Public health authorities, such as the Food and Drug Administration (FDA), the Centers for Disease Control and Prevention (CDC), the Occupational Safety and Health Administration (OSHA), and state and local health departments, regulate health information that is available for public record. These authorities obtain and manage essential data relevant to the health of the population in the U.S., tracking things like diseases, effects of natural disasters, and general health trends. The reports generated from this data are called public health records, which are available to anyone.
The following data are routinely collected by public health authorities to create public health records:
- Cases of child abuse or neglect
- Workplace injuries or illnesses
- Complications resulting from FDA-approved products or medications
- People who are at risk of spreading a disease or illness
How personal health information contributes
Protected health information (PHI) makes up the data in these records, with a majority coming from electronic health records (EHR). EHR systems play a significant role in helping public health authorities collect important data that informs how they can create best practices and guidelines for the public’s health. For example, EHR records have been used to identify trends in testing, progression of symptoms, and diagnosis rates in patients with HIV and Lyme disease.
HIPAA compliance with public health records
However, EHR records are not the only way public health authorities can gather data for public health records. Partnering with both small and large healthcare organizations to obtain medical information is becoming increasingly popular; this also means that the communication methods these organizations use have to be HIPAA compliant to ensure patient data safety. In general, public health authorities do not collect any information that could identify a person; data goes through a de-identification process.
The CDC states that only the minimal information necessary can be shared with public health authorities per HIPAA compliance. This means authorities only receive what is necessary to know about a person’s medical history for the public health record. For example, if a shared health record is being generated to look at trends of memory problems in older adults, only information such as rates of cognitive impairment diagnosis or the number of people on a memory medication can be shared. Nonetheless, this does not mean that de-identified PHI requires any different level of HIPAA compliance. Organizations must ensure that the data they send to public health authorities is being transferred safely, particularly when information is transmitted via email.
Paubox Email Suite Premium provides all the inbound security features a healthcare organization needs to remain HIPAA compliant when contributing to public health records. In addition to sending HIPAA compliant email with no extra steps for sender or receiver, it protects against display name spoofing and has data loss prevention (DLP) built into the program. With Paubox products, organizations can help further how public health records influence the healthcare field, both locally and globally.