Does the HIPAA Privacy Rule's public health provision permit covered entities to disclose protected health information to authorities such as the National Institutes of Health (NIH)?

Answer:

The definition of a “public health authority” requires that an agency’s official mandate include the responsibility for public health matters. The mandate can be responsibility for public health matters, generally, or it can be for specific public health programs. Furthermore, an agency’s official mandate does not have to be exclusively or primarily for public health. Therefore, to the extent a government agency has public health matters as part of its official mandate, it qualifies as a public health authority.

For instance, various Department of Health and Human Service (HHS) agencies, such as National Institutes of Health (NIH), and the Health Resources and Services Administration (HRSA), are authorized by law to assist the Secretary of Health and Human Services in carrying out the purposes of section 301 of the Public Health Service Act. Those agencies are public health authorities under the Rule, even if they have other non-public health mandates.

To the extent a public health authority is authorized by law to collect or receive information for the public health purposes specified in the public health provision, covered entities may disclose protected health information to such public health authorities without authorization pursuant to the public health provision.

See our public health section and frequently asked questions for more information.