The effect of HIPAA privacy provisions on the release of protected health information to the Iowa Department of Public Health
The Iowa Department of Public Health (IDPH), in conjunction with the Attorney General's Office, has completed a comprehensive review of its programs and has determined that neither the agency as a whole, nor any of its programs, are covered entities under the Health Insurance Portability and Accountabilty Act of 1996 (HIPAA). However, both the EPSDT Program and Enhanced Services for Maternal Health Program are actually a part of the Medicaid Program of the Iowa Department of Human Services and, as such these programs, will be business associates of the Iowa Department of Human Services and, therefore, subject to many HIPAA provisions. Because IDPH is not a covered entity, many agencies and facilities in Iowa that are covered entities have questioned whether they can continue to disclose the protected health information of their patients or clients to the IDPH as they have in the past. The short answer is YES, such disclosures may continue to occur under HIPAA.
First, HIPAA recognizes that if there is a statute or administrative rule that requires a specific disclosure of protected health information, a covered entity must obey that law. (Section 164.512). Therefore, if there is another federal or state statute or administrative rule which requires a covered entity to disclose protected health information to the IDPH, the covered entity should follow that requirement. Many disclosures of PHI to IDPH are required by state laws, including Iowa Code chapters 135, 136A, 136B, 136C, 139A, 141A, 144, 147A, and 272C and the administrative rules that implement these chapters. These disclosures are legally required and must continue to be made as mandated by state law.
Second, HIPAA allows a covered entity to disclose protected health information to public health authorities for public health activities. (Section 164.512). HIPAA defines a public health authority as "an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate." (Section 164.501). The IDPH has such a mandate and, therefore, is a public health authority under HIPAA.
The IDPH, in conjunction with the Iowa Attorney General's Office, has reviewed its programs and determined that protected health information being received by the Department from covered entities in Iowa is disclosed for public health activities. The disclosure of such information to IDPH is, therefore, unaffected by HIPAA and should continue in accordance with past practices. Because IDPH is a public health authority that is authorized to receive PHI under this provision, covered entities are not required to enter into a business associate agreement with IDPH in order for the exchange of protected health information to take place.
Third, in some instances, the IDPH is a health oversight agency as defined by HIPAA. Under HIPAA, a "health oversight agency" is "an agency or authority of the United States, a state, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant."
HIPAA permits a covered entity to disclose protected health information to a health oversight agency for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight of:
"Overseeing the health care system," encompasses activities such as oversight of health care plans, oversight of health benefit plans; oversight of health care providers; oversight of health care and health care delivery; oversight activities that involve resolution of consumer complaints; oversight of pharmaceutical, medical products and devices, and dietary supplements; and a health oversight agency's analysis of trends in health care costs, quality, health care delivery, access to care, and health insurance coverage for health oversight purposes.
Health oversight agencies may provide more than one type of health oversight. Such entities are considered health oversight agencies under the rule for any and all of the health oversight functions that they perform. The disclosure of protected health information to IDPH for these purposes is unaffected by HIPAA and should continue in accordance with past practices.
Finally, local public health departments and local contractors which are covered entities may release protected health information to IDPH under the above-cited legal authority applicable to all covered entities. For example, certain statutes and rules require local public health departments and local contractors to disclose protected health information to IDPH. Further, as a health oversight agency a local health department is permitted, and in most cases required, to disclose protected health information to IDPH. Disclosures of PHI by local public health departments and local contractors to IDPH do not require business associate agreements and are not prohibited or otherwise affected by HIPAA.
Please call Janet Hoffman, Assistant Attorney General, (515) 281-8330 should you have additional questions regarding these issues.