HIPAA regs
HIPAA dvisory
HIPAAdvisory > HIPAAregs > Proposed Privacy Phoenix Health Systems
news
regs
action
tech
wares
alert
live
latest
online HIPAA training
HIPAAstore
HIPAA help desk
search
contact us
site map

 

This proposed rule is no longer the most current information. It will continue to be available for reference, but the final rule has been published. View the final rule.

 

Proposed Standards for Privacy and Individually Identifiable Health Information

6. Uses and disclosures for governmental health data systems. (§ 164.510(g))

In § 164.510(g), we propose to permit covered entities to disclose protected health information for inclusion in State or other governmental health data systems without individual authorization when such disclosures are authorized by State or other law in support of policy, planning, regulatory or management functions.

a. Importance of Governmental health data systems and the need for protected health information.

Governmental agencies collect and analyze individually identifiable health information as part of their efforts to improve public policies and program management, improve health care and reduce costs, and improve information available for consumer choices. Governments use the information to analyze health care outcomes, quality, costs and patterns of utilization, effects of public policies, changes in the health care delivery system, and related trends. These important purposes are related to public health, research and oversight (although the information in State or other governmental data systems usually is not collected specifically to audit or evaluate health care providers or for public health surveillance). The data are an important resource that can be used for multiple public policy evaluations.

The collection of health information by governmental health data systems often occurs without specification of the particular analyses that could be conducted with the information. These governmental data collection programs frequently call for reporting of information for all individuals treated or released by specified classes of providers. For example, many States request and receive from hospitals records containing individual diagnosis and treatment data for all discharges from their facilities. State hospital discharge data have been used to compare treatment practices and costs between hospitals, to evaluate implications for funding of health care, as well as to provide hospital “report cards” to consumers. As part of its general evaluation activities, the DOD maintains a very large database, called the Comprehensive Clinical Evaluation Program, involving military personnel who have reported illnesses possibly arising from service during the Gulf War.

b. Proposed requirements.

We propose to permit covered entities to disclose protected health information for inclusion in State or other governmental health data systems when such disclosure is authorized by law for analysis in support of policy, planning, regulatory, and management functions. The recipient of the information must be a government agency (or privacy entity acting on behalf of a government agency). Where the covered entity is itself a government agency that collects health data for analysis in support of policy, planning, regulatory, or management functions, it would be permitted to use protected health information in all cases in which it is permitted to disclose such information for government health data systems under this section.

We believe that Congress intended to permit States, Tribes, territories, and other governmental agencies to operate health data collection systems for analyzing and improving the health care system. In section 1178(c), “State regulatory reporting,” HIPAA provides that it is not limiting the ability of a State to require a health plan to report, or to provide access to, information for a variety of oversight activities, as well as for “program monitoring and evaluation.” We also believe that the considerations Congress applied to State capacities to collect data would apply to similar data collection efforts by other levels of government, such as those undertaken by Tribes, territories and federal agencies. Therefore, we considered two questions regarding governmental health data systems; first, which entities could make such disclosures; and second, what type of legal authority would be necessary for the disclosure to be permitted.

We considered whether to allow disclosure by all covered entities to governmental data collection systems or to limit permitted disclosures to those made by health plans, as specified in the regulatory reporting provision of HIPAA. While this provision only mentions data collected from health plans, the conference agreement notes that laws regarding “State reporting on health care delivery or costs, or for other purposes” should not be preempted by this rule. States would be likely to require sources of information other than health plans, such as health care providers or clearinghouses, in order to examine health care delivery or costs. Therefore, we do not believe it is appropriate to restrict States’ or other governmental agencies’ ability to obtain such data. This viewpoint is consistent with the Recommendations, which would permit this disclosure of protected health information by all covered entities.

We also asked what type of law would be required to permit disclosure without individual authorization to governmental health data systems. We considered requiring a specific statute or regulation that requires the collection of protected health information for a specified purpose. A law that explicitly addresses the conditions under which protected health information is collected would provide individuals and covered entities with a better understanding of how and why the information is to be collected and used.

We understand, however, that explicit authority to collect information is not always included in relevant law. Governmental agencies may collect health data using a broad public health or regulatory authority in statute or regulation. For example, a law may call on a State agency to report on health care costs, without providing specific authority for the agency to collect the health care cost data they need do so. Consequently, the agency may use its general operating authority to request health care providers to release the information. We recognize that many governmental agencies rely on broad legal authority for their activities and do not intend this proposed rule to hamper those efforts.

Under §164.518(c), covered entities would have an obligation to verify the identity of the person requesting protected health information, and the legal authority behind the request before the disclosure would be permitted under this subsection. Preamble section II.G.3. describes these requirements in more detail.

[Previous] [Next: Disclosure of Directory Information]