Public Health Authority Notification
CPSC is publishing this notice to inform hospitals and other health care organizations of CPSC's status as a “public health authority” under the medical privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
FOR FURTHER INFORMATION CONTACT:
Melissa Buford, CPSC Office of the General Counsel, 4330 East West Highway, Suite 704, Bethesda MD 20814. 301-504-7636.
SUPPLEMENTARY INFORMATION:
Congress enacted HIPAA to improve portability and continuity of health insurance, among other purposes. (Pub. L. 104-191, 110 Stat. 1936 (1996)). The U.S. Department of Health and Human Services (HHS) promulgated regulations pursuant to HIPAA to address the security and privacy of health data. Known as the Privacy Rule, Standards for Privacy of Individually Identifiable Health Information, 45 CFR parts 160 and 164, the regulations established procedures to protect the privacy of individually identifiable health information and to address the use and disclosure of such information.
The Privacy Rule provides that covered entities, including health care providers, health plans, and health care clearinghouses, may not use or disclose protected health information, except in certain expressly permitted circumstances. Covered entities, however, may disclose protected health information to a “public health authority.” As HHS recognized in guidance issued on December 3, 2002, and revised on April 3, 2003, disclosure in certain circumstances is necessary to support the work of public health authorities:
The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information to carry out their public health mission. The Rule also recognizes that public health reports made by covered entities are an important means of identifying threats to the health and safety of the public at large, as well as individuals. Accordingly, the Rule permits covered entities to disclose protected health information without authorization for specified public health purposes.
The regulations define a “public health authority” broadly to include:
an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.
45 CFR 164.501. Moreover, the preamble to the final Privacy Rule underscored the expansive meaning of “public health authority.” Noting the clear congressional mandate not to interfere with current public health practices, the preamble stated: “the broad definition of ‘public health authority’ is appropriate to achieve that end.” 65 FR 82462 (December 28, 2000).
Thus, the Privacy Rule provides that protected health information may be disclosed to a public health authority that is authorized by law to collect certain health-related information. Specifically, the Privacy Rule allows for the disclosure of protected health information to a public health authority that is:
authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death and the conduct of public health surveillance, public health investigations, and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority.
45 CFR 164.512(b)(1)(i).
CPSC is a public health authority authorized by law to collect certain health-related information in pursuit of its official mandate. CPSC's mission is to protect the public against unreasonable risks of injury associated with consumer products and to promote research and investigation into the causes and prevention of product-related deaths, illnesses, and injuries. 15 U.S.C. 2051(b). As such, CPSC's mission falls well within the broad parameters of a public health authority responsible for public health matters as defined in the Privacy Rule.
Additionally, in furtherance of its mandate, CPSC is authorized by law to, among other things, collect information for the purpose of preventing injury or death, report injury or death, and conduct public health investigations. For example, pursuant to statutory direction, CPSC must “maintain an Injury Information Clearinghouse to collect, investigate, analyze, and disseminate injury data, and information, relating to the causes and prevention of death, injury, and illness associated with consumer products” and to “conduct such continuing studies and investigations of deaths, injuries, diseases, other health impairments, and economic losses resulting from accidents involving consumer products as it deems necessary.” 15 U.S.C. 2054(a)(1) and (2). In addition, CPSC is authorized to “conduct research, studies, and investigations on the safety of consumer products and on improving the safety of such products.” 15 U.S.C. 2054(b). Additionally, each fiscal year CPSC is required to submit a comprehensive report to the President and Congress documenting “thorough appraisal, including statistical analyses, estimates, and long-term projections, of the incidence of injury and effects to the population resulting from consumer products, with a breakdown, insofar as practicable, among the various sources of such injury” and “statistics with respect to injuries and deaths associated with products that the Commission determines present a substantial product hazard under section 15(c).” 15 U.S.C. 2076(j)(1) and (6)(B).
As an agency responsible for public health matters pursuant to its official mandate, and with statutory authorization to collect and report information to prevent injury and death, CPSC falls squarely within the definition of a “public health authority.” Accordingly, CPSC is providing notice that it is a public health authority within the meaning of the Privacy Rule, entitled to receive protected health information from hospitals and other health care organizations, without written authorization or consent. The disclosure of protected health information to a public health authority is a permitted disclosure under the Privacy Rule. 45 CFR 164.502(a)(1)(vi).
Dated: February 26, 2014.
Todd A. Stevenson,
Secretary, Consumer Product Safety Commission.
[FR Doc. 2014-04590 Filed 2-28-14; 8:45 am]
BILLING CODE 6355-01-P