The privacy and security of electronic health information is a shared responsibility of public health and healthcare facilities in outbreak investigations, including those involving HAIs. Early conversations between public health officials and healthcare facility staff should address concerns about public health authority, patient privacy, and the secure transfer and storage of patient information to ensure the information is appropriately protected.
The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule establishes protections for health information while also permitting certain uses and disclosures for public health purposes. A healthcare facility may disclose protected health information, without the patient's authorization, to a public health authority that is authorized by law to collect it for the purpose of preventing or controlling disease. Nevertheless, public health officials consistently reported perceived HIPAA barriers as a reason healthcare facilities were hesitant to give health departments access to patient information. Understanding HIPAA's public health exception, and pointing healthcare facilities to it, helps overcome these barriers to access during outbreaks.
Defined levels of authority to access medical records
Public health officials rely on delegated authority, that is, authority granted through their state health code, to access medical information. Healthcare facilities sometimes challenge or ask for proof of that authority, even after being informed of public health authority. Healthcare facilities may want to withhold certain patient information because of concerns about patient privacy. To help overcome this challenge, some health departments have developed standardized letters to address healthcare facilities' concerns by identifying the state laws and the HIPAA exceptions that grant the health department access to patient health information in the healthcare facilities' EHRs.
– Health Department Staff
Healthcare facilities’ concerns about data security
Some health departments faced challenges when accessing medical records because healthcare facilities were concerned about the health department's ability to view the entire patient record, including information that was not part of the outbreak investigation. In some cases, healthcare facilities restricted access to certain parts of the patient's health information (e.g., mental health, obstetrics) in the EHR to maintain patient privacy. Some health department staff also noted that healthcare facilities can audit which records and data elements were accessed, as a way to monitor the health department's access to and use of the EHR. To build trust and communicate transparently, health departments should be specific with healthcare facilities about which parts of the EHR they need access to and why, so that access can be scoped, and audited, against a stated need.
Healthcare facilities also raise questions about the security of patient health information in transit and at rest when health departments access and use EHRs. Health departments reported that when they are onsite at the healthcare facility, they use individual (not shared) passwords, encrypted computers, and locked briefcases to transfer and store patient health information. When accessing EHRs from remote locations, they reported using individual passwords, secure file transfer, and secure storage mechanisms. The common thread is that each user is individually accountable for their access, and that patient information is encrypted both while it is transferred and wherever it is stored.