As the state public health, and mental health authority, DSHS has designated itself a HIPAA hybrid entity. This means that DSHS has identified both covered and non-covered functions within the agency. HIPAA applies only to programs and functions that fall within the definition of “covered entity.” Vital Statistics is a public health function and it is specifically excluded from HIPAA. (See below)
The vital data you report electronically to DSHS to comply with Health and Safety Code, Title 3. Vital Statistics, Chapters 191—195, is not a HIPAA covered Electronic Data Interchange (EDI) transaction; it is public health data. The fact that it is individually identifiable health data does not make it an EDI transaction. The EDI transactions for which a standard has been adopted are found in 45 CFR, Part 162. The software provided to covered entities by DSHS is for reporting public health and vital statistics information to DSHS, a public health authority authorized to receive and collect the information, and it is provided to reporting covered entities for this limited purpose.
DSHS is not a business associate of the covered entities that submit to and access information from the vital records of DSHS. DSHS does not act on behalf of the covered entity. The covered entity is submitting data to DSHS in compliance with state law. A covered entity is not required to obtain an authorization to disclose PHI to a public health authority if required by law (see 45 CFR 164.512).
HIPAA was very careful to except public health and governmental functions from the application of HIPAA ( see 42 USC Section 1320d-7(b) below* ). DSHS has also been very careful to designate its covered and non-covered functions under HIPAA to ensure that its public health, regulatory and health oversight functions are not affected.
Because HIPAA does not apply to this program or this function, the HIPAA standards, EDI, privacy and security do not apply. State law protects the information for confidentiality purposes and the standards adopted by the Department of Information Resources adopt standards for data security and transmissions.
Be assured that DSHS has voluntarily adopted the HIPAA security standards for all programs and electronic data collection systems under which we also collect individually identifiable health information covered entities are required by law to report. Every statute that authorizes DSHS to receive and collect this data also makes the information confidential in our hands. Disclosures of confidential information can only be made in compliance with the statute that allows DSHS to collect and receive the data in the first place. DSHS has always protected information transmitted to us from disclosure, not because of HIPAA, but because of our state statute, which makes the information confidential.
42 USC §1320d- 7. Effect on State law
(a) General effect
(1) General rule
Except as provided in paragraph (2), a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d-1 through 1320d-3 of this title, shall supersede any contrary provision of State law, including a provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.
A provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1320d-1 through 1320d-3 of this title, shall not supersede a contrary provision of State law, if the provision of State law—
(A) is a provision the Secretary determines—
(i) is necessary—
(I) to prevent fraud and abuse;
(II) to ensure appropriate State regulation of insurance and health plans;
(III) for State reporting on health care delivery or costs; or
(IV) for other purposes; or
(ii) addresses controlled substances; or
(B) subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information.
(b) Public health
Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.
(c) State regulatory reporting
Nothing in this part shall limit the ability of a State to require a health plan to report, or to provide access to, information for management audits, financial audits, program monitoring and evaluation, facility licensure or certification, or individual licensure or certification.
Please send questions via e-mail to: Contact DSHS HIPAA Project Office.
Also see the HIPAA Privacy Rule and Public Health Guidance from CDC and U.S. Dept. of Health and Human Services