National Highway Traffic Safety Administration (NHTSA), Department of Transportation (DOT).
NHTSA is publishing this notice to inform hospitals and other health care organizations of its status as a “public health authority” under the medical privacy requirements of the Health Insurance Portability and Accountability Act of 1996.Start Further Info
FOR FURTHER INFORMATION CONTACT:
Tyler Bolden, NHTSA, Office of Chief Counsel, 400 7th Street, SW Suite 5219, Washington, DC 20590. 202-366-1834.End Further Info End Preamble Start Supplemental Information
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) was enacted to improve the portability and continuity of health insurance coverage, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes (Pub. L. No. 104-191, 110 Stat. 196 (1996)). The Administrative Simplification subtitle of HIPAA authorized the Department of Health and Human Services (“HHS”) to promulgate medical privacy regulations to protect the privacy of individually-identifiable electronic health information. These regulations (the “Privacy Rule”) were published by HHS on December 28, 2000 and established the standards to identify the rights of individuals who are the subjects of “protected health information,” which is defined as individually-identifiable health information; provide procedures for the exercise of those rights; and define the general rules for permitted and required uses and disclosures of protected health information (45 CFR Parts 160-164).
Beginning April 14, 2003, the Privacy Rule prohibits health plans, health care clearinghouses and selected health care providers from using or disclosing protected health information, except as permitted by certain exceptions (45 CFR 164.502). Under one exception, the Privacy Rule permits the disclosure of protected health information to public health authorities authorized to “collect or receive such information for the purpose of preventing or controlling disease, injury, or disability . . . “ (45 CFR 164.512(b)(1)(i)). A “public health authority” includes “an agency or authority of the United States . . . that is responsible for public health matters as part of its official mandate” (45 CFR 164.501). Examples of public health matters include the reporting of disease, injury, or vital events; and public health surveillance, public health investigations or public health interventions (45 CFR 164.512(b)(1)(i)).
Guidance issued by HHS on December 2, 2002 further addressed the issue of disclosures to public health authorities. Specifically, the guidance stated that:
The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information to carry out their public health mission . . . the [Privacy] Rule permits covered entities to disclose protected health information without authorization for specified public health purposes.
NHTSA's mission is to prevent and reduce deaths, injuries and economic losses resulting from automotive travel on our nation's roadways. To accomplish this mission, NHTSA has statutory authority to conduct crash injury research and collect relevant data in the interest of public health. Specifically, NHTSA is authorized to: (1) Engage in research on all phases of highway safety and traffic conditions; (2) undertake collaborative research and development projects with non-Federal entities for the purposes of crash data collection and analysis; and (3) conduct research and collect information to determine the relationship between motor vehicles and accidents, and personal injury or deaths resulting from such accidents (See 23 U.S.C. 403(a)(1), 23 U.S.C. 403(f) and 49 U.S.C. 30168(a)). The term “safety” is defined as “highway safety and highway safety'related research and development, including research and development relating to highway and driver characteristics, crash investigations, communications, emergency medical care, and transportation of the injured” (23 U.S.C. 403(a)(3)).
In light of the above-referenced statutory authority, which demonstrates a responsibility for public health matters as part of the agency's mandate, NHTSA has determined that it is a public health authority within the meaning of the Privacy Rule. As a public health authority, NHTSA is entitled to receive protected health information from hospitals and other health care organizations, without written consent or authorization, because disclosures of protected health information to a public health authority are permitted disclosures under the Privacy Rule (45 CFR 164.502(a)(1)(vi)).Start Signature
Issued on: March 21, 2003.
Jeffrey W. Runge,
Administrator, National Highway Traffic Safety Administration.
[FR Doc. 03-7301 Filed 3-26-03; 8:45 am]
BILLING CODE 4910-59-P