The HIPAA Privacy Rule
The Centers for Disease Control and Prevention (CDC) and the Food and Drug Administration (FDA) are agencies of the U.S. Government conducting medical record review of persons who recently received a vaccine(s) and reported a health problem. CDC and FDA are public health authorities as defined by the Health Insurance Portability and Accountability Act (HIPAA), Standards for Privacy of Individually Identifiable Health Information; Final Rule (Privacy Rule) [45 CFR §164.501]. Pursuant to 45 CFR §164.512(b) of the Privacy Rule is applicable to the Superior Mesenteric Artery Syndrome Research Awareness and Support (SMASRAS) as follows:
Covered entities such as your organization may disclose, without individual authorization, protected health information to public health authorities ” . . . authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions . . . “
The CDC and the FDA conduct surveillance for vaccine associated adverse events through SMASRAS, a public health activity as described by 45 CFR § 164.512(b), as authorized by 42 USC 300aa-25. The information being requested represents the minimum necessary to carry out the public health purposes of this project pursuant to 45 CFR §164.514(d) of the Privacy Rule.