The Colorado Department of Public Health and Environment has always worked to protect the health information it receives and takes seriously its responsibility to keep that information secure and confidential. This responsibility predates the Health Insurance Portability and Accountability Act (HIPAA) and is backed by confidentiality requirements in Colorado statutes. It is also expressed in our internal policies and procedures.
HIPAA applies directly to health plans, health care clearinghouses and medical providers that bill electronically (the "covered entities"). The Colorado Department of Public Health and Environment is none of these and therefore is not directly covered under HIPAA. The department is, however, a public health authority as the HIPAA Privacy Rule defines that term (45 CFR §164.501):
Public health authority means an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.
HIPAA acknowledges the importance of public health in the law itself (Public Law 104-191):
Public Health. — Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.
In key areas of the Privacy Rule, HIPAA permits disclosures to public health authorities (§164.512(b)):
for purposes of preventing or controlling disease, injury, disability, including but not limited to the reporting of disease, injury, vital events such as births or death and the conduct of public health surveillance, public health investigations and public health interventions… or for purposes of reporting child abuse or neglect
Public health reporting under this section must be to a public health authority that is authorized by law to collect the information, but the specific disclosure does not have to be mandated by law. It is enough that the public health authority's authorizing statute permits it to receive the information. Note that §164.512(b) permits the disclosure; it does not require it. Any obligation to report comes from other law, such as state disease-reporting statutes, not from HIPAA itself.
Many public health activities are also covered as disclosures "required by law" (§164.512(a)) or as health oversight activities (§164.512(d)), including nursing home surveillance and oversight of government benefit programs in which health information bears on eligibility.
§164.514(d)(3)(iii)(A) also allows a covered entity, when such reliance is reasonable under the circumstances, to accept a public health authority's representation that the information requested is the "minimum necessary," rather than making its own minimum-necessary determination.
The Colorado Department of Public Health and Environment is indirectly covered under HIPAA as a Business Associate for a few programs. When a covered entity hires another agency to do work on its behalf and shares protected health information with it, the hired agency is a Business Associate and must take measures to protect the information it receives. The Prenatal Plus program, for instance, is a Business Associate of Medicaid, because Medicaid is a health plan covered under HIPAA.