The Health Insurance Portability and Accountability Act (HIPAA), also known as the Kennedy-Kassebaum bill, was implemented to assure health insurance coverage after leaving a job.
An administrative simplification section was added to HIPAA to standardize electronic medical claims. HIPAA makes it easier for medical professionals to bill for services electronically, and for health plans to process medical claims.
HIPAA also includes a Privacy Rule and a Security Rule to make sure that medical information is protected and that personal health information is kept confidential.
The Colorado Department of Public Health and Environment has always worked to protect the health information it receives, and takes seriously its responsibility to ensure that health information is secure and kept confidential. This responsibility predates HIPAA and is backed up by confidentiality requirements in Colorado statutes. It is also expressed in Colorado Department of Public Health and Environment internal policies and procedures.
HIPAA applies to health plans, medical providers billing electronically, and clearinghouses. The Colorado Department of Public Health and Environment is not a health plan, a provider billing electronically, or a clearinghouse, and therefore is not directly covered under HIPAA. The Colorado Department of Public Health and Environment is a public health authority under HIPAA:
Public health authority means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.
HIPAA acknowledges the importance of public health in the law itself (Public Law 104-191):
Public Health.--Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.
In key areas of the Privacy Rule, HIPAA provides for reporting to public health authorities (§164.512 (b)):
for purposes of preventing or controlling disease, injury, disability, including but not limited to the reporting of disease, injury, vital events such as births or death and the conduct of public health surveillance, public health investigations and public health interventions … or for purposes of reporting child abuse or neglect
Please note that public health reporting under this section must be to a public health authority authorized by law to collect the information, but the information does not have to be specifically mandated by law. Rather, it is enough that the public health authority’s authorizing statute permits the receipt of the information. Reporting to a public health authority is voluntary, not required.
Many public health activities are also provided for as “required by law”, §164.512 (a) or as part of health oversight activities, §164.512 (d), including nursing home surveillance and oversight of government benefit programs where health information is important to eligibility.
§164.514 (d)(3)(iii)(A) also allows a health plan, provider billing electronically or clearinghouse to accept the word of the public health authority that the information requested is the “minimum necessary”.
The Colorado Department of Public Health and Environment is indirectly covered under HIPAA as a Business Associate for a few programs. If a health plan, provider billing electronically or clearinghouse hires another agency to do work for it, and shares health information, the hired agency is a Business Associate. Business Associates must take measures to protect the information they receive. The Prenatal Plus program, for instance, is a Business Associate of Medicaid, as Medicaid is covered under HIPAA.
Colorado Department of Public Health and Environment,
Privacy Officer, A5-CHEIS
4300 Cherry Creek Drive South,
Denver, CO 80246-1530
Disclaimer: Neither the Colorado Department of Public Health and Environment nor its employees, agents, and volunteers warrant that the Website or its operation will be accurate, reliable, uninterrupted or error-free. Reliance on any information presented on the Website is at your own risk and is for informational purposes only. No content is intended to substitute for legal advice. The Website links to other websites operated by third parties. The inclusion of any link to such sites does not imply endorsement of the site by the Colorado Department of Public Health and Environment, but is for your reference and convenience only.