Page 1
Computerized Networking of HIV Providers Workshop
Data Security, Privacy and HIPAA: Focus on Privacy
Joy L. Pritts, J.D., Assistant Research Professor
Health Policy Institute, Georgetown University
[email protected]
Page 2
Background
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
“Administrative simplification”
– Encourage electronic health care information infrastructure
– Protect security/privacy of health information
Page 3
Who Is Covered
Covered entities
Health plans
Health care clearinghouses
Health care providers who transmit health claims-type information electronically
Page 4
What Is Covered
Protected Health Information
Information in any format about a person’s:
Health, health care, or payment of health care;
Which identifies or reasonably could be used to identify the person; and
Was created or received by a covered health care plan or provider
Page 5
What is NOT Covered
De-identified information
Qualified statistician has determined only a very small chance of identifying the person from the information; or
All listed identifiers have been removed
– Name
– Dates associated with person (other than year)
– Social Security Numbers
– Etc.
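As an added illustration of the identifier-removal path (example code written for this page, not part of the original workshop slides), the function below de-identifies one patient record: it drops the name and Social Security Number fields the slide lists, reduces every date to its year, and also applies two further safe-harbor rules from 45 C.F.R. § 164.514(b)(2) that the slide folds into “Etc.”: ages over 89 are collapsed to “90+”, and ZIP codes are cut to their first three digits (or “000” where the three-digit area is sparsely populated). The field names, the sample record, the `SPARSE_ZIP3` set and the `[SSN]`/`90+` placeholders are constructed assumptions. Note what it cannot do: a name typed into a free-text note is not recognised, so a regex scrubber is no substitute for keeping identifiers out of narrative fields in the first place.

```python
"""Safe-harbor style de-identification of one patient record (added example)."""
import re
from datetime import date

# Structured fields that are dropped outright. Field names are assumptions.
DIRECT_IDENTIFIER_FIELDS = {"name", "ssn", "mrn", "phone", "email"}
# Date fields that are reduced to the year only.
DATE_FIELDS = {"dob", "visit_date", "test_date"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")

# Constructed sample: three-digit ZIP prefixes that, in this example, cover
# 20,000 people or fewer and therefore must be replaced with "000".
SPARSE_ZIP3 = {"036", "059", "102"}


def year_only(value: str) -> str:
    """Keep only the year of an ISO date; anything unparseable is redacted."""
    m = DATE_RE.fullmatch(value)
    return m.group(1) if m else "REDACTED"


def zip3(value: str) -> str:
    """First three ZIP digits, or 000 for sparsely populated areas."""
    prefix = value[:3]
    return "000" if prefix in SPARSE_ZIP3 else prefix


def age_bucket(dob: str, as_of: date) -> str:
    """Age in years as of a reference date; ages over 89 become '90+'."""
    m = DATE_RE.fullmatch(dob)
    if not m:
        return "REDACTED"
    born = date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age > 89 else str(age)


def scrub_text(text: str) -> str:
    """Remove SSN patterns and reduce embedded dates to years in free text.
    Names inside free text are NOT detected by this function."""
    text = SSN_RE.sub("[SSN]", text)
    return DATE_RE.sub(lambda m: m.group(1), text)


def deidentify(record: dict, as_of: date) -> dict:
    """Return a new record with the listed identifiers removed or generalised."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                      # dropped entirely
        if key == "dob":
            out["birth_year"] = year_only(value)
            out["age"] = age_bucket(value, as_of)
        elif key in DATE_FIELDS:
            out[key] = year_only(value)
        elif key == "zip":
            out["zip3"] = zip3(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record (fictitious person and values).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "dob": "1912-04-12",
    "zip": "03601",
    "visit_date": "2003-02-10",
    "diagnosis": "HIV, on ART",
    "notes": "Pt SSN 123-45-6789, last visit 2003-02-10.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, date(2003, 6, 1)))
```

The reference date is passed in explicitly so the age bucket is reproducible; a production pipeline would also need to cover the remaining safe-harbor categories (device identifiers, URLs, IP addresses, biometrics, photos) and to document that the covered entity has no actual knowledge that what remains could identify the person.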
Page 6
General Structure
Restricts how covered entities can use and disclose protected health information
Grants patients rights (e.g., see, copy, amend own health information)
Imposes “administrative” requirements
Page 8
Uses & Disclosures: In General
Prohibits using and disclosing health information unless
Specifically permitted by regulation or
Authorized by patient
Page 9
If the disclosure does not fit within one of the specifically enumerated purposes in the regulation, you must get the patient’s authorization.
Page 10
Business Associates
Person who performs functions on behalf of covered entity involving use/disclosure of identifiable health information
Can disclose to “business associates” if certain conditions are met
Page 11
Business Associates
Contract or other arrangement that
Establishes permitted uses/disclosures
Provides that business associate will use appropriate safeguards to protect info.
Makes health information available to patients pursuant to access rights
Meets other requirements
Page 12
Minimum Necessary Rule
Requires reasonable effort to limit information to minimum amount necessary to accomplish intended purpose
45 C.F.R. § 164.502(b)
Page 13
Rules for Specific Purposes
Page 14
Treatment, Payment, and Health Care Operations
Regulatory permission to use and disclose for these purposes
Obtaining patient’s consent is permitted
Page 15
Treatment, Payment, and Health Care Operations
Patient has right to request restrictions
Provider does not have to agree to request
Page 16
Treatment, Payment, and Health Care Operations
Minimum necessary rule does not apply to disclosures for treatment purposes
Page 17
“National Priority” Purposes
Required by law
Public health
Health oversight
Law enforcement
Research
To avert serious threats to health or safety
Workers’ compensation
Others
Page 18
“National Priority Purposes”
No patient authorization required
Additional conditions generally imposed varying with the purpose
Page 19
Patient Authorization
Required for uses/disclosures not expressly permitted by regulation
Must conform with standard format
Page 20
Patient Rights
Right to notice of privacy practices
Right to see, copy, and amend record
Right to an accounting of disclosures
– Excludes disclosures made for treatment, payment, & health care operations
Right to request restrictions
Page 21
Administrative Duties
Provide notice of privacy practice
Designate privacy officer & contact person for complaints
Implement safeguards
Develop sanctions for privacy violations
Maintain documentation
Page 22
Issues for Centralized Health Information Networks
Page 23
Is Anyone on the Network Covered by the HIPAA Privacy and Security Regulations?
Page 24
Health Plans
HMOs
Fee-for-service health insurers
Most group health plans
Medicaid programs
State high-risk pools
Any individual or group plan that provides or pays for the cost of medical care
(45 C.F.R. § 160.103)
Page 25
Health Plans
Ryan White CARE funded programs generally are not considered to be health plans, but
May meet the definition of health care provider
65 Fed. Reg. 82479
Page 26
Health Care Clearinghouses
Person/entity that translates health information into/out of standard format
Central database that just stores/transfers information is not a clearinghouse
Page 27
Covered Health Care Providers
Health Care Provider
Practitioners
Facilities
Those who furnish drugs or devices pursuant to prescriptions
Page 28
Covered Health Care Providers
Must engage in standard transactions
– Claims submission/encounter reports
– Verification of eligibility
– Referrals
– Others
Page 29
Covered Health Care Providers (cont’d)
Electronically
– Use of computer
– Fax excluded
Page 30
Impact
It is likely that someone on network will be covered by HIPAA.
If someone is covered, some client-level data will be protected by HIPAA.
Page 31
Impact
Every class of disclosure to central data base must either
Come within permitted disclosures of HIPAA or
Be authorized by patient
Page 32
What Provisions Justify Sharing Health Information With Central Database?
Page 33
Business Associate
If covered entity enters data for treatment purposes
Business associate provisions permit organization that maintains database to store and share with others for treatment purposes
Page 34
Business Associate
Does not permit organization to use or disclose for other purposes
[Diagram: providers send information for treatment to the business associate; the business associate stores it and may use or disclose it only for treatment purposes back to the providers.]
Page 35
“Required by Law”
A covered entity may make any disclosure that is “required by law” without the permission of the individual who is the subject of the information.
Page 36
Disclosures “Required by Law”
When is a use or disclosure “required by law”?
Mandate is contained in law that compels the use or disclosure; and
Is enforceable in a court of law
Page 37
Health Oversight
Permission of the individual who is the subject of the information is not required to disclose protected health information to a health oversight agency for oversight activities authorized by law (45 C.F.R. § 164.512(d)).
Page 38
Health Oversight
Health oversight agency includes
Federal, state, or local entity authorized by law to oversee
Health care system or
Govt. programs for which health information is necessary to determine eligibility or compliance
Page 39
Health Oversight
Overseeing health care system includes
Oversight of health care and health care delivery;
Analysis of trends in health care costs, quality, delivery, and access to care;
Other functions
Page 40
Public Health
May disclose without authorization to public health authority that is authorized by law to collect or receive such information
Page 41
Some Other Considerations
Business associate
Business associate or similar agreements
Patient right of access to information held by business associates
Page 42
Some Other Considerations
Minimum necessary rule applies to disclosures for health oversight and public health
Page 43
Some Other Considerations
State Law
HIPAA does not preempt stronger state law
Most states have laws related to HIV that are in some respects stronger than HIPAA
Page 44
Some Resources
HHS, Office of the Assistant Secretary for Planning and Evaluation (ASPE): http://aspe.hhs.gov/admnsimp/
– Admin. Simp. History
HHS, Office of Civil Rights: http://www.hhs.gov/ocr
– Text of Privacy Regs.
– Guidance
CMS: http://www.cms.hhs.gov/hipaa/hipaa2/default.asp
– Evaluation tool