PHI Disclosures to a Public Health Authority

The HIPAA Privacy Rule is a set of standards that address how covered entities may use and disclose protected health information, or PHI. PHI is health data created, received, stored, or transmitted by HIPAA covered entities (and their business associates, or BAs) in relation to the provision of healthcare, payment for treatment, and healthcare operations. Under the Privacy Rule, covered entities may, under certain circumstances, disclose PHI without individual authorization when the disclosure is made to a public health authority.

What is a Public Health Authority?

Under the HIPAA Privacy Rule, a public health authority is:

  1. An agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or a Native American tribe, or a person or entity acting under a grant of authority from or contract with such public agency, that 
  2. Is responsible for public health matters as part of its official mandate

What PHI Disclosures are Permitted Without Authorization?

Disclosures are permitted without written HIPAA authorization to public health authorities that are authorized to collect or receive information for certain public health activities and purposes. Those purposes include:

  • Preventing or controlling disease, injury, or disability; and 
  • Conducting public health surveillance, investigations, or interventions. 

A covered entity may also disclose PHI without individual authorization, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with that public health authority.

What Criteria Must the Requestor Meet Before It Can Obtain the PHI?

The requestor, to be able to receive the PHI from the covered entity without individual authorization, must first demonstrate:

  1. That it is a public health authority (or that it is an official of a foreign government agency acting in collaboration with a public health authority, and that the disclosure is being made at the direction of that public health authority); and
  2. The requestor has the authority to collect or receive the information it is requesting for the stated public health purpose; and
  3. The information being requested is the minimum necessary for the stated public health purpose.

What Proof of Authority Must a Requestor or a Public Health Authority Provide?

Requestors and public health authorities must be able to provide a statement of authority, and to verify their identity, before they can receive the requested PHI.

In most cases, the requestor or public health authority should be prepared to provide a written statement of its legal authority. However, in circumstances where it would be impractical to provide a written statement, a covered entity may rely, if it is reasonable to do so, on an oral statement of authority. 

In addition, the requestor should be prepared to verify its identity by:

  • Presenting an agency identification badge, other official credentials, or other proof of government status if the request is made in person;
  • Making the request on the appropriate government letterhead if the request is made in writing; or 
  • If the request is made by a person acting on behalf of a public official, providing a written statement on appropriate government letterhead that the person is acting under the government's authority, or other evidence or documentation of agency (the authority to act as another's agent) that establishes that the person is acting on behalf of the public official. Such documentation may include:
    • A copy of the contract for services; or
    • A copy of the relevant memorandum of understanding or purchase order.