The following
reflects the Department of Health’s understanding of how the HIPAA regulations
apply to the department’s work with community partners. It is not legal
advice. Federal, state and local laws and regulations are subject to
revision and interpretation. You should always consult legal counsel
regarding your specific situation.
FAQs – Frequently Asked Questions
Q: What kind of protected health information may a provider or practitioner
give to the Department of Health without patient authorization, consent or
a business associate agreement?
There are four answers to this question:
A: Information included in disease reporting and public health surveillance.
See 164.512(b). Registries and notifiable conditions reporting
are two examples. Examples of registries include cancer, kidney, lead,
and trauma registries. The HIPAA Privacy Rule specifically permits
disclosures to public health authorities for purposes of reporting disease
and conducting public health surveillance.
A: Information required by law to be reported to the public health
authority, but not involved in surveillance. See 164.512(a). CHARS
is an example.
A: Information not required by law to be reported to a public
health authority but collected for the purpose of preventing or controlling
disease, injury or disability. See 164.512(b) and the
MMWR, April 11, 2003, page 8. Examples include information reported as
part of a grant or contract with the public health authority.
A: Information necessary for the public health authority to conduct health
oversight activities. See Section 164.512(d). This includes records
necessary for investigations, inspections, licensure or disciplinary
actions by Health Professions Quality Assurance and Facilities
and Services Licensing.
Q: Is the Department of Health a Business Associate of a covered entity?
A: No. Generally, the DOH does not perform services, functions or activities
solely or primarily "for or on behalf of" other organizations.
Although the Department of Health services, functions and activities
benefit other organizations, the department’s work primarily supports
the agency’s mission, ". . . to protect and improve the Health
of people in Washington state."
Example: DOH and Local Health Jurisdictions (LHJs) work together to provide
services to the community. In many cases, the LHJ provides individually
identifiable health information to DOH. DOH uses this information for many
purposes beneficial to both organizations. DOH views this use of information
as essential to fulfilling its mission and therefore not primarily "for
or on behalf" of the LHJ. This cooperative and interdependent relationship
does not make DOH a business associate of the LHJ.
Example: DOH sometimes helps in the support of computer systems
jointly used by the DOH and other organizations. Even though there may
be benefits to the other organization, DOH is performing functions to
fulfill its own mission and not acting "for or in behalf"
of the grantees and contractors. DOH is not their business associate.
Example: Several programs within DOH facilitate state and federal grants
or contracts by providing funding to public and private organizations
which provide healthcare services. These organizations may or may not
be HIPAA covered entities. The grant or contract requires that they
provide the department with individually identifiable health information
in order to substantiate the grant activities and funding. These grant
activities and interactions are in support of the DOH mission and are not
"for or in behalf" of the other organization. DOH is not a business
associate of the other organization.
Q: Where can I find more information and resources to help me get ready for
HIPAA?
A: The DOH web page "Helpful HIPAA Links" has
an array of links to sources that DOH has found helpful.