Privacy, Confidentiality, and Regulatory Compliance

Key Takeaways

  • The HIPAA public health activity exception (45 CFR 164.512(b)) permits covered entities to disclose PHI to public health authorities for surveillance, investigation, and intervention without individual authorization.
  • Safe Harbor de-identification removes all 18 specified identifiers; Expert Determination requires a qualified statistician to certify very small re-identification risk.
  • Public health legal authority derives from state police power and is constrained by Fourth, Fourteenth, and First Amendment protections as interpreted by courts.
  • 42 CFR Part 2 imposes stricter consent requirements on substance use disorder records than HIPAA, and FERPA governs school-based health information in student records.
  • The HIPAA Security Rule requires administrative, physical, and technical safeguards anchored by an accurate and thorough risk analysis.
Last updated: July 2026

Quick Answer: Public health practitioners navigate privacy statutes—HIPAA, FERPA, 42 CFR Part 2, GINA, and state confidentiality laws—while exercising legal authority granted by state public health statutes. The HIPAA Privacy Rule (45 CFR Part 164, Subpart E) governs Protected Health Information (PHI), the Security Rule establishes electronic PHI safeguards, and the public health activity exception at 45 CFR 164.512(b) permits disclosure to public health authorities for surveillance and intervention. Compliance requires written policies, workforce training, minimum-necessary controls, risk analysis, and breach response.

Protected Health Information and HIPAA Fundamentals

Protected Health Information (PHI) is individually identifiable health information transmitted or maintained in any form by a covered entity—health plans, healthcare clearinghouses, and most healthcare providers—or their business associates. PHI includes demographic data, medical histories, laboratory results, and insurance information linked to any of the 18 Safe Harbor identifiers: names; geographic subdivisions smaller than a state (except first three ZIP digits where the area exceeds 20,000); all date elements except year; phone and fax numbers; email addresses; Social Security numbers; medical record and health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers and serial numbers; device identifiers; URLs; IP addresses; biometric identifiers including finger and voice prints; full-face photographs; and any other unique identifying number, characteristic, or code.

Two de-identification methods render data no longer PHI:

MethodRegulatory BasisStandard
Safe Harbor (45 CFR 164.514(b))Remove all 18 identifiersCovered entity has no actual knowledge of residual re-identification risk
Expert Determination (45 CFR 164.514(a))Statistician or qualified expert applies statistical and scientific principlesCertifies very small risk that information could identify an individual

A limited data set, defined under 45 CFR 164.514(e), retains dates and some geographic detail but strips direct identifiers; its use requires a data use agreement. Public health agencies use limited data sets or fully de-identified data for surveillance, rate calculations, and trend analyses.

Public Health Exception and Scope of Legal Authority

The HIPAA Privacy Rule permits disclosure of PHI without individual authorization for public health activities authorized by law, codified at 45 CFR 164.512(b). Covered entities may disclose PHI to public health authorities—CDC, state and local health departments, and authorized foreign agencies—authorized by law to collect or receive such information for disease reporting, surveillance, investigations, and interventions. This exception is deliberately broad and does not require a court order, emergency declaration, or active outbreak, because routine surveillance depends on continuous data flows from clinical sources.

Public health legal authority originates from the state police power, the inherent sovereign authority to enact laws protecting health, safety, and welfare. State statutes and regulations define the specific powers vested in health officials, including mandatory reporting of notifiable diseases, epidemiological investigation, isolation and quarantine orders, mandatory testing or treatment under defined circumstances, facility inspection and licensure, nuisance abatement, and emergency powers during declared public health emergencies. These powers are constrained by constitutional protections—the Fourth Amendment (unreasonable searches and seizures), the Fourteenth Amendment (due process and equal protection), and First Amendment freedoms—as interpreted by courts. A practitioner must ensure that every data collection, investigation, or intervention is grounded in explicit statutory or regulatory authorization; exceeding granted authority risks legal challenge, evidentiary suppression, and erosion of community trust.

Designing strategies to ensure compliance with laws governing scope of legal authority requires that public health agencies maintain current inventories of their statutory powers, train staff on the boundaries of that authority, and implement review processes for novel or contested actions. Agencies may develop decision support tools—such as legal templates for isolation orders or standard operating procedures for outbreak investigation—that incorporate due process protections and documentation requirements. Legal counsel review of proposed orders and interagency coordination protocols further strengthen compliance.

Additional Federal and State Privacy Laws

Several federal statutes supplement HIPAA in the public health data landscape. FERPA (20 USC 1232g) governs student education records; school-based health information in student records falls under FERPA rather than HIPAA, with disclosures requiring parental consent. 42 CFR Part 2 imposes stricter confidentiality on substance use disorder treatment records, requiring specific written consent for most disclosures beyond medical emergencies. GINA (Genetic Information Nondiscrimination Act) prohibits health insurers and employers from using genetic information for underwriting or employment decisions. State laws such as California's Confidentiality of Medical Information Act may exceed HIPAA's minimum protections, and where federal and state laws conflict, the more stringent standard generally prevails.

The HITECH Act of 2009 strengthened HIPAA enforcement, introduced tiered civil penalties (up to $1.5 million per violation category per year), and mandated breach notification under 45 CFR 164.400 through 414 for unauthorized acquisition, access, use, or disclosure of unsecured PHI. Breaches affecting 500 or more individuals require notification to HHS and prominent media within 60 calendar days.

Compliance Program Design and Security Safeguards

Effective compliance strategies include written data governance policies defining access roles, disclosure logging, and retention schedules; role-based workforce training with periodic retraining; minimum-necessary access controls (45 CFR 164.502(b)) limiting uses and disclosures to the least PHI needed; business associate agreements imposing HIPAA obligations on vendors; periodic risk analysis identifying vulnerabilities; documented breach response with defined notification timelines; and sanctions for workforce members who violate policies. The Security Rule's three safeguard categories define a layered defense for electronic PHI:

Safeguard CategoryRepresentative Controls
AdministrativeSecurity management, risk analysis, workforce training, access management
PhysicalFacility access controls, workstation security, device and media controls
TechnicalUnique user IDs, encryption, audit controls, integrity controls, transmission security

A covered entity or business associate must conduct an accurate and thorough risk analysis as the foundation of its security management process. The minimum necessary standard requires that uses and disclosures be limited to the least PHI needed, though disclosures to public health authorities and disclosures required by law are exempt.

Test Your Knowledge

Under HIPAA, which regulation permits a covered entity to disclose PHI to a state health department for notifiable disease surveillance without patient authorization?

A
B
C
D
Test Your Knowledge

Which of the following is NOT classified as a HIPAA Safe Harbor identifier that must be removed for de-identification?

A
B
C
D
Test Your Knowledge

Which federal law imposes stricter consent requirements on substance use disorder treatment records than HIPAA does for general health records?

A
B
C
D