Computerized Networking of HIV Providers Workshop
Data Security, Privacy and HIPAA: Focus on Privacy
Joy L. Pritts, J.D.
Assistant Research Professor
Health Policy Institute, Georgetown University
[email protected]
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
“Administrative simplification”
– Encourage electronic health care information infrastructure
– Protect security/privacy of health information
Background
Who Is Covered
Covered entities
Health plans
Health care clearinghouses
Health care providers who transmit health claims-type information electronically
What Is Covered
Protected Health Information
Information in any format about a person’s:
Health, health care, or payment of health care;
Which identifies or reasonably could be used to identify the person; and
Was created or received by a covered health care plan or provider
What Is NOT Covered
De-identified information
Qualified statistician has determined only very small chance of identifying person from information; or
All listed identifiers have been removed
– Name
– Dates associated with person (other than year)
– Social Security Numbers
– Etc.
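The second de-identification route on the slide is mechanical enough to show in code: drop the listed identifiers and reduce every date tied to the person to its year. The following Python is an added example, not part of the presentation. The record layout, field names and sample values are constructed for illustration, and the slide names only Name, dates (other than year) and Social Security Numbers, so the extra entries in `REMOVED_FIELDS` are assumed stand-ins for its “Etc.”, not the regulation’s complete list. The example also scrubs SSN patterns from free-text fields and includes a check that reports identifiers a record still carries, since a central database would want to verify records rather than trust the sender.

```python
"""Safe-harbor style de-identification as described on the slide:
remove the listed identifiers and reduce dates to the year.

Added example, not part of the original presentation. Field names and
sample values are constructed. Only "name" and "ssn" come from the slide;
the other REMOVED_FIELDS entries are assumptions standing in for "Etc."
"""
import re
from datetime import date
from typing import Any, Dict, List

# Fields dropped outright (assumed field names; see module docstring).
REMOVED_FIELDS = {"name", "ssn", "phone", "email", "street_address"}

# Fields whose value is a date tied to the person: keep the year only.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date"}

# SSN pattern, checked in free-text fields as well as structured ones.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
ISO_DATE_RE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")


def year_only(value: Any) -> str:
    """Generalize a datetime.date or ISO 'YYYY-MM-DD' string to its year."""
    if isinstance(value, date):
        return str(value.year)
    m = ISO_DATE_RE.match(str(value))
    if m:
        return m.group(1)
    raise ValueError(f"unrecognized date value: {value!r}")


def deidentify(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of record with identifiers removed and dates reduced to year."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        k = key.lower()
        if k in REMOVED_FIELDS:
            continue                      # drop the identifier entirely
        if k in DATE_FIELDS:
            out[key] = year_only(value)   # "1975-03-14" -> "1975"
            continue
        if isinstance(value, str):
            # Identifiers also leak through free text, so scrub SSNs there too.
            value = SSN_RE.sub("[SSN REMOVED]", value)
        out[key] = value
    return out


def residual_identifiers(record: Dict[str, Any]) -> List[str]:
    """Report listed identifiers a record still carries; empty list means it passes."""
    findings: List[str] = []
    for key, value in record.items():
        k = key.lower()
        if k in REMOVED_FIELDS:
            findings.append(f"{key}: identifier field present")
        elif k in DATE_FIELDS and not re.fullmatch(r"\d{4}", str(value)):
            findings.append(f"{key}: date not reduced to year")
        elif isinstance(value, str) and SSN_RE.search(value):
            findings.append(f"{key}: SSN pattern in text")
    return findings


# Constructed sample record with fictitious values.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "date_of_birth": "1975-03-14",
    "admission_date": date(2003, 6, 2),
    "service_category": "case management",
    "notes": "SSN 123-45-6789 confirmed at intake; follow up in 6 months.",
}

if __name__ == "__main__":
    print("findings before:", residual_identifiers(SAMPLE_RECORD))
    cleaned = deidentify(SAMPLE_RECORD)
    print("de-identified:", cleaned)
    print("findings after:", residual_identifiers(cleaned))
```

Running the module shows five findings on the raw record (two identifier fields, two full dates, one SSN inside the notes) and none after `deidentify`. The check is deliberately separate from the transform so a receiving database can apply it to every incoming record regardless of how the sender produced it.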
General Structure
Restricts how covered entities can use and disclose protected health information
Grants patients rights (e.g., see, copy, amend own health information)
Imposes “administrative” requirements
General Rules
Uses & Disclosures: In General
Prohibits using and disclosing health information unless
Specifically permitted by regulation or
Authorized by patient
If the disclosure does not fit within one of the specifically enumerated purposes in the regulation, you must get the patient’s authorization.
Business Associates
Person who performs functions on behalf of covered entity involving use/disclosure of identifiable health information
Can disclose to “business associates” if certain conditions are met
Business Associates
Contract or other arrangement that
Establishes permitted uses/disclosures
Provides that business associate will use appropriate safeguards to protect info.
Makes health information available to patients pursuant to access rights
Meets other requirements
Minimum Necessary Rule
Requires reasonable effort to limit information to minimum amount necessary to accomplish intended purpose
45 C.F.R. § 164.502(b)
Rules for Specific Purposes
Treatment, Payment, and Health Care Operations
Regulatory permission to use and disclose for these purposes
Obtaining patient’s consent is permitted
Treatment, Payment, and Health Care Operations
Patient has right to request restrictions
Provider does not have to agree to request
Treatment, Payment, and Health Care Operations
Minimum necessary rule does not apply to disclosures for treatment purposes
“National Priority” Purposes
Required by Law
Public Health
Health Oversight
Law Enforcement
Research
To Avert Serious Threats to Health or Safety
Workers’ compensation
Others
“National Priority Purposes”
No patient authorization required
Additional conditions generally imposed varying with the purpose
Patient Authorization
Required for uses/disclosures not expressly permitted by regulation
Must conform with standard format
Patient Rights
Right to notice of privacy practices
Right to see, copy, and amend record
Right to an accounting of disclosures
– Excludes disclosures made for treatment, payment, & health care operations
Right to request restrictions
Administrative Duties
Provide notice of privacy practice
Designate privacy officer & contact person for complaints
Implement safeguards
Develop sanctions for privacy violations
Maintain documentation
Issues for Centralized Health Information Networks
Is Anyone on the Network Covered by the HIPAA Privacy and Security Regulations?
Health Plans
HMOs
Fee for service health insurers
Most group health plans
Medicaid programs
State high risk pools
Any individual or group plan that provides or pays for the cost of medical care
(45 C.F.R. § 160.103)
Health Plans
Ryan White CARE funded programs generally are not considered to be health plans, but
May meet the definition of health care provider
65 Fed. Reg. 82479
Health Care Clearinghouses
Person/entity that translates health information into/out of standard format
Central database that just stores/transfers information is not a clearinghouse
Covered Health Care Providers
Health Care Provider
Practitioners
Facilities
Those who furnish drugs, devices pursuant to prescriptions
Covered Health Care Providers
Must engage in:
Standard transactions
– Claims submission/encounter reports
– Verification of eligibility
– Referrals
– Others
Covered Health Care Providers (cont’d)
Electronically
– Use of computer
– Fax excluded
Impact
It is likely that someone on network will be covered by HIPAA.
If someone is covered, some client-level data will be protected by HIPAA.
Impact
Every class of disclosure to central data base must either
Come within permitted disclosures of HIPAA or
Be authorized by patient
What Provisions Justify Sharing Health Information With Central Database?
Business Associate
If covered entity enters data for treatment purposes
Business associate provisions permit organization that maintains database to store and share with others for treatment purposes
Business Associate
Does not permit organization to use or disclose for other purposes
[Diagram: two Providers each send “Info. for Treatment” to the Business Associate, whose box is labelled “Use”]
“Required by Law”
Covered entity may make any disclosure that is “required by law” without the permission of individual who is the subject of information.
Disclosures “Required by Law”
When is a use or disclosure “required by law”?
Mandate is contained in law that compels use or disclosure; and
Is enforceable in court of law
Health Oversight
Permission of individual who is subject of information not required to disclose protected health information to a public health agency for oversight activities authorized by law.
Health Oversight
Public Health Authority includes
Federal, state, or regional entity authorized to oversee
Health care system or
Govt. programs for which health information is necessary to determine eligibility or compliance
Health Oversight
Overseeing health care system includes
Oversight of health care and health care delivery;
Analysis of trends in health care costs, quality, delivery, and access to care;
Other functions
Public Health
May disclose without authorization to public health authority that is authorized by law to collect or receive such information
Some Other Considerations
Business associate
Business associate or similar agreements
Patient right of access to information held by business associates
Some Other Considerations
Minimum necessary rule applies to disclosures for health oversight and public health
Some Other Considerations
State Law
HIPAA does not preempt stronger state law
Most states have laws related to HIV that are in some respects stronger than HIPAA
Some Resources
HHS (ASPE) http://aspe.hhs.gov/admnsimp/
– Admin. Simp. History
HHS, Office of Civil Rights http://www.hhs.gov/ocr
– Text of Privacy Regs.
– Guidance
CMS http://www.cms.hhs.gov/hipaa/hipaa2/default.asp
– Evaluation tool