The PRISM Privacy Tool: A User’s Guide
PHDSC Home Page
PRISM Web Page

What is PRISM?
- A framework for understanding the basic legal privacy requirements for the use and disclosure of health information
- Created to help public sector health programs understand and apply state and federal privacy laws to their activities

What is PRISM? (cont’d)
- An electronic, web-based tool
- Set up as web tables to easily access and focus information relevant to a specific situation
- Multiple tables created to inform all the common public sector health functions
Purpose of PRISM
- Identifies and defines the baseline conditions and requirements that a government or other health entity must follow when using and disclosing specific types of health information
- Organizes key privacy requirements related to uses and disclosures to provide direction to improve privacy policies, procedures, and compliance

What Information is in PRISM?
- Uses the HIPAA privacy rule to set the basic framework
- Incorporates other federal privacy laws, such as 42 CFR pt. 2 and FERPA, where relevant
- References common provisions in state law
- Focuses on DISCLOSURES of health information done by public programs

What Information is in PRISM? (cont’d)
- Includes other laws or requirements that may have an impact
- Provides additional information on how the requirement may be interpreted or applied in public programs
Why was PRISM developed?
- Addresses a gap in federal HIPAA privacy guidance
- HIPAA requirements do not always map to public sector health program activities

Why was PRISM developed? (cont’d)
- Public sector health programs often combine multiple activities and functions, so rule application can be confusing
- Useful for most payer and provider entities, whether public or private
Who developed PRISM?
- Developed through the Public Health Data Standards Consortium (PHDSC)
- Funded by the National Center for Health Statistics (NCHS)
- Development oversight provided by the Consortium’s Privacy, Security, and Data Sharing Committee (PSDSC)

Who developed PRISM? (cont’d)
- Content developed by Consortium members:
  - Walter Suarez, MD, PHDSC President
  - Vicki Hohner, Co-Chair, PSDS Committee
- Legal Reviewer: Joy Pritts, JD, Senior Policy Analyst and HIPAA Privacy expert, Georgetown University
How is PRISM structured?
- Three separate tables for common public sector health-related functions:
  - Public Health Authority
  - Provider
  - Payer
- Focus is on disclosures of specific types of identifiable health information

How is PRISM structured? (cont’d)
- Tables organized by Disclosure Purpose:
  - Treatment, Payment, Operations
  - Required by law (public health, health oversight)
  - Judicial/administrative proceedings, law enforcement

How is PRISM structured? (cont’d)
- Tables organized by Disclosure Purpose and by Type of Information:
  - HIV, immunizations, medical records
  - Separate section for minors
- Separate table addressing who (as the individual) can control uses and disclosures and under what conditions
What information is in the PRISM tables?
- Tables divided into cells that contain information about specific disclosures:
  - HIPAA citation
  - Type of disclosure (required vs. permitted)
  - Information related to the disclosure (conditions, special requirements)

What information is in the PRISM tables? (cont’d)
- HIPAA requirements of the disclosure:
  - Whether consent/authorization is required
  - Whether minimum necessary applies
  - If an accounting of disclosure is required
- Additional general state law issues/requirements that may apply
Where can I find PRISM?
PHDSC Home Page:
PRISM Web Page:

Introduction to PRISM
- Click on “Proceed to PRISM Privacy Tool” at the bottom of this web page

Understanding and Using PRISM
- Proceed down the page and click on “Government Entity Acting As….”

Government Entity Acting As…
- Proceed down the page and click on one of the Type of Disclosure tables

How do I use PRISM? (cont’d)
- Click on a specific functional table to access the actual table
- This takes you to the grid of disclosure purposes for that table by specific data type

How do I use PRISM? (cont’d)
- Click on a folder icon to access the content for a specific disclosure/data type
- This screen provides you with disclosure guidelines specific to this type of disclosure
Example #1
- My program functions as a provider
- I want to disclose information on children’s immunizations for public health purposes
1. First, click to access the Public Health Healthcare Provider table

Example #1 (cont’d)
2. Then go to table 4, Disclosures Required by Law; for Public Health; etc., which covers disclosures for public health purposes

Example #1 (cont’d)
3. Look along the top for the Public health purpose column, then for Unemancipated minors information down the side, and click to open

Example #1 (cont’d)
4. Using the information in the cell:
   - If an entity is performing public health activities as a provider, that disclosure is allowed without consent or authorization under HIPAA
   - State laws define and control legal issues related to minors, but public health activities are normally not affected by these laws
Example #2
- My program functions as a provider AND a public health authority
- I need to disclose HIV/AIDS information for treatment purposes
1. First, click to access the Provider table

Example #2 (cont’d)
2. Then go to table 2, Disclosures for Treatment, Payment, and Health Care Operations, which contains specific information for TPO purposes

Example #2 (cont’d)
3. Look for the Treatment disclosures column and the STD/AIDS row, and click on the cell to open

Example #2 (cont’d)
4. Then click on the Public Health Authority table, go to table 2, Disclosures for Treatment, Payment, and Health Care Operations, which contains specific information for TPO purposes

Example #2 (cont’d)
5. Look for the Treatment disclosures column and the STD/AIDS row, and click on the cell to open

Example #2 (cont’d)
6. Using the information in both cells:
   - If an entity is performing treatment activities as a provider, that disclosure is allowed without consent or authorization under HIPAA
   - However, HIV information is often subject to stricter state protections, so state laws may require consent or authorization for some or all treatment activities
   - If an entity is performing treatment activities as a public health authority, then that disclosure is not subject to the HIPAA requirements
   - However, those treatment activities must be clearly identifiable as public health activities defined by law to qualify
PRISM Privacy Definitions and Resources
How can I provide feedback on PRISM?
- Feedback/Comment form
- Your comments are critical to future revisions and enhancements to this tool
Other Consortium Products and Activities
- Products:
  - Websites
  - Local health privacy case studies
- Activities:
  - Participate in state and national privacy and security projects (HISPC)
  - Participate in national privacy and security standards harmonization (HITSP)

For more information
- About the Consortium and other Consortium products:
  - Invite participation in Consortium activities
  - Help produce more useful tools and information
- Consider joining the Consortium to further these and other efforts

Contact Information
- Walter G. Suarez, MD, President and CEO, Institute for HIPAA/HIT Education and Research
  Phone:
- Vicki Hohner, MBA, Senior Consultant, Fox Systems, Inc.
  Phone: