[Federal Register Volume 79, Number 41 (Monday, March 3, 2014)]
[Notices]
[Pages 11769-11770]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-04590]


-----------------------------------------------------------------------

CONSUMER PRODUCT SAFETY COMMISSION


Public Health Authority Notification

AGENCY: Consumer Product Safety Commission (CPSC).

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: CPSC is publishing this notice to inform hospitals and other 
health care organizations of CPSC's status as a ``public health 
authority'' under the medical privacy requirements of the Health 
Insurance Portability and Accountability Act of 1996 (HIPAA).

FOR FURTHER INFORMATION CONTACT: Melissa Buford, CPSC Office of the 
General Counsel, 4330 East West Highway, Suite 704, Bethesda, MD 20814. 
301-504-7636.

SUPPLEMENTARY INFORMATION: Congress enacted HIPAA to improve 
portability and continuity of health insurance, among other purposes. 
(Pub. L. 104-191, 110 Stat. 1936 (1996)). The U.S. Department of Health 
and Human Services (HHS) promulgated regulations pursuant to HIPAA to 
address the security and privacy of health data. Known as the Privacy 
Rule, Standards for Privacy of Individually Identifiable Health 
Information, 45 CFR parts 160 and 164, the regulations established 
procedures to protect the privacy of individually identifiable health 
information and to address the use and disclosure of such information.
    The Privacy Rule provides that covered entities, including health 
care providers, health plans, and health care clearinghouses, may not 
use or disclose protected health information, except in certain 
expressly permitted circumstances. Covered entities, however, may 
disclose protected health information to a ``public health authority.'' 
As HHS recognized in guidance issued on December 3, 2002, and revised 
on April 3, 2003, disclosure in certain circumstances is necessary to 
support the work of public health authorities:

    The HIPAA Privacy Rule recognizes the legitimate need for public 
health authorities and others responsible for ensuring public health 
and safety to have access to protected health information to carry 
out their public health mission. The Rule also recognizes that 
public health reports made by covered entities are an important 
means of identifying threats to the health and safety of the public 
at large, as well as individuals. Accordingly, the Rule permits 
covered entities to disclose protected health information without 
authorization for specified public health purposes.

    The regulations define a ``public health authority'' broadly to 
include:

an agency or authority of the United States, a State, a territory, a 
political subdivision of a State or territory, or an Indian tribe, 
or a person or entity acting under a grant of authority from or 
contract with such public agency, including the employees or agents 
of such public agency or its contractors or persons or entities to 
whom it has granted authority, that is responsible for public health 
matters as part of its official mandate.

    45 CFR 164.501. Moreover, the preamble to the final Privacy Rule 
underscored the expansive meaning of ``public health authority.'' 
Noting the clear congressional mandate not to interfere with current 
public health practices, the preamble stated: ``the broad definition of 
`public health authority' is appropriate to achieve that end.'' 65 FR 
82462 (December 28, 2000).
    Thus, the Privacy Rule provides that protected health information 
may be disclosed to a public health authority that is authorized by law 
to collect certain health-related information. Specifically, the 
Privacy Rule allows for the disclosure of protected health information 
to a public health authority that is:

authorized by law to collect or receive such information for the 
purpose of preventing or controlling disease, injury, or disability, 
including, but not limited to, the reporting of disease, injury, 
vital events such as birth or death and the conduct of public health 
surveillance, public health investigations, and public health 
interventions; or, at the direction of a public health authority, to 
an official of a foreign government agency that is acting in 
collaboration with a public health authority.

45 CFR 164.512(b)(1)(i).

    CPSC is a public health authority authorized by law to collect 
certain health-related information in pursuit of its official mandate. 
CPSC's mission is to protect the public against unreasonable risks of 
injury associated with consumer products and to promote research and 
investigation into the causes and prevention of product-related deaths, 
illnesses, and injuries. 15 U.S.C. 2051(b). As such, CPSC's mission 
falls well within the broad parameters of a public health authority 
responsible for public health matters as defined in the Privacy Rule.
    Additionally, in furtherance of its mandate, CPSC is authorized by 
law to, among other things, collect information for the purpose of 
preventing injury or death, report injury or death, and conduct public 
health investigations. For example, pursuant to statutory direction, 
CPSC must ``maintain an Injury Information Clearinghouse to collect, 
investigate, analyze, and disseminate injury data, and information, 
relating to the causes and prevention of death, injury, and illness 
associated with consumer products'' and to ``conduct such continuing 
studies and investigations of deaths, injuries, diseases, other health 
impairments, and economic losses resulting from accidents involving 
consumer products as it deems necessary.'' 15 U.S.C. 2054(a)(1) and 
(2). In addition, CPSC is authorized to ``conduct research, studies, 
and investigations on the safety of consumer products and on improving 
the safety of such products.'' 15 U.S.C. 2054(b). Additionally, each 
fiscal year CPSC is required to submit a comprehensive report to the 
President and Congress documenting ``thorough appraisal, including 
statistical analyses, estimates, and long-term projections, of the 
incidence of injury and effects to the population resulting from 
consumer products, with a breakdown, insofar as practicable, among the 
various sources of such injury'' and ``statistics with respect to 
injuries and deaths associated with products that the Commission 
determines present a substantial product hazard under section 15(c).'' 
15 U.S.C. 2076(j)(1) and (6)(B).
    As an agency responsible for public health matters pursuant to its 
official mandate, and with statutory authorization to collect and 
report information to prevent injury and death, CPSC falls squarely 
within the definition of a ``public health authority.'' Accordingly, 
CPSC is providing notice that it is a public health authority within 
the meaning of the Privacy Rule, entitled to receive protected health 
information from hospitals and other health care organizations, without 
written authorization or consent. The disclosure of protected health 
information to a public health authority is a permitted disclosure 
under the Privacy Rule. 45 CFR 164.502(a)(1)(vi).



    Dated: February 26, 2014.
Todd A. Stevenson,
Secretary, Consumer Product Safety Commission.
[FR Doc. 2014-04590 Filed 2-28-14; 8:45 am]
BILLING CODE 6355-01-P