Presentation on theme: "Protected Health Information in University Archives Hiding Information or Providing Access in Archives (HIPAA) Erik Moore, Project Archivist University."— Presentation transcript:
Protected Health Information in University Archives Hiding Information or Providing Access in Archives (HIPAA) Erik Moore, Project Archivist University of Minnesota
Project Background Academic Health Center History Project (Univ. of MN) –What is the history of the AHC? –What is needed to tell it? Goals –To identify, collect, and make available the institutional and historical documentation of the AHC –Ensure that this documentation is preserved –Follow professional standards and local, state, & federal policies
What is the Privacy Rule? Is short for the regulation “Standards for Privacy of Individually Identifiable Health Information” [45 CFR 160 & 164] the companion piece to the Health Insurance Portability & Accountability Act (HIPAA) of 1996 The purpose of the Privacy Rule is to establish minimum standards for safeguarding the privacy of individually identifiable health information or PHI (Protected Health Information) Meant to protect privacy of people during the course of care or when seeking access to insurance
What is the Privacy Rule? Establishes 18 elements that are considered identifiable pieces of information including name, address, most dates, SSN, URLs, IP addresses, biometrics & full face photos, and all other unique identifiers Applies to all instances of PHI in any format or context regardless of when it was created including “incidental exposures.”
Quick Definitions A Covered Entity is a health plan, health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a covered transaction. They can be institutions, organizations, or persons. The Privacy Rule applies to all covered entities. A Hybrid Entity is a single institution that performs functions that are both covered and non-covered under the Privacy Rule and can separate the health care components from non health care components within the entity. The Privacy Rule only applies to the covered components or areas for which they have oversight. A Business Associate is a separate entity contracted to provide some of the functions of a covered entity including the handling of PHI.
Key Points Regarding HIPAA The Privacy Rule in HIPAA applies only to covered entities; it does not apply to all persons or institutions that collect individually identifiable health information. –Federal agencies are exempt such as NIH’s Library of Medicine. Other non covered institutions may also be exempt. The Privacy Rule in HIPAA pertains only to PHI created or collected by a covered entity. Personal health information created or collected by a non-covered entity does not have to comply with the Privacy Rule. –Letters written by doctors to patients are covered. Letters written by patients to health professionals are not.
Key Points Regarding HIPAA The Privacy Rule does not "pass through" its requirements to business associates; instead, it requires, typically by contract, satisfactory assurances to the safeguarding of information. –A business associate contracted to handle a function of a covered entity (e.g. records management) is subject to the contract, not the Privacy Rule. –A covered entity is not responsible for any violations a business associate may incur. –The contract cannot allow the business associate to use or disclose PHI for its own purposes.
Key Points Regarding HIPAA De-identified health information is not PHI and thus not protected by the Privacy Rule. –Providing access to a document without any of the 18 PHI elements is not a violation of the Privacy Rule. Enforcement of the Privacy Rule is complaint driven. Covered entities will not be periodically audited or monitored. –There is a level of risk management involved in allowing access to collections that contain or could potentially contain PHI. However, a “don’t ask, don’t tell” policy is not a legitimate professional response.
The University of Minnesota The University of Minnesota is designated as a hybrid entity and has designated the health care components of the University that are covered by the Privacy Rule. The Academic Health Center (AHC) is a covered entity component of the University of Minnesota. The University Archives, a unit of the University Libraries, is a non-covered entity component of the University of Minnesota and is not subject to the Privacy Rule.
The University of Minnesota If the University Archives is not a covered entity, what is the level of access? –The Archives are subject to University wide policy for protecting privacy which is more stringent than HIPAA –University policy does not differentiate between covered and non covered components –Policy mirrors the Privacy Rule by releasing health information for research if a waiver is obtained, IRB approval is granted, information is de-identified, or if it is part of a limited data set –Limited models for operation of university archives with PHI Non covered archives should look toward covered & exempt archives as guide –The Alan Mason Chesney Medical Archives at Johns Hopkins –Archives & Special Collections at Columbia University Medical Center –NIH’s National Library of Medicine
HIPAA and Archival Work: Traditional Approaches Restrict access to only covered entity personnel/IRB approved research –Material that comes from a covered entity would only be available to that covered entity and its associates. Additional access may be provided via application through the Institutional Review Board or Privacy Board. Item level processing until the collection is either cleared or flagged as containing PHI –Labor intensive process that would be reserved for high priority collections. Review/redacting of materials at the time of research request –Labor intensive process that would involve staff reviewing collections on an as needed basis. Potential for error.
HIPAA and Archival Work: Alternative Approaches The Business Associate Model –If archives are Business Associates, would we be limited in providing access to only the covered entity? Can a Business Associate model exist within a hybrid entity? No clear answer from HHS. Providing Access with Provisions –Burden is on the researcher to comply with the Privacy Rule. Use provisions ask researchers not to record or publish incidental PHI found within archival materials. Doing so would result in loss of research privileges and/or a report to the journal or professional society.
HIPAA and Archival Work: Alternative Approaches Online Access and EAD Finding Aids –The HIPAA Compliant Finding Aid (NHPRC Electronic Records Fellowship, N. McCall & C. Arnott Smith) brings together two XML standards EAD & CDA (Clinical Document Architecture) in electronic health records –Comparison with historic medical records and current electronic templates are consistent “More Product, Less Process” Method –If our own benchmarks (and those of our granting agencies) are on a trend away from item level work, how will we know if collections contain PHI? –MPLP and the Privacy Rule are both risk management methods – look to formulate a bridge between the two
Archivists & HIPAA In absence of guidelines, look for precedents –The Privacy Rule [45 CFR ] defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge” –In regards to IRBs and oral history, HHS does not equate human subject research with historical research stating: While historians reach for meaning that goes beyond the specific subject of their inquiry, unlike researchers in the biomedical and behavioral sciences they do not reach for generalizable principles of historical or social development, nor do they seek underlying principles or laws of nature... Historians explain a particular past; they do not create general explanations about all that has happened in the past, nor do they predict the future. –Is the answer to the way we manage the collections in the definition of research?
References & Resources Catherine Arnott Smith & Nancy McCall, “Developing the HIPAA-Aware Finding Aid” NHPRC Electronic Records Research Fellowship Program Accessed 13 March Lesley Brunet, “Documenting Cancer Medicine and Science at The University of Texas M.D. Anderson Cancer Center” Archival Elements (2006). Accessed 3 April Timothy Ericson & Jodi Koste “Letter from SAA to HHS Secretary Tommy Thompson Regarding HIPAA” The Watermark 27 (Winter ). Accessed 7 February Nancy McCall, “The Impact of the HIPAA Privacy Rule on the Ability to Access and Utilize Archives” Testimony of Nancy McCall. Panel 3--Decedent Health Information, Subcommittee on Privacy and Confidentiality, National Committee on Vital and Health Statistics. Accessed 13 March
References & Resources Stephen E. Novak, “The Health Insurance Portability and Accountability Act of 1996: It’s Implications for History of Medicine Collections” The Watermark 26 (Summer 2003). Accessed 30 March _____, Testimony of Stephen Novak. Panel 3--Decedent Health Information, Subcommittee on Privacy and Confidentiality, National Committee on Vital and Health Statistics. Accessed 13 March Oral History Association, “Institutional Review Boards and Human Subjects Research.” Accessed on 3 April US Department of Health & Human Services, Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule. Accessed 30 March
References & Resources US Department of Health & Human Services, National Institutes of Health, National Library of Medicine, “Access to Health Information of Individuals.” Accessed 30 March US Department of Health & Human Services, Office for Civil Rights, “Standards for Privacy of Individually Identifiable Health Information.” Accessed 30 March University of Minnesota, “Academic/Administrative Policy : Administration & Oversight for Protection of Individual Health Information (HIPAA).” Accessed 30 March See also the Science, Technology & Health Care Roundtable (STHC) and the Archivists and Librarians in the History of the Health Sciences (ALHHS) “HIPAA Resource Page.” Accessed 7 February