MINNESOTA IMMUNIZATION INFORMATION CONNECTION
Immunization Data Sharing, HIPAA, and MIIC
This is the Minnesota Department of Health’s (MDH’s) analysis of how the Health Insurance
Portability and Accountability Act (HIPAA) interacts with the Minnesota Immunization
Information Connection (MIIC) and the Minnesota Immunization Data Sharing Law. MIIC is a
statewide immunization information system that stores electronic immunization records for
Minnesota health service providers and the public.
Disclaimer of Legal Advice: The following is the Minnesota Department of Health’s analysis of
how the Minnesota Immunization Data Sharing Law (Minnesota Statutes §144.3351) and MIIC
interact with the Health Insurance Portability and Accountability Act (HIPAA, privacy rules, 45
CFR 160 and 164). This is not legal advice, and you should not rely on it as legal advice. Consult
with a lawyer for legal advice.
Issue
The following question has been raised by some health care providers: “Does HIPAA permit
providers to submit immunization data to MIIC without patient authorization?”
Finding
Upon review of HIPAA privacy rules, MDH concludes that HIPAA permits providers to disclose
immunization data to MDH and enter it into MIIC, which is allowed under Minnesota’s Data
Sharing Law (Minn. Stat. §144.3351), without the patient’s authorization.
Analysis
HIPAA governs the use and disclosure of protected health information (PHI). It applies to health
plans, healthcare clearinghouses, and healthcare providers that transmit certain health claims
information electronically. These entities are covered entities under the rule.
A covered entity must get a written authorization from the individual for the use and disclosure
of PHI unless the disclosure is to the individual, for treatment, payment, or health care
operations, or falls under one of the specified exceptions.
HIPAA Privacy Rule, specifically 45 CFR1 §164.512, addresses the uses and disclosures for which
an authorization or an opportunity to agree or object is not required. Specifically:
•
•
Section 164.512(a) permits disclosures that are required by law, which includes statutes
and rules;2 and
Section 164.512(b) permits a covered entity to disclose PHI for the public health
activities and purposes described in the following paragraph. These include disclosures
to:
(1/16) Page 1 of 2
IMMUNIZATION DATA SHARING, HIPAA, AND MIIC
“(i) A public health authority that is authorized by law to collect or receive such
information for the purpose of preventing or controlling disease, injury, or disability,
including but not limited to, the reporting of disease, injury, vital events such as birth or
death, and the conduct of public health surveillance, public health investigations, and
public health interventions.”
Under HIPAA, MDH is a public health authority. Specifically, 45 CFR 164.50, defines a public
health authority as:
“an agency or authority of the United States, a State, a territory, a political subdivision of a
State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from
or contract with such public agency, including the employees or agents of such public agency or
its contractors or persons or entities to whom it has granted authority, that is responsible for
public health matters as part of its official mandate.”
In summary, since MIIC is a public health service operated by a public health authority that is
authorized by law to collect immunization data,3 disclosing immunization data to MIIC is
allowed without patient authorization.
1
CFR is the Code of Federal Regulations.
2
45 CFR 164.502, Definitions.
3
Minn. Stat. §144.3351, Minnesota Immunization Data Sharing Law.
Minnesota Department of Health
Minnesota Immunization Information
Connection
PO Box 64975, St. Paul, MN 551640975
651-201-5207
[email protected]
www.health.state.mn.us
To obtain this information
in a different format, call:
651-201-5503.
(1/16) Page 2 of 2