4 legal questions on sharing EHR data with public health agencies, answered

Jessica Kim Cohen

Public health agencies often seek data from a variety of sources to drive community health initiatives. However, before joining these efforts, hospital officials must review their responsibilities under state and federal data privacy legislation.

In a November report, researchers from Bethesda, Md.-based de Beaumont Foundation and Baltimore-based Johns Hopkins Bloomberg School of Public Health laid out a framework for public health departments to request data from hospitals, including answers to frequently asked questions about data access under HIPAA.

Here are the answers to four key questions on how hospitals may share EHR data — including protected health information — with public health agencies while remaining compliant with HIPAA regulations.

1. Can healthcare organizations disclose PHI to public health agencies under the HIPAA Privacy Rule? Yes, healthcare organizations may share patient data under a provision that enables covered entities to disclose PHI to "public health authorities" for public health activities — such as controlling or surveilling diseases — without requiring a patient's prior authorization.

2. How much data is a healthcare organization authorized to share with a public health agency under HIPAA? The HIPAA Privacy Rule specifies a "minimum necessary standard," requiring covered entities to limit disclosure of PHI to the minimum amount necessary for the public health agency to complete its intended goal.

3. Who decides what level of detail meets the "minimum necessary standard" for public health disclosures? For lawful PHI disclosures, the public health agency — rather than the covered entity — is tasked with determining the minimum amount of information needed. In the report, the researchers encouraged agencies to offer providers a written statement explaining the legal basis of their request.

4. May a healthcare organization share de-identified information that does not include PHI with a public health agency? Yes, because HIPAA does not apply to information that satisfies the legislation's de-identification standards. Under HIPAA regulations, covered entities are allowed to share this information with public health agencies, and even the public.


Copyright © 2024 Becker's Healthcare. All Rights Reserved.