Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health.

Presentation transcript:

Computerized Networking of HIV Providers Workshop Data Security, Privacy and HIPAA: Focus on Privacy Joy L. Pritts, J.D. Assistant Research Professor Health Policy Institute, Georgetown University

Background
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
• “Administrative simplification”
  – Encourage electronic health care information infrastructure
  – Protect security/privacy of health information

Who Is Covered
Covered entities
• Health plans
• Health care clearinghouses
• Health care providers who transmit health claims-type information electronically

What Is Covered
Protected Health Information
Information in any format about a person’s:
• Health, health care, or payment of health care;
• Which identifies or reasonably could be used to identify the person; and
• Was created or received by a covered health care plan or provider

What is NOT Covered
De-identified information
• Qualified statistician has determined only very small chance of identifying person from information; or
• All listed identifiers have been removed
  – Name
  – Dates associated with person (other than year)
  – Social Security Numbers
  – Etc.

General Structure
• Restricts how covered entities can use and disclose protected health information
• Grants patients rights (e.g., see, copy, amend own health information)
• Imposes “administrative” requirements

General Rules

Uses & Disclosures: In General
Prohibits using and disclosing health information unless
• Specifically permitted by regulation or
• Authorized by patient

If the disclosure does not fit within one of the specifically enumerated purposes in the regulation, you must get the patient’s authorization.

Business Associates  Person who performs functions on behalf of covered entity involving use/disclosure of identifiable health information  Can disclose to “business associates” if certain conditions are met

Business Associates Contract or other arrangement that  Establishes permitted uses/disclosures  Provides that business associate will use appropriate safeguards to protect info.  Makes health information available to patients pursuant to access rights  Meets other requirements

Minimum Necessary Rule Requires reasonable effort to limit information to minimum amount necessary to accomplish intended purpose 45 C.F.R. § (b)

Rules for Specific Purposes

Treatment, Payment, and Health Care Operations  Regulatory permission to use and disclose for these purposes  Obtaining patient’s consent is permitted

Treatment, Payment, and Health Care Operations  Patient has right to request restrictions  Provider does not have to agree to request

Treatment, Payment, and Health Care Operations Minimum necessary rule does not apply to disclosures for treatment purposes

“National Priority” Purposes  Required by Law  Public Health  Health Oversight  Law Enforcement  Research  To Avert Serious Threats to Health or Safety  Workers’ compensation  Others

“National Priority Purposes”  No patient authorization required  Additional conditions generally imposed varying with the purpose

Patient Authorization  Required for uses/disclosures not expressly permitted by regulation  Must conform with standard format

Patient Rights  Right to notice of privacy practices  Right to see, copy, and amend record  Right to an accounting of disclosures –Excludes disclosures made for treatment, payment, & health care operations  Right to request restrictions

Administrative Duties  Provide notice of privacy practice  Designate privacy officer & contact person for complaints  Implement safeguards  Develop sanctions for privacy violations  Maintain documentation

Issues for Centralized Health Information Networks

Is Anyone on the Network Covered by the HIPAA Privacy and Security Regulations?

Health Plans  HMOs  Fee for service health insurers  Most group health plans  Medicaid programs  State high risk pools  Any individual or group plan that provides or pays for the cost of medical care (45 C.F.R. § )

Health Plans  Ryan White CARE funded programs generally are not considered to be health plans, but  May meet the definition of health care provider 65 Fed. Reg

Health Care Clearinghouses  Person/entity that translates health information into/out of standard format  Central database that just stores/transfers information is not a clearinghouse

Covered Health Care Providers Health Care Provider  Practitioners  Facilities  Those who furnish drugs, devices pursuant to prescriptions

Covered Health Care Providers Must engage in:  Standard transactions –Claims submission/encounter reports –Verification of eligibility –Referrals –Others

Covered Health Care Providers (cont’d)  Electronically –Use of computer –Fax excluded

Impact  It is likely that someone on network will be covered by HIPAA.  If someone is covered, some client-level data will be protected by HIPAA.

Impact Every class of disclosure to central data base must either  Come within permitted disclosures of HIPAA or  Be authorized by patient

What Provisions Justify Sharing Health Information With Central Database?

Business Associate  If covered entity enters data for treatment purposes  Business associate provisions permit organization that maintains database to store and share with others for treatment purposes

Business Associate Does not permit organization to use or disclose for other purposes Info. for Treatment Business Associate Info. for Treatment Use Provider

“Required by Law” “Required by Law” Covered entity may make any disclosure that is “required by law” without the permission of individual who is the subject of information.

Disclosures “Required by Law” required by law When is a use or disclosure “required by law”? compels  Mandate is contained in law that compels use or disclosure; and  Is enforceable in court of law

Health Oversight
Permission of individual who is subject of information not required to disclose protected health information to a public health agency for oversight activities authorized by law.

Health Oversight
Public Health Authority includes Federal, state, or regional entity authorized to oversee
• Health care system or
• Govt. programs for which health information is necessary to determine eligibility or compliance

Health Oversight
Overseeing health care system includes
• Oversight of health care and health care delivery;
• Analysis of trends in health care costs, quality, delivery, and access to care;
• Other functions

Public Health
May disclose without authorization to public health authority that is authorized by law to collect or receive such information

Some Other Considerations
Business associate
• Business associate or similar agreements
• Patient right of access to information held by business associates

Some Other Considerations
Minimum necessary rule applies to disclosures for health oversight and public health

Some Other Considerations
State Law
• HIPAA does not preempt stronger state law
• Most states have laws related to HIV that are in some respects stronger than HIPAA

Some Resources
• HHS, (ASPE) Admin. Simp. History
• HHS, Office of Civil Rights Text of Privacy Regs. Guidance
• CMS Evaluation tool