
Slide 1

Health Insurance Portability and Accountability Act

HIPAA: An Overview

Welcome to this lesson, HIPAA: An Overview, which provides public health professionals with a summary of the Health Insurance Portability and Accountability Act.

Slide 2 Learning Objectives

• Describe the Health Insurance Portability and Accountability Act of 1996

• Discuss the Privacy Rule and its purpose

• Determine when private information can or cannot be disclosed

• Explain how HIPAA and the Privacy Rule affect public health practice and research

After completing this lesson, you should be able to:

• Describe the Health Insurance Portability and Accountability Act of 1996;

• Discuss the Privacy Rule and its purpose;

• Determine when private information can or cannot be disclosed; and

• Explain how HIPAA and the Privacy Rule affect public health practice and research.

Slide 3 Overview

• HIPAA Overview

• Privacy Rule

– Protected Health Information (PHI)

– Covered Entities

– Disclosure of PHI

– Compliance with HIPAA

• Security Rule

• HIPAA and Public Health

– Practice

– Research

In this discussion, we will explain HIPAA and give you a brief background of the law. We will then cover the Privacy Rule, a component of HIPAA that governs the way in which employees in the healthcare industry collect, use, and store data. We’ll define and explain terminology such as protected health information, which will be referred to as PHI, and covered entities, meaning those agencies subject to HIPAA regulations. Then we’ll discuss disclosure of protected information, how to comply with HIPAA, and what can happen if you do not comply with HIPAA. Next we will talk about the Security Rule, which governs the protection of individual health data that is transmitted electronically. We will conclude the presentation with a discussion of how HIPAA affects public health practice and research.

Slide 4 What is HIPAA?

• Health Insurance Portability and Accountability Act of 1996

• Federal law passed by Congress to improve health care delivery

• Purpose:

– Allow individuals to keep health insurance during job loss or change

– Set standards for electronic transactions of health-care related information

In 1996 Congress passed HIPAA, the Health Insurance Portability and Accountability Act. That law gave Congress 3 years to pass comprehensive health privacy legislation. After three years of discussion in Congress without passage of such a law, HIPAA provided the Department of Health and Human Services with the authority to craft such privacy protections. Usually the Department of Health and Human Services itself does not play a regulatory role, but in this case the legislation stated it would. The purpose of HIPAA was to set national standards for the protection of health information and improve health care delivery. Inconsistent and inadequate legislation on the local level meant that federal standards were needed to provide standardization of health information. HIPAA was originally envisioned to ensure the portability of health insurance when moving from job to job. For example, if one were to begin a new job in a different state before the enactment of HIPAA, the transfer of health information could be subject to 2 different standards. Additionally, as the use of computer databases became more widespread, there was the inevitable need to address how to protect data in electronic health care transactions.

Slide 5 HIPAA Background

• HIPAA sets a national minimum of basic privacy protection for individuals

• Many state laws are more stringent

• The more stringent law takes precedence

While HIPAA sets a national minimum level of basic privacy protection for individuals, there may be more stringent state and local laws that further protect the privacy of health information. When state and local laws are more stringent than HIPAA, the state and local laws should be followed. However, if state or local laws are less stringent than HIPAA, HIPAA must be followed.

Slide 6

THE PRIVACY RULE

Now let’s talk about one important provision of HIPAA, the Privacy Rule.

Slide 7 Privacy Rule

• Defines and limits the circumstances in which an individual’s protected health information may be used or disclosed by a covered entity and/or business associate.

Basically, the Privacy Rule ensures that an individual’s protected health information is only shared on a need-to-know basis. The Privacy Rule explicitly defines the circumstances when this information can be used or disclosed. The Privacy Rule became effective in 2001.

Slide 8 HIPAA Privacy Rule

• Sets national standards for ensuring the privacy of protected health information (PHI)

• Requires covered entities to implement measures that protect against the misuse of PHI

• Provides individuals with privacy rights and control over how their PHI is used

The Privacy Rule sets national standards for ensuring the privacy of protected health information. This protection of privacy occurs through the measures implemented by covered entities to defend against the misuse of protected health information. Additionally, the Privacy Rule is designed so that individuals have control over how their information is used. There is a lot of technical language being used in this presentation, and it’s important that we not get bogged down with the terminology. So let’s take a few moments to provide clear definitions of protected health information and covered entities.

Slide 9 Protected Health Information (PHI)

Individually identifiable health information held or transmitted in any form or medium (e.g., electronic, paper, or oral)

Protected health information, often referred to as PHI, is any individually identifiable health information held or transmitted in any form or medium, including electronic, paper, or oral, by a covered entity or business associate. We’ll talk more about covered entities in a moment, but first let’s look at exactly what type of information is considered PHI.

Slide 10 Protected Health Information (PHI)

• Information related to:

– Past, present, and/or future physical/mental health or condition,

– Provision of health care to an individual, or

– Payment for the provision of health care

• Individually identifiable information is:

– Name, geography, month & day of birth, telephone #, email address, SSN, health insurance account #s, photographs and more

Health information is information that relates to past, present and/or future physical or mental health; the provision of health care to an individual; or the payment for the provision of health care. To qualify as PHI, this information must be linked to an individual. Individually identifiable information, which is anything that can identify you, is also protected by HIPAA. For example, your name, all levels of geography smaller than the state in which you live, month & day of birth, telephone #, email address, social security number, and health insurance account numbers are all considered individually identifiable information under HIPAA.

Slide 11 Who Must Comply with the Privacy Rule?

“Covered Entities”

Health care providers, Health care clearinghouses, Health plans

(Business associate shown under each of the three)

So who is required to comply with the HIPAA Privacy Rule? The rule uses the term “covered entities” to refer to those who must comply. Covered entities fall into three categories: health care providers, health care clearinghouses, and health plans, together with the business associates of each, who are now fully and separately liable under the Privacy Rule. Let’s look at some examples of each.

Slide 12 Who Must Comply with the Privacy Rule?

“Covered Entities”

Health care providers:

• Hospitals/clinics

• Clinicians

• Dentists

• Pharmacies

• Nursing homes

Health care clearinghouses:

• Billing services and providers

Health plans:

• Individual or group health insurance

• HMOs

• Government health plans

Health care providers include hospitals and clinics, individual clinicians such as doctors, nurses, paramedics and dentists, pharmacies, and nursing homes. Health care clearinghouses usually refer to billing services and providers who work closely with the health care industry. Health plans include individual or group health insurance companies, health maintenance organizations or HMOs, and government health plans such as Medicare and Medicaid. We’ll talk more about what is required of covered entities later in this lesson.

Slide 13 Who Must Comply with the Privacy Rule?

“Covered Entities”

Health care providers, Health care clearinghouses, Health plans

Business associate (shown under each of the three):

• Perform functions or activities on behalf of/provide services to a covered entity

• Subcontractor

Not only are health care providers, health care clearinghouses and health plans considered covered entities but so are business associates of any of these covered entities. So what is a business associate? A business associate (or BA) is a person or entity that performs functions or activities on behalf of, or provides services to, a covered entity that involves access to protected health information. A BA is also a subcontractor that creates, receives, maintains or transmits PHI on behalf of another BA.

Slide 14 Privacy Rule Components

Boundaries

• PHI must only be used for healthcare purposes and specifically authorized purposes

Security

• PHI must only be disclosed on a need-to-know basis

Responsibility

• Ensures the privacy of personal health information

Accountability

• Those who misuse PHI subject to civil and criminal penalties

The Privacy Rule is made up of 4 primary components. It provides and defines boundaries that state that protected health information must only be used for healthcare purposes. However, there are situations, mainly under legal authority or authorization, where this protected information can be used for non-health related purposes. By setting these boundaries, the Privacy Rule ensures the security and confidentiality of protected health information, giving those who possess the information the responsibility of assuring this privacy. As with any regulation, those who do not uphold the standards set by HIPAA are subject to civil and criminal penalties.

Slide 15 Responsibilities of Covered Entities

• Notify individuals regarding their privacy rights and use/disclosure of PHI

• Adopt and implement privacy policies to ensure protection of PHI

• Designate employee(s) to implement policies and manage privacy-related complaints

• Train employees to understand these policies

• Establish privacy contracts with business associates performing covered functions

HIPAA outlines certain requirements for covered entities. They must:

• Notify individuals regarding their privacy rights and use/disclosure of PHI;

• Adopt and implement privacy policies to ensure the protection of PHI;

• Designate one or more employees to implement these policies and manage privacy-related complaints;

• Train employees to understand these new policies; and,

• Establish privacy contracts with business associates who are performing covered functions.

Slide 16 Rights of Individuals

• Receive access to their PHI

• Request amendments to their PHI

• Receive notice of disclosure/use of PHI

• Receive accounting of any disclosure/use of PHI upon request

• Request certain restrictions on use/disclosure of PHI*

* The covered entity is not obligated to agree to a request

HIPAA is unique in that it provides individuals rights to their own private health information. An individual can receive access to their own PHI and request amendments to their PHI. Individuals also have the right to receive notice and accounting whenever their PHI is used or disclosed. Additionally, an individual can request restrictions on use/disclosure of their PHI. However, it should be noted that the covered entity is not obligated to agree to a request.

Slide 17 Rights of Individuals, continued

• Give or deny authorization before PHI can be disclosed in connection with marketing communications that involve financial remuneration

• Revoke authorization for disclosure of PHI in connection with marketing communications

• Elect not to receive fundraising communications

Additional rights recently added include:

• the right to give or deny authorization before PHI can be disclosed in connection with marketing communications that involve financial remuneration;

• the right to revoke authorization for disclosure of PHI in connection with marketing communications; and

• the right to elect not to receive fundraising communications.

Slide 18 Rights of Individuals, continued

• Right to access a decedent’s information for family members and others who were involved in the care or payment for care of the decedent prior to death, unless expressly prohibited by the decedent

• Right to be notified following a breach of unsecured PHI

Other rights include:

• the right to access a decedent’s information for family members and others who were involved in the care or payment for care of the decedent prior to death, unless expressly prohibited by the decedent; and

• the right to be notified following a breach of unsecured PHI.

Slide 19 Disclosure of PHI

Covered entities may use or disclose information under 2 circumstances:

• Written permission granted by individual (or a representative) to whom information refers

• Disclosure permitted or required by Privacy Rule

We will now look more closely at ways that protected health information can be disclosed. Disclosure and use of protected health information by covered entities occur under 2 circumstances. First, when the individual, or a personal representative, to whom the information refers provides written permission approving the use or disclosure of information. It is important to note that verbal permission alone to use PHI does not adhere to HIPAA standards. Alternatively, PHI may be used or disclosed when required or permitted by the Privacy Rule.

Slide 20 Required Disclosure of PHI

• Individual or representative requests access to information

• HHS conducts a compliance investigation, review, or enforcement action

Required disclosure may occur when an individual or their representative requests access to their information, as mentioned earlier. Disclosure is also required when the U.S. Department of Health and Human Services conducts a compliance investigation, review, or enforcement action.

Slide 21 Permitted Disclosure of PHI

• To the patient

• Treatment, payment, and health care operations (TPO)

• Required by other federal, state, local, or tribal laws

• Public health

• Reporting of abuse, neglect, or domestic violence

• Law enforcement

• Decedents

• Health research

• Judicial and administrative proceedings

• Cadaveric organ, tissue, or eye donations

• Oversight organizations

• Worker’s compensation

• Business associates

Permitted use and disclosure of PHI, which does not require authorization from the individual, is allowed in the following circumstances: to the patient; by health care organizations for treatment, payment, and health care operations, sometimes referred to as TPO; when required by federal, state, local, or tribal law; for public health; when reporting abuse, neglect, or domestic violence; to law enforcement; to coroners and medical examiners about decedents; for health research; as a result of judicial and administrative proceedings; in cadaveric organ, tissue, or eye donations; for oversight organizations; in cases of worker’s compensation; and to business associates.

Slide 22 Minimum Necessary Rule

• Covered entities must limit the information they disclose to the “minimum necessary” to achieve the specified goal

• Does not apply to:

– Disclosures to health care providers for treatment purposes

– Requests by the individual

– Other disclosures required by law.

Most disclosure of PHI is guided by the minimum necessary rule, which states that covered entities must limit the information they disclose to the “minimum necessary” to achieve the specified goal. In other words, requesters should not receive more information than they need to know. This rule does not apply to: disclosures to health care providers for treatment purposes, requests by the individual, or other disclosures required by law. Let’s look at an example of a situation involving disclosure of PHI.

Slide 23 PHI Disclosure Situation 1

Can the hospital legally disclose the requested information?

Officer X, attempting to locate a suspect of a crime in the local community, asks the local hospital for information about the suspect, most of which is protected health information.

In this hypothetical situation, Officer X, who is attempting to locate a suspect of a crime in the local community, asks the local hospital for the information about the suspect, mainly his last known address, contact information, and when he was last admitted to the hospital. Most of this information is protected health information. Based on what you know about HIPAA, can the hospital legally disclose the requested information to law enforcement?

Slide 24 Situation 1 - Answer

• YES! Law enforcement is allowed certain PHI when investigating a crime.

• Because the officer is only trying to locate the suspect, the hospital may only disclose information about suspect’s location and identity

Yes, the hospital can provide the needed information to the officer. Even without a subpoena and without the patient’s authorization, law enforcement is allowed certain PHI when investigating a crime and trying to locate a suspect. However, because the officer is only trying to locate the suspect, the covered entity, in this case the hospital, may only disclose information concerning the location and identity of the suspect. The date the suspect was admitted to the hospital may seem like unnecessary information, but because it might help locate the suspect, disclosing it is permitted. When investigating serious crimes, law enforcement officials are urged to subpoena the necessary information to avoid any confusion as to what can be disclosed.

Slide 25 Compliance with HIPAA

• Mandatory compliance by April 2003 for all large-scale covered entities

• Compliance by April 2004 for small health plans

• Enforced by Office for Civil Rights (OCR), in the Department of Health & Human Services

• Compliance by Business Associates and Subcontractors by September 23, 2013

We have discussed the rights and responsibilities of individuals and covered entities, so let’s spend a few moments talking about the enforcement of HIPAA regulations. Although HIPAA was passed in 1996 and the Privacy Rule became effective in 2001, it was not until 2003 that covered entities were required to comply with HIPAA. This long interval occurred for several reasons, one of which was to allow covered entities time to familiarize all personnel with HIPAA and to implement standards to protect health information. Smaller health plans were given an extra year to implement new privacy policies. HIPAA regulations are enforced by the Office for Civil Rights, a branch of the Department of Health and Human Services. Compliance by Business Associates and Subcontractors was added as of September 23, 2013.

Slide 26 Failure to Comply with HIPAA Standards

Civil Penalties

Did not know: $100 - $50,000 for each violation, $1,500,000 maximum penalty

Reasonable cause: $1,000 - $50,000 for each violation, $1,500,000 maximum penalty

Willful neglect, with correction: $10,000 - $50,000 for each violation, with $1,500,000 maximum penalty

Willful neglect, without correction: $50,000 for each violation, with $1,500,000 maximum penalty

Failure to comply with HIPAA regulations can result in civil and/or criminal penalties, including fines and jail time. The new rule establishes four categories of violations that reflect increasing levels of culpability and four corresponding tiers of penalty amounts that significantly increase the minimum penalty amount for each violation.

• If the culpability is “did not know” then the penalty is $100-$50,000 for each violation, with a $1,500,000 maximum penalty for all such violations of an identical provision in a calendar year.

• If the culpability is “reasonable cause” then there is a penalty of $1,000-$50,000 for each violation, with a $1,500,000 maximum penalty for all such violations of an identical provision in a calendar year.

• If the culpability is “willful neglect” with correction, then the penalty is $10,000-$50,000 for each violation, with a $1,500,000 maximum penalty for all such violations of an identical provision in a calendar year.

• And, for the last level of culpability, “willful neglect” without correction, the penalty is $50,000 for each violation, with a $1,500,000 maximum penalty for all such violations of an identical provision in a calendar year.

Slide 27 Failure to Comply with HIPAA Standards, Continued

Criminal Penalties

Knowingly discloses individually identifiable health information: Fine up to $50,000; Up to 1 year imprisonment

PHI obtained or disclosed under false pretenses: Fine up to $100,000; Up to 5 years imprisonment

Intent to use or disclose PHI for commercial advantage, personal gain, or malicious intent: Fine up to $250,000; Up to 10 years imprisonment

Covered entities may be excluded from Medicare

The criminal penalties are more severe, and may include jail time as well. Violators who knowingly obtain or disclose PHI by neglecting HIPAA regulations can be fined up to $50,000 and serve 1 year in jail. As the severity of the crime increases, so too does the punishment: a $100,000 fine with up to 5 years in jail for PHI obtained or disclosed under false pretenses, and $250,000 and 10 years in jail for use or disclosure of PHI for commercial advantage, personal gain, or malicious intent. Additionally, DHHS may exclude covered entities in violation of HIPAA from participating in Medicare.

Slide 28

THE SECURITY RULE AND HITECH ACT

Now we’ll spend a few moments talking about the HIPAA Security Rule.

Slide 29 What is the Security Rule?

• Guidelines protecting PHI that is created, received, maintained, or transmitted electronically by covered entities

• Does not apply to PHI conveyed orally or in writing

• Goal is to limit incidental, and avoid prohibited, use and disclosure of PHI

The HIPAA Security Rule is a set of guidelines protecting PHI that is created, received, maintained, or transmitted electronically by covered entities. Note that it does not apply to PHI conveyed orally or in writing, although such information is protected by the Privacy Rule. The goal of the Security Rule is to limit incidental, and avoid prohibited, use and disclosure of PHI. Let’s talk in more detail about how this is done.

Slide 30 Ways to Protect PHI

Administrative Safeguards

• Designate a security official

• Establish policies about access to PHI

• Train workforce

• Periodically evaluate security policies

Physical Safeguards

• Limit physical access to area

• Keep workstations secure

Technical Safeguards

• Control electronic access to PHI

• Audit use of PHI

• Ensure PHI is not improperly changed or destroyed

• Guard against access of PHI during transmission

The Security Rule specifies several ways that covered entities must protect electronic PHI. These are classified as administrative, physical, and technical safeguards. Administrative safeguards require the agency to designate a security official, to establish policies about access to PHI, to train its workforce on how to use and protect PHI, and to periodically evaluate its security policies. Physical safeguards require that agencies limit physical access to their facilities and keep workstations and other devices secure through their policies and procedures. Finally, technical safeguards specify that agencies must control electronic access to PHI, implement software that records and audits use of PHI, ensure that PHI cannot be improperly changed or destroyed, and implement technical security measures that guard against access to PHI during electronic transmission.

Slide 31 What is the HITECH Act?

• Health Information Technology for Economic and Clinical Health Act

• Part of the American Recovery and Reinvestment Act (ARRA) of 2009

– Contains health care information technology-related incentives

– Includes specific incentives designed to accelerate adoption of electronic health record systems

• Broadens scope of HIPAA privacy and security protections by:

– Increasing potential legal liability for non-compliance

– Providing for greater enforcement

In discussing the Security Rule and protection of PHI, it is worthwhile to also acknowledge another important piece of HIPAA-related legislation, the Health Information Technology for Economic and Clinical Health Act, or HITECH Act. The HITECH Act was signed into law in 2009 as part of the American Recovery and Reinvestment Act of 2009 (ARRA). ARRA contains incentives related to health care information technology (e.g. creation of a national health care infrastructure) and also contains specific incentives designed to accelerate the adoption of electronic health record (EHR) systems among providers. This legislation was developed in anticipation of a major expansion in the exchange of electronic PHI. As such, the HITECH Act serves to broaden the scope of privacy and security protections that are available under HIPAA legislation. Additionally, it increases the potential legal liability for non-compliance and also provides for greater enforcement. The HITECH Act addresses various different HIPAA provisions such as enforcement, notification of breach, electronic health record access, and business associates and business associate agreements. To learn more details on each of these topics, you may wish to visit the HIPAA Survival Guide, the link for which is provided in the “References” slides at the conclusion of this training.

Slide 32

HIPAA AND PUBLIC HEALTH

Although HIPAA applies to any organization in the healthcare industry, it includes specific additions and clarifications that are relevant to public health. Let’s talk about how HIPAA affects public health practice and research.

Slide 33 The Privacy Rule and Public Health

• Access to PHI is essential to public health

• Public health uses PHI to identify, monitor, and respond to disease, death and disability among populations

• Covered entities may disclose PHI to public health authorities authorized to collect necessary data

Access to PHI is essential to public health operations. Without it, certain practices within public health would not be possible. PHI is used to identify, monitor, and respond to disease, death, and disability among populations. Some areas where it is used routinely are program operations, surveillance, outbreak investigation, program evaluation, terrorism preparedness, direct health services, and research. The intent of HIPAA regulations was not to restrict the degree to which public health organizations can ensure the well-being of the public, so covered entities are permitted to disclose PHI to public health authorities authorized to collect necessary data.

Slide 34 PHI Disclosure for Public Health

• To prevent or control disease, injury or disability

– Reporting of disease and injury, births and deaths, and child abuse and neglect

– Conducting public health surveillance, investigation, or intervention

– Monitoring adverse events related to food, drugs, biological products, medical devices

• When required by law

Covered entities are permitted to disclose PHI to public health authorities, without authorization, to prevent or control disease, injury, or disability. This includes reporting of disease and injury, reporting of vital events such as births and deaths, and reporting child abuse and neglect. It also includes conducting public health surveillance, investigation, or intervention, and monitoring adverse events related to food, drugs, biological products, and medical devices. Disclosure of PHI to public health authorities is also permitted when required by federal, state, tribal, or local laws.

Slide 35 Public Health Disclosure Examples

A person may have been exposed to a communicable disease or may be at risk for contracting or spreading disease.

A person is subject to jurisdiction of the Food and Drug Administration (FDA) concerning the quality, safety, or effectiveness of an FDA product.

An employer needs certain PHI to meet the requirements of Occupational Safety and Health Administration (OSHA) or other similar laws.

PHI can be disclosed to public health officials when investigating a person who may have been exposed to a communicable disease or who may be at risk for spreading disease. There are times when the Food and Drug Administration is investigating an FDA approved product and needs information concerning an individual, and it is permissible to disclose PHI in this situation. Additionally, PHI can be disclosed when an employer must obtain certain health information to comply with OSHA (Occupational Safety and Health Administration) standards.

Slide 36 Public Health as a Covered Entity

• Public health agencies providing direct health care services are covered entities

– Clinics

– Vaccination programs

– Other services that involve electronic data and patient information

• Public health agencies may classify themselves as “hybrid entities”

Because of the multi-faceted nature of local health departments, there are circumstances under which public health agencies serve as covered entities. Any organization that sponsors clinics, vaccination programs, and other services involving electronic data and patient information is considered a covered entity. If a public health agency performs some functions that are covered by HIPAA and others that are not, it may designate itself as a hybrid entity and specify those direct care functions that fall under the purview of a “covered entity.”

Slide 37 Notice of Privacy Practices for PHI

• Notices, which covered entities must develop and distribute, explain the rights and practices allowable under the Privacy Rule

• Must describe:

– How the covered entity may use and disclose protected health information

– The individual’s rights with respect to the information and how the individual may exercise these rights

– The covered entity’s legal duties with respect to the information

– Whom individuals can contact for further information about the covered entity’s privacy policies

As part of the HIPAA Privacy Rule, covered entities are required to develop and distribute a notice that provides a clear explanation of the rights and practices allowable under the Privacy Rule. This notice is referred to as the “Notice of Privacy Practices”. The purpose of the notice is to draw the attention of individuals to privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and to exercise their rights. Generally speaking, the notice must describe:

• How the covered entity may use and disclose protected health information about an individual;

• The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the covered entity;

• The covered entity’s legal duties with respect to the information, including a statement that the covered entity is required by law to maintain the privacy of protected health information; and

• Whom individuals can contact for further information about the covered entity’s privacy policies.

The covered entity must make this notice available to any person who requests it, and also must display the notice on any web site it maintains that provides information about customer services or benefits.

Slide 38 HIPAA and Public Health

• Public health agencies must be prepared to deal with HIPAA on both ends of the spectrum

– Disclosure, creation and use of PHI

– Protection and storage of PHI

Because public health must solicit PHI from other health organizations AND house PHI from various clinics and programs, public health organizations must be prepared to deal with HIPAA on both ends of the spectrum. It is important to know when to disclose, create or use PHI, and have measures in place to protect the storage and privacy of PHI.

Slide 39 PHI Disclosure Situation 2

Can the health department disclose this information?

A local news station contacts the health department because there has been a confirmed case of West Nile Virus in the county. The news station knows that the health department cannot release the name of the patient, but asks for other demographic information.

Let’s look at another disclosure situation. Say a local news station contacts the health department because they have received notification of a confirmed case of West Nile Virus in the county. The news station knows that the health department cannot release the name of the patient, but asks for more information about the patient such as the zip code and street the person lives on. Can the health department disclose this information?

Slide 40 Situation 2 - Answer

• NO!!! Disclosure of certain combinations of demographic information, such as age, gender, and zip code could lead to the inadvertent identification of the infected individual.

• However, this information could be shared for public health or research purposes

Absolutely not! Even without the name, disclosure of certain information such as age, gender, and zip code could give clues about the identity of the individual and lead to their identification. However, note that patient information could have been disclosed to public health organizations because West Nile Virus is a reportable communicable disease. For example, in early August of 2003, a North Carolina man was the state’s first human case of West Nile Virus that year. Interestingly enough, even the county in which the man lived could not be identified because the population was small enough that the man’s identity might have been discovered. This case was televised as “a man from eastern North Carolina.” However, it is possible that this information could have been shared for research purposes. Let’s talk more about how HIPAA affects public health research.

Slide 41 Public Health Research

• HIPAA regulates how covered entities may permit access to PHI in their possession

• PHI obtained for healthcare purposes, not for research, cannot be used without permission

• Data sets for research must use as little PHI as possible

There are also exceptions made to HIPAA for public health research purposes since health information is often necessary for research. HIPAA regulates how covered entities may permit access to PHI in their possession. PHI must be collected specifically for research purposes, and PHI obtained strictly for healthcare purposes cannot be used without permission. To gain permission, researchers must file certain HIPAA documents and present them to the covered entity before receiving access to PHI. However, this does not allow researchers unlimited access to PHI; they must use minimal health information, as defined by two acceptable data sets: de-identified data sets and limited data sets.

Slide 42 De-identified Data Sets

May not contain ANY of the following:

• Names

• Geographic subdivisions

• Dates

• Telephone/fax numbers

• Email addresses

• Social Security Numbers

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers

• Device identifiers

• Web URLs

• IP addresses

• Biometric identifiers (finger/voice prints)

• Full face photograph/image

• Any other code or number that can reveal identity

To be considered a de-identified data set, all identifiable information must be removed from the data, including names, geographic subdivisions such as zip code or voting precinct, dates, telephone or fax numbers, email addresses, social security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/license numbers, vehicle identifiers, device identifiers, web URLs, IP addresses, biometric identifiers, full face photographs or images, or any other code, number, or document that could reveal the identity of the individual. This may sound rigorous and excessive, but this information, alone or with other information, could make it possible to identify an individual person.

Slide 43 Limited Data Sets

Largely de-identified, but may contain:

• Dates related directly to the individual

– Birth/death date, date of medical procedure, etc.

• Geographic Information

– State, county, city, town, census tract, precinct, or zip code

– NOT street name, street address, PO Box address

Limited data sets do not go to such extreme lengths to assure privacy of the individual, and can include dates related directly to the individual such as date of birth, date of death, or date of medical procedure. Limited data sets can also include the state, county, city, town, census tract, precinct, or zip code, but not street name, street address, or PO Box. Whether a public health researcher uses a de-identified or limited data set depends on the nature of the research and whether some identifiers are relevant to the research question.
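As an added example that is not part of this lecture, the following Python code applies the Slide 42 and Slide 43 definitions to a constructed record: it classifies a record as identifiable, limited, or de-identified and strips fields down to either data set. The field names, the regular expressions for identifiers hidden in free text, and the sample record are all assumptions of this example, not anything the lecture or HHS prescribes.

```python
import re

# Field-name categories are assumptions here, following the Slide 42/43 lists.
DIRECT_IDENTIFIERS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_number",
    "account_number", "license_number", "vehicle_id", "device_id", "url",
    "ip_address", "biometric", "photo",
}
STREET_LEVEL = {"street", "street_address", "po_box"}  # forbidden in both sets
LIMITED_ONLY = {"birth_date", "death_date", "procedure_date", "state", "county",
                "city", "town", "census_tract", "precinct", "zip"}
# Constructed patterns for identifiers buried in free text; not exhaustive.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def scan_text(value):
    """Return the kinds of identifier found inside one field value."""
    return {kind for kind, pat in FREE_TEXT_PATTERNS.items() if pat.search(str(value))}

def classify(record):
    """Return 'identifiable', 'limited' or 'de-identified' for a record."""
    if set(record) & (DIRECT_IDENTIFIERS | STREET_LEVEL):
        return "identifiable"
    found = set().union(*(scan_text(v) for v in record.values()))
    if found - {"date"}:              # an SSN, email, IP or phone in free text
        return "identifiable"
    if set(record) & LIMITED_ONLY or "date" in found:
        return "limited"
    return "de-identified"

def reduce_to(record, target):
    """Drop fields until the record meets the 'limited' or 'de-identified' definition."""
    drop = DIRECT_IDENTIFIERS | STREET_LEVEL
    if target == "de-identified":
        drop = drop | LIMITED_ONLY
    kept = {}
    for key, value in record.items():
        found = scan_text(value)  # free text still carrying identifiers is dropped whole
        if key in drop or found - {"date"} or (target == "de-identified" and found):
            continue
        kept[key] = value
    return kept

SAMPLE = {  # constructed sample record, not real data
    "name": "Jane Example", "ssn": "123-45-6789", "street_address": "12 Example St",
    "zip": "27601", "procedure_date": "08/05/2003", "diagnosis": "West Nile Virus",
    "notes": "Patient reachable at jane@example.org",
}
```

Note that the limited data set produced here still carries the zip code and procedure date, which is exactly the combination Slide 40 warns can re-identify a patient; that is why a limited data set is acceptable for public health or research use but not for release to a news station.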

Slide 44 Summary

• HIPAA set a national standard for protecting health information

• HIPAA and the Privacy Rule allow the use of PHI by covered entities for public health, research, and other necessary purposes, while maintaining the confidentiality of this data

• HIPAA can be a confusing law, but it is important to understand it. For more information, please visit the sites listed on the references slide

HIPAA and the Privacy Rule have set a national standard for protecting the privacy of health information, while maintaining the use of data for law enforcement, public health, and research purposes. As with any complex law, there are certain exceptions and intricacies that were not covered in this lecture. I hope this lecture has been a helpful overview of HIPAA and the Privacy Rule. For more information, please visit the sites listed on the following page.

Slide 45 References

• American Medical Association. HIPAA: health insurance portability and accountability act. http://www.ama-assn.org/ama/pub/category/4234.html. Accessed January 19, 2012.

• Centers for Disease Control and Prevention. HIPAA Privacy Rule and public health: guidance from CDC and the U.S. Department of Health and Human Services. http://www.cdc.gov/privacyrule/Guidance/PRmmwrguidance.pdf. Accessed January 19, 2012.

• U.S. Department of Health and Human Services, Office of Civil Rights. Summary of the HIPAA Privacy Rule. Revised May 2003. http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html. Accessed January 19, 2012.

• U.S. Department of Health and Human Services, Office of Civil Rights. Summary of the HIPAA security rule. http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html. Accessed January 19, 2012.

These references were used in the development of this module.

Slide 46 References

• U.S. Department of Health and Human Services, Office of Civil Rights. Notice of Privacy Practices for Protected Health Information. http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/notice.html. Accessed May 14, 2012.

• HIPAA Survival Guide. HITECH Act Summary. http://www.hipaasurvivalguide.com/hitech-act-summary.php. Accessed May 14, 2012.