Melissa Buford, CPSC Office of the General Counsel, 4330 East West Highway, Suite 704, Bethesda MD 20814. 301-504-7636.
Congress enacted HIPAA to improve portability and continuity of health insurance, among other purposes. (Pub. L. 104-191, 110 Stat. 1936 (1996)). The U.S. Department of Health and Human Services (HHS) promulgated regulations pursuant to HIPAA to address the security and privacy of health data. Known as the Privacy Rule, Standards for Privacy of Individually Identifiable Health Information, 45 CFR parts 160 and 164, the regulations established procedures to protect the privacy of individually identifiable health information and to address the use and disclosure of such information.
The Privacy Rule provides that covered entities, including health care providers, health plans, and health care clearinghouses, may not use or disclose protected health information, except in certain expressly permitted circumstances. Covered entities, however, may disclose protected health information to a “public health authority.” As HHS recognized in guidance issued on December 3, 2002, and revised on April 3, 2003, disclosure in certain circumstances is necessary to support the work of public health authorities:
The regulations define a “public health authority” broadly to include:
45 CFR 164.501. Moreover, the preamble to the final Privacy Rule underscored the expansive meaning of “public health authority.” Noting the clear congressional mandate not to interfere with current public health practices, the preamble stated: “the broad definition of `public health authority' is appropriate to achieve that end.” 65 FR 82462 (December 28, 2000).
Thus, the Privacy Rule provides that protected health information may be disclosed to a public health authority that is authorized by law to collect certain health-related information. Specifically, the Privacy Rule allows for the disclosure of protected health information to a public health authority that is:
45 CFR 164.512(b)(1)(i).
CPSC is a public health authority authorized by law to collect certain health-related information in pursuit of its official mandate. CPSC's mission is to protect the public against unreasonable risks of injury associated with consumer products and to promote research and investigation into the causes and prevention of product-related deaths, illnesses, and injuries. 15 U.S.C. 2051(b). As such, CPSC's mission falls well within the broad parameters of a public health authority responsible for public health matters as defined in the Privacy Rule.
Additionally, in furtherance of its mandate, CPSC is authorized by law to, among other things, collect information for the purpose of preventing injury or death, report injury or death, and conduct public health investigations. For example, pursuant to statutory direction, CPSC must “maintain an Injury Information Clearinghouse to collect, investigate, analyze, and disseminate injury data, and information, relating to the causes and prevention of death, injury, and illness associated with consumer products” and to “conduct such continuing studies and investigations of deaths, injuries, diseases, other health impairments, and economic losses resulting from accidents involving consumer products as it deems necessary.” 15 U.S.C. 2054(a)(1) and (2). In addition, CPSC is authorized to “conduct research, studies, and investigations on the safety of consumer products and on improving the safety of such products.” 15 U.S.C. 2054(b). Additionally, each fiscal year CPSC is required to submit a comprehensive report to the President and Congress documenting “thorough appraisal, including statistical analyses, estimates, and long-term projections, of the incidence of injury and effects to the population resulting from consumer products, with a breakdown, insofar as practicable, among the various sources of such injury” and “statistics with respect to injuries and deaths associated with products that the Commission determines present a substantial product hazard under section 15(c).” 15 U.S.C. 2076(j)(1) and (6)(B).
As an agency responsible for public health matters pursuant to its official mandate, and with statutory authorization to collect and report information to prevent injury and death, CPSC falls squarely within the definition of a “public health authority.” Accordingly, CPSC is providing notice that it is a public health authority within the meaning of the Privacy Rule, entitled to receive protected health information from hospitals and other health care organizations, without written authorization or consent. The disclosure of protected health information to a public health authority is a permitted disclosure under the Privacy Rule. 45 CFR 164.502(a)(1)(vi).
Dated: February 26, 2014.
Todd A. Stevenson,
Secretary, Consumer Product Safety Commission.
[FR Doc. 2014-04590 Filed 2-28-14; 8:45 am]
BILLING CODE 6355-01-P