OCR publishes fact sheet on releasing PHI for public health

The Office for Civil Rights (OCR) and the Office of the National Coordinator Health Information Technology released a fact sheet on disclosing protected health information (PHI) in support of public health activities conducted by state or federal public health agencies.

Under HIPAA, covered entities (CE) and business associates (BA) must obtain the individual’s permission before sharing PHI except for the purposes of treatment, healthcare operations, and public health activities.

The fact sheet describes nine scenarios:

• Exchange for reporting of disease
• Exchange for conduct of public health surveillance
• Exchange for public health investigations
• Exchange for public health interventions (two scenarios)
• Exchange subject to Food and Drug Administration jurisdiction
• Exchange for persons exposed to communicable disease and for related public health investigation
• Exchange in support of medical surveillance of the workplace
• Using certified electronic health record technology

All of the scenarios apply to CEs but only some to BAs. The BA agreement must specifically authorize the BA to release PHI on behalf of a CE for public health reporting. CEs and BAs must also comply with all applicable state laws when releasing PHI for public health activities and HIPAA Security Rule requirements for electronic transmission of PHI.