Skip to Content

A Summary of the Proposed HIPAA Regulations Implementing HITECH
Public Interest Activities

Public Interest Activities


The Privacy Rule also permits use and disclosure of PHI, without an individual’s authorization, for certain public interest purposes.28  For example, covered entities may disclose protected health information: 1) where required by law (e.g., statute, regulation, or court order);29 2) to a health oversight agency for activities including audits and investigations of the health care system and government benefits;30 3) to law enforcement officials for law enforcement purposes under certain restrictions;31 4) if the covered entity believes that it is necessary to prevent a serious and imminent threat to the health or safety of a person or the public and the recipient of the information is reasonably able to prevent the threat;32 5) for certain specialized government functions;33 and 6) to comply with laws relating to worker’s compensation or other similar programs providing benefits for work-related injuries or illness.34


Research is included as a public health purpose for which disclosure is permitted under limited circumstances.  “Research” means any “systematic investigation, including research, development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.”35  The Privacy Rule allows a covered entity to use and disclose PHI for research purposes, without an individual’s authorization, in the following limited circumstances: 1) when an authorization waiver has been obtained from an Institutional Review Board or Privacy Board; 2) when a researcher represents to a covered entity that: (i) the PHI will only be used to prepare a research protocol or for similar purposes preparatory to research; (ii) no PHI will be removed from the covered entity; and (iii) the requested PHI is necessary to completing the research purposes; or 3) when the researcher: (i) represents that the use or disclosure sought is solely for research on the decedent’s PHI; (ii) provides documentation of the individual’s death; and (iii) represents that the requested PHI is necessary to complete the research purposes.36  A covered entity may also use or disclose an LDS for research purposes without authorization, with a valid DUA in place.37



  • 28. Id. at § 164.512.
  • 29. Id. at § 164.512(a).
  • 30. Id. at § 164.512(d).
  • 31. Id. at § 164.512(f).
  • 32. Id. at § 164.512(j).
  • 33. Id. at § 164.512(k).
  • 34. Id. at § 164.512(l).
  • 35. Id. at § 164.501.
  • 36. Id. at § 164.512(i).
  • 37. Id. at § 164.502(a)(1).