Presentation on theme: "The Impact of HIPAA on access to Medical Archives: An Archivist’s Perspective Presentation to American Association for the History of Medicine May 10,"— Presentation transcript:
The Impact of HIPAA on access to Medical Archives: An Archivist’s Perspective Presentation to American Association for the History of Medicine May 10, 2014 Phoebe Evans Letocha Alan Mason Chesney Medical Archives Johns Hopkins Medical Institutions firstname.lastname@example.org email@example.com
Patient Related Materials = Hidden Collections Fewer resources devoted to processing Hidden to archivists as well as researchers because not in catalogs Lack of adequate description
HIPAA Background and Dates 1996 - Health Insurance Portability and Accountability Act (HIPAA) adopted by Congress April 14, 2003 - Privacy Rule of HIPAA goes into effect July 2010 - OCR proposes changes to the Privacy Rule as a result of the HITECH ACT January 25, 2013 - OCR publishes its final rule to implement the privacy and enforcement provisions of the HITECH Act and modifies the HIPAA Privacy, Security and Enforcement rules issued under HIPAA March 26, 2013 - Effective date September 23, 2013 – Compliance date September 23, 2014 – Deadline for covered entities revise existing Business Associate Agreements
Who is covered by HIPAA and the changes in HIPAA? Covered Entity - A health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard. Business Associates of Covered Entities - A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.
To what extent would archival repositories be considered part of covered entities or business associates of covered entities? HIPAA places responsibility on individual institutions to determine designation of archives and other departments as part of Covered entity Covered function in hybrid entity Non-covered function in hybrid entity Non-covered entity Business Associate of a covered entity Sub-contractors of business associates of a covered entity
Other protections for health information Repositories within HIPAA covered and non-covered entities must also: Comply with state laws applying to medical records and health information in holdings Comply with the Federal Common Rule for Protection of Human Subjects Adhere to institutional requirements for protection of health information Observe donor agreements for protecting health privacy Even if not subject to HIPAA, examine the ethical considerations related to the access and use of health information
Definition: Protected Health Information PHI is individually identifiable health information transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records and excluding information on those individuals who have been deceased for longer than 50 years.
Set of 18 Identifiers that must be removed to de- identify health information names geographic subdivisions smaller than a state all elements of dates (except year) telephone numbers facsimile numbers electronic mail addresses social security numbers medical record numbers health plan beneficiary numbers account numbers certificate/license numbers vehicle identifiers and serial numbers device identifiers and serial numbers web universal resource locators (URLs) internet protocol (IP) address numbers biometric identifiers full-face photographic images Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification
Change in the Definition of Decedent PHI Between April 14, 2003 and March 25, 2013, Protected Health Information of decedents was defined as being protected by HIPAA in perpetuity. Starting March 26, 2013, PHI no longer includes health information of individuals who have been deceased for over 50 years, ie those who died before March 26, 1963. New definition lifts protection for individually identifiable health information of those known to be deceased for 50+ years. HHS declined to designate a date from record creation when records would be presumed to relate to individuals deceased 50+years.
Implications of Change in definition of PHI Change in definition allows greater access and use of health information that is no longer covered by HIPAA Option for repositories to develop less restrictive access policies for users requesting access to this material Ability for researchers to publish and use health information that is no longer protected Ability for archives to digitize and disseminate health information that is no longer protected, such as images
Is the information Individually Identifiable Health Information? [Health information containing any of the 18 specified HIPAA identifiers] No Yes Legally permitted to disclose Did the information come from a medical record? Policy Considerations [ Should attempt to honor any limitations or refusal from a personal representative of which we are aware.] [ Others?] Is the individual deceased for more than 50 years? Legally permitted to disclose HIPAA requirements to disclose HIPAA requirements and Maryland Law requirements to disclose Meet Maryland law requirements to disclose No Yes No Yes Draft decision tree prepared 3/12/13 by Don Bradfield, Senior Counsel, Johns Hopkins Health System. Decisions are based on Maryland Law. Other state or local law could result in different decision process.
Archival examples: Patient Record Operative Note Operative Note created by Alfred Blalock, surgeon who treated this Blue Baby case. Patient has been deceased more than 50 years but record would be considered a medical record. While record is no longer protected by HIPAA, it still requires protection under state medical records statute and the redaction of personal identifiers. Removal of identifiers may have little impact on intellectual content
Information may still be protected by State Medical Records Statutes HIPAA does not define the term “Medical Record” Medical records traditionally include: Unit medical record, whether paper or electronic, usually held by hospital medical records office or other provider based centralized filing systems Other records used to make health care decisions about the individual patient
Determining if information came from a medical record Medical Records could also include: Correspondence (including email) containing patient-provider or provider-provider communications regarding care or treatment of specific patients Research notes regarding treatment for specific patients Patient diagnostic images Gray areas may include: Patient Logbooks Patient Diagnostic Indices Research records that include health information but were not used to make health care decisions about individuals
Determining if an individual subject of PHI has been deceased for more than 50 years Less than 70 years old No Not covered by HIPAA Determine how old the subject would have been 50 years ago. Individual is likely to have been alive 50 years ago. Individual may have been alive 50 years ago. Yes Between 70 to 85 years old Information about this individual is still likely protected by HIPAA Is the death date known? More than 50 years ago Less than 50 years ago Covered by HIPAA Determine the age of the subject at the date of record creation. Between 85 to 100 years old Between 100 to 115 years old Over 115 years old Individual would have been deceased 50 years ago Information about this individual is highly unlikely to be protected by HIPAA Likelihood that the individual was alive 50 years ago decreases. Information about this individual may still be protected by HIPAA Individual unlikely to have been alive 50 years ago Information about this individual is unlikely to be protected by HIPAA Information about this individual is of decreased likelihood to be protected by HIPAA Decision tree prepared by Phoebe Evans Letocha, Collections Management Archivist, Johns Hopkins Medical Institutions, 5/14/2013
Policy Considerations What level of risk is the repository willing to accept? How sensitive is the information? How will the information be used? What is the risk of re-disclosure?
Risk of Non-Compliance Greater risk of regulatory scrutiny and fines for covered entities and their business associates Larger penalties and enforcement provision Maximum fines can be up to $50,000 per violation per day, per patient, up to a maximum of $1.5 million per year for the same violation Amounts can increase with multiple violations 4 tiers of monetary penalties based on culpability levels: 1.Reasonable diligence would not have revealed the violation 2.Violation is due to reasonable cause, not willful neglect 3.Violation is due to willful neglect that is corrected within 30 days 4.Violation is due to willful neglect that is not corrected within 30 days
What is Research? Definition of Research under the HIPAA Privacy Rule and the Federal Common Rule A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
Authorizations for access under the HIPAA Privacy Rule Individual authorizations – Subject of health information – Legal representative of subject of health information Institutional authorizations for research – Waivers issued by Privacy Board or IRB for research involving living individuals – Research on decedents – Review preparatory to research – Data use agreement for limited data sets Other allowable institutional uses or disclosures – Treatment, payment, and health care operations – Health care emergencies, law enforcement and government oversight
Privacy Board at JHMI Joint institutional board of The Johns Hopkins Hospital and the Johns Hopkins University schools of Medicine, Nursing, and Public Health for access to records, data, and information held by: – Alan Mason Chesney Medical Archives of the Johns Hopkins Medical Institutions – Health Information Management Division of The Johns Hopkins Hospital (for access to medical records created more than 50 years ago) – Department of Art as Applied to Medicine Allows research using these institutional materials when it is legally and ethically responsible to do so Administered by the Medical Archives Individuals both affiliated and not affiliated with Johns Hopkins are eligible to submit applications.
Analysis of Privacy Board applications at Johns Hopkins April 2003- April 2014 233 numbered cases 200 approved (86% of all cases, 96% of reviewed cases) 8 not approved 25 application incomplete and not submitted for review (10%) 80 cases requested access to patient related materials (34%) – Requests for patient materials have increased since 2011 to 48% of all cases Privacy board waivers have enabled the Medical Archives to provide access to unprocessed collections
Obtaining authorization to publish Protected Health Information Institutions cannot authorize publication of PHI Only individual subjects or their personal representatives can authorize publication Difficulty in locating personal representatives of decedents Change in the Privacy Rule may allow publication of some health information without the need to obtain authorization Information of individuals who have been deceased 50+ years Information from medical records may still be governed by state laws Redaction or de-identification may be necessary
Limitations of redaction Patient Record Logbook May diminish the research value of the document
Examples of De-identified Documents Correspondence Redaction may diminish intellectual content of document Challenging due to free text structure Labor intensive and costly
Examples of De-identified Documents Photographs Redaction may diminish content and aesthetic value of the image
Presenter Phoebe Evans Letocha Collections Management Archivist firstname.lastname@example.org Alan Mason Chesney Medical Archives of the Johns Hopkins Medical Institutions ALHHS HIPAA resource page www.alhhs.org