HIPAA and Public Health 2007 Epi Rapid Response Team Conference.

HIPAA Privacy Rule “Standards for Privacy of Individually Identifiable Health Information” 45 CFR 160 and 164
Presentation transcript:

HIPAA and Public Health 2007 Epi Rapid Response Team Conference

HIPAA Standard
- The HIPAA Privacy Rule provides the first national standards for protecting the privacy of health information. (Standard)
- The Privacy Rule regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI).
- PHI is individually identifiable health information

Legislative History
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Subtitle F--Administrative Simplification
- Encourage development of (electronic) health information technologies (transactions)
- Easier information sharing—security and privacy

HIPAA …
- gives patients more control over their health information
- sets boundaries on the use and release of health records
- establishes appropriate safeguards that the majority of health-care providers and others must achieve to protect the privacy of health information
- holds violators accountable with civil and criminal penalties that can be imposed if they violate patients' privacy rights
- strikes a balance when public health responsibilities support disclosure of certain forms of data

HIPAA …
- enables patients to make informed choices based on how individual health information may be used
- enables patients to find out how their information may be used and what disclosures of their information have been made
- generally limits release of information to the minimum reasonably needed for the purpose of the disclosure
- generally gives patients the right to obtain a copy of their own health records and request corrections
- empowers individuals to control certain uses and disclosures of their health information

Scope: Who is Covered?
Limited by HIPAA to:
- Health care providers who transmit health information in electronic transactions
- Health plans
- Health care clearinghouses
- Business associate relationships

Scope: What is Covered?
Protected health information (PHI) is:
- Individually identifiable health information
- Transmitted or maintained in any form or medium
- Held by covered entities or their business associates
De-identified information is not covered

Individual’s Rights
Individuals have the right to:
- A written notice of information practices from health plans and providers
- Inspect and obtain a copy of their PHI
- Obtain an accounting of disclosures
- Amend their records
- Request restrictions on uses and disclosures
- Accommodation of reasonable communication requests
- Complain to the covered entity and to HHS

Day-to-day Data Sharing with Public Health
- Disclosures permitted if required by law
- Disclosures also permitted for “public health activities and purposes”
- Consent or authorization not required for above disclosures
- Rule does not require public health disclosures

Information Types
De-Identified Information - requires no individual privacy protections and is not covered by the Privacy Rule.
- statistical de-identification --- a properly qualified statistician using accepted analytic techniques concludes the risk is substantially limited that the information might be used, alone or in combination with other reasonably available information, to identify the subject of the information; or
- the safe-harbor method --- a covered entity or its business associate de-identifies information by removing 18 identifiers and the covered entity does not have actual knowledge that the remaining information can be used alone or in combination with other data to identify the subject.

Information Types
Limited Data Set - Health information in a limited data set is not directly identifiable, but may contain more identifiers than de-identified data that has been stripped of the 18 identifiers.

Limited Data Set
A data-use agreement must establish who is permitted to use or receive the limited data set, and provide that the recipient will
- not use or disclose the information other than as permitted by the agreement or as otherwise required by law;
- use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the data-use agreement;
- report to the covered entity any use or disclosure of the information, in violation of the agreement, of which it becomes aware;
- ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
- not attempt to re-identify the information or contact the individual.

Identifiers
1. Names
2. Geographic subunits smaller than state
3. Age
4. Telephone #
5. Fax #
SSN
8. IP addresses
9. Biometric IDs
10. Medical Record Number
11. Health plan beneficiary #
12. Account #
13. Certificate and License #
14. Vehicle ID
15. Medical Device ID
16. URLs
17. Full face photographs
18. Any other unique identifying number, characteristic, or code

Data Shared with Whom?
Includes:
- “Public health authority” for public health activities
- Official of foreign government acting in collaboration with public health authority
- Person exposed to or at risk of contracting or spreading disease

Definition of Public Health Authority
“an agency or authority of the U.S., a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.”

“Minimum Necessary” Data
- Information used/disclosed/requested should be “minimum necessary” needed
- Covered entities may rely on public officials to determine

Not Required by Privacy Rule
- Sharing of data with public health authorities
- Specification of particular activity in law—general authority under law suffices (e.g., to receive data for surveillance activities)
- Specification of data requested by public health in law
- Protection of data received by public health authority unless it is also a covered entity (e.g., a health care provider)

Useful sites

Source
- Health and Human Services, Office of Civil Rights
- Centers for Disease Control and Prevention