HIPAA and The Data Use Agreement (DUA) between the Minnesota... Health (MDH) and the Center for Disease Control and Prevention’s...

Protecting, maintaining and improving the health of all Minnesotans
HIPAA and The Data Use Agreement (DUA) between the Minnesota Department of
Health (MDH) and the Center for Disease Control and Prevention’s (CDC) National
Healthcare Safety Network (NHSN)
This memo addresses MDH’s analysis of how the MDH CDC/NHSN DUA interacts with Minnesota Statutes,
§144.05, subd. 1(a) and the HIPAA privacy rules, 45 CFR 164.
Disclaimer of Legal Advice: The following is MDH’s analysis of how the MDH CDC/NHSN data use agreement
interacts with Minnesota Statutes, section 144.05, subd. 1(a) and the HIPAA privacy rules, 45 CFR 164. This is
not legal advice and you should not rely on it as legal advice. Consult with a lawyer for legal advice.
MDH entered a DUA with CDC/NHSN. The CDC’s NHSN is a tracking system for healthcare-associated
infections (HAI). Healthcare institutions voluntarily enter HAI data into NHSN. The DUA establishes a formal
data access and data use relationship between CDC/NHSN and the MDH. This Agreement covers individualidentifiable and institution-identifiable data, received by the CDC/NHSN, that have been submitted to NHSN by
healthcare institutions in Minnesota. The DUA stipulates that MDH may use the data covered by the DUA for
HAI surveillance and prevention purposes only. It further stipulates that these data are not to be used for public
reporting of institution-specific data, or for regulatory, punitive, or other legal actions against healthcare
institutions.
Issue
The following question has been raised: Do the HIPAA privacy rules permit healthcare institutions to disclose
patient-identifiable HAI data to MDH via the CDC’s NHSN tracking system without patient authorization?
Finding
MDH has concluded that HIPAA permits healthcare institutions to disclose patient-identifiable NHSN data to
MDH via the NHSN tracking system without patient authorization. This conclusion is based on review of
MDH’s legal authority to collect data, HIPAA privacy rules, guidance from CDC and the U.S. Department of
Health and Human Services on HIPAA and public health [1], and guidance from CDC/NHSN on HIPAA [2, 3].
The HAI data that MDH receives through the DUA will be used for surveillance and/or prevention purposes
only. These data may include, but are not limited to, personally identifiable information on the patient, the tests
conducted, the results of those tests, treatments related to the disease, and other pertinent information.
Analysis
HIPAA governs the use and disclosure of protected health information (PHI). It applies to healthcare providers,
health plans, and healthcare clearinghouses that transmit certain health claims information electronically. These
entities are covered entities under the rule.
1
A covered entity must obtain a written authorization from the individual for the use and disclosure of PHI
unless the disclosure is to the individual; for treatment, payment, or healthcare operations; or unless the
disclosure falls under one of the specified exceptions.
HIPAA privacy rules, specifically 45 CFR §164.512 [4], address the uses and disclosures of PHI for which an
authorization or an opportunity to agree or object is not required. Specifically:


Section 164.512(a) permits disclosures that are required by law; and
Section 164.512(b) permits a covered entity to disclose PHI to:
“(i) A public health authority that is authorized by law to collect or receive such information for the
purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of
disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health
investigations, and
public health interventions …”
Under HIPAA, 45 CFR 164.501, a public health authority is defined as “an agency or authority of the United
States, a State… a political subdivision of a State . . . that is responsible for public health matters as part of its
official mandate.”
Therefore, to the extent that a public health authority is authorized by law to collect or receive information for
public health purposes, covered entities may disclose PHI to such public health authority without the patient’s
authorization.
CDC has published guidance concluding that the report of NHSN data from healthcare institutions to
CDC does not violate HIPAA privacy standards. Specifically, CDC has stated:
The HIPAA Privacy Rule applies to the NHSN under the following:



CDC is a public health authority authorized by law to receive patient health data.
NHSN is a public health activity for which identifiable health data may be shared without an individual
patient's authorization.
Hospitals disclosing individually identifiable NHSN data must comply with the Privacy Rule’s
requirements applicable to all covered entities, including the accounting requirements. [2]
Just as CDC is a public health authority, MDH is a public health authority that is responsible for public health
matters as part of its official mandate. MDH has broad statutory authority to collect or receive data for public
health purposes. Specifically, Minnesota Statutes, section 144.05, §1(a) states that:
The state commissioner of health shall have general authority as the state's official health agency
and shall be responsible for the development and maintenance of an organized system of
programs and services for protecting, maintaining, and improving the health of the citizens. This
authority shall include but not be limited to the following:
(a) Conduct studies and investigations, collect and analyze health and vital data, and identify and
describe health problems…
2
When CDC provides the information in NHSN to MDH pursuant to the DUA, it is allowed under HIPAA
privacy rules because of the status of MDH as a public health authority and the fact that NHSN is a public
health activity for which identifiable health data may be shared without an individual patient’s authorization.
With regard to MDH’s access to NHSN data sent to CDC, covered entities may follow their usual procedures
for logging the disclosure of information for public health purposes. Such logs may be general and not patientspecific, as per guidance from the CDC and DHHS. [1].
Analysis Summary
In summary, Minnesota Statutes, section, 144.05, §1(a) allows MDH to collect and receive health data for
public health purposes; MDH is a public health authority under HIPAA and NHSN is a public health activity.
Therefore, under HIPAA, healthcare institutions and providers can share patient-identifiable HAI data reported
through CDC/NHSN with MDH without patient authorization.
Footnotes
1.
2.
3.
4.
CDC and the U.S. Department of Health and Human Services, HIPAA Privacy Rule and Public Health: Guidance from the CDC
and the U.S. Department of Health and Human Services, MMWR May 2, 2003, available at
http://www.cdc.gov/mmwr/pdf/wk/mmsu5201.pdf.
CDC, National Healthcare Safety Network, Frequently Asked Questions About NHSN,
http://www.cdc.gov/nhsn/faqs/FAQ_general.html (last visited August 20, 2013).
CDC, National Healthcare Safety Network, Frequently Asked Questions About HIPAA Privacy Rule,
http://www.cdc.gov/nhsn/faqs/FAQ_HIPPArules.html (last visited August 20, 2013).
CFR is the Code of Federal Regulations.
9/16/2013
Infectious Disease Epidemiology, Prevention and Control Division
PO Box 64975 • St. Paul, MN 55164 • (651) 201-5414
http://www.health.state.mn.us
An equal opportunity employer
3
`