May covered entities disclose facially identifiable protected health information, such as name, address, and social security number, for public health purposes?
Yes. The HIPAA Privacy Rule permits covered entities
to disclose the amount and type of protected health information that is needed for public health purposes. In some cases, the disclosure will be required by other law, in which case, covered entities may make the required disclosure pursuant to 45 CFR 164.512
(a) of the Rule.
For disclosures that are not required by law, covered entities may disclose, without authorization, the information that is reasonably limited to that which is minimally necessary to accomplish the intended purpose of the disclosure. For routine or recurring public health disclosures, a covered entity may develop protocols as part of its minimum necessary policies and procedures to address the type and amount of information that may be disclosed for such purposes. Covered entities may also rely on the requesting public health authority’s determination of the minimally necessary information.
See the fact sheet
and frequently asked questions on this web site about the public health
and minimum necessary standards
for more information.
Date Created: 12/20/2002
Last Updated: 03/14/2006