Federal Aviation Administration (FAA), Department of Transportation (DOT).
Notice.
The FAA is publishing this notice to inform hospitals and other health care organizations of its status as a “public health authority” under the medical privacy requirements of the Health Insurance Portability and Accountability Act of 1996.
Charles DeJohn, CAMI, Aeromedical Research Division, Federal Aviation Administration, CAMI Building, AAM–600, RM #112A, P.O. Box 25082, Oklahoma City, OK 73125. 405–954–5519.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to improve the portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes (Pub. L. 104–191, 110 Stat. 196 (1996)). The administration simplification provisions (HIPAA, Title II) require the Department of Health and Human Services (HHS) to establish national medical privacy regulations to protect the privacy of individually identifiable electronic health information. These regulations (the “Privacy Rule”) were published by the HHS on December 28, 2000, and established the standards to identify the rights of individuals who are the subjects of “protected health information,” which is defined as individually-identifiable health information; provide procedures for the exercise of those rights; and define the general rules and disclosures of protected health information. (45 CFR 160–164).
Beginning April 14, 2003, the Privacy Rule prohibits health plans, health care clearinghouses and selected health care providers from using or disclosing protected health information, except as permitted by certain exceptions (45 CFR 164.502). Under one exception, the Privacy Rule permits the disclosure of protected information to public health authorities legally authorized to “collect or receive the information for the purpose of preventing or controlling disease, injury, or disability” (45 CFR 164.512(b)(1)(i)). A “public health authority” includes “an agency or authority of the United States * * * that is responsible for public health matters as part of its official mandate” (45 CFR 164.501). Examples of public health matters include the reporting of disease, injury, or vital events; and public health surveillance, public health investigations or public health interventions (45 CFR 164.512(b)(1)(i)).
Guidance issued by HHS titled “Disclosures for Public Health Activities (45 CFR 164.512(b))” on December 3, 2002, and revised on April 3, 2003, further addressed the issue of disclosure to public health authorities. The guidance states that:
The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information to carry out their public health mission. The Rule also recognizes that public health reports made by covered entities are an important means of identifying threats to the health and safety of the public at large, as well as individuals. Accordingly, the Rule permits covered entities to disclose protected health information without authorization for specified public health purposes. (See:
The FAA has statutory responsibility for promoting safe flight of civil aircraft in air commerce. The scope of this statutory responsibility includes the performance of medical research intended to protect the occupants of aircraft from risks and hazards that are attendant to flight (49 U.S.C. 44701, 44703, 44507). The Administrator has delegated to the Federal Air Surgeon the responsibility for this research, which is conducted at the Civil Aerospace Medical Institute (CAMI). The medical and crash injury research conducted at CAMI requires collection and analysis of relevant data which the FAA relies upon to establish safety standards for such issues as cabin materials, seat design and strength, and environmental control. These research functions are conducted in the interests of public health and the improvement of aviation safety for the traveling public. Public health authority status will allow CAMI to efficiently obtain medical information necessary to fulfill its statutory mission.
In light of the statutory duties described above, the FAA has determined that it is a public health authority within the meaning of the Privacy Rule. As a public health authority, FAA is entitled to receive protected health information from hospitals and other health care organizations without written consent or authorization, because disclosures of protected health information to a public authority are permitted disclosures under the Privacy Rule (45 CFR 164.502(a)(1)(vi)).