|
• HIPAA
• HIPAA & DOH
• Business Associates
•
Complaint Process
• Disclosing Health Information
• FAQ's
• Helpful
HIPAA Links
• Privacy Office
• Privacy Notice
•
Newsroom
•
About DOH
•
Programs & Services
• DOH Web (A-Z)
|
|
|
The following reflects the
Department of Health’s understanding of how the HIPAA regulations
apply to the department’s work with community partners. It is not
legal advice. Federal, state and local laws and regulations are
subject to revision and interpretation. You should always consult
legal counsel regarding your specific situation.
Disclosing
Individually
Identifiable Health Information
To the Department
of Health
Without Patient Authorization
HIPAA law, 45 CFR 164.512 permits HIPAA covered entities to
provide individually identifiable health information to the
department of health without a patient authorization, without an
opportunity to agree or object if:
- disclosure is required by law and disclosure complies with
and limited to the relevant requirements of such law. See
Section 164.512(a) or
- disclosure is for public health activities and purposes such
as "…preventing or controlling disease, injury, or disability,
including but not limited to the reporting of disease, injury,
vital events such as birth or death, and the conduct of public
health surveillance, public health investigations and public
health interventions…." See 164.512(b) or
- disclosure to DOH is a result of its responsibilities as a
"…health oversight agency for oversight activities authorized by
law, including…administrative… investigations; inspections;
licensure or disciplinary actions…." See Section 164.512 (d).
Without Business Associate Agreement
- "Public health authorities receiving information from covered
entities as required or authorized by law [45 CFR 164.512(a)]
[45 CFR 164.512(b)] are not business associates of the covered
entities and therefore are not required to enter into business
associate agreements.
- Public health authorities that are not covered entities also
are not required to enter into business associate agreements
with their public health partners and contractors."
MMWR April
11, 2003, page 8. DOH is a hybrid covered entity, with the
Metabolic Treatment Product program the department’s only
healthcare component. The balance of the department is not
covered by HIPAA.
Law Controlling DOH Use and Disclosure
"…after PHI [protected health information] is disclosed to a
public health authority pursuant to the Privacy Rule, the public
authority (if not a covered entity) may maintain, use and disclose
the data consistent with the laws regulations and policies
applicable to the public health authority."
MMWR April 11, 2003,
page 8. Washington state law, primarily RCW 70.02 and RCW 42.17,
controls the department of health’s use and disclosure of
individually identifiable health information.
|
