Title: HIPAA Health Insurance Portability and Accountability Act
1 HIPAA: Health Insurance Portability and Accountability Act
- Lab Disclosures
- March 29, 2004
- UAB Health System
2 Education Objective
- Review the HIPAA Privacy law segments most applicable to lab disclosures.
- Explain the UABHS Accounting of Disclosures electronic and manual processes.
- Distribute and explain a matrix of typical disclosures.
- Answer questions and de-mystify HIPAA privacy regulations.
- Provide resources to assist with future questions.
3 HIPAA Privacy
- Under the HIPAA Privacy Regulations:
  - PHI may be used for treatment, payment, healthcare operations (TPO).
  - PHI may be disclosed to other providers for treatment.
  - PHI may be disclosed to other covered entities for payment.
  - PHI may be disclosed to other covered entities that have a relationship with the patient for certain healthcare operations such as QI, credentialing and compliance.
4 HIPAA Privacy: Other Permitted Uses and Disclosures
- PHI may be used or disclosed without authorization under the following circumstances:
  - Public health agencies for purposes such as controlling or preventing disease or collecting vital statistics, i.e. notifiable or communicable diseases which must be reported to AL Dept. of Public Health, PKU Information Reporting.
  - Public health or government authorities for law enforcement purposes, such as reporting on victims of abuse, neglect or domestic violence.
5 HIPAA Privacy: Other Permitted Uses and Disclosures
- Health oversight agencies for activities authorized by law, i.e. AQAF.
- Judicial and administrative proceedings, such as compliance with a court order or subpoena.
- Law enforcement officials seeking information for the purpose of identifying a suspect, witness, or victim of a crime.
- Coroners, medical examiners, and funeral directors to identify a deceased person or determine a cause of death.
- Organ donation.
- Workers' compensation.
6 HIPAA Privacy: Other Uses and Disclosures
- Facility Directories: unless the patient opts out, their name, location and general medical condition may be disclosed to those asking for the patient by name.
- Individuals involved in care or payment for care: PHI may be disclosed unless the patient objects.
7 HIPAA Privacy: Marketing and Fundraising
- Marketing
  - Covered entities are prohibited from using or disclosing PHI for marketing purposes without the patient's express authorization.
  - Covered entities are prohibited from selling patient/enrollee lists to third parties.
  - Providers CAN communicate with patients about treatment options or the covered entity's own health-related products and services, and common health care communications such as disease management, wellness programs, prescription refill reminders and appointment notifications, recommending alternative treatments, therapies, or health-care products.
- Fundraising: limited PHI may be used if the patient is told how to opt out.
8 HIPAA Privacy: Incidental Uses and Disclosures
- Uses and disclosures that are incidental to an otherwise permitted use or disclosure may occur and are not considered a violation of the Rule provided that the covered entity meets reasonable safeguards and minimum necessary requirements.
- Examples: waiting room sign-in sheets, patient charts at bedside, physician conversations with patients in semi-private rooms, and physicians conferring at nurses' stations.
9 HIPAA Privacy: Research
- HIPAA regulations do not replace or reproduce other federal regulations (e.g. 45 CFR 46, 21 CFR 56). All existing regulations remain in force.
- Unlike some other regulations, HIPAA applies regardless of whether the research is funded by the government.
10 HIPAA Privacy: Research
- HIPAA preempts all less stringent state laws regarding privacy of health information unless specific requirements are met.
- These requirements involve state mandated reporting related to health, safety, or welfare, as well as reporting that is necessary for a health plan to conduct auditing procedures.
11 HIPAA Privacy: Research
- Instructions for requesting an exemption - to
follow the state law instead of HIPAA - are given
in Subpart B (160.201-205).
12 HIPAA Privacy: Research
- Covered Entities are permitted to use or disclose PHI for research if the IRB has approved the research and one or more of the following conditions exist:
  - 1. Patient Authorization
  - 2. Decedent Research
  - 3. Preparatory Research
  - 4. Limited Data Set
  - 5. IRB grants a waiver of required authorization.
13 Waiver of Authorization
- The IRB may waive the authorization, if the reviewing board finds that:
  - The use or disclosure of PHI involves no more than minimal risk to privacy.
  - The proposed research could not practicably be conducted without the waiver or alteration; and
  - The research could not practicably be conducted without access to and use of the PHI.
14 Research with Records of Deceased Individuals
- If a research subject is deceased, PHI may be used or disclosed provided that the researcher represents:
  - The use or disclosure is sought solely for research on PHI of decedents, and
  - PHI for which use or disclosure is sought is necessary for research purposes.
- Upon request of the covered entity, the researcher must provide documentation of the death of the individual.
15 Reviews Preparatory to Research
- A covered entity may use or disclose PHI for reviews preparatory to research if it obtains the following representations from the researcher:
  - Use and disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research (e.g. recruitment);
  - No PHI is removed from the covered entity by the researcher in the course of review; and
  - The PHI for which use or access is sought is necessary for the research purpose.
- Look to institutional policy to see if IRB approval is required.
16 De-Identification Standard
- De-identified health information is health information that does not identify an individual and for which there is no reasonable basis that the information could be used to identify an individual.
- It is not considered individually identifiable information.
- There is no actual knowledge that the information could be used to identify an individual.
17 De-Identification Standard (cont.)
- The Privacy Rule does not apply to information that has been de-identified under one of two standards set forth in the Privacy Rule:
  - Removal of 18 identifiers.
  - Certification by a biostatistician that the method for de-identifying the PHI has a very small risk that the information could be used, alone or in combination with other reasonably available information, to identify an individual who is the subject of the information.
18 De-Identification Standard (cont.)
Information is presumed to be de-identified if the following identifiers of the individual or of relatives, employers, or household members of the individual have been removed:
- Names
- All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and equivalent geocodes
- All elements of dates (except year), including birth date, admission and discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security number
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locator (URL)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code, except as allowed under the re-identification specifications 164.514(c).
19 Limited Data Sets
- Similar to de-identified data sets except certain direct identifiers must be removed.
- Can be used for research, public health, and health care operations.
- Limited Data Sets can include identifiers such as date of birth, dates of hospital admissions and discharges, and an individual's residence by city, county, state, and 5 digit zip codes.
- Researcher may access and use the entire array of PHI without authorizations or waivers of authorizations.
20 Minimum Necessary Standard
- When HIPAA permits use or disclosure of PHI, providers should disclose or use only the minimum necessary amount of PHI in order to do their jobs.
- Exceptions:
  - Treatment
  - Anything for which a patient authorization is signed.
  - Incidental disclosures.
  - Disclosures required by law.
21 HIPAA Privacy: Patient Rights
- Notice to Individuals of Information Practices.
- Authorization.
- Request Access.
- Request Accounting for Uses and Disclosures.
- Request Amendment and Correction (subject to approval by the covered entity).
- Request Confidential / alternate communication.
- Request Restriction on use of PHI (subject to approval by the covered entity).
- Complaints.
22 What is an Accounting of Disclosures?
- Information provided to the patient, upon request, of certain disclosures made by UAB/UABHS in the six years prior to the date of the request, but not prior to April 14, 2003.
- Date of disclosure
- Name, address (if known) of entity/person receiving PHI
- Brief description of PHI disclosed
- Purpose of disclosure or copy of request
23 Accounting of Disclosures
- A covered entity must provide an accounting to the individual of any research disclosure made pursuant to an IRB.
- No accounting is needed for disclosures made pursuant to an Authorization.
24 Accountings of Disclosures are not required for the following
- To carry out TPO,
- PHI to individuals about themselves,
- For facility directory purposes,
- Incidental to an otherwise permitted use/disclosure,
- To persons involved in the care of the patient,
- National security or intelligence purposes,
- Correctional institutions or other law enforcement officials,
- For disclosures made prior to April 14, 2003,
- Pursuant to a valid authorization,
- For other such reasons as allowed under HIPAA.
25 Mandatory Reporting Involving Protected Health Information
- The state of Alabama requires reporting on the following:
  - Births
  - Infants of Unknown Parentage
  - Fetal Deaths/Induced Termination of Pregnancy
  - Deaths
  - Notifiable Diseases and Health Conditions
  - Infected Health Care Workers with HIV or Hepatitis B
  - Head and Spinal Cord Injuries
  - Confirmed Cancer Cases (Tumor Registry)
  - Child Abuse or Neglect
  - Protection of Aged or Disabled Adults
  - Victims of Domestic Violence
26 UAB Health System Types of Disclosures
- Abuse, Neglect or Exploitation
- Administrative Hearing
- Adverse Outcomes
- ACS Consultation/Verification Review of Trauma in Hospitals
- Audits
- Autopsy Report
- Billing Records/Reports
- Birth Certificate (Vital Event)
- Bureau of Health Care Information
- Business Associates for Non-T.P.O.
27 UAB Health System Types of Disclosures
- Center for Disease Control
- Civil/Criminal Investigation
- Communicable Diseases
- Complaint Investigation
- Consultants/Contractors
- Coroners/Medical Examiners
- Court Order
- Death Certificate (Vital Event)
- Department of Justice
- Department of Transportation (D.O.T.)
28 UAB Health System Types of Disclosures
- Drug Enforcement Agency (D.E.A.) - Narcotics Reporting
- Environmental Protection Agency (E.P.A.)
- Federal Bureau of Investigation (F.B.I.)
- Federal Emergency Management Agencies (F.E.M.A.)
- Food and Drug Administration Reporting (F.D.A.)
- Funeral Homes
- Government Required Disclosures, Not Otherwise Specified
- Immunization Records
- Inspection
- Insurance Reviewers (N.C.Q.A., etc.)
29 UAB Health System Types of Disclosures
- Law Enforcement (Aversion of Serious Threat)
- Law Enforcement (Crime on Premises)
- Law Enforcement (Suspicious Death, Location of Suspect/Witness)
- Law Enforcement (Victims of or Suspected Crime)
- Law Enforcement (Wounds, Injuries)
- Licensure/Disciplinary Action
- Military Command Authorities
- National Transportation Safety Board (N.T.S.B.)
- National Trauma Data Bank
- Neonatal Reporting to State
- Occupational Safety and Health Administration (O.S.H.A.)
30 UAB Health System Types of Disclosures
- Organ, Eye and Tissue Donation/Procurement
- Paternity Testing/Affidavits
- Peer Review (A.Q.A.F./Alabama Quality Assurance Foundation)
- Poison Control Center
- Public Health Activities, Not Otherwise Specified
- Public Health Authorities, Not Otherwise Specified
- Registry Birth Defects
- Registry Births
- Registry Burns and Trauma
- Registry Cancer/Tumor
31 UAB Health System Types of Disclosures
- Registry Cardiac
- Registry Child Abuse or Neglect
- Registry Deaths
- Registry Eye Injury
- Registry Fetal Deaths
- Registry Head and Spinal Cord Injury
- Registry Hearing Screening
- Registry Infants of Unknown Parentage
- Research (Preparatory, Decedent, or Requirements for Authorization Waived)
- Search Warrant
32 UAB Health System Types of Disclosures
- Subpoena
- Summons
- Surveys (CAP, CLIA, FDA, JCAHO)
- Underage Pregnancy
- Unlawful Disclosure Discovered Post-Release
- Vendors
- Workers' Compensation, if not related to TPO
33 Office of Civil Rights web-site
- FAQs or Frequently Asked Questions
- Accounting of Disclosures
- Research
www.hhs.gov/ocr/hipaa
34 OCR Privacy FAQs
- List of FAQs
- Note: multiple pages
- Click on line item for details
35 OCR Privacy FAQs
- Review FAQ for information as it relates to Privacy
36 UABHS Accounting Tool
- UAB Health System utilizes one central database for maintaining accounting of disclosures.
37 Manual Documentation of Accounting of Disclosures
38 Miscellaneous
- Reminder: HIPAA Privacy requirement to maintain accounting of disclosures, from April 14, 2003.
- Questions?
39 For HIPAA questions or to report a suspected HIPAA violation contact
- Carlos Brown, UAB Hospital
  - Corporate Compliance / Privacy Manager
  - 934-2990
- Sheila Moore
  - Institutional Review Board
  - 934-3789
- Linda Lum
  - Accounting of Disclosures
  - 975-2622
  - llum_at_uabmc.edu