There are laws in place that require doctors, surgeons and other healthcare practitioners to report certain diseases. While some people view this as a violation of privacy, these laws are intended to protect the general public. If a once-rare and dormant disease becomes widespread, for instance, individuals can take the necessary precautions to avoid infection – assuming they know about the disease. So, what types of publish health disclosures are covered entities required to make under the Health Insurance Portability and Accountability Act (HIPAA) of 1996?
Contrary to what some people believe, HIPAA's Privacy Rule does not require covered entities to disclose any specific health information to the public. The Privacy Rule does, however, permit covered entities to voluntarily make disclosures that are “critically important to public health and safety,” according to the Department of Health and Human Services (HHS).
Many states have laws requiring doctors and other healthcare practitioners to report health information about disease outbreaks, child abuse cases, births and deaths, etc. The Privacy Rule does not require these disclosures to be made. Rather, it permits them when required by state or other laws. Here's the thing: making these disclosures isn't optional if it's required under a state law. So while HIPAA doesn't specifically require covered entities to make these disclosures, they are still necessary when deemed so by state or other laws. This is why it's important for covered entities to familiarize themselves with all national and state laws, only one of which is HIPAA.
Unless required by state or “other” laws, covered entities are not allowed to disclose a patient's Protected Health Information (PHI) in any form – verbal, written, digital – without the patient's permission. This is a provision of the HIPAA Privacy Rule, which his intended to protect the privacy of healthcare patients.
Unfortunately, it's not uncommon for covered entities to disclose patients' PHI without the necessary authorization/permission. This is one of the most common types of HIPAA violations, costing covered entities big bucks in fines. Doctors may knowing or unknowingly disclose a patient's PHI without his or her permission, which can be viewed as a violation of the Privacy Rule.
To recap, HIPAA does not require covered entities to make public health disclosures. It does, however, permit it when required by state or other laws. If you want to learn more about public health provisions included in HIPAA, check out the fact sheet here.