December 12th, 2017
Over the past few years, the health care system has devoted considerable energy and attention to ensuring compliance with the Health Insurance Portability andAccountabilityAct of 1996 (HIPAA).A primary focus of HIPAA is on improving the efficiency and effectiveness of health care systems by standardizing the electronic exchange of administrative and financial data. HIPAA also established new national standards for protecting the privacy of personal medical information and authorized the U.S. Department of Health and Human Services (HHS) to implement these standards through a regulation known as the Privacy Rule. These new requirements have changed the way traditional health care providers, health plans, and health care clearinghouses transmit and manage health information. However, misinterpretation of the Privacy Rule has caused some concern about the authority of health departments to disclose personal health information for public health purposes related to childhood lead poisoning. In reading the letter of the law, it is important to consider the spirit of the law. HIPAA was intended to improve patient privacy protections – not to undermine legitimate public health practice. This paper reviews HIPAA requirements and exceptions, focusing on those for public health agencies, and describes permissible uses of lead-related data under the HIPAA Privacy Rule. Readers are cautioned that this paper reflects publicly available guidance but does not constitute legal advice.