The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice - PowerPoint PPT Presentation

Slides: 31
Provided by: cqq
Learn more at: https://nectac.org
Transcript and Presenter's Notes


1
The HIPAA Privacy Rule: Safeguarding Health
Information in Research and Public Health Practice
  • Centers for Disease Control and Prevention
  • Beverly A. Peeples, J.D.
  • December 13, 2005

2
Brief Overview of HIPAA
  • What is the Privacy Rule?
  • Who is covered by the Privacy Rule?
  • What information is protected?

3
What is the Privacy Rule?
  • Establishes a set of national standards
  • Promulgated by the US DHHS
  • Addresses use and disclosure of individuals'
    health information
  • Addresses standards and protection of
    individuals' privacy rights

4
Major Goals of Privacy Rule
  • Assures that individuals' health information is
    properly protected
  • Strives to maintain balance
  • Designed to be flexible and comprehensive

5
Who is Covered by the Privacy Rule?
  • Covered Healthcare Providers
  • Known as Covered Entities (CE)
  • Health Plans
  • Healthcare Clearinghouses

6
What is a Covered Entity?
  • Health Care Provider
  • Conducts electronic transactions

7
What is a HIPAA transaction?
  • health care claims
  • health care payment
  • coordination of benefits
  • health care claim status
  • enrollment and disenrollment in a health plan

8
What is a HIPAA transaction?
  • eligibility for a health plan
  • health plan premium payments
  • referral certification and authorization
  • first report of injury
  • health care claims attachments
  • other transactions that the Secretary may
    prescribe by regulation.

9
What Information is Protected?
  • Protected Health Information (PHI)
  • Individual's past, present or future physical or
    mental health
  • Provision of healthcare
  • Past, present or future payment for provision of
    healthcare
  • Does not include FERPA records

10
Limits on Use of Individually Identifiable Health
Information
  • Privacy Rule sets limits
  • Does not restrict ability of health care
    providers to share information to treat
    patients
  • May not be used for purposes unrelated to
    health care

11
Limits on Use of Individually Identifiable Health
Information
  • Specific authorizations required before a CE can
    release information to a
  • life insurer
  • bank
  • marketing firm or
  • school

12
Limits on Use of Individually Identifiable Health
Information
  • Permits health care providers and other CEs to
    share information about
  • treatment options
  • disease-management programs
  • When they have a treatment relationship with the
    individual

13
Limits on Use of Individually Identifiable Health
Information
  • A person or entity conducting certain functions
    on behalf of a CE is a business associate
  • CE may disclose PHI to a business associate
  • CE must obtain satisfactory assurances to
    safeguard the information

14
Limits on Use of Individually Identifiable Health
Information
  • Privacy standards do not affect state laws
  • Privacy Rule sets a national floor of privacy
    standards
  • State law providing additional protections would
    continue to apply

15
What is the Minimum Necessary Standard?
  • CE must make reasonable efforts to disclose
    only the minimum amount of PHI
  • CEs may reasonably rely on public health
    authorities' representation
  • Applies to disclosures to a public health
    agency

16
Exceptions to the Minimum Necessary Requirements
  • Minimum Necessary Standard does not apply if
    disclosures are
  • Required by law
  • Authorized by individual
  • Requested by health care provider for treatment
    purposes

17
Exceptions to the Minimum Necessary Requirements
  • Disclosures to the individual
  • Disclosures to HHS
  • When required for compliance with other HIPAA
    rules
  • e.g. to fill out required or situationally
    required data fields in standard transactions

18
Uses and Disclosures of PHI
  • A covered entity may not use or disclose PHI
    except either
  • as the Privacy Rule permits or requires or
  • as the individuals or their representatives
    authorize in writing

19
Permitted Uses and Disclosures without
Authorizations
  • To the individual
  • For treatment, payment, and healthcare operations
  • Opportunity to agree or object
  • As incident
  • Public interest and benefit activities
  • Limited Data Set

20
Permitted Uses and Disclosures without
Authorizations
  • A limited data set is PHI from which certain
    specified direct identifiers of individuals and
    their relatives, household members, and
    employers have been removed.
  • May contain more identifiers than de-identified
    data stripped of the 18 identifiers; still PHI

21
Written Authorizations
  • Must be written in specific terms
  • Must be in plain language
  • Contain specific information

22
Written Authorizations
  • Allows use and disclosure of PHI by the covered
    entity or a 3rd party
  • Examples of disclosures
  • to a life insurer
  • to an employer
  • to a school employee who is not a health care
    provider

23
Public Health Authority
  • Public Health Authorities are not subject to the
    Privacy Rule
  • When they are conducting public health activities
    as defined in the Rule
  • Even when they are covered entities acting in the
    capacity of a public health authority
  • Funded by a federal (CDC) or state public health
    authority
  • With a grant of authority to conduct a public
    health activity

24
Examples of PHAs
  • Federal public health agencies include
  • CDC, NIH, SAMHSA, FDA, OSHA, and tribal health
    agencies
  • State public health agencies include
  • public health departments or divisions, state
    cancer registries and vital statistics
    departments
  • Local public health agencies include
  • similar departments

25
Public Health Authorities
  • Hybrid entities
  • A hybrid entity is a single legal entity that is
    a CE, performs business activities that include
    both covered and noncovered functions, and
    designates its health care components as provided
    in the Privacy Rule.

26
Public Health Authorities that are CEs or Hybrid
Entities
  • A university or school that includes an academic
    medical center's hospital is a CE
  • It may choose to be a hybrid entity via
    designating the hospital as its health care
    component

27
Hybrid Entities
  • A school clinic if it conducts electronic
    transactions
  • Bills for services
  • Files insurance reimbursement claims
  • Provides health care to students
  • Physical or mental health services

28
Highlights of the Privacy Rule
  • Contains standards to protect privacy of
    individuals' identifiable health information
  • Sets minimum standards for how PHI may
    be used and disclosed
  • Individuals can have control of their
    health information

29
Highlights of the Privacy Rule
  • Describes methods to de-identify health
    information
  • Provides alternatives to obtaining an
    Authorization e.g. limited data sets
  • Important steps toward understanding
  • how and why the Privacy Rule protects
  • how CEs implement the Rule's standards

30
Contact Information
  • Beverly A. Peeples, JD
  • Privacy Rule Coordinator
  • Office of Chief Science Officer
  • Office of Scientific Regulatory Services
  • Health Information Privacy Office
  • bpeeples_at_cdc.gov
  • PH 404-371-5977