ONC, OCR Provide 9 Scenarios for HIPAA Health Data Exchange

HIPAA safeguards PHI and is often an impediment to health data exchange, but certain public health activities authorize information sharing without patient consent.

By Kate Monica

In collaboration with the Office for Civil Rights (OCR), the Office of the National Coordinator for Health Information Technology (ONC) recently published a fact sheet describing hypothetical instances where HIPAA supports the electronic exchange of health data for public health reasons.

Health data exchange for public health

“While HIPAA requires that the information disclosed is the minimum information necessary for the purpose, it permits the discloser to reasonably rely on a public health authority’s request as to what information is necessary for the public health activities,” the fact sheet states.

In a joint blog post on the ONC blog Health IT Buzz, representatives from ONC and the Centers for Disease Control & Prevention (CDC) cite public health crises such as Zika and natural disasters as circumstances for making use of HIPAA’s provisions for sharing PHI without an individual’s written consent.

The ONC-OCR fact sheet comprises nine examples illustrating where HIPAA’s permitted uses and disclosures come into play for public health purposes.

The first scenario focuses on the exchange of PHI for disease reporting, in which CDC responds to an outbreak of the Zika virus in a particular geography by requesting patient health data from area hospitals. As the authors of the fact sheet note in this and the other scenarios, hospitals furnishing CDC with data must still adhere to the HIPAA Security Rule.

Scenarios 2 and 3 focus on the exchange of health data in relation to public health surveillance and investigations. The former scenario describes an example of a state law authorizing the collection of data for maintaining a state cancer registry. The latter scenario demonstrates how an outbreak of an infectious disease in a local school would give a state’s health authority the right to access medical records to investigate the incident.

The fourth and fifth scenarios in the fact sheet focus on PHI sharing for public health interventions. In the first example, a state health department is working to enforce a lead poisoning intervention program and requires access to lead exposure test results of children who might have been exposed. The health department is authorized to view the test results of each child and to track their health over time, given lead poisoning’s known long-term effects.

Scenario 5 further elaborates on the opportunity to exchange information for public health intervention — in this case, when measuring outcomes for patients who have both diabetes and depression and whose care is coordinated by their primary care provider. The state requests that primary care providers disclose PHI to the state’s public health authority to assist in the evaluation of care coordination outcomes.

HIPAA also authorizes information exchange to the Food & Drug Administration (FDA) in the event that a manufacturer has ordered a recall of a certain device, since medical devices are subject to the jurisdiction of FDA. Primary care providers who have used a specific device with their patients prior to the recall may disclose patient data to FDA.

Similar to the third scenario, the seventh outlines how health information exchange is useful for people exposed to communicable diseases and for the related public health investigations conducted as a result. In this case, hospitals are authorized to notify patients potentially exposed to a virus during a visit. Local health authorities also have the right to request this and other health information to conduct an investigation.

HIPAA also allows the exchange of PHI in support of medical surveillance of the workplace. In this scenario, a mining company is required by federal law to monitor the safety of its working conditions.

Lastly, the ONC fact sheet states that providers who need to share PHI with agencies or organizations for public health activities must use certified health IT to send the information.
