopt the proposed changes, claiming it would reduce the chilling effect that the Rule would otherwise have on current voluntary reporting practices, which are an important means of identifying adverse events, defects, and other problems regarding FDA-regulated products. Several commenters further urged the Department to provide a good-faith safe harbor to allay providers' fears of inadvertently violating the Rule, stating that covered entities would otherwise be reluctant to risk liability to make these important public health disclosures.
A few commenters opposed the proposed changes, expressing concern that the scope of the proposal was too broad. They were particularly concerned that including activities related to "quality" or "effectiveness" would create a loophole for manufacturers to obtain and use protected health information for purposes the average person would consider unrelated to public health or safety, such as using information to market products to individuals. Some of these commenters said the Department should retain the exclusive list of purposes and activities for which such disclosures may be made, and some urged the Department to retain the "required or directed" language, as it creates an essential nexus to a government authority or requirement. It was also suggested that the chilling effect on reporting of adverse events could be counteracted by a more targeted approach. Commenters were also concerned that the proposal would permit disclosure of much more protected health information to non-covered entities that are not obligated by the Rule to protect the privacy of the information. Comments regarding use of a limited data set for public health disclosures are discussed in section III.G.1. of the preamble.
Final Modifications. In the final modifications, the Department adopts the language proposed in the NPRM. Section 164.512(b)(1)(iii), as modified, permits covered entities to disclose protected health information, without authorization, to a person subject to the jurisdiction of the FDA with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety, or effectiveness of such FDA-regulated product or activity. Such purposes include, but are not limited to, the following activities and purposes listed in subparagraphs (A) through (D): (1) to collect or report adverse events (or similar activities regarding food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations, (2) to track FDA-regulated products, (3) to enable product recalls, repairs, or replacement, or for lookback (including locating and notifying persons who have received products that have been withdrawn, recalled, or are the subject of lookback), and (4) to conduct post-marketing surveillance.
The Department believes these modifications are necessary to remove barriers that could prevent or chill the continued flow of vital information between health care providers and manufacturers of food, drugs, medical and other devices, and biological products. Health care providers have been making these disclosures to manufacturers for many years, and commenters opposed to the proposal did not cite any examples of abuses of information disclosed for such purposes. Furthermore, both the individuals who are the subjects of the information and the general public benefit from these disclosures, which are an important means of identifying and dealing with FDA-regulated products on the market that potentially pose a health or safety threat. For example, FDA learns a great deal about the safety of a drug after it is marketed as a result of voluntary adverse event reports made by covered entities to the product's manufacturer. The manufacturer is required to submit these safety reports to FDA, which uses the information to help make the product safer by, among other things, adding warnings or changing the product's directions for use. The modifications provide the necessary assurances to covered entities that such voluntary reporting may continue.
Although the list of permissible disclosures is no longer exclusive, the Department disagrees with commenters that asserted the modifications permit virtually unlimited disclosures for FDA purposes. As modified, such disclosures must still be made to a person subject to the jurisdiction of the FDA. The disclosure also must relate to FDA-regulated products or activities for which the person using or receiving the information has responsibility, and be made only for activities related to the safety, effectiveness, or quality of such FDA-regulated product or activity. These terms are terms of art with commonly accepted and understood meanings in the FDA context, meanings of which providers making such reports are aware. This limits the possibility that FDA-regulated manufacturers and entities will be able to abuse this provision to obtain information to which they would otherwise not be entitled.
Moreover, § 164.512(b)(1) specifically limits permissible disclosures to those made for public health activities and purposes. While a disclosure related to the safety, quality or effectiveness of an FDA-regulated product is a permissible disclosure, the disclosure also must be for a "public health" activity or purpose. For example, it is not permissible under § 164.512(b)(1)(iii) for a covered entity to disclose protected health information to a manufacturer to allow the manufacturer to evaluate the effectiveness of a marketing campaign for a prescription drug. In this example, although the disclosure may be related to the effectiveness of an FDA-regulated activity (the advertising of a prescription drug), the disclosure is made for the commercial purposes of the manufacturer rather than for a public health purpose.
A disclosure related to a "quality" defect of an FDA-regulated product is also permitted. For instance, the public health exception permits a covered entity to contact the manufacturer of a product to report drug packaging quality defects. However, this section does not permit all possible reports from a covered entity to a person subject to FDA jurisdiction about product quality. It would not be permissible for a provider to furnish a manufacturer with a list of patients who prefer a different flavored cough syrup over the flavor of the manufacturer's product. Such a disclosure generally would not be for a public health purpose. However, a disclosure related to the flavor of a product would be permitted under this section if the covered entity believed that a difference in the product's flavor indicated, for example, a possible manufacturing problem or suggested that the product had been tampered with in a way that could affect the product's safety.
The Department clarifies that the types of disclosures that covered entities are permitted to make to persons subject to FDA jurisdiction are those of the type that have been traditionally made over the years. These reports include, but are not limited to, those made for the purposes identified in paragraphs (A) - (D) of § 164.512(b)(1)(iii) of this final Rule.
Also, the minimum necessary standard applies to public health disclosures, including those made to persons subject to the jurisdiction of the FDA. There are many instances where a report about the quality, safety, or effectiveness of an FDA-regulated product can be made without disclosing protected health information. Such may be the case with many adverse drug events where it is important to know what happened but it may not be important to know to whom. However, in other circumstances, such as device tracking or blood lookback, it is essential for the manufacturer to have identifying patient information in order to carry out its responsibilities under the Food, Drug, and Cosmetic Act. Therefore, identifiable health information can be disclosed for these purposes, consistent with the minimum necessary standard.
As the Department stated in the preamble of the NPRM, "a person" subject to the jurisdiction of the FDA does not mean that the disclosure must be made to a specific individual. The Food, Drug, and Cosmetic Act defines "person" to include an individual, partnership, corporation, and association. Therefore, covered entities may continue to disclose protected health information to the companies subject to FDA's jurisdiction that have responsibility for the product or activity. Covered entities may identify responsible companies by using information obtained from product labels or product labeling (written material about the product that accompanies the product) including sources of labeling, such as the Physician's Desk Reference.
The Department believes these modifications effectively balance the privacy interests of individuals with the interests of public health and safety. Since the vast majority of commenters were silent on the question of the potential need for a "good faith" exception, the Department believes that these modifications will be sufficient to preserve the current public health activities of persons subject to the jurisdiction of the FDA, without such a safe harbor. However, the Department will continue to evaluate the effect of the Rule to determine whether there is need for further modifications or guidance.
Response to Other Public Comments.
Comment: A few commenters urged the Department to include foreign public health authorities in the Rule's definition of "public health authority." These commenters claimed that medical products are often distributed in multiple countries, and the associated public health issues are experienced globally. They further claimed that requiring covered entities to obtain the permission of a United States-based public health authority before disclosing protected health information to a foreign government public health authority will impede important communications.
Response: The Department notes that covered entities are permitted to disclose protected health information for public health purposes, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority. The Department does not have sufficient information at this time as to any potential impacts or workability issues that could arise from this language and, therefore, does not modify the Rule in this regard.
Comment: Some commenters, who opposed the proposal as a weakening of the Privacy Rule, suggested that the Department implement a more targeted approach to address only those issues raised in the preamble to the NPRM, such as voluntary adverse event reporting activities, rather than broadening the provision generally.
Response: The NPRM was intended to address a number of issues in addition to the concern that the December 2000 Privacy Rule would chill reporting of adverse events to entities from whom the FDA receives much of its adverse event information. For instance, the text of the December 2000 Privacy Rule did not expressly permit disclosure of protected health information to FDA-regulated entities for the purpose of enabling "lookback," which is an activity performed by the blood and plasma industry to identify and quarantine blood and blood products that may be at increased risk of transmitting certain blood-borne diseases, and which includes the notification of individuals who received possibly tainted products, permitting them to seek medical attention and counseling. The NPRM also was intended to simplify the public health reporting provision and to make it more readily understandable. Finally, the approach proposed in the NPRM, and adopted in this final Rule, is intended to add flexibility to the public health reporting provision of the December 2000 Rule, whose exclusive list of permissible disclosures was insufficiently flexible to assure that § 164.512(b)(1)(iii) will allow legitimate public health reporting activities that might arise in the future.
In addition, the Department clarifies that the reporting of adverse events is not restricted to the FDA or persons subject to the jurisdiction of the FDA. A covered entity may, under § 164.512(b), disclose protected health information to a public health authority that is authorized to receive or collect a report on an adverse event. In addition, to the extent an adverse event is required to be reported by law, the disclosure of protected health information for this purpose is also permitted under § 164.512(a). For example, a Federally funded researcher who is a covered health care provider under the Privacy Rule may disclose protected health information related to an adverse event to the National Institutes of Health (NIH) if required to do so by NIH regulations. Even if not required to do so, the researcher may also disclose adverse events directly to NIH as a public health authority. To the extent that NIH has public health matters as part of its official mandate it qualifies as a public health authority under the Privacy Rule, and to the extent it is authorized by law to collect or receive reports about injury and other adverse events such collection would qualify as a public health activity.
HHS Description from Original Rulemaking Uses and Disclosures For Public Health Activities
The NPRM would have allowed covered entities to disclose protected health information without individual authorization to: (1) a public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; (2) a public health authority or other appropriate authority authorized by law to receive reports of child abuse or neglect; (3) a person or entity other than a governmental authority that could demonstrate or demonstrated that it was acting to comply with requirements or direction of a public health authority; or (4) a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition and was authorized by law to be notified as necessary in the conduct of a public health intervention or investigation.
In the final rule, we broaden the scope of permissible disclosures pursuant to item (1) listed above. We narrow the scope of disclosures permissible under item (3) of this list, and we add language to clarify the scope of permissible disclosures with respect to item (4) on the list. We broaden the scope of allowable disclosures regarding item (1) by allowing covered entities to disclose protected health information not only to U.S. public health authorities but also, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority. For example, we allow covered entities to disclose protected health information to a foreign government agency that is collaborating with the Centers for Disease Control and Prevention to limit the spread of infectious disease.
We narrow the conditions under which covered entities may disclose protected health information to non-government entities. We allow covered entities to disclose protected health information to a person subject to the FDA's jurisdiction, for the following activities: to report adverse events (or similar reports with respect to food or dietary supplements), product defects or problems, or biological product deviations, if the disclosure is made to the person required or directed to report such information to the FDA; to track products if the disclosure is made to a person required or directed by the FDA to track the product; to enable product recalls, repairs, or replacement, including locating and notifying individuals who have received products regarding product recalls, withdrawals, or other problems; or to conduct post-marketing surveillance to comply with requirements or at the direction of the FDA.
The terms included in § 164.512(b)(iii) are intended to have both their commonly understood meanings, as well as any specialized meanings, pursuant to the Food, Drug, and Cosmetic Act (21 U.S.C. 321 et seq.) or the Public Health Service Act (42 U.S.C. 201 et seq.). For example, "post-marketing surveillance" is intended to mean activities related to determining the safety or effectiveness of a product after it has been approved and is in commercial distribution, as well as certain Phase IV (post-approval) commitments by pharmaceutical companies. With respect to devices, "post-marketing surveillance" can be construed to refer to requirements of section 522 of the Food, Drug, and Cosmetic Act regarding certain implanted, life-sustaining, or life-supporting devices. The term "track" includes, for example, tracking devices under section 519(e) of the Food, Drug, and Cosmetic Act, units of blood or other blood products, as well as trace-backs of contaminated food.
In § 164.512(b)(iii), the term "required" refers to requirements in statute, regulation, order, or other legally binding authority exercised by the FDA. The term "directed," as used in this section, includes other official agency communications such as guidance documents.
We note that under this provision, a covered entity may disclose protected health information to a non-governmental organization without individual authorization for inclusion in a private data base or registry only if the disclosure is otherwise for one of the purposes described in this provision (e.g., for tracking products pursuant to FDA direction or requirements, for post-marketing surveillance to comply with FDA requirements or direction.)
To make a disclosure that is not for one of these activities, covered entities must obtain individual authorization or must meet the requirements of another provision of this rule. For example, covered entities may disclose protected health information to employers for inclusion in a workplace surveillance database only: with individual authorization; if the disclosure is required by law; if the disclosure meets the requirements of § 164.512(b)(v); or if the disclosure meets the conditions of another provision of this regulation, such as § 154.512(i) relating to research. Similarly, if a pharmaceutical company seeks to create a registry containing protected health information about individuals who had taken a drug that the pharmaceutical company had developed, covered entities may disclose protected health information without authorization to the pharmaceutical company pursuant to FDA requirements or direction. If the pharmaceutical company's registry is not for any of these purposes, covered entities may disclose protected health information to it only with patient authorization, if required by law, or if disclosure meets the conditions of another provision of this rule.
The final rule continues to permit covered entities to disclose protected health information without individual authorization directly to public health authorities, such as the Food and Drug Administration, the Occupational Safety and Health Administration, the Centers for Disease Control and Prevention, as well as state and local public health departments, for public health purposes as specified in the NPRM.
The final rule retains the NPRM provision allowing covered entities to disclose protected health information to public health authorities or other appropriate government authorities authorized by law to receive reports of child abuse or neglect. In addition, we clarify the NPRM's provision regarding disclosure of protected health information to persons who may have been exposed to a communicable disease or who may otherwise be at risk of contracting or spreading a disease or condition. Under the final rule, covered entities may disclose protected health information to such individuals when the covered entity or public health authority is authorized by law to notify these individuals as necessary in the conduct of a public health intervention or investigation.
In addition, as in the NPRM, under the final rule, a covered entity that is acting as a public health authority – for example, a public hospital conducting infectious disease surveillance in its role as an arm of the public health department – may use protected health information in all cases for which it is allowed to disclose such information for public health activities as described above.
The proposed rule did not contain a specific provision relating to disclosures by covered health care providers to employers concerning work-related injuries or illnesses or workplace medical surveillance. Under the proposed rule, a covered entity would have been permitted to disclose protected health information without individual authorization for public health purposes to a private person if the person could demonstrate that it was acting to comply with requirements or at the direction of a public health authority.
As discussed above, in the final rule we narrow the scope of this paragraph as it applies to disclosures to persons other than public health authorities. To ensure that covered health care providers may make disclosures of protected health information without individual authorization to employers when appropriate under federal and state laws addressing work-related injuries and illnesses or workplace medical surveillance, we include a new provision in the final rule. The provision permits covered health care providers who provide health care as a workforce member of or at the request of an employer to disclose to that employer protected health information concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty under the Occupational Safety and Health Act, the Federal Mine Safety and Health Act, or under a similar state law, to keep records on or act on such information. For example, OSHA regulations in 29 CFR Part 1904 require employers to record work-related injuries and illnesses if medical treatment is necessary; MSHA regulations at 30 CFR Part 50 require mine operators to report injuries and illnesses experienced by miners. Similarly, OSHA rules require employers to monitor employees' exposure to certain substances and to remove employees from exposure when toxic thresholds have been met. To obtain the relevant health information necessary to determine whether an injury or illness should be recorded, or whether an employee must be medically removed from exposure at work, employers must refer employees to health care providers for examination and testing.
OSHA and MSHA rules do not impose duties directly upon health care providers to disclose health information pertaining to recordkeeping and medical monitoring requirements to employers. Rather, these rules operate on the presumption that health care providers who provide services at the request of an employer will be able to disclose to the employer work-related health information necessary for the employer to fulfill its compliance obligations. This new provision permits covered entities to make disclosures necessary for the effective functioning of OSHA and MSHA requirements, or those of similar state laws, by permitting a health care provider to make disclosures without the authorization of the individual concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty under OSHA and MSHA requirements, or under similar state laws, to keep records on or act on such information.
We require health care providers who make disclosures to employers under this provision to provide notice to individuals that they disclose protected health information to employers relating to the medical surveillance of the workplace and work-related illnesses and injuries. The notice required under this provision is separate from the notice required under § 164.520. The notice required under this provision may be met by giving a copy of the notice to the individual at the time they provide the health care services, or, if the health care services are provided on the work site of the employer, by posting the notice in a prominent place at the location where the health care services are provided.
This provision applies only when a covered health care provider provides health care services as a workforce member of or at the request of an employer and for the purposes discussed above. The provision does not affect the application of this rule to other health care provided to individuals or to their relationship with health care providers that they select.
HHS Response to Comments Received from Original Rulemaking
Uses and Disclosures for Public Health Activities
Comment: Several non-profit entities commented that medical records research by nonprofit entities to ensure public health goals, such as disease-specific registries, would not have been covered by this provision. These organizations collect information without relying on a government agency or law. Commenters asserted that such activities are essential and must continue. They generally supported the provisions allowing the collection of individually identifiable health information without authorization for registries. One stated that both governmental and non-governmental cancer registries should be exempt from the regulation. They stated that "such entities, by their very nature, collect health information for legitimate public health and research purposes." Another, however, addressed its comments only to "disclosure to non-government entities operating such system as required or authorized by law."
Response: We acknowledge that such entities may be engaged in disease-specific or other data collection activities that provide a benefit to their members and others affected by a particular malady and that they contribute to the public health and scientific database on low incidence or little known conditions. However, in the absence of some nexus to a government public health authority or other underlying legal authority, it is unclear upon what basis covered entities can determine which registries or collections are "legitimate" and how the confidentiality of the registry information will be protected. Commenters did not suggest methods for "validating" these private registry programs, and no such methods currently exist at the federal level. It is unknown whether any states have such a program. Broadening the exemption could provide a loophole for private data collections for inappropriate purposes or uses under a "public health" mask.
In this rule, we do not seek to make judgments as to the legitimacy of private entities' disease-specific registries or of private data collection endeavors. Rather, we establish the general terms and conditions for disclosure and use of protected health information. Under the final rule, covered entities may obtain authorization to disclose protected health information to private entities seeking to establish registries or other databases; they may disclose protected health information as required by law; or they may disclose protected health information to such entities if they meet the conditions of one of the provisions of §§ 164.510 or 164.512. We believe that the circumstances under which covered entities may disclose protected health information to private entities should be limited to specified national priority purposes, as reflected through the FDA requirements or directives listed in § 164.512(b)(iii), and to enable recalls, repairs, or replacements of products regulated by the FDA. Covered health care providers who are workforce members of an employer or are conducting evaluations relating to work-related injuries or illnesses or workplace surveillance also may disclose protected health information to employers concerning findings of such evaluations that are necessary for the employer to comply with requirements under OSHA and related laws.
Comment: Several commenters said that the NPRM did not indicate how to distinguish between public health data collections and government health data systems. They suggested eliminating proposed § 164.510(g) on disclosures and uses for government health data systems, because they believed that such disclosures and uses were adequately covered by proposed § 164.510(b) on public health.
Response: As discussed below, we agree with the commenters who suggested that the proposed provision that would have permitted disclosures to government health data bases was overly broad, and we remove it from the final rule. We reviewed the important purposes for which some commenters said government agencies needed protected health information, and we believe that most of those needs can be met through the other categories of permitted uses and disclosures without authorization allowed under the final rule, including provisions permitting covered entities to disclose information (subject to certain limitations) to government agencies for public health, health oversight, law enforcement, and otherwise as required by law. For example, the final rule continues to allow collection of protected health information without authorization to monitor trends in the spread of infectious disease, morbidity and mortality.
Comment: Several commenters recommended expanding the scope of disclosures permissible under proposed § 164.510(b)(1)(iii), which would have allowed covered entities to disclose protected health information to private entities that could demonstrate that they were acting to comply with requirements, or at the direction, of a public health authority. These commenters said that they needed to collect individually identifiable health information in the process of drug and device development, approval, and post-market surveillance – activities that are related to, and necessary for, the FDA regulatory process. However, they noted that the specific data collections involved were not required by FDA regulations. Some commenters said that they often devised their own data collection methods, and that health care providers disclosed information to companies voluntarily for activities such as post-marketing surveillance and efficacy surveys. Commenters said they used this information to comply with FDA requirements such as reporting adverse events, filing other reports, or recordkeeping. Commenters indicated that the FDA encouraged but did not require them to establish other data collection mechanisms, such as pregnancy registries that track maternal exposure to drugs and the outcomes.
Accordingly, several commenters recommended modifying proposed § 164.510(b) to allow covered entities to disclose protected health information without authorization to manufacturers registered with the FDA to manufacture, distribute, or sell a prescription drug, device, or biological product, in connection with post-marketing safety and efficacy surveillance or for the entity to obtain information about the drug, device, or product or its use. One commenter suggested including in the regulation an illustrative list of examples of FDA-related requirements, and stating in the preamble that all activities taken in furtherance of compliance with FDA regulations are "public health activities."
Response: We recognize that the FDA conducts or oversees many activities that are critical to help ensure the safety or effectiveness of the many products it regulates. These activities include, for example, reporting of adverse events, product defects and problems; product tracking; and post-marketing surveillance. In addition, we believe that removing defective or harmful products from the market is a critical national priority and is an important tool in FDA efforts to promote the safety and efficacy of the products it regulates. We understand that in most cases, the FDA lacks statutory authority to require product recalls. We also recognize that the FDA typically does not conduct recalls, repairs, or product replacement surveillance directly, but rather, that it relies on the private entities it regulates to collect data, notify patients when applicable, repair and replace products, and undertake other activities to promote the safety and effectiveness of FDA-regulated products.
We believe, however, that modifying the NPRM to allow disclosure of protected health information to private entities as part of any data-gathering activity related to a drug, device, or biological product or its use, or for any activity that is consistent with, or that appears to promote objectives specified in, FDA regulation would represent an inappropriately broad exception to the general requirement to obtain authorization prior to disclosure. Such a change could allow, for example, drug companies to collect protected health information without authorization to use for the purpose of marketing pharmaceuticals. We do not agree that all activities taken to promote compliance with FDA regulations represent public health activities as that term is defined in this rule. In addition, we believe it would not be appropriate to include in the regulation text an "illustrative list" of requirements "related to" the FDA. The regulation text and preamble list the FDA-related activities for which we believe disclosure of protected health information to private entities without authorization is warranted.
We believe it is appropriate to allow disclosure of protected health information without authorization to private entities only: for purposes that the FDA has, in effect, identified as national priorities by issuing regulations or express directions requiring such disclosure; or if such disclosure is necessary for a product recall. For example, we believe it is appropriate to allow covered health care providers to disclose to a medical device manufacturer recalling defective heart valves the names and last known addresses of patients in whom the provider implanted the valves. Thus, in the final rule, we allow covered entities to disclose protected health information to entities subject to FDA jurisdiction for the following activities: to report adverse events (or similar reports with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations, if the disclosure is made to the person required or directed to report such information to the FDA; to track products if the disclosure is made to a person required or directed by the FDA to track the product; to enable product recalls, repairs, or replacement (including locating and notifying individuals who have received products of product recalls, withdrawals, or other problems); or to conduct post-marketing surveillance to comply with requirements or at the direction of the FDA. The preamble above provides further detail on the meaning of some of the terms in this list. Covered entities may disclose protected health information to entities for activities other than those described above only as required by law; with authorization; or if permissible under another section of this rule.
We understand that many private registries, such as pregnancy registries, currently obtain patient authorization for data collection. We believe the approach of § 164.512(b) strikes an appropriate balance between the objective of promoting patient privacy and control over their health information and the objective of allowing private entities to collect data that ultimately may have important public health benefits.
Comment: One commenter remarked that our proposal may impede fetal/infant mortality and child fatality reviews.
Response: The final rule permits a covered entity to disclose protected health information to a public health authority authorized by law to conduct public health activities, including the collection of data relevant to death or disease, in accordance with § 164.512(b). Such activities may also meet the definition of "health care operations." We therefore do not believe this rule impedes these activities.
Comment: Several comments requested that the final regulation clarify that employers be permitted to use and/or disclose protected health information pursuant to the requirements of the Occupational Safety and Health Act and its accompanying regulations ("OSHA"). A few comments asserted that the regulation should not only permit employers to use and disclose protected health information without first obtaining an authorization consistent with OSHA requirements, but also permit them to use and disclose protected health information if the use or disclosure is consistent with the spirit of OSHA. One commenter supported the permissibility of these types of uses and disclosures, but warned that the regulation should not grant employers unfettered access to the entire medical record of employees for the purpose of meeting OSHA requirements. Other commenters noted that OSHA not only requires disclosures to the Occupational Safety and Health Administration, but also to third parties, such as employers and employee representatives. Thus, this comment asked HHS to clarify that disclosures to third parties required by OSHA are also permissible under the regulation.
Response: Employers as such are not covered entities under HIPAA and we generally do not have authority over their actions. When an employer has a health care component, such as an on-site medical clinic, and the component meets the requirements of a covered health care provider, health plan or health care clearinghouse, the uses and disclosures of protected health information by the health care component, including disclosures to the larger employer entity, are covered by this rule and must comply with its provisions.
A covered entity, including a covered health care provider, may disclose protected health information to OSHA under § 164.512(a), if the disclosure is required by law, or if the disclosure is a discretionary one for public health activities, under § 164.512(b). Employers may also request employees to provide authorization for the employer to obtain protected health information from covered entities to conduct analyses of work-related health issues. See § 164.508.
We also permit covered health care providers who provide health care as a workforce member of an employer or at the request of an employer to disclose protected health information to the employer concerning work-related injuries or illnesses or workplace medical surveillance in situations where the employer has a duty to keep records on or act on such information under OSHA or similar laws. We added this provision to ensure that employers are able to obtain the information that they need to meet federal and state laws designed to promote safer and healthier workplaces. These laws are vital to protecting the health and safety of workers and we permit specified covered health care providers to disclose protected health information as necessary to carry out these purposes.
Comment: A few comments suggested that the final regulation clarify how it would interact with existing and pending OSHA requirements. One of these comments requested that the Secretary delay the effective date of the regulation until reviews of existing requirements are complete.
Response: As noted in the "Relationship to Other Federal Laws" section of the preamble, we are not undertaking a complete review of all existing laws with which covered entities might have to comply. Instead we have described a general framework under which such laws may be evaluated. We believe that adopting national standards to protect the privacy of individually identifiable health information is an urgent national priority. We do not believe that it is appropriate to delay the effective date of this regulation.
Comment: One commenter asserted that the proposed regulation conflicted with the OSHA regulation requirement that when a designated representative (to whom the employee has already provided a written authorization to obtain access) requests a release form for access to employee medical records, the form must include the purpose for which the disclosure is sought, which the proposed privacy regulation does not require.
Response: We do not agree that this difference creates a conflict for covered entities. If an employer seeks to obtain a valid authorization under § 164.508, it may add a purpose statement to the authorization so that it complies with OSHA's requirements and is a valid authorization under § 164.508 upon which a covered entity may rely to make a disclosure of protected health information to the employer.
Comment: One commenter stated that access to workplace medical records by the occupational medical physicians is fundamental to workplace and community health and safety. Access is necessary whether it is a single location or multiple sites of the same company, such as production facilities of a national company located throughout the country.
Response: We permit covered health care providers who provide health care as a workforce member of an employer or at the request of an employer to disclose protected health information to the employer concerning work-related injuries or illnesses or workplace medical surveillance, as described in this paragraph. Information obtained by an employer under this paragraph would be available for it to use, consistent with other laws and regulations, as it chooses and throughout the national company. We do not regulate uses or disclosures of individually identifiable health information by employers acting as employers.