Understanding HIPAA
Before requesting access to electronic health information (EHI), it is important to understand the federal and state laws and statutes that govern the protection of health information. One commonly encountered barrier to getting access to EHI from healthcare organizations (HCOs) is a limited understanding of how the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to public health activities. This section provides a brief overview of HIPAA and the public health exception.
What is HIPAA?
HIPAA is a federal law that sets national standards for protecting sensitive patient health information. HIPAA applies to health care providers, health plans, and health care clearinghouses, known collectively as covered entities and, in certain cases, to their business associates (DHHS, 2019). A hybrid entity is an organization that performs both covered and noncovered functions. This designation allows segments of the organization to adhere to HIPAA regulations while exempting others. It’s a mechanism that provides flexibility for organizations with diverse operations. For more information on hybrid entities and how to receive the designation as a hybrid entity see the Network for Public Health Law’s Hybrid Entity Toolkit.
HIPAA’s primary goals are to:
- Protect the privacy and security of individuals’ health information.
- Ensure individuals have access to their own health records.
- Support the sharing of health data for treatment, payment, and health care operations.
What is the HIPAA Privacy Rule?
The HIPAA Privacy Rule, issued in 2000, sets national standards for when and how protected health information (PHI) can be used or disclosed (DHHS, 2025). PHI includes any health data that can identify an individual and relates to their past, present, or future physical or mental health, health care services, or payment for care.
The Privacy Rule requires covered entities to:
- Limit uses and disclosures of PHI to the minimum necessary for the intended purpose.
- Obtain authorization from individuals before sharing PHI in most situations.
- Provide notice of privacy practices to patients.
However, the Privacy Rule also permits disclosures without individual authorization in specific cases, including to public health authorities (PHAs).
The Public Health Exception: What PHAs Need to Know
Under HIPAA, PHAs are explicitly recognized as needing access to PHI to protect the health of communities (DHHS, 2023; CDC, n.d.). The Privacy Rule permits covered entities to disclose PHI without patient authorization to PHAs which are legally authorized to collect or receive such information for public health purposes. PHAs require HIPAA training that is similar, if not identical, to what providers in HCOs are required to take. Recognized PHAs under HIPAA include state and local public health departments, Tribal nations, and the Tribal Epidemiology Centers.
Examples of permitted disclosures:
- Reporting cases of communicable diseases.
- Providing immunization data.
- Supporting surveillance and outbreak investigations.
This exception is crucial for state, Tribal, local and territorial (STLT) PHAs that need timely access to electronic health records (EHRs) for surveillance, investigation, and taking public health action. To learn more about privacy risk in public health, see the CSTE Learn training courses on this topic.
Key requirements:
- PHAs regularly publish their reporting requirements and must be authorized by law to collect the information.
- The disclosure must be limited to what is necessary to accomplish the public health goal.
EHI and HIPAA in Practice
As PHAs move toward direct electronic connections with provider EHR systems, it is important to remember:
- HIPAA does not prohibit these connections; rather, it provides a framework for making them responsibly.
- PHAs and HCOs have been exchanging data for decades upon request, in accordance with applicable laws and regulations, and prior to the adoption of health information technologies. HIPAA Rules have been, and continue to be, updated to incorporate new language reflecting increased use of EHI and electronic sharing of PHI.
- Public health data exchanges must still follow technical safeguards, such as encryption and access controls, as required under the HIPAA Security Rule.
- Collaboration with providers includes educating them on the legal basis and public benefit of information sharing under HIPAA’s public health provisions.
- To learn the latest information about electronic data exchange and interoperability, see recent Assistant Secretary for Technology Policy (ASTP) announcements.
Success Story: James Carrier, Maryland Department of Health
At the Maryland Department of Health, James Carrier and his team have transformed HIV/STI surveillance by strategically expanding direct access to electronic health information across multiple systems — from hospital EHRs to the state’s health information exchange and even to non-traditional data sources like the Maryland motor vehicle registry. “The best benefit of having direct access is, I don’t even have to pick up the phone,” Carrier explained. “If I’m looking at [a lab result] the same day, I can pull all the information I need and immediately move the investigation forward.” By focusing first on educating providers about public health authority and the mutual benefits of data sharing, the team built trust and secured access without needing formal data-use agreements, enabling them to complete investigations faster and with greater accuracy.
References
Centers for Disease Control and Prevention. (n.d.). Health Insurance Portability and Accountability Act of 1996 (HIPAA). Retrieved May 2025, from Public Health Law: https://www.cdc.gov/phlp/php/resources/health-insurance-portability-and-accountability-act-of-1996-hipaa.html?CDC_AAref_Val=https://www.cdc.gov/phlp/publications/topic/hipaa.html
Chrysler, D., & Milam, S. (2019). HIPAA Hybrid Entity Toolkit. Network for Public Health Law. Retrieved June 25, 2025, from https://www.networkforphl.org/resources/resource-collection-hipaa-hybrid-entity-toolkit/
Council of State and Territorial Epidemiologists. (n.d.). Basic Principles of Privacy Risk in Public Health: Courses 1 and 2. Retrieved June 25, 2025, from CSTE Learn: https://learn.cste.org/courses/course/basic-principles-of-privacy-risk-in-public-health
U.S. Department of Health and Human Services. (2019, July). HIPAA for Professionals. Retrieved May 2025, from Health Information Privacy: https://www.hhs.gov/hipaa/for-professionals/index.html
U.S. Department of Health and Human Services. (2023, February). Public Health. Retrieved May 2025, from Health Information Privacy: https://www.hhs.gov/hipaa/for-professionals/special-topics/public-health/index.html
U.S. Department of Health and Human Services. (2025, March). Summary of the HIPAA Privacy Rule. Retrieved May 2025, from Health Information Privacy: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html