North Carolina Public Health Law
Medical Confidentiality Law 101: Introduction to Key Concepts for N.C. Local Health Departments
The following is a collection of frequently asked questions from the 2011 conference Legal Basics for Human Services Directors & Administrators
FAQs
There are several laws that require local health departments to keep patient information
confidential. The major laws protecting health care information are:
• HIPAA Privacy Rule (45 CFR1 Parts 160 and 164): This is a federal law that governs when
covered entities—a term that includes most health care providers, including LHDs—may
use and disclose protected health information.
• Public health patient confidentiality law (GS2 130A-12): This is a state law that applies
only to North Carolina LHDs and the NC Department of Health and Human Services
(DHHS). Under this law, records in the possession of LHDs or DHHS are confidential and
not subject to NC’s public records law if they contain any of the following types of
information:
o Information that is privileged under state law,
o Information that is protected under HIPAA, or
o Information that is collected under the authority of the child lead screening and
investigation program.
This law also addresses some instances in which patient information may be disclosed.
• Privilege laws (primarily GS 8-53 [physician-patient privilege] and GS 8-53.13 [nursepatient
privilege]): These are state laws. Under GS 8-53, communications between
patients and their physicians (and others working under the physician’s direction) are
privileged. Under GS 8-53.13, communications between patients and nurses are
privileged. The historic purpose of these kinds of privileges is to prevent information
from being introduced into court proceedings against the patient’s will. In North
Carolina, privileged patient information usually may be introduced into courtproceedings in only two circumstances: (1) when the patient gives permission for
disclosure of the information, or (2) when the judge orders disclosure of information
after finding that disclosure is necessary to a proper administration of justice.
Two laws of particular importance to LHDs protect specific clients or categories of information:
• Title X family planning client confidentiality (42 CFR 59.11): This is a federal law that
requires providers to keep information about Title X clients confidential and disclose it
only with the client’s documented consent, unless the disclosure is necessary to provide
services to the client or is required by law.
• Communicable disease confidentiality (GS 130A-143): This is a state law that applies to
information or records that identify a person who has or may have a reportable
communicable disease or condition. Such information may be disclosed only when the
disclosure fits into one of eleven circumstances specified in the statute.
Some LHDs may be subject to other confidentiality laws as well, depending upon the types of
health care providers and/or the types of services they offer. For example:
• School nurses who work with education records must protect them in accordance with
the federal Family Educational Rights and Privacy Act (FERPA).
• Some components or employees of some LHDs may be subject to state mental health
confidentiality laws or federal substance abuse confidentiality regulations.
This list is not exhaustive. HIPAA requires each covered entity to have a privacy official. The
person who acts as the privacy official for the LHD should be familiar with the confidentiality
laws that apply to the different activities of the LHD.
This list is not exhaustive. HIPAA requires each covered entity to have a privacy official. The
person who acts as the privacy official for the LHD should be familiar with the confidentiality
laws that apply to the different activities of the LHD.
1 CFR stands for Code of Federal Regulations. The HIPAA regulations (including the privacy rule) are available at http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/index.html.
2 GS stands for General Statutes, North Carolina’s state laws. The proper legal citation form is N.C. Gen. Stat., which makes clear we are referring to NC laws and not the laws of any other state, but it is customary to use the abbreviation “GS” in documents that are intended specifically for North Carolina audiences. The NC General Statutes are available at http://www.ncleg.net/gascripts/statutes/Statutes.asp
A LHD’s starting assumptions should always be:
• Any individually identifiable information about a patient is confidential; and
• Any individually identifiable health information the LHD has on a person who is not a
patient might be confidential. For example, information in an environmental health
report that identifies a person with a communicable disease is confidential, even if the
person is not a LHD patient and even though the EH report is not a patient record.
There are exceptions to these rules of thumb, but it is best to start with the assumption that
individually identifiable health information is probably confidential and should not be disclosed
except as allowed by HIPAA and other confidentiality laws. Consult the LHD’s privacy official or
an attorney if you think you have a situation that constitutes an exception.
Under the HIPAA Privacy Rule, protected health information (PHI) is confidential. PHI is defined
as information or records in any form (including paper records, electronic records, and oral
communications) that:
• Identify an individual (or can be used to identify an individual), and
• Relate to any of the following:
o The physical or mental health status or condition of the individual,
Moore/December 2011 (revised) Page 3
o The provision of health care to the individual, or
o Payment for the provision of health care to the individual.
Look carefully at the second and third bullet points, and you will see that under the Privacy Rule,
it is not just medical status or treatment information that is confidential–the mere fact that a
person is a patient is confidential (because it relates to the provision of health care), as is billing
information (because it relates to payment for the provision of health care).
GS 130A-12, the main state law that addresses confidentiality of LHD patient records, is
consistent with HIPAA. It provides that LHD records that contain information that is privileged
under state law or protected under HIPAA are confidential.
With the patient’s (or personal representative’s) permission: A LHD may disclose information if the patient or the patient’s personal representative3 gives permission for the disclosure. The permission must be in the proper form. In most cases, the permission must be in writing on an authorization form that complies with the HIPAA Privacy Rule.
The first thing to ask when there is a question about whether a disclosure may be made is, “Should I seek the patient’s permission to disclose this information?” Patient permission is often the simplest way to resolve a disclosure question. Of course, it doesn’t always make sense to seek permission. For example, if a DSS employee is asking for information about a child who is the subject of a child protective services report, the LHD is required by law to disclose the information. It does not need permission for the disclosure and it probably shouldn’t seek it.
Without the patient’s (or personal representative’s) permission under certain circumstances that are specified in law: There are several circumstances in which a LHD may disclose patient information without permission. I will not attempt to address all of them in this outline. The following list describes three circumstances that arise very frequently in North Carolina LHDs.
• Treatment, payment, and health care operations: Since July 2004, North Carolina LHDs
have been permitted to disclose information without the patient’s permission when the
purpose of the disclosure is to provide for the patient’s treatment, to obtain payment
for treatment, or to carry out health care operations. The terms “treatment,”
“payment,” and “health care operations” are defined in the HIPAA privacy rule. See the
definitions section on the last page of this handout.
• Required by law: LHDs are permitted to disclose information without a patient’s
permission when the disclosure is required by another law, such as a state law. For example, in NC, a LHD must disclose PHI in the following circumstances, and it does not
need the patient’s permission to do so:
o To make a report to child protective services or adult protective services.
o To make communicable disease reports to the state or another LHD.
o To a medical examiner who requests it.
o To report a diagnosis of cancer to the state cancer registry.
This is not a complete list. For more information, see the handout, “Disclosures of Protected Health Information that are Required by North Carolina Law.”
• Court orders and subpoenas: LHDs may disclose information without a patient’s
permission pursuant to a proper court order. A subpoena is a form of court order, but in
North Carolina, a subpoena alone is not sufficient to permit a LHD to disclose patient
information or provide access to or copies of patient records. LHDs should take great
care with subpoenas. It is essential for a LHD to have a carefully written policy on
responding to subpoenas, and it is a good idea for a LHD that has received a subpoena
to consult with an attorney as well.4
There are several other circumstances in which a disclosure of information may be made without the patient’s permission, provided certain criteria are met. Consult the LHD’s privacy official or an attorney if you need to know whether a LHD may disclose information without patient permission in a particular circumstance.
3 A personal representative is a person who is authorized by law to make health care decisions for another individual. 45 CFR 164.502(g). Examples of persons who may constitute personal representatives under NC law include a legal guardian, a person named as health care agent in a health care power of attorney, or another person who consented to health care on behalf of a person who lacked capacity to give consent. (This sometimes includes parents of minor children but not always, as minors sometimes receive care on their own consent. For more information on consent to treatment of minors and disclosure of minors’ health information, see https://www.sog.unc.edu/resources/microsites/north-carolina-public-health-law/medical-treatment-minors.) If an individual is deceased, the person who may authorize disclosure of information is the executor or administrator of the estate, or if there is no executor or administrator, the next of kin. 4 An excellent resource for anyone who is responsible for a LHD’s subpoena policy is Responding to Subpoenas for Health Department Records, by John Rubin and Aimee Wall (SOG Health Law Bulletin No. 82, September 2005).
Before disclosing information to a person or entity who requests it, the HIPAA Privacy Rule
requires LHDs to verify two things: (1) the requesting person’s identity, and (2) the requesting
person’s authority to receive the information.
The LHD must document the disclosure of information. Also, under the HIPAA Privacy Rule, individuals have the right to request an accounting of disclosures of their protected health information. Some, but not all, disclosures of information must be included in any such accounting.
