Skip Navigation LinksSkip Navigation Links
Centers for Disease Control and Prevention
Safer Healthier People
Blue White
Blue White
bottom curve
CDC Home Search Health Topics A-Z spacer spacer
spacer
Blue curve MMWR spacer
spacer
spacer

Persons using assistive technology might not be able to fully access information in this file. For assistance, please send e-mail to: mmwrq@cdc.gov. Type 508 Accommodation and the title of the report in the subject line of e-mail.

Appendix B

Sample Text That Can Be Used To Clarify Public Health Issues Under the Privacy Rule

Following are sample letters that can be used to help clarify Privacy Rule issues among covered entities and public health authorities (e.g., CDC, National Institutes of Health, Food and Drug Administration, Substance Abuse and Mental Health Services Administration, Health Resources and Services Administration, state and local health departments). Public health authorities can use these letters as templates by inserting names of the appropriate individuals, projects, agreements, laws, activity types, covered entities, public health authorities, and authorized agencies.

From a public health authority to a covered entity, clarifying rules regarding disclosure
To Whom it May Concern:

[Public health authority] is an agency of [parent authority] and is conducting the activity described here in its capacity as a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA), Standards for Privacy of Individually Identifiable Health Information; Final Rule (Privacy Rule) [45 CFR §164.501]. Pursuant to 45 CFR §164.512(b) of the Privacy Rule, covered entities such as your organization may disclose, without individual authorization, protected health information to public health authorities " . . . authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions . . . "

[Public health authority] is conducting [project], a public health activity as described by 45 CFR § 164.512(b), and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project pursuant to 45 CFR §164.514(d) of the Privacy Rule.

If you have questions or concerns please contact [project leader].

From a public health authority to an authorized agency, providing grant of authority
Dear [authorized agency]:

This letter serves as verification of a grant of authority from [public health authority] for you to conduct the public health activities described here, acting as a public health authority pursuant to the Standards for Privacy of Individually Identifiable Health Information promulgated under the Health Insurance Portability and Accountability Act (HIPAA) [45 CFR Parts 160 and 164)]. Under this rule, covered entities may disclose, without individual authorization, protected health information to public health authorities " . . . authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions . . . ." The definition of a public health authority includes " . . . an individual or entity acting under a grant of authority from or contract with such public agency . . . ."

[Authorized agency] is acting under [contract, grant, cooperative agreement] with [public health authority] to conduct [project], which is authorized by [law or regulation]. [Public health authority] grants this authority to [authorized agency] for purposes of this project. Further, [public health authority] considers this to be [activity type], for which disclosure of protected health information by covered entities is authorized by 45 CFR § 164.512(b) of the Privacy Rule.

From a public health authority to a covered entity, confirming grant of authority to an authorized agency
To Whom It May Concern:

[Public health authority] is an agency of [parent authority] and is a public health authority as defined by the Health Insurance Portability and Accountability Act (HIPAA), Standards for Privacy of Individually Identifiable Health Information; Final Rule (Privacy Rule)[45 CFR § 164.501]. Pursuant to 45 CFR § 164.512(b) of the Privacy Rule, covered entities may disclose protected health information to public health authorities " . . . authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions . . . ." The definition of public health authority includes " . . . an individual or entity acting under a grant of authority from or contract with such public agency . . ." [45 CFR § 164.501]. [Authorized agency] is acting under [contract, grant or cooperative agreement] with [public health authority] to carry out [project]. Through this grant of authority, [authorized agency] may function as a public health authority under the Privacy Rule for purposes of this project.

[Project] is a public health activity as described by 45 CFR § 164.512(b) referenced previously, and is authorized by [law or regulation]. The information being requested represents the minimum necessary to carry out the public health purposes of this project pursuant to 45 CFR § 164.514(d) of the Privacy Rule. The Privacy Rule provides that covered entities " . . . may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purposes when making disclosures to public officials that are permitted under 45 CFR § 164.512, if the public official represents that the information requested is the minimum necessary for the stated purposes(s)."

If you have questions or concerns please contact [project leader for authorized agency; public health authority contact].

Use of trade names and commercial sources is for identification only and does not imply endorsement by the U.S. Department of Health and Human Services.


References to non-CDC sites on the Internet are provided as a service to MMWR readers and do not constitute or imply endorsement of these organizations or their programs by CDC or the U.S. Department of Health and Human Services. CDC is not responsible for the content of pages found at these sites. URL addresses listed in MMWR were current as of the date of publication.

Disclaimer   All MMWR HTML versions of articles are electronic conversions from ASCII text into HTML. This conversion may have resulted in character translation or format errors in the HTML version. Users should not rely on this HTML document, but are referred to the electronic PDF version and/or the original MMWR paper copy for the official text, figures, and tables. An original paper copy of this issue can be obtained from the Superintendent of Documents, U.S. Government Printing Office (GPO), Washington, DC 20402-9371; telephone: (202) 512-1800. Contact GPO for current prices.

**Questions or messages regarding errors in formatting should be addressed to mmwrq@cdc.gov.

Page converted: 4/11/2003

HOME  |  ABOUT MMWR  |  MMWR SEARCH  |  DOWNLOADS  |  RSSCONTACT
POLICY  |  DISCLAIMER  |  ACCESSIBILITY

Safer, Healthier People

Morbidity and Mortality Weekly Report
Centers for Disease Control and Prevention
1600 Clifton Rd, MailStop E-90, Atlanta, GA 30333, U.S.A

USA.GovDHHS

Department of Health
and Human Services

This page last reviewed 4/11/2003