MEMORANDUM

 

DATE:             May 15, 2006

 

TO:                  Trauma Registry Reporters

 

FROM:            Sheri Johnson, Ph.D.

                        Administrator and State Health Officer

Division of Public Health

                    

SUBJECT:      Permissibility of trauma registry reporting under federal and state law

Some entities that are required to report to the state trauma registry have questioned whether HIPAA permits this reporting without patient consent or authorization. It does.  Patient consent or authorization is not required by HIPAA or Wisconsin law.

The Department of Health and Family Services is the state public health agency in Wisconsin.  The Wisconsin Statutes, at § 146.56, require the Department to develop and implement a statewide trauma care system, including collection of injury data for the purpose of confidential review relating to performance improvements in that system.  The same statute requires the Department to promulgate rules for the system.  This has been done.  The Department developed the trauma care system rules with public participation, and the rules are published in the Wisconsin Administrative Code in Chapter HFS 118.  Rules HFS 118.04(2)(e), HFS 118.09 and HFS 118.10 specifically require creation by the Department of a state trauma registry, and compel mandatory reporting to that trauma registry by hospitals, ambulance service providers and first responder services.  As is the case with all rules in the Wisconsin Administrative Code, these rules have the force of law.  Nothing in the rules or in the statute requires patient permission for the reporting to occur.

Because the Department’s Division of Public Health is the organizational unit within the Department that actually handles public health programs, the trauma care system and the trauma registry are being administered by the Division of Public Health.  In receiving the data reported to the trauma registry, the Department and its Division of Public Health function in the role of a “public health authority” as defined in the Health Insurance Portability and Accountability Act (HIPAA), Standards for Privacy of Individually Identifiable Health Information, Final Rule (Privacy Rule), at 45 CFR 164.501.    Neither the Department nor the Division of Public Health is a HIPAA “business associate” of the hospital, ambulance service provider or first responder that reports data pursuant to the trauma care system requirements.

The reporting of data to the trauma registry is required by Wisconsin law.  The Privacy Rule at 45 CFR 164.512(a) specifically allows disclosures of protected health information when required by law.  In addition, pursuant to 45 CFR 164.512(b) of the Privacy Rule, covered entities may disclose, without individual authorization, protected health information to public health authorities “…authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions…”

Furthermore, 45 CFR 160.203(c) provides that HIPAA does not preempt state law that “provides for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.”

Accordingly, reporting to the trauma registry is consistent with both Wisconsin law and the HIPAA Privacy Rule.

If you have questions about this clarification, please contact Ted Ohlswager at OHLSWTS@dhfs.state.wi.us or by calling 608/267-9007.