Most DAWN hospitals are covered by Federal regulations that protect the privacy of individually identifiable health information. These regulations, issued pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), are commonly known as the "HIPAA Privacy Rule."

Many hospitals have questions about how it is possible to participate in DAWN and comply with the HIPAA Privacy Rule. This section provides answers to the most common questions about DAWN and HIPAA.

Is participation in DAWN permitted under HIPAA?
Yes. Disclosure of protected health information to DAWN is permitted under the Federal privacy standards. The "Privacy Rule" — at 45 CFR 164.512(b)(1) — permits covered entities (hospitals) to disclose protected health information - without patient authorization - to a public health authority authorized by law to receive such information for the purpose of public health surveillance. The Substance Abuse and Mental Health Services Administration (SAMHSA) is a public health authority authorized by law (Section 505 of the Public Health Service Act) to collect data from hospitals on drug-related emergency department visits. Westat operates DAWN under contract to SAMHSA, thereby serving as a public health authority for the purpose of collection and processing DAWN data.

Consistent with the Privacy Rule, we request only the minimum information necessary to fulfill DAWN's function as a public health surveillance system. Data are used only for public health and associated statistical purposes (e.g., for monitoring trends in drug-related morbidity). SAMHSA and Westat are prohibited by Federal law from using DAWN data for any other purpose.

Do we need to sign a Business Associate Agreement with Westat?
No. Under the Privacy Rule, covered entities may disclose protected health information to legally sanctioned public health authorities that are not business associates. For example, hospitals routinely disclose protected health information to public health agencies that track infectious diseases. Receipt of such disclosures does not make those agencies business associates of the hospital.

Are there protections on our data once they are submitted to DAWN?
Yes. SAMHSA and its agents are bound by the confidentiality provisions in Section 501(n) of the Public Health Service Act (42 U.S.C. 290aa) and in Title V of the E-Government Act of 2002 (P.L. 107-347). These laws prohibit SAMHSA from using identifiable information for any purpose other than the purpose for which it was collected, without the consent of the establishment or individual providing the information. SAMHSA collects and uses DAWN data only for public health surveillance, to monitor drug-related morbidity at the local and national levels. Identifiable data are used only for these purposes; data are released only in de-identified form; and information is published only in aggregate form. Unlawful disclosures of information by employees of SAMHSA or Westat are subject to stiff penalties of up to 5 years in prison and fines of up to $250,000.

Can Westat help us account for disclosures to DAWN?
Yes. Under the Privacy Rule, covered entities must account for disclosures of protected health information for public health. Westat can produce an accounting of disclosures for DAWN that fully complies with the Privacy Rule’s accounting provisions as interpreted by the Office for Civil Rights, the agency responsible for HIPAA implementation and enforcement. Such an accounting can be made available to you upon or request, or on a set schedule of your choosing.