Is a covered entity permitted to disclose protected health information under the HIPAA Privacy Rule's public health provision when the link between an averse event and a product regulated by the Food and Drug Administration (FDA) is only suspected?
Yes. In most instances when a covered entity makes an adverse event report to a person responsible for an FDA-regulated product, the covered entity will suspect, but not know, the product is the cause of the event. Determining whether the product is related to the adverse event almost always requires follow up with the covered entity which in turn may need further contact with the patient.
FDA and product manufacturers receive a great deal of important information about the safety of regulated products from these reports. To limit such reports to those instances where the covered entity is convinced of the link between the product and the event would reduce the amount of useful safety, quality and effectiveness data available to the agency as well as to product manufacturers. This would limit significantly FDA’s ability to protect the public health by helping to assure that only safe and effective products are marketed in the U.S. Accordingly, covered entities may disclose the minimum amount of protected health information that is reasonably necessary to report suspected adverse events associated with an FDA-regulated product.
Learn more about public health uses and disclosures and the minimum necessary standard.