The new guidance will help organizations determine what information can be disseminated in issues dealing with public health and workers’ compensation, while expanding on previously released guidance concerning medical research. Previous releases of HHS interpretation of HIPAA did not include guidance on public health and workers’ compensation.
Found on the OCR’s website, the guidance provides information on what events do not require permission to report, including:
- Notifying public health officials of the occurrence of reportable diseases
- Adverse events and a product regulated by the Food and Drug Administration (FDA)
- Workers’ compensation cases in which the law requires disclosure of personal health information
“This provision is intended to allow covered entities to continue current voluntary reporting practices that are critically important to public health and safety,” according to the guidance. “The Rule also permits covered entities to disclose protected health information when State or other law requires covered entities to make disclosures for public health purposes. For instance, many State laws require health care providers to report certain diseases, cases of child abuse, births, or deaths, and the Privacy Rule permits covered entities to disclose protected health information, without authorization, to make such reports.”
Also included in the guidance are provisions for the release of protected health information disclosure under “very limited circumstances,” which the paper sums up as follows:
- The covered health care provider must provide the health care service to the individual at the request of the individual’s employer or as a member of the employer’s workforce
- The health care service provided must relate to the medical surveillance of the workplace or an evaluation to determine whether the individual has a work-related illness or injury
- The employer must have a duty under the Occupational Safety and Health Administration (OSHA), the Mine Safety and Health Administration (MSHA), or the requirements of a similar State law, to keep records on or act on such information.
Groups participating in medical research are not required to enter into business association agreements with researchers when transferring personal health information. Such an agreement is necessary ” only where a person or entity is conducting a function or activity regulated by the Administrative Simplification Rules on behalf of a covered entity, such as payment or health care operations, or providing one of the services listed in the definition of ‘business associate’ at 45 CFR 160.103,” the guidance says.
Covered groups must be in compliance with HIPAA by April 14, 2003. A text of the full release can be found here .