1 Health Information Privacy: Scope, Structure, and Implementation Lance Gable, JD, MPH Professor of...
-
Upload
lesley-coke -
Category
Documents
-
view
216 -
download
0
Transcript of 1 Health Information Privacy: Scope, Structure, and Implementation Lance Gable, JD, MPH Professor of...
1
Health Information Privacy: Scope, Structure, and
Implementation
Lance Gable, JD, MPH Professor of Law
Wayne State University Law School
2
A Quick Overview Objective One
Understand the basic principles of health information privacy, confidentiality, and security.
Objective Two Assess the existing universe of legal protections for the privacy
and confidentiality of health data. Objective Three
Examine the scope, structure, and implementation of the HIPAA Privacy Rule
Objective Four Discuss the impact of the HIPAA Privacy Rule on public health
authorities. Objective Five
Explore new legal developments related to health information privacy
3
Objective One
Understand the basic principles of health information privacy, confidentiality, and security.
4
Health Information Privacy - Key Terms
• Privacy - an individual’s right to control circumstances where their identifiable health information data is collected, used, stored, and transmitted.
• Confidentiality - privacy interests that arise from a specific relationship (e.g., doctor/patient, researcher/subject) and corresponding legal and ethical duties.
• Security – technological, organizational, or administrative safeguards or tools to protect identifiable health information from unwarranted access or disclosure.
5
Health Information Privacy - Key Terms
If the security safeguards in an automated system fail or are compromised, a breach of confidentiality can occur and the privacy of data subjects invaded.
• Willis Ware, Lessons for the Future: Dimensions of Medical Record Keeping, in Health Records: Social Needs and Personal Privacy 43 (Task Force on Privacy, U.S. Department of Health and Human Services (1993) (http://aspe.hhs.gov/pic/pdf/4441.pdf
6
Health Information Privacy – Key Concepts
Protecting health information privacy requires legal protections addressing 4 types of data exchanges: Acquisitions: acquiring or accessing identifiable
health data by an entity Uses: the sharing, employment, examination, or
analyses of identifiable health data within an entity
Disclosures: the release, transfer, provision of, access to, or divulging identifiable health data outside an entity that holds it.
Storage: keeping identifiable health data in any medium within an entity that is not actively using the data
7
Health Information Privacy - Key Concepts
Disclosure
Acquisition Use
Storage
8
Risks to Health Information Privacy
•Disclosure of health data: Accessibility and intimate nature of health data combine to harm those whose privacy is violated.
•Unwarranted disclosures can cause social, psychological and economic harm.
•Emerging computer technologies threaten individual privacy.
•Synergies: Protecting health information privacy is essential to the functioning of health care and public health systems.
9
Synergies of Health Information Privacy
• Absent privacy protections, patients and others will avoid some clinical, public health, and research interventions.
• Only through the responsible sharing of some health data may improvements in health care and community health be made.
10
Health Information Privacy - Communal Needs for Identifiable Health Data
Individual privacy protections must be balanced with legitimate communal uses of health data like health research and public health.
11
Objective Two
Assess the existing universe of legal protections for the privacy and confidentiality of health data.
12
The Universe of Health Information Privacy Laws and Policies
A host of laws of every type at every level of government, affecting multiple types of entities, and covering an array of health data are all part of the universe of health information privacy laws.
13
The Universe of Health Information Privacy Laws and Policies – Types of Laws
Compacts
Cases
Policies Regulations
Statutes
Constitutions
Treaties
Types of Laws
14
The Universe of Health Information Privacy Laws and Policies – Levels of Government
Community
City
County Tribal
State
National
International
Govern-ment
15
The Universe of Health Information Privacy Laws and Policies – Regulated Entities
HealthInsurers
Private Industry
NGOsHealth
Providers
National Security
Law Enforcement
Researchers
Public Health
Entities
16
The Universe of Health Information Privacy Laws and Policies – Examples of Types of Health Data
Birthdefects
Medical
MentalHealth
HIV/AIDS
Cancer
Genetic
Research
PublicHealth
Health Data
17
The Universe of Health Information Privacy Laws and Policies
Underlying all of these laws are some essential features: Focus is almost always on individual (as
contrasted with group) privacy protections Only identifiable health data are covered (as
non-identifiable data do not require individual health privacy protections
Consistent need to balance individual and communal interests in identifiable health data
Failure of many laws to address modern electronic exchanges of health data
18
The Universe of Health Information Privacy Laws and Policies
In combination, this existing universe of laws provides a “patchwork quilt” of privacy protections
Health information privacy protections vary across the U.S.
Inconsistencies in interpretation, application, and analyses inevitably arise.
19
Objective Three
Examine the scope, structure, and implementation of the HIPAA Privacy Rule as related to health care providers and public health authorities.
20
Health Information Privacy - Modern Protections
HIPAAThe Health Insurance Portability
and Accountability Act of 1996
21
HIPAA and the Basis for Health Info. Privacy
HIPAA seeks to:> Increase access to health insurance
> By reducing insurance costs> By lowering administrative costs
> By transmitting electronic data > Under
enhanced health info. privacy protections
> That encourage people to seek health care!
22
Health Information Privacy - Modern Protections
HIPAA =Administrative Simplification Provisions =
Standards for Privacy of Individually Identifiable Health Info. =
Health Information Privacy Regulations =45 CFR Parts 160 – 164 =
The Privacy Rule
23
HIPAA Privacy Rule – A Brief Timeline
• August, 21, 1996. HIPAA passes Congress and was signed into law. • August 21, 1999. Congress fails to pass health info. privacy law.• August, 1999 - January, 2001. Absent Congressional action, DHHS
was authorized to produce administrative regulations.• April 14, 2001. After months of work and public commentary,
DHHS finalizes its Privacy Rule with President Bush’s approval.• August 14, 2002. Bush administration modifies original Rule.• April 14, 2003. The Rule becomes effective for most “covered
entities” [or one year later for small health plans].• April 14, 2004. The Rule is fully effective for all covered entities.
24
HIPAA Privacy Rule – Scope, Structure, and Implementation
• What is covered?• Who is covered?• How is it covered?• What about other laws?• What about violations?
25
What Is Covered?
“Protected Health Information (PHI)”
individually-identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally.
45 C.F.R. 160.103
26
What Is Covered?
“Protected Health Information (PHI)”
DOES NOT include:
•Education records covered by FERPA;
•Employment records held by a covered entity in its role as employer;
•Non-identifiable health information
45 C.F.R. 160.103
27
Who Is Covered?
“Covered Entities (CEs): Health Plans Health Care Clearinghouses Health Providers - that exchange
identifiable health data electronically and their business associates
45 C.F.R. 160.103
28
Who Is Covered?
Business associates include: Claims or data processors Billing companies Quality assurance providers Utilization reviewers Lawyers Accountants Financial service providers
45 C.F.R. 160.103
29
Who Is Covered?
Beyond CE’s and their Business Associates are those who engage in:
Covered functions – those functions of a covered entity the performance of which makes the entity a health plan, health care providers, or health care clearinghouse. 45 CFR 164.103
Hybrid entities that perform both “covered” and “not covered” functions MAY have to adhere to relevant portions of the Privacy Rule to the extent to which some part of the entity conducts these activities.
30
Who Is Not Covered?
• Life insurances companies• Auto insurance companies• Worker’s compensation carriers• Employers • Others who may still acquire, use, and disclose vast quantities of health data
31
How is PHI Covered?
Boundaries - setting limits on uses and disclosures
Security - imposing security requirements
Fair Information Practices - allowing individuals some level of access to their health data
Accountability - making covered entities accountable for handling and abuses
32
How is PHI Covered?
Boundaries
164.502 – Uses and Disclosures – General Rules 164.504 – Uses and Disclosures – Organizational Req. 164.506 – Uses and Disclosures – Std. Transactions 164.508 – Uses and Disclosures – Authorization Req. 164.510 – Uses and Disclosures – Individual Oppy. 164.512 – Uses and Disclosures – No Authorization Req. 164.514 – Uses and Disclosures – Other Requirements
33
How Are Uses/Disclosures Regulated?
CEs may use or disclose PHI without individual informed consent to carry out treatment, payment, or health care operations (aka. Standard transactions).
34
How Are Uses/Disclosures Regulated?
Otherwise, uses or disclosures of PHI require either individual opportunities to object or written authorizations pursuant to the “anti-disclosure rule.”
“Except as otherwise permitted or required. . . , a CE may not use or disclose PHI without an authorization . . . “
45 CFR 164.508(a)(1)
35
How Are Uses/Disclosures Regulated?
2 Major Categories of Uses or Disclosures Requiring Individual Opportunity to Object
•Family Directories
•Individual Health Care Purposes
45 CFR 164.510
36
How are Uses/Disclosures Regulated?
Some exceptions to the anti-disclosure rule:• Law Enforcement• Judicial and Administrative Proceedings• Decedents• Health emergencies• Limited Commercial Marketing• Minors• Health Research• Public Health
37
Specific Public Health-based exceptions include disclosures:
To maintain quality, safety or effectiveness of FDA products
To notify people exposed to communicable diseases
Concerning work-related injuries About victims of abuse, neglect or domestic
violence Health oversight activities Prevent serious threats to people or the
general public
38
How is PHI Covered?
Security
• 164.102 – 164.318• Security Standards – Generally• Administrative Safeguards• Physical Safeguards• Technical Safeguards• Organizational Requirements• CIA – Confidentiality, Integrity, and
Availability
39
How is PHI Covered?
Fair Information Practices
• 164.522 – Rights to Request Privacy Protections Request Restrictions on Uses and
Disclosures Confidential Communications
• 164.524 – Individual Access to PHI• 164.526 – Amendment of PHI
40
How is PHI Covered?
Accountability• 164.520 – Notice
Rights Content Provision
• 164.528 – Accounting Rights Content Provision
41
What About Other Laws?
Federal/State ConstitutionsFederal/State Statutory Laws
Federal/State Administrative Laws Federal/State Judicial Law
Does the privacy rule supplant these laws?
42
Does the Privacy Rule Supplant These Laws?
No, the Privacy Rule creates a floor of federal protections.
Existing federal or state laws that provide greater health information privacy protections or do not otherwise conflict with the Rule remain in effect. Like a patchwork quilt, they lay over Privacy Rule protections.
43
What About Violations?Violations or breaches of the Privacy Rule may result in:
• Complaints filed with the Secretary of HHS;• Ensuing investigation by the Secretary;• Compliance reviews by the Secretary;• Informal resolution by the Secretary whenever possible; and• Imposition of civil penalties, which can be collected through
release of federal debts owed to the entity.• Does not include criminal sanctions against individuals 45 CFR 160.300-.500
Civil and criminal penalties have rarely been assessed. HHS has focused almost exclusively on compliance reviews and investigations.
44
What About Violations?
DHHS Office of Civil Rights, Compliance and Enforcement Numbers at a Glance, http://www.hhs.gov/ocr/privacy/enforcement/numbersglance.html (visited May 10, 2007).
45
What About Violations?
DHHS Office of Civil Rights, Compliance and Enforcement Numbers at a Glance, http://www.hhs.gov/ocr/privacy/enforcement/numbersglance.html (visited May 10, 2007).
46
What About Violations?
DHHS Office of Civil Rights, Compliance and Enforcement Numbers at a Glance, http://www.hhs.gov/ocr/privacy/enforcement/numbersglance.html (visited May 10, 2007).
47
What About Violations?
Beyond formal or informal approaches to addressing violations pursuant to the Privacy Rule are:
• Judicial uses of the Privacy Rule as a per se standard for protecting health information privacy;
• Contractual obligations to adhere to the Privacy Rule Business Associates Limited Data Sets
• Institutional, corporate, and organizational policies requiring adherence to the Rule
48
Objective Four
Discuss the impact of the HIPAA Privacy Rule on public health authorities.
49
Impact of the Privacy Rule on Public Health
Externally – how does the Rule impact the flow of identifiable health data into or out of public health agencies?
Internally – what are ways that the Rule affects the practice of public health or public health research done by public health agencies or its partners?
50
External Impacts of the Privacy Rule on Public Health
The public health exception within the HIPAA Privacy Rule allows a covered entity to disclose PHI without individual authorization to a “public health authority that is authorized by law to collect and receive such information for the purpose of preventing and controlling disease, injury, or disability, including . . . reporting of disease . . . and the conduct of public health surveillance . . . .”
51
External Impacts of the Privacy Rule on Public Health
Beyond this general authorization, specific public health-based exceptions include disclosures:
• To maintain the quality, safety, or effectiveness of FDA products
• To notify persons exposed to communicable diseases
• Concerning work-related injuries• About victims of abuse, neglect, or domestic
violence• For health oversight activities• To prevent serious threats to persons or the
public
52
Who Is a Public Health Authority?
A public health authority is an:
agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency . . . that is responsible for public health matters as part of its official mandate.
53
Who Is a Public Health Authority?
Public health authorities include:
• State or Tribal Health Departments• Local Health Departments• Contractors/others acting under authority of
these agencies
54
What About State Public Health Reporting Laws?
All states require health care providers to report communicable diseases and other conditions The specific diseases or conditions vary from
state to state May be found in statutory or regulatory laws
The Privacy Rule does not pre-empt (or override) state law that “provides for the reporting of disease or injury . . . or for the conduct of public health surveillance [or] investigation . . . .”
55
Internal Impacts of the Privacy Rule on Public Health
To the extent that public health authorities use or disclose identifiable health data for public health purposes, they are not “covered entities,” and are thus not required to adhere to the provisions of the Privacy Rule.
Simply stated – public health authorities performing public health practice activities are not covered by the Privacy Rule
56
Internal Impacts of the Privacy Rule on Public Health
Public Health Authorities As Providers/Plans
A profound area of potential internal impact concerns those activities of public health authorities that resemble the provision of health care (e.g. direct delivery of health services to disadvantaged individuals) or administration of health plans (e.g., state “well person” programs).
57
Internal Impacts of the Privacy Rule on Public Health
Public health authorities doing health care/plan activities may be considered as engaging in “covered functions.” If so, these activities would be deemed as covered under the Rule.
Thus, a local health clinic that provides flu vaccines or other health services for a minimal charge (and bills electronically) may be engaged in “covered functions.”
58
Internal Impacts of the Privacy Rule on Public Health
Many state and local public health authorities declare themselves as Hybrid Entities pursuant to the Privacy Rule.
The practical effect of hybrid status is that thepublic health authority must only adhere to the Privacy Rule concerning those components of its practices that are covered. Other parts of the PHA may not have to adhere to the same requirements concerning their duties.
59
Objective Five
Explore new legal developments related to health information privacy
60
Nationwide Health Information Network
Understanding and resolving legal and policy issues, such as those related to variations in states’ privacy laws;
Ensuring that only the minimum amount of information necessary is disclosed to only those entities authorized to receive the information;
Ensuring individuals’ rights to request access and amendments to their own health information; and
Implementing adequate security measures for protecting health information.
GAO, Health Information Technology, GAO-07-238 (January 2007).
61
Genetic Non-Discrimination Act
The Genetic Information Nondiscrimination Act (HR 493) passed the House April 25, 420-3. It would:
Ban health insurers and group plans from using genetic information to determine eligibility or rates.
Prohibit employers from using genetic information in hiring, firing, job placement or promotion decisions.
Protect individuals until the point of diagnosis, when the Americans with Disabilities Act would assume jurisdiction.
Michigan has similar protections under state law, but not all states have enacted privacy protections for genetic information.
62
Conclusions
• A multitude of health information privacy laws and policies attempt to balance individual and communal interests in acquisitions, uses, and disclosures of identifiable health data
• The HIPAA Privacy Rule presents a national health information privacy standards in the U.S.
• The Privacy Rule creates a Floor [but not a ceiling] for privacy protections
• The Rule impacts public health authorities in internal and external ways related to their practice and research activities
• Other legislative efforts are seeking to expand privacy protections for health information
63
Resources Department of Health and Human Services:
www.hhs.gov Office of Civil Rights – HIPAA:
www.hhs.gov/ocr/hipaa U.S. Government Accountability Office:
www.gao.gov National Conf. of State Legislatures - HIPAA:
http://www.ncsl.org/programs/health/HIPAA.htm
Michigan HIPAA Information: http://www.michigan.gov/mdch/0,1607,7-132-2945_24020---,00.html
64
Resources, cont. HIPAA Listserv(s): www.list.nih.gov
Go to “Browse” and enter Keyword “HIPAA” National Committee on Vital and Health
Statistics (NCVHS): www.ncvhs.hhs.gov Designated Standard Maintenance
Organizations: www.hipaa-dsmo.org Workgroup for Electronic Data Interchange
(WEDI): www.wedi.org Strategic National Implementation Process
(SNIP): www.wedi.org/snip
65
Thank You!
• For more information, contact me at [email protected]
• Special thanks to Nicole Rowley for research assistance and to Professor James G. Hodge, Jr., and the Centers for Disease Control and Prevention for use of some of these slides.