Immunization Data Sharing, HIPAA, and MIIC

This is the Minnesota Department of Health's (MDH's) analysis of how the Health Insurance Portability and Accountability Act (HIPAA) interacts with the Minnesota Immunization Information Connection (MIIC) and the Minnesota Immunization Data Sharing Law. MIIC is a statewide immunization information system that stores electronic immunization records for Minnesota health service providers and the public.

Disclaimer of Legal Advice: The following is the Minnesota Department of Health's analysis of how the Minnesota Immunization Data Sharing Law (Minnesota Statutes §144.3351) and MIIC interact with the Health Insurance Portability and Accountability Act (HIPAA, privacy rules, 45 CFR 160 and 164). This is not legal advice, and you should not rely on it as legal advice. Consult with a lawyer for legal advice.

Issue

The following question has been raised by some health care providers: "Does HIPAA permit providers to submit immunization data to MIIC without patient authorization?"

Finding

Upon review of HIPAA privacy rules, MDH concludes that HIPAA permits providers to disclose immunization data to MDH and enter it into MIIC, which is allowed under Minnesota's Data Sharing Law (Minn. Stat. §144.3351), without the patient's authorization.

Analysis

HIPAA governs the use and disclosure of protected health information (PHI). It applies to health plans, health care clearinghouses, and health care providers that transmit certain health claims information electronically. These entities are covered entities under the rule.

A covered entity must get a written authorization from the individual for the use and disclosure of PHI unless the disclosure is to the individual, for treatment, payment, or health care operations, or falls under one of the specified exceptions.

HIPAA Privacy Rule, specifically 45 CFR¹ §164.512, addresses the uses and disclosures for which an authorization or an opportunity to agree or object is not required. Specifically:

• Section 164.512(a) permits disclosures that are required by law, which includes statutes and rules;²
• Section 164.512(b) permits a covered entity to disclose PHI for the public health activities and purposes described in the following paragraph. These include disclosures to:
  "(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions."

Under HIPAA, MDH is a public health authority. Specifically, 45 CFR 164.50, defines a public health authority as:

"an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate."

In summary, since MIIC is a public health service operated by a public health authority that is authorized by law to collect immunization data,³ disclosing immunization data to MIIC is allowed without patient authorization.

¹ CFR is the Code of Federal Regulations.
² 45 CFR 164.502, Definitions.
³ Minn. Stat. §144.3351, Minnesota Immunization Data Sharing Law.