HIPAA and Birth Defect Reporting: What Providers Can Share with Public Health Authorities

HIPAA Privacy Rule and Public Health Reporting

What HIPAA permits

Under the HIPAA Privacy Rule, you may disclose Protected Health Information (PHI) to a Public Health Authority for activities aimed at preventing or controlling disease, injury, or disability. That expressly includes congenital conditions reporting and birth defects surveillance. These disclosures do not require patient authorization when made to an authority that is legally authorized to collect such data for public health purposes.

Minimum necessary and scope

Apply the minimum necessary standard by sharing only the data elements needed to meet the request or requirement. When a state law or regulation specifically requires reporting, transmit the information the law mandates; when a request is permissible but not required, limit the dataset to what is reasonably necessary for the stated public health purpose.

Security, documentation, and accountability

Use secure transmission methods (for example, a state portal, encrypted transfer, or a dedicated registry interface) and keep a record of each disclosure. Document the receiving Public Health Authority, the purpose of the disclosure, and the data elements released to demonstrate compliance and accountability.

Reporting Birth Defects Under HIPAA

What information you can share

For birth defects reporting, PHI may include patient identifiers, maternal and birth details, diagnostic codes (such as ICD-10-CM Q00–Q99), clinical summaries, laboratory and imaging results, and follow-up outcomes. You can include sensitive clinical details when they are necessary for accurate case ascertainment by a Birth Defects Registry or a Genetic Disease Screening Program.

When patient authorization is not required

Patient or parent authorization is not required when you report to a legally authorized Public Health Authority. HIPAA allows these disclosures to support surveillance, case investigation, and program evaluation, provided you share only what is needed and follow secure transmission practices.

Operationalizing reporting in your workflow

• Identify reportable diagnoses and outcomes (for example, structural anomalies, chromosomal conditions, and other congenital disorders defined by your state’s program).
• Embed reporting triggers in the EHR (e.g., discharge diagnoses, abnormal screening results, or specialist-confirmed conditions) to prompt timely submission.
• Transmit data using the state’s approved pathway—electronic interfaces, secure portals, or standardized forms—while applying minimum necessary.
• Track submissions and reconcile any data quality queries from the Public Health Authority to ensure complete, accurate congenital conditions reporting.

State Laws and Birth Defect Reporting

The role of state reporting mandates

State Reporting Mandates define which conditions are reportable, who must report, what data to include, and the reporting timeframe. Hospitals, birthing centers, obstetric and pediatric practices, genetics clinics, and laboratories are common reporters. Some states operate active surveillance (state staff abstract records), while others require passive reporting by providers and facilities.

How HIPAA interacts with state law

HIPAA establishes a federal privacy floor and generally defers to state public health reporting laws. When a state requires birth defects reporting, your disclosure is “required by law” and permitted by HIPAA. When state law permits but does not compel reporting, HIPAA still allows the disclosure to a Public Health Authority for public health purposes.

Reporting Requirements Vary by State

Key variables to confirm locally

• Reportable conditions: structural defects, chromosomal abnormalities, inborn errors of metabolism, and conditions detected through newborn bloodspot or hearing screening.
• Case definitions and timing: whether reports include live births only or also stillbirths, pregnancy terminations for fetal anomaly, and diagnoses made after the newborn period.
• Reporters: responsible clinicians, hospitals, outpatient surgical centers, laboratories, or specialty clinics.
• Data elements: identifiers, maternal and infant demographics, prenatal exposures, diagnostic codes, clinical notes, procedures, and follow-up outcomes.
• Submission timelines: deadlines from birth, diagnosis, or discharge (e.g., within 30–90 days, as specified by the state).
• Submission methods: secure web portal, EHR-based electronic feeds, or standardized forms accepted by the Birth Defects Registry.

Practical steps to stay compliant

• Create an internal matrix mapping state requirements to workflows (coding, abstraction, submission, and reconciliation).
• Build EHR lists for ICD-10-CM Q00–Q99 codes and newborn screening results to automate case identification.
• Designate a reporting lead to monitor acknowledgments, correct errors, and manage data quality queries from the Public Health Authority.
• Retain documentation of submissions and responses to meet audit and quality assurance expectations.

HIPAA and State Reporting Laws

HIPAA preemption and the “more stringent” test

HIPAA Preemption means federal rules override contrary state laws unless the state law is more stringent on privacy or falls within specific public health exceptions. Reporting laws for birth defects and related surveillance activities typically fall within those exceptions, so they are not preempted. In practice, follow the state mandate for what to report and HIPAA for how to protect it.

Required vs. permitted disclosures

• Required by law: If a statute or regulation obligates reporting, disclose the elements the law specifies and meet the prescribed timelines.
• Permitted for public health: If the request is not mandatory but originates from a Public Health Authority, you may disclose PHI that is reasonably necessary for the stated purpose, applying minimum necessary.

Business associates and data sharing

Business associates (for example, your EHR vendor or a data submission service) may facilitate reporting if your agreements authorize them to support public health disclosures. Ensure contracts allow these activities, use secure transmission, and keep an audit trail of submissions.

Reporting Birth Defects in California

Programs you may interact with

• Birth Defects Registry: The state public health department conducts surveillance to identify and track congenital anomalies, often combining active case-finding with data submitted by providers and facilities.
• Genetic Disease Screening Program: Newborn and prenatal screening results feed into public health follow-up, and providers and laboratories share information needed to confirm diagnoses and coordinate care.

Who must report and what to include

• Reporters commonly include hospitals, birthing centers, pediatric subspecialists, genetics clinics, and laboratories.
• Typical data elements include infant and maternal demographics, dates of birth and diagnosis, relevant prenatal exposures, diagnostic codes, test results, imaging and operative notes, and follow-up outcomes.

When and how to report

Submit within the timelines specified by the state (often tied to birth, discharge, or diagnosis) using the state’s approved pathway. In areas where state staff conduct active case abstraction, promptly respond to requests and provide access to medical records as allowed under HIPAA and state law.

HIPAA alignment

Disclosures to California’s public health programs for birth defects surveillance and newborn/prenatal screening are permitted without authorization. Apply minimum necessary, use secure channels, and retain submission logs to demonstrate compliance.

Reporting Birth Defects in Alaska

Programs you may interact with

• Birth Defects Registry: Alaska’s public health program monitors congenital anomalies to guide prevention, clinical follow-up, and resource planning.
• Newborn Screening and related follow-up: Providers and laboratories share results and confirmatory data to ensure timely diagnosis and treatment.

Who must report and what to include

• Hospitals, birthing facilities, pediatric and specialty clinics, and laboratories are commonly designated reporters.
• Include identifiers, maternal and infant demographics, clinical summaries, diagnostic codes, and relevant laboratory and imaging findings necessary for case confirmation.

When and how to report

Report within the state-specified timeframe using the approved submission route (secure portal, electronic feed, or standardized form). Maintain records of each disclosure and promptly address any data quality queries from the Public Health Authority.

HIPAA alignment

Disclosures to Alaska’s Public Health Authority for congenital conditions reporting are permitted without patient authorization. Limit to the minimum necessary and ensure secure transmission and documentation.

FAQs.

What information can providers share about birth defects under HIPAA?

You may share PHI that is necessary for public health surveillance and case investigation, including identifiers, demographics, diagnostic codes, laboratory and imaging results, and clinical summaries. Provide the elements your state program requests or requires, limiting to the minimum necessary to meet that purpose.

Is patient authorization required for birth defect reporting?

No. HIPAA permits disclosures to a legally authorized Public Health Authority for public health activities without patient or parent authorization. Always use secure submission methods and document the disclosure.

How do state laws interact with HIPAA for birth defect reporting?

State Reporting Mandates define what must be reported and by whom. HIPAA does not preempt these public health reporting laws; instead, it permits you to disclose the required information and sets privacy and security expectations for how you disclose it.

What are the consequences of non-compliance with birth defect reporting requirements?

Consequences may include state administrative penalties, licensure or accreditation risks, and remediation obligations. Operationally, missing or late reports can impair surveillance, delay patient follow-up, and increase audit findings. Embed clear workflows to ensure complete and timely reporting.