What is the HIPAA Public Health Exception?

The HIPAA Privacy Rule recognizes the legitimate need for public health authorities, and for others responsible for ensuring public health and safety, to have access to protected health information (PHI) in order to carry out public health activities. The Privacy Rule also recognizes that public health reports made by covered entities play an important role in identifying threats to individual and public health and safety. As such, the Privacy Rule allows covered entities to disclose PHI without authorization for certain public health purposes. This HIPAA public health exception to the Privacy Rule is discussed below.

HIPAA Public Health Exception

What is Permitted under the HIPAA Public Health Exception?

Under the HIPAA public health exception, the HIPAA Privacy Rule permits covered entities to disclose PHI, without authorization, to public health authorities legally authorized to receive it, for:

  • The purpose of preventing or controlling disease;
  • The purpose of preventing or controlling injury; or
  • The purpose of preventing or controlling disability.

Disease, injury, and disability prevention and control measures and activities include:

  • Reporting of disease or injury;
  • Reporting of vital events (e.g., births and deaths); and
  • Conducting public health surveillance, investigations, or interventions

Covered entities may also, if directed to do so by a public health authority, disclose PHI to a foreign government agency acting in collaboration with that authority. Covered entities that are themselves public health authorities may use and disclose PHI for:

  • The purpose of preventing or controlling disease;
  • The purpose of preventing or controlling injury; or
  • The purpose of preventing or controlling disability.

What is a Public Health Authority?

The HIPAA Privacy Rule defines a “public health authority” as any of the following that is responsible for public health matters as part of its official mandate:

  • An agency or authority of the United States government;
  • A state;
  • A territory;
  • A political subdivision of a state or territory; or
  • An Indian tribe.

Public health authorities also include individuals and entities acting under a grant of authority from, or under a contract with, a public health agency.

Examples of a public health authority include:

  • State and local health departments;
  • The federal Food and Drug Administration (FDA);
  • The federal Centers for Disease Control and Prevention (CDC); and
  • The federal Occupational Safety and Health Administration (OSHA).

Generally, covered entities must reasonably limit the PHI disclosed for public health purposes to the minimum amount necessary to accomplish the public health purpose.

However, covered entities are not required to make a “minimum necessary determination” for public health disclosures that are either made under an individual’s authorization or required by other law.

For disclosures to a public health authority, covered entities may reasonably rely on a minimum necessary determination made by the public health authority that is requesting the protected health information.

For routine and recurring public health disclosures, covered entities may develop standard protocols, as part of their minimum necessary policies and procedures, that address the types and amount of protected health information that may be disclosed for such purposes.

When Else Does the HIPAA Public Health Exception Apply?

The Privacy Rule recognizes the important role that persons or entities other than public health authorities play in certain essential public health activities. As such, covered entities may, under the Privacy Rule, disclose protected health information, without authorization, for the following public health activities:

  • Child abuse or neglect. Covered entities may disclose PHI to report known or suspected child abuse or neglect, provided the report is made to a public health or other appropriate government authority authorized to receive such reports under law. Such authorities may include (among other entities) social services departments of local governments and police departments.
  • Quality, safety or effectiveness of a product or activity regulated by the FDA. Covered entities may disclose PHI to persons (e.g., individuals, entities, partnerships, and corporations) subject to Food and Drug Administration jurisdiction, if the disclosure is for a public health purpose that is related to the quality, safety or effectiveness of an FDA-regulated product or activity for which that person has responsibility.

    Examples of purposes or activities for which such disclosures may be made include (but are not limited to):

    1. Collecting or reporting product defects or problems (including problems regarding use or labeling);
    2. Tracking FDA-regulated products; and
    3. Enabling product recalls, repairs, or replacement.
  • Persons at risk of contracting or spreading a disease. A covered entity may disclose protected health information to a person who is at risk of contracting or spreading a disease or condition, if other law authorizes the covered entity to notify such individuals as necessary to carry out public health interventions or investigations.
  • Workplace medical surveillance. A covered health care provider who provides a health care service to an individual at the request of the individual’s employer, or who provides the service in the capacity of a member of the employer’s workforce, may disclose the individual’s PHI to the employer for the purposes of workplace medical surveillance or the evaluation of work-related illness and injuries, to the extent the employer needs that information to comply with OSHA, the Mine Safety and Health Administration (MSHA), or the requirements of State laws having a similar purpose. In such instances, the covered provider must give written notice to the individual that the information will be disclosed to the individual’s employer. As an alternative to giving written notice to the individual, the notice may be posted at the worksite, if that is where the service is provided.
