[Federal Register Volume 68, Number 59 (Thursday, March 27, 2003)]
[Notices]
[Page 15039]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 03-7301]


-----------------------------------------------------------------------

NATIONAL HIGHWAY TRAFFIC SAFETY ADMINISTRATION


Public Health Authority Notification

AGENCY: National Highway Traffic Safety Administration (NHTSA), 
Department of Transportation (DOT).

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: NHTSA is publishing this notice to inform hospitals and other 
health care organizations of its status as a ``public health 
authority'' under the medical privacy requirements of the Health 
Insurance Portability and Accountability Act of 1996.

FOR FURTHER INFORMATION CONTACT: Tyler Bolden, NHTSA, Office of Chief 
Counsel, 400 7th Street, SW Suite 5219, Washington, DC 20590. 202-366-
1834.

SUPPLEMENTARY INFORMATION: The Health Insurance Portability and 
Accountability Act of 1996 (``HIPAA'') was enacted to improve the 
portability and continuity of health insurance coverage, to improve 
access to long-term care services and coverage, to simplify the 
administration of health insurance, and for other purposes (Pub. L. No. 
104-191, 110 Stat. 196 (1996)). The Administrative Simplification 
subtitle of HIPAA authorized the Department of Health and Human 
Services (``HHS'') to promulgate medical privacy regulations to protect 
the privacy of individually-identifiable electronic health information. 
These regulations (the ``Privacy Rule'') were published by HHS on 
December 28, 2000 and established the standards to identify the rights 
of individuals who are the subjects of ``protected health 
information,'' which is defined as individually-identifiable health 
information; provide procedures for the exercise of those rights; and 
define the general rules for permitted and required uses and 
disclosures of protected health information (45 CFR Parts 160-164).
    Beginning April 14, 2003, the Privacy Rule prohibits health plans, 
health care clearinghouses and selected health care providers from 
using or disclosing protected health information, except as permitted 
by certain exceptions (45 CFR 164.502). Under one exception, the 
Privacy Rule permits the disclosure of protected health information to 
public health authorities authorized to ``collect or receive such 
information for the purpose of preventing or controlling disease, 
injury, or disability . . . `` (45 CFR 164.512(b)(1)(i)). A ``public 
health authority'' includes ``an agency or authority of the United 
States . . . that is responsible for public health matters as part of 
its official mandate'' (45 CFR 164.501). Examples of public health 
matters include the reporting of disease, injury, or vital events; and 
public health surveillance, public health investigations or public 
health interventions (45 CFR 164.512(b)(1)(i)).
    Guidance issued by HHS on December 2, 2002 further addressed the 
issue of disclosures to public health authorities. Specifically, the 
guidance stated that:

    The HIPAA Privacy Rule recognizes the legitimate need for public 
health authorities and others responsible for ensuring public health 
and safety to have access to protected health information to carry 
out their public health mission . . . the [Privacy] Rule permits 
covered entities to disclose protected health information without 
authorization for specified public health purposes.

    NHTSA's mission is to prevent and reduce deaths, injuries and 
economic losses resulting from automotive travel on our nation's 
roadways. To accomplish this mission, NHTSA has statutory authority to 
conduct crash injury research and collect relevant data in the interest 
of public health. Specifically, NHTSA is authorized to: (1) Engage in 
research on all phases of highway safety and traffic conditions; (2) 
undertake collaborative research and development projects with non-
Federal entities for the purposes of crash data collection and 
analysis; and (3) conduct research and collect information to determine 
the relationship between motor vehicles and accidents, and personal 
injury or deaths resulting from such accidents (See 23 U.S.C. 
403(a)(1), 23 U.S.C. 403(f) and 49 U.S.C. 30168(a)). The term 
``safety'' is defined as ``highway safety and highway safety'related 
research and development, including research and development relating 
to highway and driver characteristics, crash investigations, 
communications, emergency medical care, and transportation of the 
injured'' (23 U.S.C. 403(a)(3)).
    In light of the above-referenced statutory authority, which 
demonstrates a responsibility for public health matters as part of the 
agency's mandate, NHTSA has determined that it is a public health 
authority within the meaning of the Privacy Rule. As a public health 
authority, NHTSA is entitled to receive protected health information 
from hospitals and other health care organizations, without written 
consent or authorization, because disclosures of protected health 
information to a public health authority are permitted disclosures 
under the Privacy Rule (45 CFR 164.502(a)(1)(vi)).

    Issued on: March 21, 2003.
Jeffrey W. Runge,
Administrator, National Highway Traffic Safety Administration.
[FR Doc. 03-7301 Filed 3-26-03; 8:45 am]
BILLING CODE 4910-59-P