Monkeypox (Mpox) Patient Data Privacy: HIPAA Rules, Reporting, and Your Rights
When you seek care for monkeypox (mpox), sensitive details about your health become Protected Health Information (PHI). This guide explains how HIPAA works during outbreaks, what must be reported for public health surveillance, and how you can exercise your privacy rights while meeting infectious disease reporting needs.
HIPAA Privacy Rule During Public Health Emergencies
HIPAA continues to apply during emergencies. The Privacy Rule permits—but does not require—covered entities and business associates to share PHI for defined purposes that help prevent or control disease while safeguarding your privacy.
Key principles you can expect
- Minimum necessary: Except where a law requires specific reporting, your data should be limited to the minimum necessary to achieve the public health purpose.
- Public health purposes: Disclosures to authorized health departments for public health surveillance, investigations, and interventions are allowed without your authorization.
- Treatment and care coordination: Providers may share PHI for your treatment, including with labs and other clinicians involved in your care.
- HIPAA Authorization Exceptions: When reporting is required by law or permitted for public health, providers do not need your signed authorization.
These guardrails balance rapid response during an outbreak with your data privacy, ensuring disclosures support prevention, case finding, and Health Department Notifications—not broad, unnecessary sharing.
Public Health Reporting Requirements
States and territories set Infectious Disease Reporting rules. Mpox is reportable, so your provider and clinical laboratory must follow state and local Health Department Notifications and Laboratory Reporting Requirements.
Who reports and when
- Healthcare providers and hospitals: Report suspected, probable, and confirmed cases to the local or state health department within timelines set by jurisdiction (often same day or within 24 hours).
- Clinical laboratories: Report positive Orthopoxvirus or mpox PCR results promptly as required; some jurisdictions specify electronic laboratory reporting formats.
How reporting occurs
- Channels: Phone, secure web portals, electronic case reporting from EHRs, or structured electronic lab reporting from LIMS.
- Scope: Only information required or reasonably necessary for the public health purpose should be transmitted.
Providers should confirm local requirements regularly, because deadlines, forms, and Laboratory Reporting Requirements vary by jurisdiction.
Data Elements for Monkeypox Case Reporting
While specific forms differ by health department, these are commonly requested data elements to support case investigation and public health surveillance. Providers and labs should share only what is required by law or the minimum necessary for the stated purpose.
Patient identifiers and demographics
- Full name, date of birth, address, phone, and preferred language.
- Sex assigned at birth, gender identity, race, and ethnicity (to monitor disparities and tailor outreach).
Clinical presentation
- Date of symptom onset; rash distribution and stage; systemic symptoms (fever, lymphadenopathy, pain).
- Hospitalization status, severity markers, complications, and outcomes.
Exposure and risk information
- Close contacts; household and sexual contacts; congregate settings; travel or event attendance during exposure window.
- Occupational risks and healthcare exposures.
Vaccination and medical factors
- Mpox (JYNNEOS) vaccination dates and doses; prior smallpox vaccination if known.
- Underlying conditions relevant to disease course (e.g., immunocompromising conditions), disclosed only as necessary.
Laboratory data
- Specimen type (e.g., lesion swab), collection date, test method (PCR), and result (including cycle threshold where required).
- Performing laboratory details to meet Laboratory Reporting Requirements.
Treatments and outcomes
- Antivirals provided (e.g., tecovirimat), pain management, supportive therapy.
- Recovery date, persistent symptoms, or death (with date).
Contact tracing facilitation
- Information needed by public health to notify contacts and interrupt transmission, shared under permitted public health authority disclosures.
Permitted Disclosures Under HIPAA
HIPAA identifies specific circumstances when PHI may be disclosed without your authorization, many of which are relevant during an mpox response.
- To public health authorities authorized by law for surveillance, case investigation, contact notification, and interventions.
- To persons at risk of contracting or spreading disease when authorized by law to enable exposure notifications and protective measures.
- To health oversight agencies for audits or inspections related to public health programs.
- To family, friends, or others involved in your care when consistent with your preferences or, when you are incapacitated, when in your best interests.
- To avert a serious and imminent threat to health or safety, consistent with applicable law and ethical standards.
- For research under an Institutional Review Board or privacy board waiver, or by sharing a de-identified dataset or a limited data set under a data use agreement.
- To law enforcement only under specific conditions (e.g., when required by law or to comply with a court order), never as a blanket disclosure.
Minimum necessary applies to most of these uses and disclosures. When a law specifies exactly what must be reported, covered entities follow that law.
Limited Waivers of HIPAA Provisions
During declared emergencies, Emergency Waiver Provisions under Section 1135 of the Social Security Act may temporarily waive sanctions and penalties for limited Privacy Rule requirements at hospitals that have activated disaster protocols in the emergency area.
What may be waived and for how long
- Obtaining a patient’s agreement to speak with family or friends involved in care.
- Honoring a request to opt out of a facility directory.
- Distributing a Notice of Privacy Practices at the time of service.
- Honoring a request for restrictions on disclosures.
- Honoring a request for confidential communications.
These limited waivers generally apply for up to 72 hours from when the hospital implements its disaster protocol and do not suspend the core Privacy Rule or Security Rule. They also do not broadly permit disclosures beyond what HIPAA otherwise allows.
Patient Rights in Data Privacy
Your rights remain in force during outbreaks. You can exercise these even while reporting and response activities proceed.
- Access and copies: You may access your records and obtain a paper or electronic copy, typically within 30 days of your request.
- Amendment: You can request corrections if information is inaccurate or incomplete; denials must include a written explanation and appeal process.
- Accounting of disclosures: You may request an accounting of certain disclosures (such as public health disclosures) for up to six years prior to your request.
- Restrictions: You can ask to restrict disclosures; providers must honor your request to withhold information from your health plan when you pay for an item or service in full out of pocket, if feasible.
- Confidential communications: You can request communications at an alternative address or via a preferred method when reasonable.
- Notice and complaints: You are entitled to a Notice of Privacy Practices and may file complaints with your provider’s privacy officer or the appropriate authorities if you believe your privacy rights were violated.
Compliance Best Practices for Healthcare Providers
Providers can meet Infectious Disease Reporting needs while protecting patient privacy by building practical, auditable workflows.
- Map legal obligations: Maintain a current inventory of state and local Health Department Notifications and Laboratory Reporting Requirements for mpox.
- Verify requestors: Confirm the identity and authority of public health officials before disclosing PHI.
- Apply minimum necessary: Transmit only required or purpose-driven data; use role-based access and data segmentation in EHRs.
- Standardize data: Use structured fields for vaccination dates, specimen type, onset dates, and outcomes to improve data quality.
- Secure transmissions: Prefer encrypted portals or secure direct messaging; log what was sent, to whom, and when.
- Train and test: Provide just-in-time training on HIPAA Authorization Exceptions and emergency procedures; run tabletop exercises for surge scenarios.
- Manage business associates: Ensure BAAs cover reporting support, secure transport, and breach notification duties.
- Monitor and improve: Conduct periodic audits, reconcile lab and case reports, and promptly address gaps or incidents.
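As an added example, not from this article or from any vendor's product, the following Python sketch implements the two practices above that are easiest to automate: a minimum-necessary filter that releases only the fields a stated purpose requires, and a disclosure log that records what was sent, to whom and when, which also feeds the accounting-of-disclosures right described earlier. The field names, the per-purpose allow-lists and the sample record are constructed assumptions; the actual required fields come from the jurisdiction.

```python
"""Minimum-necessary disclosure filter plus accounting-of-disclosures log.
Added example; field names, allow-lists and the sample record are constructed."""
from datetime import datetime, timezone

# Constructed allow-lists: what a hypothetical jurisdiction requires for
# each purpose. Real requirements vary; confirm them with the health department.
REQUIRED_FIELDS = {
    "case_report": {"full_name", "date_of_birth", "address", "phone",
                    "symptom_onset", "rash_stage", "hospitalized",
                    "jynneos_doses", "specimen_type", "collection_date",
                    "test_method", "result"},
    "contact_notification": {"full_name", "phone", "symptom_onset"},
}

def minimum_necessary(record, purpose):
    """Return only the fields the stated purpose requires. An unknown
    purpose yields nothing rather than defaulting to the full record."""
    allowed = REQUIRED_FIELDS.get(purpose, set())
    return {k: v for k, v in record.items() if k in allowed}

def disclose(record, purpose, recipient, log, now=None):
    """Build the outgoing payload and append a log entry naming the
    recipient, purpose, time and field names (never values) sent."""
    payload = minimum_necessary(record, purpose)
    log.append({
        "when": (now or datetime.now(timezone.utc)).isoformat(),
        "to": recipient,
        "purpose": purpose,
        "fields": sorted(payload),      # names only, keeps the log low-risk
        "patient_ref": record["mrn"],   # internal id, not a direct identifier
    })
    return payload

# Constructed sample record holding more than any single report needs.
SAMPLE = {"mrn": "MRN-0001", "full_name": "A. Patient", "date_of_birth": "1990-01-01",
          "address": "1 Main St", "phone": "555-0100", "symptom_onset": "2024-03-01",
          "rash_stage": "vesicular", "hospitalized": False, "jynneos_doses": 2,
          "specimen_type": "lesion swab", "collection_date": "2024-03-03",
          "test_method": "PCR", "result": "positive", "ct_value": 22.5,
          "hiv_status": "positive", "sexual_contacts": ["B. Contact"]}

if __name__ == "__main__":
    audit = []
    print(disclose(SAMPLE, "case_report", "State Health Dept", audit))
    print(audit)
```

Sensitive fields not on the allow-list (here the cycle threshold, HIV status and named contacts) never leave the record, and the log entry can later be reproduced for a patient's accounting request.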
Conclusion
Mpox response depends on timely reporting and robust privacy. HIPAA enables targeted data sharing for public health surveillance while preserving your core rights. By following minimum-necessary principles and clear reporting rules, providers protect patients and communities at the same time.
FAQs
How does HIPAA apply during a public health emergency?
HIPAA still applies. The Privacy Rule permits disclosures without authorization to public health authorities to prevent or control disease, and it allows sharing for treatment and other defined purposes. Most uses remain subject to the minimum necessary standard, except when a law specifically requires certain disclosures.
What information must be reported for monkeypox cases?
Requirements vary by jurisdiction, but reports typically include patient identifiers and demographics, symptom onset and clinical details, exposure history, vaccination status, laboratory results, treatments, and outcomes. Providers and labs should follow local rules and share only what is required or reasonably necessary.
Can patient authorization be bypassed for reporting purposes?
Yes. When reporting is required by law or permitted to an authorized public health authority for surveillance, investigation, or intervention, HIPAA does not require patient authorization. Disclosures should still follow the minimum necessary principle unless a law specifies exactly what must be reported.
What rights do patients have concerning their monkeypox data privacy?
You retain the right to access your records, request amendments, obtain an accounting of certain disclosures, request restrictions (including withholding from your health plan when you pay out of pocket in full), and ask for confidential communications. You also have the right to a privacy notice and to file complaints if you believe your rights were violated.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.