Q&A: Sharing records for a public health project

Q: An investigator from the state health department called the clinic where I work and asked for health records to collect vaccination data for a public health project. Is it a HIPAA violation to share that data?

A: Under the Privacy Rule, CEs may use or disclose information:

• As required by law
• For public health activities
• For health oversight activities

Here are a few things to remember about these requests:

• Patient authorization is not required
• You don’t have to tell patients about these requests and give them an opportunity to agree or object to the disclosure
• These requests must be tracked for an accounting of disclosures if the patient was identified by name, medical record number, Social Security number, or another identifier
• The minimum necessary requirement applies

It is not a HIPAA violation to provide vaccination data to the state health department. However, you should have a written request for the information; this will give you a record of the disclosure and allow you to track it for an accounting of disclosures if individual patients were identified.

If the health department is asking for aggregate data that does not identify individual patients (such as the number of patients who received a flu vaccine), this is considered de-identified data and may be freely shared.

Editor’s note: This question was answered by Mary Brandt, MBA, RHIA, CHE, CHPS. Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Heidi Samuelson at hsamuelson@hcpro.com.