Protecting, maintaining and improving the health of all Minnesotans HIPAA and The Data Use Agreement (DUA) between the Minnesota Department of Health (MDH) and the Center for Disease Control and Prevention’s (CDC) National Healthcare Safety Network (NHSN) This memo addresses MDH’s analysis of how the MDH CDC/NHSN DUA interacts with Minnesota Statutes, §144.05, subd. 1(a) and the HIPAA privacy rules, 45 CFR 164. Disclaimer of Legal Advice: The following is MDH’s analysis of how the MDH CDC/NHSN data use agreement interacts with Minnesota Statutes, section 144.05, subd. 1(a) and the HIPAA privacy rules, 45 CFR 164. This is not legal advice and you should not rely on it as legal advice. Consult with a lawyer for legal advice. MDH entered a DUA with CDC/NHSN. The CDC’s NHSN is a tracking system for healthcare-associated infections (HAI). Healthcare institutions voluntarily enter HAI data into NHSN. The DUA establishes a formal data access and data use relationship between CDC/NHSN and the MDH. This Agreement covers individualidentifiable and institution-identifiable data, received by the CDC/NHSN, that have been submitted to NHSN by healthcare institutions in Minnesota. The DUA stipulates that MDH may use the data covered by the DUA for HAI surveillance and prevention purposes only. It further stipulates that these data are not to be used for public reporting of institution-specific data, or for regulatory, punitive, or other legal actions against healthcare institutions. Issue The following question has been raised: Do the HIPAA privacy rules permit healthcare institutions to disclose patient-identifiable HAI data to MDH via the CDC’s NHSN tracking system without patient authorization? Finding MDH has concluded that HIPAA permits healthcare institutions to disclose patient-identifiable NHSN data to MDH via the NHSN tracking system without patient authorization. This conclusion is based on review of MDH’s legal authority to collect data, HIPAA privacy rules, guidance from CDC and the U.S. Department of Health and Human Services on HIPAA and public health [1], and guidance from CDC/NHSN on HIPAA [2, 3]. The HAI data that MDH receives through the DUA will be used for surveillance and/or prevention purposes only. These data may include, but are not limited to, personally identifiable information on the patient, the tests conducted, the results of those tests, treatments related to the disease, and other pertinent information. Analysis HIPAA governs the use and disclosure of protected health information (PHI). It applies to healthcare providers, health plans, and healthcare clearinghouses that transmit certain health claims information electronically. These entities are covered entities under the rule. 1 A covered entity must obtain a written authorization from the individual for the use and disclosure of PHI unless the disclosure is to the individual; for treatment, payment, or healthcare operations; or unless the disclosure falls under one of the specified exceptions. HIPAA privacy rules, specifically 45 CFR §164.512 [4], address the uses and disclosures of PHI for which an authorization or an opportunity to agree or object is not required. Specifically:   Section 164.512(a) permits disclosures that are required by law; and Section 164.512(b) permits a covered entity to disclose PHI to: “(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions …” Under HIPAA, 45 CFR 164.501, a public health authority is defined as “an agency or authority of the United States, a State… a political subdivision of a State . . . that is responsible for public health matters as part of its official mandate.” Therefore, to the extent that a public health authority is authorized by law to collect or receive information for public health purposes, covered entities may disclose PHI to such public health authority without the patient’s authorization. CDC has published guidance concluding that the report of NHSN data from healthcare institutions to CDC does not violate HIPAA privacy standards. Specifically, CDC has stated: The HIPAA Privacy Rule applies to the NHSN under the following:    CDC is a public health authority authorized by law to receive patient health data. NHSN is a public health activity for which identifiable health data may be shared without an individual patient's authorization. Hospitals disclosing individually identifiable NHSN data must comply with the Privacy Rule’s requirements applicable to all covered entities, including the accounting requirements. [2] Just as CDC is a public health authority, MDH is a public health authority that is responsible for public health matters as part of its official mandate. MDH has broad statutory authority to collect or receive data for public health purposes. Specifically, Minnesota Statutes, section 144.05, §1(a) states that: The state commissioner of health shall have general authority as the state's official health agency and shall be responsible for the development and maintenance of an organized system of programs and services for protecting, maintaining, and improving the health of the citizens. This authority shall include but not be limited to the following: (a) Conduct studies and investigations, collect and analyze health and vital data, and identify and describe health problems… 2 When CDC provides the information in NHSN to MDH pursuant to the DUA, it is allowed under HIPAA privacy rules because of the status of MDH as a public health authority and the fact that NHSN is a public health activity for which identifiable health data may be shared without an individual patient’s authorization. With regard to MDH’s access to NHSN data sent to CDC, covered entities may follow their usual procedures for logging the disclosure of information for public health purposes. Such logs may be general and not patientspecific, as per guidance from the CDC and DHHS. [1]. Analysis Summary In summary, Minnesota Statutes, section, 144.05, §1(a) allows MDH to collect and receive health data for public health purposes; MDH is a public health authority under HIPAA and NHSN is a public health activity. Therefore, under HIPAA, healthcare institutions and providers can share patient-identifiable HAI data reported through CDC/NHSN with MDH without patient authorization. Footnotes 1. 2. 3. 4. CDC and the U.S. Department of Health and Human Services, HIPAA Privacy Rule and Public Health: Guidance from the CDC and the U.S. Department of Health and Human Services, MMWR May 2, 2003, available at http://www.cdc.gov/mmwr/pdf/wk/mmsu5201.pdf. CDC, National Healthcare Safety Network, Frequently Asked Questions About NHSN, http://www.cdc.gov/nhsn/faqs/FAQ_general.html (last visited August 20, 2013). CDC, National Healthcare Safety Network, Frequently Asked Questions About HIPAA Privacy Rule, http://www.cdc.gov/nhsn/faqs/FAQ_HIPPArules.html (last visited August 20, 2013). CFR is the Code of Federal Regulations. 9/16/2013 Infectious Disease Epidemiology, Prevention and Control Division PO Box 64975 • St. Paul, MN 55164 • (651) 201-5414 http://www.health.state.mn.us An equal opportunity employer 3