Communicable Disease Reporting and HIPAA

• Download PDF version formatted for print:
  Communicable Disease Reporting and HIPAA (PDF)

---

April 23, 2003

This memo addresses the Minnesota Department of Health (MDH’s) analysis of the following two issues related to the Health Insurance Portability and Accountability Act (HIPAA) and communicable disease reporting:

1. How HIPAA Interacts with the Minnesota Communicable Disease Reporting Rule and Minnesota Statutes, §144.05 subd.1(a)
2. Logging public health disclosures under HIPAA

---

1. How HIPAA Interacts with the Minnesota Communicable Disease Reporting Rule and Minnesota Statutes, §144.05 subd.1(a)[1]

Disclaimer of Legal Advice: The following is MDH’s analysis of how the Minnesota Communicable Disease Reporting Rule, Parts 4506.7000 to 4605.7900 , and Minnesota Statutes, §144.05, subd. 1(a) interact with the Health Insurance Portability and Accountability Act (HIPAA), privacy rules, 45 CFR 160 and 164. This is not legal advice and you should not rely on it as legal advice. Consult with a lawyer for legal advice.

Issue

The following question has been raised by some providers, their medical records departments, and their staff: Does HIPAA permit disclosure of specific patient medical information related to a communicable disease to MDH or other local public health authorities without patient authorization?

Finding

MDH has concluded that HIPAA permits a provider and/or the provider’s medical records department or staff to release a patient’s medical information pertaining to a communicable disease in accordance with the Minnesota Communicable Disease Reporting Rule and M.S.§144.05, subd. 1(a) without the patient’s authorization. This conclusion is based on review of HIPAA privacy rules and guidance from the U.S. Centers for Disease Control and Prevention (CDC) and U.S. Department of Health and Human Services (DHHS). [2]

The medical information being released must be related to a communicable disease report. This may include, but is not limited to, personally identifiable information on the patient and their contacts, the tests conducted, the results of those tests, treatments related to the disease, and other pertinent information.

Analysis

HIPAA governs the use and disclosure of protected health information (PHI). It applies to health plans, health care clearinghouses, and health care providers who transmit certain health claims information electronically. These entities are covered entities under the rule.

A covered entity must obtain a written authorization from the individual, for the use and disclosure of PHI unless the disclosure is to the individual for treatment, payment, or health care operations, or the disclosure falls under one of the specified exceptions.

HIPAA privacy rules, specifically 45 CFR [3] §164.512, addresses the uses and disclosures of PHI for which an authorization or an opportunity to agree or object is not required. Specifically:

• Section 164.512(a) permits disclosures that are required by law, including statutes and rules; [4] and
  
• Section 164.512(b) permits a covered entity to disclose PHI to:

"(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions; ...”

Under HIPAA, 45 CFR 164.501, public health authority is defined as “an agency or authority of …, a State,  ..., or a political subdivision of a State ..., that is responsible for public health matters as part of its official mandate.”

Therefore, to the extent that a public health authority is authorized by law to collect or receive information for public health purposes, covered entities may disclose PHI to such public health authority without the patient’s authorization.

Analysis Summary

In summary, M.S. §144.05, subd. 1(a) and the Minnesota Communicable Disease Reporting Rules, Parts 4506.7000 to 4605.7900 allow MDH and local public health authorities to conduct studies and investigations on communicable diseases, such as hepatitis B, E.coli O157:H7, and STDs, to protect the public’s health. Therefore, providers, their medical records departments, and their staff can share medical information pertaining to a communicable disease investigation or study without patient authorization.

2. Logging Public Health Disclosures Under HIPAA

Disclaimer of Legal Advice: The following is MDH’s analysis of how a provider may account for public health disclosures to public health entities as allowed the Minnesota Communicable Disease Reporting Rule and Minnesota Statutes, §144.05, subd. 1(a) and still be in compliance with the Health Insurance Portability and Accountability Act (HIPAA), privacy rules, 45 CFR 160 and 164. This is not legal advice and you should not rely on it as legal advice. Consult with a lawyer for legal advice.

Issue

The following concern has been raised by some providers: Does a provider or its medical records department have to keep a disclosure log when they release specific patient medical information related to a communicable disease investigation to MDH or other local public health entities without the patient’s authorization?

Finding

MDH has concluded that HIPAA permits a provider to account for these disclosures in a general, not patient specific manner in instances of an ongoing, regular reporting or inspection requirement. For example, when disclosing individual protected health information (PHI) to a public health entity as part of a communicable disease investigation, a provider may keep a general log of disclosure rather than noting them in the individual patient records (see example at end of memo). This finding is based on review of HIPAA privacy rules and guidance from the Centers for Disease Control and Prevention (CDC) and the U.S. Department of Health and Human Services (DHHS).

Analysis

As discussed previously, HIPAA permits a provider and/or the provider’s medical records department or staff to release a patient’s medical information pertaining to a communicable disease in accordance with the Minnesota Communicable Disease Reporting Rule and M.S. §144.05, subd. 1(a) without the patient’s authorization. At the same time, however, HIPAA requires that a covered entity, such as a provider, account for each disclosure of PHI to a public health authority without the patient’s authorization. Specifically, the provider must maintain a disclosure log each time they disclose PHI without the patient’s authorization (45 CFR 164.528).

The required accounting of disclosures may be accomplished in different ways. Typically, the covered entity must keep an accounting of each disclosure by date, the information disclosed, the identity of the recipient, and the purpose of the disclosure. However, 5 CFR 164.528(b)(3) does not require this type of log when a provider makes multiple disclosures for the same purpose. According to the CDC and DHHS,

“Where the covered entity has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy Rule provides for a simplified means of accounting. In such cases, the covered entity need only identify the recipient of such repetitive disclosures, the purpose of the disclosure, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked.

Rather, the accounting may include the date of the first and last such disclosure during the accounting period, and a description of the frequency or periodicity of such disclosures. For example, the vast amount of data exchanged between covered entities and public health authorities is made through ongoing, regular reporting or inspection requirement.” [5] 

The following is an example of this type of disclosure.

1. A health-care provider covered by HIPAA routinely reports all cases of hepatitis B or E. coli O157:H7 it diagnoses to MDH. In this instance, the provider (covered entity) does not need to annotate each patient’s medical record when these routine public health disclosures are made. Instead, the provider only needs to keep a general log of the following:
   • Receiver of PHI: MDH
   • PHI disclosed: Hepatitis B or E. coli O157:H7 cases
   • Purpose of disclosure: Required for communicable disease surveillance under the Minnesota Communicable Disease Reporting Rules
   • The periodicity: Weekly (if applicable)
   • Dates of disclosure: For example, August 1, 2003 to December 30, 2003

Analysis Summary

Based on the above analysis, MDH concludes that covered entities, such as health care providers, may maintain a general, not patient specific disclosure log for purposes of ongoing, regular reporting or inspection requirements.

---

1. [1] M.S.§144.05, subd. 1(a) gives the Commissioner of Health authority to conduct studies and investigations, collect and analyze health and vital data, and identify and describe health problems.
2. [2]April 11, 2003 Vol. 52/Early Release MMWR: HIPAA Privacy Rule and Public Health; Guidance from CDC and the U.S. Department of Health and Human Services.
3. [3] CFR is the Code of Federal Regulations.
4. [4] 45 CFR 164.502, Definitions.
5. [5] April 11, 2003 Vol. 52/Early Release MMWR: HIPAA Privacy Rule and Public Health; Guidance from CDC and the U.S. Department of Health and Human Services.

For questions about communicable disease reporting and HIPAA, call 651-201-5414