Communicable Disease Reporting: CDC NNDSS + State Health Department Requirements
8 min read · Last reviewed May 23, 2026
Every state designates licensed healthcare providers and laboratories as mandatory reporters of specified communicable diseases. The federal framework is 42 USC § 247b (the federal Public Health Service Act surveillance authority) and the CDC's National Notifiable Diseases Surveillance System; the operative duty lives in state reportable-disease regulations. HIPAA at 45 CFR § 164.512(b) permits the disclosure without patient authorization.
What triggers the duty to report
The duty triggers on diagnosis — clinical, laboratory-confirmed, or both — of a condition on the state's reportable-disease list. The reportable-disease list is published by each state's department of public health and updated regularly. The federal NNDSS list, maintained by CDC in coordination with CSTE, is the recommended baseline. State lists generally include the federal baseline plus state-specific additions (regional vectors, locally endemic conditions, novel agents).
Reportable conditions break into four general categories:
- Immediately reportable — single case of a high-consequence agent (anthrax, plague, smallpox, viral hemorrhagic fevers, novel influenza, measles in many states, suspected outbreak of any kind). Report by phone within hours, often before laboratory confirmation.
- Reportable within 24 hours — pertussis, meningococcal disease, foodborne outbreaks, hepatitis A in food-handlers, certain healthcare-associated infections.
- Reportable within 7 days — most STIs, HIV, tuberculosis, hepatitis B and C, salmonella, shigella, giardia.
- Annually or summarily reportable — chronic conditions with surveillance use (lead poisoning, certain cancers via state cancer registries — these run on registry timelines).
What clinicians most often miss is that the duty triggers on clinical suspicion of a high-consequence condition before laboratory confirmation. A clinician who sees a patient with classic measles symptoms and exposure history must phone the local health department immediately — the state does not want to learn about the case three days later when the lab confirms IgM.
Who must report
Communicable-disease reporting in every state extends to:
- Physicians, PAs, nurse practitioners
- Registered nurses, school nurses, public health nurses
- Clinical laboratory directors and pathologists
- Hospital infection preventionists
- Long-term care facility administrators
- Veterinarians (for zoonotic conditions — rabies, plague, brucellosis)
- Dialysis centers (for HCV, HBV, and bloodstream infection surveillance)
- Coroners and medical examiners
State reportable-disease regulations typically impose parallel duties on the clinician and the laboratory — each must report independently. Some states (CA, NY) also impose a duty on the patient's school, employer, or institutional setting for selected conditions.
State-by-state framework (top 10 by population)
| State | Reporter Class | Timeline | Statute | |---|---|---|---| | California | Healthcare providers + labs | Immediate / 1 working day / 7 days by condition | 17 CCR § 2500–§ 2643 | | Texas | Physicians, healthcare facilities, labs | Immediate / 1 working day / 1 week by condition | 25 TAC § 97.1–§ 97.13 | | Florida | Practitioners + labs + facilities | Immediate / next business day / 3 days by condition | FL Stat. § 381.0031; Rule 64D-3 | | New York | Healthcare providers + labs | Immediate / 24 hours / 1 week by condition | 10 NYCRR § 2.10–§ 2.14 | | Pennsylvania | Healthcare providers + labs + schools | Immediate / 24 hours / 5 work days | 28 Pa. Code § 27.21–§ 27.34 | | Illinois | Healthcare providers + labs | Immediate / next business day / 7 days | 77 Ill. Adm. Code § 690 | | Ohio | Healthcare providers + labs | Immediate / 24 hours / by Friday of week | OAC 3701-3-02 | | Georgia | Physicians + labs | Immediate / 7 days by condition | OCGA § 31-12-2; Rule 511-2-1 | | North Carolina | Physicians + labs | Immediate / 24 hours / 7 days | 10A NCAC 41A.0101 | | Michigan | Healthcare providers + labs | Within 24 hours of identification | MCL 333.5111; Mich. Adm. Code R 325.173 |
The conditions on the list vary slightly. Universally reportable across all 50 states are tuberculosis, syphilis, gonorrhea, HIV/AIDS, hepatitis A/B/C, measles, mumps, rubella, pertussis, meningococcal disease, salmonella, shigella, E. coli O157:H7, Lyme disease (where endemic), and the federal high-consequence list (anthrax, plague, smallpox, viral hemorrhagic fevers, novel influenza).
Timeline
The tiered timeline is universal: immediate phone for high-consequence agents, 24-hour for high-priority infections, weekly for routine STIs and bloodborne pathogens. The clock starts at the moment of diagnosis or clinical suspicion (for immediately reportable conditions), not the end of the shift.
Outbreak situations layer separately. A cluster of two or more linked cases — even of a non-reportable condition — usually triggers an outbreak-reporting duty in addition to the individual case reports. California 17 CCR § 2500(b) and Texas 25 TAC § 97.3 both impose explicit outbreak-reporting duties.
What to report and how
The report should include the patient's name, date of birth, address, contact information, and demographic data; the diagnosis with date of onset and date of diagnosis; the laboratory result if confirmed; the suspected exposure history and source where known; the clinician's name, credentials, and contact information; and treatment initiated.
Modern state reporting systems use electronic case-reporting (eCR) through interoperability standards (HL7 FHIR, eHealth Exchange). The CDC's eCR initiative routes case reports to state, tribal, local, and territorial public health agencies; the federal authority for national public-health situational awareness and electronic information sharing is 42 USC § 247d-4, supported by CDC and ONC operational eCR guidance. Where eCR is enabled, the EHR sends the case-report message — the clinician's manual phone-report duty for immediately reportable conditions remains.
Federal vs state framework
The federal scaffolding:
- 42 USC § 247b — federal Public Health Service Act surveillance authority; funds state and local public health surveillance.
- CDC NNDSS at www.cdc.gov/nndss/ — national notifiable disease list maintained with the Council of State and Territorial Epidemiologists.
- 42 USC § 247d — Public Health Emergency authority (used for COVID-19, mpox, and other declared emergencies).
- 21st Century Cures Act and the HHS Promoting Interoperability program — incentivize electronic case reporting from EHRs.
The federal framework recommends and incentivizes. The operative reporter duty lives in state law. CDC receives the case data from the state, not from the clinician.
Penalties for failure to report
- California — Failure to report under Health & Safety Code § 120295 is a misdemeanor; civil penalties also attach. Repeat failure supports Medical Board discipline.
- Texas — Failure to report under Health & Safety Code § 81.049 is a Class B misdemeanor for the first offense, escalating to Class A on subsequent offenses, with mandatory Texas Medical Board review.
- Florida — F.S. § 381.0031(7) makes failure to report a second-degree misdemeanor, with parallel professional license discipline through the Department of Health.
- New York — Public Health Law § 12 imposes civil penalties up to $2,000 per violation; license discipline through the Office of the Professions.
- Illinois — 410 ILCS 315/2 and 77 Ill. Adm. Code § 690 violations are petty offenses with license review through IDFPR.
Federal funding eligibility is also at risk. State health departments that fail to maintain surveillance data quality risk reduction or loss of federal cooperative-agreement funding under 42 USC § 247b — which trickles down to provider reporting compliance as a state oversight priority.
HIPAA permissible disclosure
The dispositive HIPAA carve-out for communicable-disease reporting:
- 45 CFR § 164.512(b)(1)(i) — disclosure to a public health authority authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability. State reportable-disease statutes are the "authorized by law" anchor. No patient authorization is required.
- 45 CFR § 164.512(b)(1)(iv) — disclosure to a person who may have been exposed to a communicable disease, where the covered entity is authorized by law to notify the person.
- 45 CFR § 164.512(b)(1)(v) — disclosure to an employer about a workforce member or workplace exposure where the disclosure is required by the OSHA Bloodborne Pathogens Standard or state law.
The minimum-necessary standard at 45 CFR § 164.502(b) applies — disclose the data the report requires, not the entire chart. Log the disclosure under 45 CFR § 164.528.
42 CFR Part 2 substance use disorder records require a separate analysis. The Part 2 rule at 42 CFR § 2.12(c)(1) permits limited disclosures to medical personnel in a bona fide medical emergency; communicable-disease reporting from a Part 2 program may require additional patient authorization or a court order in some scenarios, though SAMHSA has clarified that mandatory state-law reporting falls within Part 2's audit and evaluation carve-outs in most cases.
How d3rx fits
The d3rx compliance binder maintains the communicable-disease reporting workflow inside the disclosure module: the state reportable-disease list with cadence indexed by ICD-10, the eCR enablement checklist, the immediate-versus-24-hour-versus-7-day decision tree, the accounting-of-disclosures entry, and the multi-state matrix for telehealth practices. d3rx is an administrative documentation aid. It does not file the report and does not replace counsel.
D3rx compliance guides are administrative documentation aids. They do not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — Communicable Disease Reporting: CDC NNDSS + State Health Department Requirements. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Do I need patient consent to report a positive STI test to the health department?
No. HIPAA at [45 CFR § 164.512(b)(1)(i)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.512) permits disclosure to a public health authority authorized by law to collect or receive information for preventing or controlling disease. State reportable-disease statutes — CA Title 17 CCR § 2500, TX Title 25 TAC § 97.1, NY 10 NYCRR § 2.10 — are the 'authorized by law' hook. No patient authorization is required. The disclosure must still be the minimum necessary and logged in the accounting register where applicable.
The lab already reported the positive result. Do I have to report too?
In most states, yes — the clinician and the laboratory each have independent reporting duties. CA Title 17 CCR § 2505 requires laboratory reporting; CCR § 2500 imposes the parallel clinician duty. TX Title 25 TAC § 97.3 and § 97.5 do the same. Coordinated reporting is the safer posture: the lab reports the laboratory result; the clinician reports the clinical case with epidemiologic context — symptoms, exposure history, treatment, contact tracing capacity. Both reports support the disease surveillance program.
What if my patient asks me not to report a reportable communicable disease?
The duty stands. State reportable-disease statutes do not give the patient a veto. The public-health justification overrides the privacy interest as a matter of statute — and HIPAA expressly contemplates the override at [45 CFR § 164.512(b)](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.512). Document the patient's expressed concerns and your discussion of the legal obligation in the chart. Then file the report. Patient counseling about partner notification and contact tracing belongs in the clinical encounter, not as a substitute for the report.
Does the HIV diagnosis go to the health department the same way as a strep throat outbreak?
Conceptually similar — practically different. HIV diagnoses are reportable in every state, but the data flow runs through a specially designated HIV/AIDS surveillance system with stricter access controls. CA Health & Safety Code § 121022 imposes confidentiality protections that exceed the general reportable-disease pathway. Several states (CA, NY, IL, TX) prohibit redisclosure of HIV/AIDS surveillance data to non-public-health entities even where general communicable-disease data is more freely shared.
Are we required to report under the federal CDC NNDSS or to the state?
The state. The CDC's [National Notifiable Diseases Surveillance System](https://www.cdc.gov/nndss/) collects state-reported case data — the state is the reporter to CDC, not the clinician. The Council of State and Territorial Epidemiologists (CSTE) and CDC publish the annual NNDSS notifiable conditions list as the federal recommendation. Individual states then decide which conditions to add or remove. The clinician's duty is owed to the state and local health department; the state's duty is owed to CDC.
We treat patients across state lines via telehealth. Which state's reportable disease list applies?
Generally the state where the patient is physically located at the time of the encounter, not the provider's state of licensure. State reportable-disease rules attach to the patient's residence and the public-health agency with surveillance jurisdiction. A California-licensed physician treating a Nevada-resident patient via telehealth typically reports to the Nevada Division of Public and Behavioral Health on Nevada-reportable conditions. Build a multi-state reporting matrix into the telehealth compliance binder; do not assume the provider's state controls.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- National Notifiable Diseases Surveillance Systemhttps://www.cdc.gov/nndss/
- 45 CFR § 164.512(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.512
- 42 USC § 247d-4https://uscode.house.gov/view.xhtml?req=title:42%20section:247d-4%20edition:prelim
- Promoting Interoperabilityhttps://www.cms.gov/regulations-guidance/promoting-interoperability
- 45 CFR § 164.502(b)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.502
- 45 CFR § 164.528https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.528
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Mandatory Child Abuse Reporting for Healthcare Providers (Federal + 50-State Overview)
9 min readState ComplianceCalifornia Healthcare Compliance: CMIA + HIPAA — Where They Diverge
9 min readEmergency ResponseHIPAA Subpoena Response: Court Order vs Administrative Subpoena (45 CFR § 164.512)
8 min readRelated across the archive
- ComplianceAccounting of Disclosures (45 CFR § 164.528): Tracker + ProcedureA 2026 HIPAA Accounting of Disclosures procedure citing 45 CFR § 164.528 — the six-year lookback, what to log, exclusions, and a copy-ready tracker template.
- ComplianceMandatory Child Abuse Reporting for Healthcare Providers (Federal + 50-State Overview)Federal CAPTA + state mandates: who reports, what triggers the duty, timeline, penalties, and the 45 CFR § 164.512(b)/(c) HIPAA carve-outs that permit disclosure to CPS.
- RegulationHIPAA Accounting of Disclosures (45 CFR 164.528)Individuals may request an accounting of disclosures of their PHI made by a covered entity in the prior six years, with a defined list of exclusions.
- ComplianceCalifornia Healthcare Compliance: CMIA + HIPAA — Where They DivergeCalifornia's CMIA (Civ. Code §§ 56–56.37) vs HIPAA: stricter consent, 5-working-day inspection / 15-day copy access, private right of action, up to $25k per knowing-and-willful violation + misdemeanor exposure.
- ComplianceHIPAA Subpoena Response: Court Order vs Administrative Subpoena (45 CFR § 164.512)Court order, civil subpoena, grand-jury subpoena, DEA administrative demand — each triggers a different HIPAA response path. Identify the type before you produce a single record.
- SRAHIPAA Security Rule vs Privacy Rule: A Plain-English MapWhat the Security Rule at 45 CFR Part 164 Subpart C does, what the Privacy Rule at Subpart E does, where they overlap, and which rule the SRA actually answers to.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.
- Glossary60-Day Overpayment RuleACA requirement that Medicare and Medicaid overpayments be reported and returned within 60 days of identification.