1 Health Information Privacy: Scope, Structure, and Implementation Lance Gable, JD, MPH Professor of...

1

Health Information Privacy: Scope, Structure, and

Implementation

Lance Gable, JD, MPH Professor of Law

Wayne State University Law School

2

A Quick Overview Objective One

Understand the basic principles of health information privacy, confidentiality, and security.

Objective Two Assess the existing universe of legal protections for the privacy

and confidentiality of health data. Objective Three

Examine the scope, structure, and implementation of the HIPAA Privacy Rule

Objective Four Discuss the impact of the HIPAA Privacy Rule on public health

authorities. Objective Five

Explore new legal developments related to health information privacy

3

Objective One

Understand the basic principles of health information privacy, confidentiality, and security.

4

Health Information Privacy - Key Terms

• Privacy - an individual’s right to control circumstances where their identifiable health information data is collected, used, stored, and transmitted.

• Confidentiality - privacy interests that arise from a specific relationship (e.g., doctor/patient, researcher/subject) and corresponding legal and ethical duties.

• Security – technological, organizational, or administrative safeguards or tools to protect identifiable health information from unwarranted access or disclosure.

5

Health Information Privacy - Key Terms

If the security safeguards in an automated system fail or are compromised, a breach of confidentiality can occur and the privacy of data subjects invaded.

• Willis Ware, Lessons for the Future: Dimensions of Medical Record Keeping, in Health Records: Social Needs and Personal Privacy 43 (Task Force on Privacy, U.S. Department of Health and Human Services (1993) (http://aspe.hhs.gov/pic/pdf/4441.pdf

6

Health Information Privacy – Key Concepts

Protecting health information privacy requires legal protections addressing 4 types of data exchanges: Acquisitions: acquiring or accessing identifiable

health data by an entity Uses: the sharing, employment, examination, or

analyses of identifiable health data within an entity

Disclosures: the release, transfer, provision of, access to, or divulging identifiable health data outside an entity that holds it.

Storage: keeping identifiable health data in any medium within an entity that is not actively using the data

7

Health Information Privacy - Key Concepts

Disclosure

Acquisition Use

Storage

8

Risks to Health Information Privacy

•Disclosure of health data: Accessibility and intimate nature of health data combine to harm those whose privacy is violated.

•Unwarranted disclosures can cause social, psychological and economic harm.

•Emerging computer technologies threaten individual privacy.

•Synergies: Protecting health information privacy is essential to the functioning of health care and public health systems.

9

Synergies of Health Information Privacy

• Absent privacy protections, patients and others will avoid some clinical, public health, and research interventions.

• Only through the responsible sharing of some health data may improvements in health care and community health be made.

10

Health Information Privacy - Communal Needs for Identifiable Health Data

Individual privacy protections must be balanced with legitimate communal uses of health data like health research and public health.

11

Objective Two

Assess the existing universe of legal protections for the privacy and confidentiality of health data.

12

The Universe of Health Information Privacy Laws and Policies

A host of laws of every type at every level of government, affecting multiple types of entities, and covering an array of health data are all part of the universe of health information privacy laws.

13

The Universe of Health Information Privacy Laws and Policies – Types of Laws

Compacts

Cases

Policies Regulations

Statutes

Constitutions

Treaties

Types of Laws

14

The Universe of Health Information Privacy Laws and Policies – Levels of Government

Community

City

County Tribal

State

National

International

Govern-ment

15

The Universe of Health Information Privacy Laws and Policies – Regulated Entities

HealthInsurers

Private Industry

NGOsHealth

Providers

National Security

Law Enforcement

Researchers

Public Health

Entities

16

The Universe of Health Information Privacy Laws and Policies – Examples of Types of Health Data

Birthdefects

Medical

MentalHealth

HIV/AIDS

Cancer

Genetic

Research

PublicHealth

Health Data

17


Underlying all of these laws are some essential features: Focus is almost always on individual (as

contrasted with group) privacy protections Only identifiable health data are covered (as

non-identifiable data do not require individual health privacy protections

Consistent need to balance individual and communal interests in identifiable health data

Failure of many laws to address modern electronic exchanges of health data

18


In combination, this existing universe of laws provides a “patchwork quilt” of privacy protections

Health information privacy protections vary across the U.S.

Inconsistencies in interpretation, application, and analyses inevitably arise.

19

Objective Three

Examine the scope, structure, and implementation of the HIPAA Privacy Rule as related to health care providers and public health authorities.

20

Health Information Privacy - Modern Protections

HIPAAThe Health Insurance Portability

and Accountability Act of 1996

21

HIPAA and the Basis for Health Info. Privacy

HIPAA seeks to:> Increase access to health insurance

> By reducing insurance costs> By lowering administrative costs

> By transmitting electronic data > Under

enhanced health info. privacy protections

> That encourage people to seek health care!

22

Health Information Privacy - Modern Protections

HIPAA =Administrative Simplification Provisions =

Standards for Privacy of Individually Identifiable Health Info. =

Health Information Privacy Regulations =45 CFR Parts 160 – 164 =

The Privacy Rule

23

HIPAA Privacy Rule – A Brief Timeline

• August, 21, 1996. HIPAA passes Congress and was signed into law. • August 21, 1999. Congress fails to pass health info. privacy law.• August, 1999 - January, 2001. Absent Congressional action, DHHS

was authorized to produce administrative regulations.• April 14, 2001. After months of work and public commentary,

DHHS finalizes its Privacy Rule with President Bush’s approval.• August 14, 2002. Bush administration modifies original Rule.• April 14, 2003. The Rule becomes effective for most “covered

entities” [or one year later for small health plans].• April 14, 2004. The Rule is fully effective for all covered entities.

24

HIPAA Privacy Rule – Scope, Structure, and Implementation

• What is covered?• Who is covered?• How is it covered?• What about other laws?• What about violations?

25

What Is Covered?

“Protected Health Information (PHI)”

individually-identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally.

45 C.F.R. 160.103

26

What Is Covered?

“Protected Health Information (PHI)”

DOES NOT include:

•Education records covered by FERPA;

•Employment records held by a covered entity in its role as employer;

•Non-identifiable health information

45 C.F.R. 160.103

27

Who Is Covered?

“Covered Entities (CEs): Health Plans Health Care Clearinghouses Health Providers - that exchange

identifiable health data electronically and their business associates

45 C.F.R. 160.103

28

Who Is Covered?

Business associates include: Claims or data processors Billing companies Quality assurance providers Utilization reviewers Lawyers Accountants Financial service providers

45 C.F.R. 160.103

29

Who Is Covered?

Beyond CE’s and their Business Associates are those who engage in:

Covered functions – those functions of a covered entity the performance of which makes the entity a health plan, health care providers, or health care clearinghouse. 45 CFR 164.103

Hybrid entities that perform both “covered” and “not covered” functions MAY have to adhere to relevant portions of the Privacy Rule to the extent to which some part of the entity conducts these activities.

30

Who Is Not Covered?

• Life insurances companies• Auto insurance companies• Worker’s compensation carriers• Employers • Others who may still acquire, use, and disclose vast quantities of health data

31

How is PHI Covered?

Boundaries - setting limits on uses and disclosures

Security - imposing security requirements

Fair Information Practices - allowing individuals some level of access to their health data

Accountability - making covered entities accountable for handling and abuses

32

How is PHI Covered?

Boundaries

164.502 – Uses and Disclosures – General Rules 164.504 – Uses and Disclosures – Organizational Req. 164.506 – Uses and Disclosures – Std. Transactions 164.508 – Uses and Disclosures – Authorization Req. 164.510 – Uses and Disclosures – Individual Oppy. 164.512 – Uses and Disclosures – No Authorization Req. 164.514 – Uses and Disclosures – Other Requirements

33

How Are Uses/Disclosures Regulated?

CEs may use or disclose PHI without individual informed consent to carry out treatment, payment, or health care operations (aka. Standard transactions).

34


Otherwise, uses or disclosures of PHI require either individual opportunities to object or written authorizations pursuant to the “anti-disclosure rule.”

“Except as otherwise permitted or required. . . , a CE may not use or disclose PHI without an authorization . . . “

45 CFR 164.508(a)(1)

35


2 Major Categories of Uses or Disclosures Requiring Individual Opportunity to Object

•Family Directories

•Individual Health Care Purposes

45 CFR 164.510

36

How are Uses/Disclosures Regulated?

Some exceptions to the anti-disclosure rule:• Law Enforcement• Judicial and Administrative Proceedings• Decedents• Health emergencies• Limited Commercial Marketing• Minors• Health Research• Public Health

37

Specific Public Health-based exceptions include disclosures:

To maintain quality, safety or effectiveness of FDA products

To notify people exposed to communicable diseases

Concerning work-related injuries About victims of abuse, neglect or domestic

violence Health oversight activities Prevent serious threats to people or the

general public

38

How is PHI Covered?

Security

• 164.102 – 164.318• Security Standards – Generally• Administrative Safeguards• Physical Safeguards• Technical Safeguards• Organizational Requirements• CIA – Confidentiality, Integrity, and

Availability

39

How is PHI Covered?

Fair Information Practices

• 164.522 – Rights to Request Privacy Protections Request Restrictions on Uses and

Disclosures Confidential Communications

• 164.524 – Individual Access to PHI• 164.526 – Amendment of PHI

40

How is PHI Covered?

Accountability• 164.520 – Notice

Rights Content Provision

• 164.528 – Accounting Rights Content Provision

41

What About Other Laws?

Federal/State ConstitutionsFederal/State Statutory Laws

Federal/State Administrative Laws Federal/State Judicial Law

Does the privacy rule supplant these laws?

42

Does the Privacy Rule Supplant These Laws?

No, the Privacy Rule creates a floor of federal protections.

Existing federal or state laws that provide greater health information privacy protections or do not otherwise conflict with the Rule remain in effect. Like a patchwork quilt, they lay over Privacy Rule protections.

43

What About Violations?Violations or breaches of the Privacy Rule may result in:

• Complaints filed with the Secretary of HHS;• Ensuing investigation by the Secretary;• Compliance reviews by the Secretary;• Informal resolution by the Secretary whenever possible; and• Imposition of civil penalties, which can be collected through

release of federal debts owed to the entity.• Does not include criminal sanctions against individuals 45 CFR 160.300-.500

Civil and criminal penalties have rarely been assessed. HHS has focused almost exclusively on compliance reviews and investigations.

44

What About Violations?

DHHS Office of Civil Rights, Compliance and Enforcement Numbers at a Glance, http://www.hhs.gov/ocr/privacy/enforcement/numbersglance.html (visited May 10, 2007).

45



46



47


Beyond formal or informal approaches to addressing violations pursuant to the Privacy Rule are:

• Judicial uses of the Privacy Rule as a per se standard for protecting health information privacy;

• Contractual obligations to adhere to the Privacy Rule Business Associates Limited Data Sets

• Institutional, corporate, and organizational policies requiring adherence to the Rule

48

Objective Four

Discuss the impact of the HIPAA Privacy Rule on public health authorities.

49

Impact of the Privacy Rule on Public Health

Externally – how does the Rule impact the flow of identifiable health data into or out of public health agencies?

Internally – what are ways that the Rule affects the practice of public health or public health research done by public health agencies or its partners?

50

External Impacts of the Privacy Rule on Public Health

The public health exception within the HIPAA Privacy Rule allows a covered entity to disclose PHI without individual authorization to a “public health authority that is authorized by law to collect and receive such information for the purpose of preventing and controlling disease, injury, or disability, including . . . reporting of disease . . . and the conduct of public health surveillance . . . .”

51

External Impacts of the Privacy Rule on Public Health

Beyond this general authorization, specific public health-based exceptions include disclosures:

• To maintain the quality, safety, or effectiveness of FDA products

• To notify persons exposed to communicable diseases

• Concerning work-related injuries• About victims of abuse, neglect, or domestic

violence• For health oversight activities• To prevent serious threats to persons or the

public

52

Who Is a Public Health Authority?

A public health authority is an:

agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency . . . that is responsible for public health matters as part of its official mandate.

53

Who Is a Public Health Authority?

Public health authorities include:

• State or Tribal Health Departments• Local Health Departments• Contractors/others acting under authority of

these agencies

54

What About State Public Health Reporting Laws?

All states require health care providers to report communicable diseases and other conditions The specific diseases or conditions vary from

state to state May be found in statutory or regulatory laws

The Privacy Rule does not pre-empt (or override) state law that “provides for the reporting of disease or injury . . . or for the conduct of public health surveillance [or] investigation . . . .”

55

Internal Impacts of the Privacy Rule on Public Health

To the extent that public health authorities use or disclose identifiable health data for public health purposes, they are not “covered entities,” and are thus not required to adhere to the provisions of the Privacy Rule.

Simply stated – public health authorities performing public health practice activities are not covered by the Privacy Rule

56


Public Health Authorities As Providers/Plans

A profound area of potential internal impact concerns those activities of public health authorities that resemble the provision of health care (e.g. direct delivery of health services to disadvantaged individuals) or administration of health plans (e.g., state “well person” programs).

57


Public health authorities doing health care/plan activities may be considered as engaging in “covered functions.” If so, these activities would be deemed as covered under the Rule.

Thus, a local health clinic that provides flu vaccines or other health services for a minimal charge (and bills electronically) may be engaged in “covered functions.”

58


Many state and local public health authorities declare themselves as Hybrid Entities pursuant to the Privacy Rule.

The practical effect of hybrid status is that thepublic health authority must only adhere to the Privacy Rule concerning those components of its practices that are covered. Other parts of the PHA may not have to adhere to the same requirements concerning their duties.

59

Objective Five

Explore new legal developments related to health information privacy

60

Nationwide Health Information Network

Understanding and resolving legal and policy issues, such as those related to variations in states’ privacy laws;

Ensuring that only the minimum amount of information necessary is disclosed to only those entities authorized to receive the information;

Ensuring individuals’ rights to request access and amendments to their own health information; and

Implementing adequate security measures for protecting health information.

GAO, Health Information Technology, GAO-07-238 (January 2007).

61

Genetic Non-Discrimination Act

The Genetic Information Nondiscrimination Act (HR 493) passed the House April 25, 420-3. It would:

Ban health insurers and group plans from using genetic information to determine eligibility or rates.

Prohibit employers from using genetic information in hiring, firing, job placement or promotion decisions.

Protect individuals until the point of diagnosis, when the Americans with Disabilities Act would assume jurisdiction.

Michigan has similar protections under state law, but not all states have enacted privacy protections for genetic information.

62

Conclusions

• A multitude of health information privacy laws and policies attempt to balance individual and communal interests in acquisitions, uses, and disclosures of identifiable health data

• The HIPAA Privacy Rule presents a national health information privacy standards in the U.S.

• The Privacy Rule creates a Floor [but not a ceiling] for privacy protections

• The Rule impacts public health authorities in internal and external ways related to their practice and research activities

• Other legislative efforts are seeking to expand privacy protections for health information

63

Resources Department of Health and Human Services:

www.hhs.gov Office of Civil Rights – HIPAA:

www.hhs.gov/ocr/hipaa U.S. Government Accountability Office:

www.gao.gov National Conf. of State Legislatures - HIPAA:

http://www.ncsl.org/programs/health/HIPAA.htm

Michigan HIPAA Information: http://www.michigan.gov/mdch/0,1607,7-132-2945_24020---,00.html

64

Resources, cont. HIPAA Listserv(s): www.list.nih.gov

Go to “Browse” and enter Keyword “HIPAA” National Committee on Vital and Health

Statistics (NCVHS): www.ncvhs.hhs.gov Designated Standard Maintenance

Organizations: www.hipaa-dsmo.org Workgroup for Electronic Data Interchange

(WEDI): www.wedi.org Strategic National Implementation Process

(SNIP): www.wedi.org/snip

65

Thank You!

• For more information, contact me at [email protected]

• Special thanks to Nicole Rowley for research assistance and to Professor James G. Hodge, Jr., and the Centers for Disease Control and Prevention for use of some of these slides.

1 Health Information Privacy: Scope, Structure, and Implementation Lance Gable, JD, MPH Professor of...

Documents

Transcript of 1 Health Information Privacy: Scope, Structure, and Implementation Lance Gable, JD, MPH Professor of...