
Privacy
Division of Public Health Confidentiality Agreement
Effective Date: April 14, 2003
Ensuring the confidentiality of all health reports, records, and files containing
patient names and other individually identifying information is of critical
importance in the Division of Public Health. Breaches of confidentiality
could undermine public trust in the Public Health Division and thereby hinder
efforts to prevent and control morbidity and mortality from disease and injury.
The federal Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164),
which implements the Health Insurance Portability and Accountability Act of
1996 (HIPAA), Standards for Privacy of Individually Identifiable Health Information,
provides protection for the privacy of health information.
HIPAA provides requirements to ensure that certain individually
identifiable health information that is created, received, and maintained in
any form or medium by the North Carolina Department of Health and Human Services
(DHHS) and the Division of Public Health is safeguarded and protected.
Employees of the Division of Public Health may only use and disclose individually
identifiable health information as provided by and subject to all of the limitations
and requirements specified in the DHHS Policies and Procedures Manual, which
is maintained by the DHHS Office of the Secretary. The Division of Public Health
has also defined specific division privacy policies and procedures, which are
in the DPH Privacy Policy and Procedures Manual.
The Division of Public Health policy is to address the privacy requirements regarding
the use and disclosure of any individually identifiable health information
for full-time and part-time employees. It also addresses the extended workforce
(e.g., contractors, volunteers) that is to be included as part of the Division “workforce”.
As a member of the Division workforce, I must make all reasonable efforts to
protect individually identifiable health information in all forms from intentional
or unintentional use or disclosure.
Any information containing patient individually identifiable information disclosed
to the Division of Public Health remains confidential and is not public record
as mandated by North Carolina General Statutes (General Statutes 130A-12,
130A-93, 130A-131, 130A-143, 130A-212, 130A-374, 130A-441, 130A-460, 131E-214,
132.1, 143B-139). In the case of medical records, the right to confidentiality
is guaranteed under North Carolina laws (General Statutes 130A-143, 130A-212
and 130A-374) and this data can only be released
with approval of the Director of the Division or Assistant. Only the State
Registrar is authorized to release an individual’s name and vital records
information maintained at the state level (G.S. 130A-93). Vital records are
birth, death, fetal death, marriage and divorce
certificates or reports.
All disease report cards, case surveillance forms, patient records, patient
x-rays or other medical records that contain individually identifiable information
must be kept in closed files except when being processed by designated staff.
Either the files must be locked or the office in which the files are located
must be locked during non-business hours.
The confidentiality of all medical or case report records and other records
with personal identifiers, whether on paper or in an electronic medium, must
be protected in such a manner that unauthorized persons do not and cannot obtain
access to the records. Access to records, files and databases containing individually
identifiable health information is restricted to staff whose job responsibilities
require that they have access to these data and who have been authorized to
have access by the appropriate Section Chief or Branch Head.
Division employees must not discuss sensitive office issues or records with
anyone other than those involved in the work who have a need to know. Division
employees must never reveal individually identifiable health information to
anyone other than those directly involved in the work and who have a need to
know. All requests for release of individually identifiable health information
must follow Department and Division policies and procedures and follow applicable
state and federal law. Before responding to or acting on requests to release
individually identifiable health information, Division employees must consult
with the appropriate Section Chief or Branch Head and/or with the DPH Privacy
Official.
Division employees must never confirm or deny that a particular individual
has been reported as having a specific disease or condition to anyone other than
those directly involved in the work and who have a need to know.
In carrying out the responsibilities delegated to the division by state law,
except as provided by specific law {e.g., G.S. 130A-143, G.S. 130A-144,
10A NCAC .0202(11)}, an authorized division employee, without identifying the
patient, may share information contained in a medical record or division file
with a healthcare provider in consultation to the investigation, evaluation,
or prevention of any illness or injury falling under the purview of the division.
If a division physician determines that personal identifiers are essential
to a consultation, written authorization must be obtained from the patient
or, in the case of a minor, the patient’s parent or guardian before a
patient’s medical records or parts thereof obtained under the authority
of G.S. 130A-5(2) or otherwise may be released to any person in another state or
federal agency. If a patient is deceased, authorization must be obtained from
the surviving next-of-kin.
All statistical data released by the Division must be carefully scrutinized
to ensure that no individual can be identified. Statistics may be released
to reporters or others requesting such information so long as no information
is given which would make it possible for a particular individual to be identified.
Only those employees authorized to release such statistical information should
do so; persons without such authorization should refer queries to an authorized
individual.
All known or suspected breaches of confidentiality must be documented and
brought to the attention of the DPH Privacy Official, the appropriate Branch
Head and Section Chief, and the Division Director.
Nothing in this policy should be construed to prohibit the provision to the
NC Industrial Commission of those medical records required to be submitted
to the commission or litigants in a workers’ compensation case by Chapter
97 of the NC General Statutes.
Page last updated on January 03, 2005