
Disease reporting and public health surveillance are among the nine scenarios the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) uses in a December 2016 fact sheet to discuss permissible disclosures of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA). The HIPAA privacy rule establishes several permitted disclosures that do not require patients' authorization; among them is exchange of information for public health activities. Other HIPAA-permitted disclosures of PHI could include public health investigations conducted by a state health department, submission of mandated reports to the U.S. Food and Drug Administration after a device recall, and disclosures required in accordance with mandated workplace medical surveillance programs. In each scenario, OCR describes the exchange of PHI between the covered entity and the public health agency, which often includes PHI moving in both directions. OCR also notes that in any of the scenarios, when PHI is transmitted electronically, covered entities must continue to comply with the HIPAA security rule to limit the risk of inappropriate disclosure.

HRC Recommends: A valid written HIPAA authorization must be obtained from an individual for uses and disclosures of PHI not otherwise allowed by the privacy rule. Public health activities such as those described in the OCR guidance are among the exceptions in the privacy rule. HIPAA privacy officers and others responsible for health information management can use the scenarios to understand how those exceptions may play out and to help inform workforce training activities.

Topics and Metadata

Topics

Health Information Privacy

Care Setting

Hospital Inpatient; Hospital Outpatient; Skilled-nursing Facility; Ambulatory Care Center; Physician Practice; Home Care

Roles

Information Technology (IT) Personnel; Legal Affairs; Risk Manager

Information Type

News

Publication History

Published January 4, 2017

Who Should Read This

Administration, Corporate compliance, Health information management, HIPAA privacy officer, Information technology, Legal counsel, Risk manager