Computerized Networking of HIV Providers Workshop. Data Security, Privacy and HIPAA: Focus on Privacy. Joy L. Pritts, J.D., Assistant Research Professor, Health Policy Institute, Georgetown University. [email protected]

Dec 29, 2015


Alicia Watson
Transcript
Page 1: Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.

Computerized Networking of HIV Providers Workshop

Data Security, Privacy and HIPAA: Focus on Privacy

Joy L. Pritts, J.D.
Assistant Research Professor

Health Policy Institute, Georgetown University

[email protected]

Page 2

Background

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

“Administrative simplification”
– Encourage electronic health care information infrastructure
– Protect security/privacy of health information

Page 3

Who Is Covered

Covered entities

Health plans

Health care clearinghouses

Health care providers who transmit health claims-type information electronically

Page 4

What Is Covered

Protected Health Information

Information in any format about a person’s:

Health, health care, or payment of health care;

Which identifies or reasonably could be used to identify the person; and

Was created or received by a covered health care plan or provider

Page 5

What is NOT Covered

De-identified information

Qualified statistician has determined only very small chance of identifying person from information; or

All listed identifiers have been removed
– Name
– Dates associated with person (other than year)
– Social Security Numbers
– Etc.

Page 6

General Structure

Restricts how covered entities can use and disclose protected health information

Grants patients rights (e.g., see, copy, amend own health information)

Imposes “administrative” requirements

Page 7

General Rules

Page 8

Uses & Disclosures: In General

Prohibits using and disclosing health information unless

Specifically permitted by regulation or

Authorized by patient

Page 9

If the disclosure does not fit within one of the specifically enumerated purposes in the regulation, you must get the patient’s authorization.

Page 10

Business Associates

Person who performs functions on behalf of covered entity involving use/disclosure of identifiable health information

Can disclose to “business associates” if certain conditions are met

Page 11

Business Associates

Contract or other arrangement that

Establishes permitted uses/disclosures

Provides that business associate will use appropriate safeguards to protect info.

Makes health information available to patients pursuant to access rights

Meets other requirements

Page 12

Minimum Necessary Rule

Requires reasonable effort to limit information to minimum amount necessary to accomplish intended purpose

45 C.F.R. § 164.502(b)

Page 13

Rules for Specific Purposes

Page 14

Treatment, Payment, and Health Care Operations

Regulatory permission to use and disclose for these purposes

Obtaining patient’s consent is permitted

Page 15

Treatment, Payment, and Health Care Operations

Patient has right to request restrictions

Provider does not have to agree to request

Page 16

Treatment, Payment, and Health Care Operations

Minimum necessary rule does not apply to disclosures for treatment purposes

Page 17

“National Priority” Purposes

Required by Law

Public Health

Health Oversight

Law Enforcement

Research

To Avert Serious Threats to Health or Safety

Workers’ compensation

Others

Page 18

“National Priority Purposes”

No patient authorization required

Additional conditions generally imposed varying with the purpose

Page 19

Patient Authorization

Required for uses/disclosures not expressly permitted by regulation

Must conform with standard format

Page 20

Patient Rights

Right to notice of privacy practices

Right to see, copy, and amend record

Right to an accounting of disclosures
– Excludes disclosures made for treatment, payment, & health care operations

Right to request restrictions

Page 21

Administrative Duties

Provide notice of privacy practice

Designate privacy officer & contact person for complaints

Implement safeguards

Develop sanctions for privacy violations

Maintain documentation

Page 22

Issues for Centralized Health Information Networks

Page 23

Is Anyone on the Network Covered by the HIPAA Privacy and Security Regulations?

Page 24

Health Plans

HMOs

Fee for service health insurers

Most group health plans

Medicaid programs

State high risk pools

Any individual or group plan that provides or pays for the cost of medical care

(45 C.F.R. § 160.103)

Page 25

Health Plans

Ryan White CARE funded programs generally are not considered to be health plans, but

May meet the definition of health care provider

65 Fed. Reg. 82479

Page 26

Health Care Clearinghouses

Person/entity that translates health information into/out of standard format

Central database that just stores/transfers information is not a clearinghouse

Page 27

Covered Health Care Providers

Health Care Provider

Practitioners

Facilities

Those who furnish drugs, devices pursuant to prescriptions

Page 28

Covered Health Care Providers

Must engage in:

Standard transactions
– Claims submission/encounter reports
– Verification of eligibility
– Referrals
– Others

Page 29

Covered Health Care Providers (cont’d)

Electronically
– Use of computer
– Fax excluded

Page 30

Impact

It is likely that someone on network will be covered by HIPAA.

If someone is covered, some client-level data will be protected by HIPAA.

Page 31

Impact

Every class of disclosure to central data base must either

Come within permitted disclosures of HIPAA or

Be authorized by patient

Page 32

What Provisions Justify Sharing Health Information With Central Database?

Page 33

Business Associate

If covered entity enters data for treatment purposes

Business associate provisions permit organization that maintains database to store and share with others for treatment purposes

Page 34

Business Associate

Does not permit organization to use or disclose for other purposes

[Diagram labels: Info. for Treatment; Business Associate; Use; Provider; Provider]

Page 35

“Required by Law”

Covered entity may make any disclosure that is “required by law” without the permission of individual who is the subject of information.

Page 36

Disclosures “Required by Law”

When is a use or disclosure “required by law”?

Mandate is contained in law that compels use or disclosure; and

Is enforceable in court of law

Page 37

Health Oversight

Permission of individual who is subject of information not required to disclose protected health information to a public health agency for oversight activities authorized by law.

Page 38

Health Oversight

Public Health Authority includes

Federal, state, or regional entity authorized to oversee

Health care system or

Govt. programs for which health information is necessary to determine eligibility or compliance

Page 39

Health Oversight

Overseeing health care system includes

Oversight of health care and health care delivery;

Analysis of trends in health care costs, quality, delivery, and access to care;

Other functions

Page 40

Public Health

May disclose without authorization to public health authority that is authorized by law to collect or receive such information

Page 41

Some Other Considerations

Business associate

Business associate or similar agreements

Patient right of access to information held by business associates

Page 42

Some Other Considerations

Minimum necessary rule applies to disclosures for health oversight and public health

Page 43

Some Other Considerations

State Law

HIPAA does not preempt stronger state law

Most states have laws related to HIV that are in some respects stronger than HIPAA

Page 44

Some Resources

HHS (ASPE): http://aspe.hhs.gov/admnsimp/
– Admin. Simp. History

HHS, Office of Civil Rights: http://www.hhs.gov/ocr
– Text of Privacy Regs.
– Guidance

CMS: http://www.cms.hhs.gov/hipaa/hipaa2/default.asp
– Evaluation tool