Sorry, this page has moved!
Please click here to go to the new location.


The HIPAA Privacy Rule recognizes the legitimate need for public health authorities and others responsible for ensuring public health and safety to have access to protected health information (PHI). Therefore, there is an explicit exemption for public health activities in HIPAA (Section 164.512(b)), which states that patient consent or authorization is not needed to disclose PHI to public health authorities.

Under the Privacy rule, State and local health departments are considered a public health authority and are therefore legally authorized to receive such reports for the purpose of preventing or controlling disease, injury, or disability, the reporting of a disease or injury; reporting vital events, such as births or deaths; and conducting public health surveillance, investigations or interventions. The information required for disease reporting is the minimum necessary to enable public health investigation.

Furthermore, California Code of Regulations, Title 17, Section 2500, requires that healthcare providers report certain diseases or conditions (see Reportable Communicable Diseases list). The full HIPAA regulations, background, and technical assistance are available at