May covered entities disclose facially identifiable PHI, such as name, address, and social security number, for public health purposes?
Yes. The HIPAA Privacy Rule permits covered entities to disclose the amount and type of PHI that is needed for public health purposes. In some cases, the disclosure will be required by other law, in which case, covered entities may make the required disclosure pursuant to 45 CFR 164.512 (a) of the Rule. For disclosures that are not required by law, covered entities may disclose, without authorization, the information that is reasonable limited to that which is minimally necessary to accomplish the intended purpose of the disclosure. For routine or recurring public health disclosures, a covered entity may develop protocols as part of its minimum necessary policies and procedures to address the type and amount of information that may be disclosed for such purposes. Covered entities may also rely on the requesting public health authority’s determination of the minimally necessary information.
Related Questions
- Does the HIPAA Privacy Rules public health provision permit covered entities to disclose protected health information to authorities such as the National Institutes of Health (NIH)?
- May covered entities disclose facially identifiable protected health information, such as name, address, and social security number, for public health purposes?
- May covered entities disclose facially identifiable PHI, such as name, address, and social security number, for public health purposes?