CMA: Public Purpose Disclosures


The information provided in this document does not constitute, and is no substitute for, legal or other professional advice.  Users should consult their own legal or other professional advisors for individualized guidance regarding the application of the law to their particular situations, and in connection with other compliance-related concerns.

PrivaGuide: Public Purpose Disclosures

By Robbi-Lynn Watnik



The HIPAA Privacy Rule prohibits covered entities (CEs) from disclosing protected health information (PHI) for purposes other than treatment, payment or operations without authorization.

To avoid possible conflicts with other laws that may require disclosures under certain circumstances, the rule permits CEs to disclose PHI without authorization for public health, law enforcement, and other legal purposes.  In most cases, the CE is not required to notify the individual.  However, the CE should document these disclosures and must account for most of them upon request from the individual.


Of course, no exception is without procedural requirements and other safeguards.  As a CE, before making a disclosure, you must:


Recognize the types of activities for which disclosure is mandated by state law.
Recognize the requisite elements of a subpoena, court order or other legal document pursuant to the laws of your jurisdiction before making a disclosure.
Identify when notification of the individual that his or her PHI may be disclosed is appropriate and/or required.
Maintain proper record-keeping of all disclosures
Account for most disclosures





Mandatory v. Permissive

The Privacy Rule does not require disclosure without authorization for the purposes stated.  Rather, it permits CEs to disclose if other laws require or permit  that disclosure.


How to do this:

In this section we document some practical suggestions for implementing your complaint procedure.  “Implementation” suggestions relate to the initial steps you take to get into HIPAA compliance. “Maintenance” suggestions relate to on-going activities.  Your implementation policy and procedure documentation should be based upon your specific needs and on your understanding of how the HIPAA privacy regulation applies to you.





Implementation Suggestions:


1. Designate who, in your organization, will be responsible for determining whether a disclosure should be made and for making the disclosure. All staff should send all requests for disclosure to that individual.


2. Review the PHI Inventory you created in PrivaPlan Stat 2 and PrivaGuide: PHI Inventory. This step provided you with a listing of the types of PHI that typically are disclosed for public purposes. You might disclose on a frequent basis (for example you are an infectious disease specialist or work with personal injury attorneys) or on an occasional basis. The PHI Inventory is your starting point for determining this. Also review the procedures you have created to deal with these disclosures in the Procedures Manual.


Legal Proceedings and Law Enforcement Activities


1. Inform legal counsel of all requests pursuant to judicial and administrative proceedings, warrants, grand jury subpoenas or summons. Have legal counsel determine if a particular request meets the legal standards of your jurisdiction.


2. If you are a health care provider also inform your professional liability carrier. Frequently the risk management department of your professional liability carrier will have specific guidance and advice.


3. Recognize the different types of orders used in legal proceedings:


A court order or court-ordered warrant, subpoena or summons issued by a judicial officer;
A grand jury subpoena;
An administrative request (i.e., supoena or summons, investigative demand)
A court or administrative order that includes a qualified protective order;
A subpoena, discovery request or other legal request that does not include a qualified protective order (QPO).
What is a Qualified Protective Order?

A QPO is part of a court or administrative order, or is stipulated in a subpoena, discovery request, etc., that the use or disclosure of the PHI requested shall be restricted to the purposes listed and that the PHI will be returned or destroyed upon conclusion of the legal proceeding.


3. If the PHI request is in the form of a valid court or administrative order, determine if disclosure is appropriate. Remember, the Privacy Rule is intended to avoid conflicts with other laws.  It does not require you to make the disclosure.  Your decision to disclose the PHI requested must be based on the specifics of the case at hand, based upon advice from legal counsel.


4. If the order does not comply with the legal requirements of your jurisdiction, do not make the disclosure. Inform legal counsel of your decision.


5. If the PHI request is in the form of a subpoena, discovery request, or other legal proceeding, determine if the appropriate safeguards have been implemented before making a disclosure.


Are there satisfactory assurances that the subject of the PHI has been notified of the request?  There must be written notice–including adequate details about the legal proceeding involved–to the individual..
Has the individual had an opportunity to object to the disclosure?  Have any objections been resolved?  There must be written documentation to support this notification, any timely objections, and any resolution of those objections.
Alternatively, are there satisfactory assurances that the parties involved in the request for the PHI have either agreed to and requested a QPO?
If there is no documentation of notification or QPO request, you may attempt–but are not required–to notify the individual who is the subject of the PHI request or seek a QPO on the individual’s behalf.

6. If the appropriate safeguards have not been met, do not make the disclosure. Inform legal counsel of your decision.


7. If the request is  in the form of an administrative request, make the disclosure only if:


The information requested is relevant and material to a legitimate law enforcement inquiry;
The request is as specific and limited in scope as possible; and
De-identified information would not be adequate.
Objecting to a Disclosure


A  CE is not required to explain the procedures available to make an objection.  Any objection must be filed by the individual with the court or other appropriate legal authority, NOT the CE.


Malpractice Claims


If  you are a health care provider and the legal proceeding is based on a potential or pending malpractice claim, notify your professional liability carrier  carrier immediately.  Follow their guidance and instructions. Your disclosures to the professional liability carrier are permitted since they are a business associate.  (Note:  Ensure that you have a business associate agreement in place before disclosing PHI.)



Criminal or Otherwise Conduct


1. Any disclosures to law enforcement to identify or locate a suspect, fugitive, material witness, or missing person must be limited to:


Name/ address;
Date/place of birth;
Social Security Number;
ABO blood type/rh factor;
Type of injury;
Date/time of treatment;
Date/time of death;
Description of physical characteristics

Do not disclose DNA, dental records, typing, samples, or analysis of body fluids for identification purposes.


Copying PHI

Unless there is legal authority (i.e., a court order, or state law) to the contrary, any copying of PHI in response to a legal proceeding should be performed by, or under the control of, the CE.




Do not disclose an individual’s comments about criminal conduct if it is made in the course of counseling or therapy to stop that conduct or during a request for such treatment.  For example, do not disclose if a patient says: “I need therapy because I set fires.”


2. If an individual is believed to be a crime victim, seek the individual’s agreement to disclose PHI. If the individual is incapacitated or otherwise unable to agree, disclose the PHI if a delay in disclosure would adversely affect any investigation and the disclosure would not be used against the individual.  Any disclosure should be in the best interest of the individual, based on your professional judgment.  Document your reasons for disclosure if made.


3. Disclose PHI if, in your professional judgment, there may be a threat to the public health or safety of a particular individual or the public in general. This includes individuals who appear to have escaped from legal custody (i.e., prison, law enforcement, etc.) 


4. Disclose a decedent’s PHI to law enforcement if you believe that the death may be been related to criminal conduct.


5. If a crime has occurred on your premises, relevant PHI related to that crime (other than domestic abuse, neglect, or violence) may be disclosed to law enforcement. If the crime is not on your premises, disclose the relevant PHI if it will alert law enforcement to:

The commission and nature of a crime;
The location of the crime or its victims;
The identity, description, location of the alleged perpetrator.


Domestic abuse, neglect, or violence


1. Except in cases of child abuse or neglect, and unless contrary to the laws in your jurisdiction, before disclosing PHI about a individual believed to be a victim of domestic abuse, neglect, or violence, determine whether the individual should be notified of the disclosure.


Do not notify the individual or seek the individual’s agreement for the disclosure if there is reasonable belief that notifying the individual of the disclosure would be harmful to the individual.
If notification is appropriate, do it orally.  Any agreement should also be oral.
If the individual is incapacitated, disclose the PHI as long as it will not be used against the individual and any delay in disclosure will adversely affect law enforcement activity.
If there is a personal representative, do not notify him or her of the disclosure if there is reasonable belief that he or she is responsible for the abuse, neglect, or violence.

2. If child abuse or neglect is suspected, disclose the PHI without any notification to the individual, parent, or other legal guardian.


Public Health Issues


1. Provide a list to the staff of the types of public health issues that require disclosure pursuant to the laws (federal and local) in your jurisdiction. This includes:


disease registries;
births and other vital statistics;
FDA regulated drugs or devices;
individuals exposed to a communicable disease (if authorized by law in your jurisdiction);
work-related injuries and illnesses, including workplace medical surveillance;
Lapses of consciousness
Evidence of adult, elder or child abuse (and subject to both HIPAA and state law requirements) 
and other steps to ensure public health safety, including protection against communicable diseases.


2. Make a list of the public health agencies/officials in your jurisdiction to whom disclosure may be made.


Workplace Issues


1. If providing health care to employees at the request of the employer, disclose work-related health information as needed to the employer so that the employer can meet its workplace compliance requirements. This includes workers’ compensation laws and Occupational Safety .& Health obligations


2. Notify employees that the relevant PHI will be disclosed. This may be accomplished by either posting prominently a notice at the employer’s work site or by handing the notice to the employee before any health service is provided.


Health Oversight Activities


1. You may disclose PHI to health oversight agencies for certain oversight activities involving:

healthcare providers;
health care delivery;
resolution of consumer complaints;
analyses of trends in healthcare costs;
quality; and
access to care

2. Health oversight agencies include:

Offices of Inspectors General;
The Department of Justice;
State Medicaid fraud control units;
Defense Criminal Investigative Services;
The Pension and Welfare Benefit Administration;
The HHS Office for Civil Rights; and
The FDA.
State Departments of Health

3. Do not disclose an individual’s PHI for any investigations involving the individual that is not related to the health care or public benefits for that individual.


Private Oversight Agencies


You may not disclose PHI to a private agency, such as JCAHO that is performing a service for you (eg, a survey), unless you have entered into a business associate agreement with that agency.


Other Permitted Disclosures


1. You may disclose PHI to funeral directors, coroners or medical examiners to assist them in carrying out their legal duties such as identifying the decedent and determining cause of death. PHI may also be released to a funeral director in reasonable anticipation of the individual’s death.


2. You may use or disclose PHI to authorized organ donation agencies to facilitate organ donation.


3. You may use and disclose PHI of members of the armed forces (U.S. and foreign) as mandated by military command (as published in the Federal Register). This includes information needed for separation or discharge from the military and veterans benefits.


4. You may disclose PHI to authorized federal officials for national security purposes. This includes intelligence and counter-intelligence activities.


5. You may disclose PHI to auhorized officials having custody of an inmate or other individual if the official represents that the PHI is necessary to:


Provide health care to the individual.
Protect the health and safety of the individual, other inmates, and/or other individuals involved with, or employed by the correctional institution.

Maintenance Suggestions:


1. Continuously train all staff on how to handle requests for disclosure.


2. Be aware of changes in local laws regarding valid subpoenas and other court orders.


3. Be aware of any changes in public health rules that may necessitate additional disclosures. For example, any new outbreaks of certain diseases may cause a request for disclosures based on these outbreaks.





Implementation Suggestions:


1. Follow the instructions contained in PrivaGuide: Access, Amendment and Disclosure Accounting and your Procedure Manual.


2. Use the Disclosure Accounting Log to maintain a record of each disclosure made other than for treatment, payment or health care operations or pursuant to an authorization signed by the patient. This includes disclosures by business associates.


You are not required to account for disclosures made for national security or intelligence purposes or to correctional institutions.

3. Upon request by the appropriate official, you may temporarily suspend an individual’s right to an accounting of disclosure to a health oversight agency or law enforcement official for the period specified by the agency.  The request may be made orally, but must be followed up with a written request within 30 days of the oral request.


The statement must indicate that accounting the disclosure to the individual would impede the agency’s activities.
The statement must specify the time during which an accounting is to be suspended.

About the Author:


Robbi-Lynn Watnik


Ms. Watnik is an attorney with 20 years experience in health policy.  For the past several years, her work has focused on providing guidance to healthcare finance professionals on issues such as compliance and fraud and abuse.  She has extensive knowledge and understanding of the various reimbursement systems as well as the risk areas as identified by the Office of Inspector General of the Department of Health and Human Services.  While working in the Washington, D.C., office of the Healthcare Financial Management Association, Ms. Watnik was actively involved in the passage of the Administrative Simplification provisions of HIPAA.  She contributes to many healthcare publications and speaks throughout the country on healthcare policy issues, including the new privacy rules.  Since moving to Colorado, Ms. Watnik has continued providing consultation to healthcare providers on these issues.


Ms. Watnik can be contacted at 8626 Gatewick Drive, Colorado Springs, Colorado, 80920.  Telephone: 719-964-1338.  Email:

Related Posts

Access PrivaPlan Toolkit

Access CMA-PrivaPlan Toolkit

Sign up for updates