What about confidentiality?
Background (The Public Health Exception)
The Health Insurance Portability and Accountability Act (HIPAA) “Privacy Rule” recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information to carry out their public health mission. The Rule also recognizes that public health reports made by covered entities are an important means of identifying threats to the health and safety of the public at large, as well as individuals. Accordingly, the Rule permits covered entities to disclose protected health information without authorization for specified public health purposes.
General Public Health Activities. The Privacy Rule permits covered entities like hospitals, doctors and laboratories to disclose protected health information, without authorization, to public health authorities who are legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability. This would include, for example, the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations, or interventions. Also, covered entities may, at the direction of a public health authority, disclose protected health information to a foreign government agency that is acting in collaboration with a public health authority. Public health authority may use, as well as disclose, protected health information for these public health purposes. See 45 CFR 164.512.
A “public health authority” is an agency or authority of the United States government, a State, a territory, a political subdivision of a State or territory, or Indian tribe that is responsible for public health matters as part of its official mandate, as well as a person or entity acting under a grant of authority from, or under a contract with, a public health agency. Examples of a public health authority include State and local health departments, the Food and Drug Administration (FDA), the Centers for Disease Control and Prevention, and the Occupational Safety and Health Administration (OSHA).
Montana Code Annotated (MCA 37-2-301) requires physicians and other health care providers to report diseases specified by DPHHS. The Uniform Health Care Information Act (MCA 50-16-530 (2) ) allows the release of information, without patient authorization, to public health authorities when such information is required by law or needed to protect the public health. Once information is in possession of your local or state health department, subsequent release of the information is governed by the Government Health Care Information Act (MCA 50-16-6). This act outlines strict circumstances under which information may be released by a health department.
Additional information regarding reporting (including case reporting forms, disease lists or disease summaries) can be obtained by contacting your local health department at the number on the reportable disease list or the DPHHS Epidemiology Program at 406-444-0273.