1 Health Information Privacy: Scope, Structure, and Implementation Lance Gable, JD, MPH Professor of Law Wayne State University Law School

2 A Quick Overview  Objective One Understand the basic principles of health information privacy, confidentiality, and security.  Objective Two Assess the existing universe of legal protections for the privacy and confidentiality of health data.  Objective Three Examine the scope, structure, and implementation of the HIPAA Privacy Rule  Objective Four Discuss the impact of the HIPAA Privacy Rule on public health authorities.  Objective Five Explore new legal developments related to health information privacy

3 Objective One Understand the basic principles of health information privacy, confidentiality, and security.

4 Health Information Privacy - Key Terms Privacy - an individual’s right to control circumstances where their identifiable health information data is collected, used, stored, and transmitted. Confidentiality - privacy interests that arise from a specific relationship (e.g., doctor/patient, researcher/subject) and corresponding legal and ethical duties. Security – technological, organizational, or administrative safeguards or tools to protect identifiable health information from unwarranted access or disclosure.

5 Health Information Privacy - Key Terms If the security safeguards in an automated system fail or are compromised, a breach of confidentiality can occur and the privacy of data subjects invaded. Willis Ware, Lessons for the Future: Dimensions of Medical Record Keeping, in Health Records: Social Needs and Personal Privacy 43 (Task Force on Privacy, U.S. Department of Health and Human Services (1993) (

6 Health Information Privacy – Key Concepts  Protecting health information privacy requires legal protections addressing 4 types of data exchanges: Acquisitions: acquiring or accessing identifiable health data by an entity Uses: the sharing, employment, examination, or analyses of identifiable health data within an entity Disclosures: the release, transfer, provision of, access to, or divulging identifiable health data outside an entity that holds it. Storage: keeping identifiable health data in any medium within an entity that is not actively using the data

7 Health Information Privacy - Key Concepts Disclosure Acquisition Use Storage

8 Risks to Health Information Privacy Disclosure of health data: Accessibility and intimate nature of health data combine to harm those whose privacy is violated. Unwarranted disclosures can cause social, psychological and economic harm. Emerging computer technologies threaten individual privacy. Synergies: Protecting health information privacy is essential to the functioning of health care and public health systems.

9 Synergies of Health Information Privacy Absent privacy protections, patients and others will avoid some clinical, public health, and research interventions. Only through the responsible sharing of some health data may improvements in health care and community health be made.

10 Health Information Privacy - Communal Needs for Identifiable Health Data Individual privacy protections must be balanced with legitimate communal uses of health data like health research and public health.

11 Objective Two Assess the existing universe of legal protections for the privacy and confidentiality of health data.

12 The Universe of Health Information Privacy Laws and Policies  A host of laws of every type at every level of government, affecting multiple types of entities, and covering an array of health data are all part of the universe of health information privacy laws.

13 The Universe of Health Information Privacy Laws and Policies – Types of Laws Types of Laws TreatiesConstitutionsStatutesRegulationsPoliciesCasesCompacts

14 The Universe of Health Information Privacy Laws and Policies – Levels of Government Govern- ment InternationalNationalStateTribalCountyCityCommunity

15 The Universe of Health Information Privacy Laws and Policies – Regulated Entities Entities Public Health Researchers Law Enforcement National Security Health Providers NGOs Private Industry Health Insurers

16 The Universe of Health Information Privacy Laws and Policies – Examples of Types of Health Data Health Data Public Health ResearchGeneticCancerHIV/AIDS Mental Health Medical Birth defects

17 The Universe of Health Information Privacy Laws and Policies  Underlying all of these laws are some essential features: Focus is almost always on individual (as contrasted with group) privacy protections Only identifiable health data are covered (as non-identifiable data do not require individual health privacy protections Consistent need to balance individual and communal interests in identifiable health data Failure of many laws to address modern electronic exchanges of health data

18 The Universe of Health Information Privacy Laws and Policies  In combination, this existing universe of laws provides a “patchwork quilt” of privacy protections  Health information privacy protections vary across the U.S.  Inconsistencies in interpretation, application, and analyses inevitably arise.

19 Objective Three Examine the scope, structure, and implementation of the HIPAA Privacy Rule as related to health care providers and public health authorities.

20 Health Information Privacy - Modern Protections HIPAA The Health Insurance Portability and Accountability Act of 1996

21 HIPAA and the Basis for Health Info. Privacy HIPAA seeks to: > Increase access to health insurance > By reducing insurance costs > By lowering administrative costs > By transmitting electronic data > Under enhanced health info. privacy protections > That encourage people to seek health care!

22 Health Information Privacy - Modern Protections HIPAA = Administrative Simplification Provisions = Standards for Privacy of Individually Identifiable Health Info. = Health Information Privacy Regulations = 45 CFR Parts 160 – 164 = The Privacy Rule

23 HIPAA Privacy Rule – A Brief Timeline August, 21, HIPAA passes Congress and was signed into law. August 21, Congress fails to pass health info. privacy law. August, January, Absent Congressional action, DHHS was authorized to produce administrative regulations. April 14, After months of work and public commentary, DHHS finalizes its Privacy Rule with President Bush’s approval. August 14, Bush administration modifies original Rule. April 14, The Rule becomes effective for most “covered entities” [or one year later for small health plans]. April 14, The Rule is fully effective for all covered entities.

24 HIPAA Privacy Rule – Scope, Structure, and Implementation What is covered? Who is covered? How is it covered? What about other laws? What about violations?

25 What Is Covered? “Protected Health Information (PHI)” individually-identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally. 45 C.F.R

26 What Is Covered? “ Protected Health Information (PHI)” DOES NOT include: Education records covered by FERPA; Employment records held by a covered entity in its role as employer; Non-identifiable health information 45 C.F.R

27 Who Is Covered? “ Covered Entities (CEs):  Health Plans  Health Care Clearinghouses  Health Providers - that exchange identifiable health data electronically  and their business associates 45 C.F.R

28 Who Is Covered? Business associates include :  Claims or data processors  Billing companies  Quality assurance providers  Utilization reviewers  Lawyers  Accountants  Financial service providers 45 C.F.R

29 Who Is Covered? Beyond CE’s and their Business Associates are those who engage in: Covered functions – those functions of a covered entity the performance of which makes the entity a health plan, health care providers, or health care clearinghouse. 45 CFR Hybrid entities that perform both “covered” and “not covered” functions MAY have to adhere to relevant portions of the Privacy Rule to the extent to which some part of the entity conducts these activities.

30 Who Is Not Covered? Life insurances companies Auto insurance companies Worker’s compensation carriers Employers Others who may still acquire, use, and disclose vast quantities of health data

31 How is PHI Covered? Boundaries - setting limits on uses and disclosures Security - imposing security requirements Fair Information Practices - allowing individuals some level of access to their health data Accountability - making covered entities accountable for handling and abuses

32 How is PHI Covered? Boundaries  – Uses and Disclosures – General Rules  – Uses and Disclosures – Organizational Req.  – Uses and Disclosures – Std. Transactions  – Uses and Disclosures – Authorization Req.  – Uses and Disclosures – Individual Oppy.  – Uses and Disclosures – No Authorization Req.  – Uses and Disclosures – Other Requirements

33 How Are Uses/Disclosures Regulated? CEs may use or disclose PHI without individual informed consent to carry out treatment, payment, or health care operations (aka. Standard transactions).

34 How Are Uses/Disclosures Regulated? Otherwise, uses or disclosures of PHI require either individual opportunities to object or written authorizations pursuant to the “anti-disclosure rule.” “Except as otherwise permitted or required..., a CE may not use or disclose PHI without an authorization... “ 45 CFR (a)(1)

35 How Are Uses/Disclosures Regulated? 2 Major Categories of Uses or Disclosures Requiring Individual Opportunity to Object Family Directories Individual Health Care Purposes 45 CFR

36 How are Uses/Disclosures Regulated? Some exceptions to the anti-disclosure rule: Law Enforcement Judicial and Administrative Proceedings Decedents Health emergencies Limited Commercial Marketing Minors Health Research Public Health

37 Specific Public Health-based exceptions include disclosures:  To maintain quality, safety or effectiveness of FDA products  To notify people exposed to communicable diseases  Concerning work-related injuries  About victims of abuse, neglect or domestic violence  Health oversight activities  Prevent serious threats to people or the general public

38 How is PHI Covered? Security – Security Standards – Generally Administrative Safeguards Physical Safeguards Technical Safeguards Organizational Requirements CIA – Confidentiality, Integrity, and Availability

39 How is PHI Covered? Fair Information Practices – Rights to Request Privacy Protections  Request Restrictions on Uses and Disclosures  Confidential Communications – Individual Access to PHI – Amendment of PHI

40 How is PHI Covered? Accountability – Notice  Rights  Content  Provision – Accounting  Rights  Content  Provision

41 What About Other Laws? Federal/State Constitutions Federal/State Statutory Laws Federal/State Administrative Laws Federal/State Judicial Law Does the privacy rule supplant these laws?

42 Does the Privacy Rule Supplant These Laws? No, the Privacy Rule creates a floor of federal protections. Existing federal or state laws that provide greater health information privacy protections or do not otherwise conflict with the Rule remain in effect. Like a patchwork quilt, they lay over Privacy Rule protections.

43 What About Violations? Violations or breaches of the Privacy Rule may result in: Complaints filed with the Secretary of HHS; Ensuing investigation by the Secretary; Compliance reviews by the Secretary; Informal resolution by the Secretary whenever possible; and Imposition of civil penalties, which can be collected through release of federal debts owed to the entity. Does not include criminal sanctions against individuals 45 CFR Civil and criminal penalties have rarely been assessed. HHS has focused almost exclusively on compliance reviews and investigations.

44 What About Violations? DHHS Office of Civil Rights, Compliance and Enforcement Numbers at a Glance, (visited May 10, 2007).

45 What About Violations? DHHS Office of Civil Rights, Compliance and Enforcement Numbers at a Glance, (visited May 10, 2007).

46 What About Violations? DHHS Office of Civil Rights, Compliance and Enforcement Numbers at a Glance, (visited May 10, 2007).

47 What About Violations? Beyond formal or informal approaches to addressing violations pursuant to the Privacy Rule are: Judicial uses of the Privacy Rule as a per se standard for protecting health information privacy; Contractual obligations to adhere to the Privacy Rule  Business Associates  Limited Data Sets Institutional, corporate, and organizational policies requiring adherence to the Rule

48 Objective Four Discuss the impact of the HIPAA Privacy Rule on public health authorities.

49 Impact of the Privacy Rule on Public Health Externally – how does the Rule impact the flow of identifiable health data into or out of public health agencies? Internally – what are ways that the Rule affects the practice of public health or public health research done by public health agencies or its partners?

50 External Impacts of the Privacy Rule on Public Health The public health exception within the HIPAA Privacy Rule allows a covered entity to disclose PHI without individual authorization to a “public health authority that is authorized by law to collect and receive such information for the purpose of preventing and controlling disease, injury, or disability, including... reporting of disease... and the conduct of public health surveillance....”

51 External Impacts of the Privacy Rule on Public Health Beyond this general authorization, specific public health-based exceptions include disclosures: To maintain the quality, safety, or effectiveness of FDA products To notify persons exposed to communicable diseases Concerning work-related injuries About victims of abuse, neglect, or domestic violence For health oversight activities To prevent serious threats to persons or the public

52 Who Is a Public Health Authority? A public health authority is an: agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency... that is responsible for public health matters as part of its official mandate.

53 Who Is a Public Health Authority? Public health authorities include: State or Tribal Health Departments Local Health Departments Contractors/others acting under authority of these agencies

54 What About State Public Health Reporting Laws?  All states require health care providers to report communicable diseases and other conditions The specific diseases or conditions vary from state to state May be found in statutory or regulatory laws  The Privacy Rule does not pre-empt (or override) state law that “provides for the reporting of disease or injury... or for the conduct of public health surveillance [or] investigation....”

55 Internal Impacts of the Privacy Rule on Public Health To the extent that public health authorities use or disclose identifiable health data for public health purposes, they are not “covered entities,” and are thus not required to adhere to the provisions of the Privacy Rule. Simply stated – public health authorities performing public health practice activities are not covered by the Privacy Rule

56 Internal Impacts of the Privacy Rule on Public Health Public Health Authorities As Providers/Plans A profound area of potential internal impact concerns those activities of public health authorities that resemble the provision of health care (e.g. direct delivery of health services to disadvantaged individuals) or administration of health plans (e.g., state “well person” programs).

57 Internal Impacts of the Privacy Rule on Public Health  Public health authorities doing health care/plan activities may be considered as engaging in “covered functions.” If so, these activities would be deemed as covered under the Rule.  Thus, a local health clinic that provides flu vaccines or other health services for a minimal charge (and bills electronically) may be engaged in “covered functions.”

58 Internal Impacts of the Privacy Rule on Public Health Many state and local public health authorities declare themselves as Hybrid Entities pursuant to the Privacy Rule. The practical effect of hybrid status is that the public health authority must only adhere to the Privacy Rule concerning those components of its practices that are covered. Other parts of the PHA may not have to adhere to the same requirements concerning their duties.

59 Objective Five Explore new legal developments related to health information privacy

60 Nationwide Health Information Network  Understanding and resolving legal and policy issues, such as those related to variations in states’ privacy laws;  Ensuring that only the minimum amount of information necessary is disclosed to only those entities authorized to receive the information;  Ensuring individuals’ rights to request access and amendments to their own health information; and  Implementing adequate security measures for protecting health information. GAO, Health Information Technology, GAO (January 2007).

61 Genetic Non-Discrimination Act  The Genetic Information Nondiscrimination Act (HR 493) passed the House April 25, It would:  Ban health insurers and group plans from using genetic information to determine eligibility or rates.  Prohibit employers from using genetic information in hiring, firing, job placement or promotion decisions.  Protect individuals until the point of diagnosis, when the Americans with Disabilities Act would assume jurisdiction.  Michigan has similar protections under state law, but not all states have enacted privacy protections for genetic information.

62 Conclusions A multitude of health information privacy laws and policies attempt to balance individual and communal interests in acquisitions, uses, and disclosures of identifiable health data The HIPAA Privacy Rule presents a national health information privacy standards in the U.S. The Privacy Rule creates a Floor [but not a ceiling] for privacy protections The Rule impacts public health authorities in internal and external ways related to their practice and research activities Other legislative efforts are seeking to expand privacy protections for health information

63 Resources  Department of Health and Human Services: Office of Civil Rights – HIPAA:  U.S. Government Accountability Office:  National Conf. of State Legislatures - HIPAA: m m  Michigan HIPAA Information: _ ,00.html _ ,00.html

64 Resources, cont.  HIPAA Listserv(s): Go to “Browse” and enter Keyword “HIPAA”  National Committee on Vital and Health Statistics (NCVHS):  Designated Standard Maintenance Organizations:  Workgroup for Electronic Data Interchange (WEDI): Strategic National Implementation Process (SNIP):

65 Thank You! For more information, contact me at Special thanks to Nicole Rowley for research assistance and to Professor James G. Hodge, Jr., and the Centers for Disease Control and Prevention for use of some of these slides.