HIPAA Privacy Regulations: Definitions - Public Health Authority - § 164.501
As Contained in the HHS HIPAA Privacy Rules
|
HHS Regulations |
Public health authority means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.
| HHS Description Definitions - Public Health Authority |
The proposed rule would have defined “public health authority” as “an agency or authority of the United States, a state, a territory, or an Indian tribe that is responsible for public health matters as part of its official mandate.”
The final rule changes this definition slightly to clarify that a “public health authority” also includes a person or entity acting under a grant of authority from or contract with a public health agency. Therefore, the final rule defines this term as an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.
| HHS Response to Comments Received Definitions - Public Health Authority |
Response: In response to comments arguing that the provision is too broad, we note that section 1178(b) of the Act, as explained in the NPRM, explicitly carves out protection for state public health laws. This provision states that: “[N]othing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth or death, public health surveillance, or public health investigation or intervention.” In light of this broad Congressional mandate not to interfere with current public health practices, we believe the broad definition of “public health authority is appropriate to achieve that end.
Comment: Some commenters said that they performed public health activities in analyzing data and information. These comments suggested that activities conducted by provider and health plan organizations that compile and compare data for benchmarking performance, monitoring, utilization, and determining the health needs of a given market should be included as part of the public health exemption. One commenter recommended amending the regulation to permit covered entities to disclose protected health information to private organizations for public health reasons.
Response: We disagree that such a change should be made. In the absence of some nexus to a government public health authority or other underlying legal authority, covered entities would have no basis for determining which data collections are “legitimate” and how the confidentiality of the information will be protected. In addition, the public health functions carved out for special protection by Congress are explicitly limited to those established by law.
Comment: Two commenters asked for additional clarification as to whether the Occupational Safety and Health Administration (OSHA) and the Mine Safety and Health Administration (MSHA) would be considered public health authorities as indicated in the preamble. They suggested specific language for the final rule. Commenters also suggested that we specify that states operating OSHA-approved programs also are considered public health authorities. One comment applauded the Secretary's recognition of OSHA as both a health oversight agency and public health authority. It suggested adding OSHA-approved programs that operate in states to the list of entities included in these categories. In addition, the comment requested the final regulation specifically mention these entities in the text of the regulation as well.
Response: We agree that OSHA, MSHA and their state equivalents are public health authorities when carrying out their activities related to the health and safety of workers. We do not specifically reference any agencies in the regulatory definition, because the definition of public health authority and this preamble sufficiently address this issue. As defined in the final rule, the definition of “public health authority” at § 164.501 continues to include OSHA as a public health authority. State agencies or authorities responsible for public health matters as part of their official mandate, such as OSHA-approved programs, also come within this definition. See discussion of § 164.512(b) below. We have refrained, however, from listing specific agencies and have retained a general descriptive definition.
Comments: Several commenters recommended expanding the definition of public health authority to encompass other governmental entities that may collect and hold health data as part of their official duties. One recommended changing the definition of public health authority to read as follows: public health authority means an agency or authority... that is responsible for public health matters or the collection of health data as part of its official mandate.
Response: We do not adopt this recommendation. The public health provision is not intended to cover agencies that are not responsible for public health matters but that may in the course of their responsibilities collect health-related information. Disclosures to such authorities may be permissible under other provision of this rule.
Comment: Many commenters asked us to include a formal definition of “required by law” incorporating the material noted in this preamble and additional suggested disclosures.
Response: We agree generally and modify the definition accordingly. See discussion above.