North Carolina Public Health Law

The HIPAA Privacy Rule gives certain rights and the authority to take certain actions to individuals whose health information is subject to the rule. For example:
• An individual has the right to access his or her own PHI.
• An individual may authorize disclosure of his or her PHI to another person by completing a HIPAA-compliant authorization form.
Sometimes an individual may be unable to personally exercise rights or take actions under HIPAA. To account for such situations, HIPAA allows a “personal representative” to act on the individual’s behalf.

The HIPAA Privacy Rule requires covered entities to verify the identity of a person to whom protected health information (PHI) is to be disclosed, as well as the person’s legal authority to receive the PHI.

HIPAA’s minimum necessary standard requires a covered entity to develop and implement policies and procedures to:
• Limit uses and disclosures of protected health information (PHI) to the minimum necessary amount of PHI to accomplish the purpose of the use or disclosure;
• Limit requests for PHI to the minimum necessary amount of PHI to accomplish the purpose of the request; and
• Limit who among the covered entity’s workforce has access to PHI.

This document describes disclosures of protected health information that are required by North Carolina law.

In most cases, local health departments do not need permission to disclose a client’s protected health information (PHI) for purposes of treatment, payment, or health care operations (often referred to collectively as “TPO”). These disclosures may be made without permission under both the HIPAA Privacy Rule and North Carolina law. There are a few exceptions to this general rule, which are explained in the next section of this handout. HIPAA defines the terms treatment, payment, and health care operations and is fairly specific about which disclosures qualify as TPO disclosures.

Requests for release of a minor’s protected health information (PHI) are similar in some respects to requests for an adult’s PHI. As with adults, the general rule is that PHI may be released with written authorization, and there are some circumstances in which PHI may be released without authorization. However, minors often must rely on an adult—usually a parent—to make their health care decisions, or to exercise their rights to access PHI or authorize disclosure of PHI. As a result, two frequently asked questions about disclosing minors’ PHI are:
• If a disclosure of a minor’s PHI requires authorization, who signs the authorization form?
• Are parents allowed to have access to a minor’s PHI?
This document focuses on those two questions, which have answers that can be quite complicated.

It is not uncommon for law enforcement officials to have an interest in confidential patient information. Law enforcement may seek the information in order to further an investigation, to locate a missing person, or for a number of other legitimate law enforcement purposes. Local health departments typically want to cooperate with law enforcement officials but are sometimes constrained by federal or state confidentiality laws, which may prohibit a disclosure altogether, or may allow it but only if certain conditions are met.

A subpoena is a form of court order that directs the person named in the subpoena to appear at a designated time and place to testify, to produce documents, or both. A health department that receives a subpoena for confidential medical information or records must not ignore the subpoena—a response is usually required. However, the appropriate response is not to immediately release records or otherwise disclose confidential information. The HIPAA Privacy Rule imposes conditions that must be met before protected health information (PHI) may be disclosed in response to a subpoena. In addition, the information may be privileged under state law, in which case it may not be disclosed without either the patient’s permission or a court order.

The HIPAA Privacy Rule governs when a local health department may disclose PHI.

Statutes affecting doctor- and nurse-patient privilege and health record confidentiality.

Link to HIPAA Combined Regulation Text (US DHHS website)