Skip Navigation

Public Health Uses and Disclosures

Must a health care provider or other covered entity obtain permission from a patient prior to notifying public health authorities of the occurrence of a reportable disease?

Does the public health provision of the HIPAA Privacy Rule require covered entities to make public health disclosures?

May covered entities disclose facially identifiable protected health information, such as name, address, and social security number, for public health purposes?

Does the HIPAA Privacy Rule's public health provision permit covered entities to disclose protected health information to authorities such as the National Institutes of Health (NIH)?

To whom may covered entities make public health disclosures regarding a product regulated by the Food and Drug Administration (FDA) when more than one person is identified on the product label?

Is a covered entity permitted to disclose protected health information under the HIPAA Privacy Rule's public health provision when the link between an averse event and a product regulated by the Food and Drug Administration (FDA) is only suspected?

Does the HIPAA Privacy Rule's public health provision permit covered entities to disclose protected health information without authorization to a manufacturer of a product regulated by the Food and Drug Administration (FDA) for use by the manufacturer to assess the effectiveness of its marketing campaign?

Does the HIPAA Privacy Rule's public health provision permit covered health care providers to disclose protected health information concerning the findings of pre-employment physicals, drug tests, or fitness-for-duty examinations to an individuals employer?

Does the HIPAA Privacy Rule permit covered entities to disclose protected health information, without individuals' authorization, to public officials responding to a bioterrorism threat or other public health emergency?

To provide individuals with an accounting for disclosures, does a covered entity have to document each medical record that may be accessed by a public health authority in the course of surveillance activities that involve all patient records?

Must a covered entity provide an accounting for disclosures if the only information disclosed to a public health authority is in the form of a limited data set?

May a covered entity hire a business associate to create a limited data set, and may the public health authority be a business associate for that purpose, even if the public health authority is also the intended recipient of the limited data set?

When may a covered health care provider disclose protected health information, without an authorization or business associate agreement, to a medical device company representative?

Back to Top

Back to HIPAA - Frequently Asked Questions