
1 Computerized Networking of HIV Providers Workshop
Data Security, Privacy and HIPAA: Focus on Privacy
Joy L. Pritts, J.D.
Assistant Research Professor
Health Policy Institute, Georgetown University
jlp@georgetown.edu

2 Background
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• “Administrative simplification”
  – Encourage electronic health care information infrastructure
  – Protect security/privacy of health information

3 Who Is Covered
Covered entities
• Health plans
• Health care clearinghouses
• Health care providers who transmit health claims-type information electronically

4 What Is Covered
Protected Health Information
Information in any format about a person’s:
• Health, health care, or payment of health care;
• Which identifies or reasonably could be used to identify the person; and
• Was created or received by a covered health care plan or provider

5 What is NOT Covered
De-identified information
• Qualified statistician has determined only very small chance of identifying person from information; or
• All listed identifiers have been removed
  – Name
  – Dates associated with person (other than year)
  – Social Security Numbers
  – Etc.

6 General Structure
• Restricts how covered entities can use and disclose protected health information
• Grants patients rights (e.g., see, copy, amend own health information)
• Imposes “administrative” requirements

7 General Rules

8 Uses & Disclosures: In General
Prohibits using and disclosing health information unless
• Specifically permitted by regulation or
• Authorized by patient

9 If the disclosure does not fit within one of the specifically enumerated purposes in the regulation, you must get the patient’s authorization.

10 Business Associates
• Person who performs functions on behalf of covered entity involving use/disclosure of identifiable health information
• Can disclose to “business associates” if certain conditions are met

11 Business Associates
Contract or other arrangement that
• Establishes permitted uses/disclosures
• Provides that business associate will use appropriate safeguards to protect info.
• Makes health information available to patients pursuant to access rights
• Meets other requirements

12 Minimum Necessary Rule
Requires reasonable effort to limit information to minimum amount necessary to accomplish intended purpose
45 C.F.R. § 164.502(b)

13 Rules for Specific Purposes

14 Treatment, Payment, and Health Care Operations
• Regulatory permission to use and disclose for these purposes
• Obtaining patient’s consent is permitted

15 Treatment, Payment, and Health Care Operations
• Patient has right to request restrictions
• Provider does not have to agree to request

16 Treatment, Payment, and Health Care Operations
Minimum necessary rule does not apply to disclosures for treatment purposes

17 “National Priority” Purposes
• Required by Law
• Public Health
• Health Oversight
• Law Enforcement
• Research
• To Avert Serious Threats to Health or Safety
• Workers’ compensation
• Others

18 “National Priority Purposes”
• No patient authorization required
• Additional conditions generally imposed varying with the purpose

19 Patient Authorization
• Required for uses/disclosures not expressly permitted by regulation
• Must conform with standard format

20 Patient Rights
• Right to notice of privacy practices
• Right to see, copy, and amend record
• Right to an accounting of disclosures
  – Excludes disclosures made for treatment, payment, & health care operations
• Right to request restrictions

21 Administrative Duties
• Provide notice of privacy practice
• Designate privacy officer & contact person for complaints
• Implement safeguards
• Develop sanctions for privacy violations
• Maintain documentation

22 Issues for Centralized Health Information Networks

23 Is Anyone on the Network Covered by the HIPAA Privacy and Security Regulations?

24 Health Plans
• HMOs
• Fee for service health insurers
• Most group health plans
• Medicaid programs
• State high risk pools
• Any individual or group plan that provides or pays for the cost of medical care (45 C.F.R. § 160.103)

25 Health Plans
• Ryan White CARE funded programs generally are not considered to be health plans, but
• May meet the definition of health care provider
65 Fed. Reg. 82479

26 Health Care Clearinghouses
• Person/entity that translates health information into/out of standard format
• Central database that just stores/transfers information is not a clearinghouse

27 Covered Health Care Providers
Health Care Provider
• Practitioners
• Facilities
• Those who furnish drugs, devices pursuant to prescriptions

28 Covered Health Care Providers
Must engage in:
• Standard transactions
  – Claims submission/encounter reports
  – Verification of eligibility
  – Referrals
  – Others

29 Covered Health Care Providers (cont’d)
• Electronically
  – Use of computer
  – Fax excluded

30 Impact
• It is likely that someone on network will be covered by HIPAA.
• If someone is covered, some client-level data will be protected by HIPAA.

31 Impact
Every class of disclosure to central database must either
• Come within permitted disclosures of HIPAA or
• Be authorized by patient

32 What Provisions Justify Sharing Health Information With Central Database?

33 Business Associate
• If covered entity enters data for treatment purposes
• Business associate provisions permit organization that maintains database to store and share with others for treatment purposes

34 Business Associate
Does not permit organization to use or disclose for other purposes
[Diagram labels: Provider; Info. for Treatment; Business Associate; Info. for Treatment; Use]

35 “Required by Law”
Covered entity may make any disclosure that is “required by law” without the permission of individual who is the subject of information.

36 Disclosures “Required by Law”
When is a use or disclosure “required by law”?
• Mandate is contained in law that compels use or disclosure; and
• Is enforceable in court of law

37 Health Oversight
Permission of individual who is subject of information is not required to disclose protected health information to a public health agency for oversight activities authorized by law.

38 Health Oversight
Public Health Authority includes Federal, state, or regional entity authorized to oversee
• Health care system or
• Govt. programs for which health information is necessary to determine eligibility or compliance

39 Health Oversight
Overseeing health care system includes
• Oversight of health care and health care delivery;
• Analysis of trends in health care costs, quality, delivery, and access to care;
• Other functions

40 Public Health
May disclose without authorization to public health authority that is authorized by law to collect or receive such information

41 Some Other Considerations
Business associate
• Business associate or similar agreements
• Patient right of access to information held by business associates

42 Some Other Considerations
Minimum necessary rule applies to disclosures for health oversight and public health

43 Some Other Considerations
State Law
• HIPAA does not preempt stronger state law
• Most states have laws related to HIV that are in some respects stronger than HIPAA

44 Some Resources
• HHS (ASPE), http://aspe.hhs.gov/admnsimp/ : Admin. Simp. History
• HHS, Office of Civil Rights, http://www.hhs.gov/ocr : Text of Privacy Regs., Guidance
• CMS, http://www.cms.hhs.gov/hipaa/hipaa2/default.asp : Evaluation tool

