The HIPAA Privacy Rule: Safeguarding Health Information in Research and Public Health Practice
Centers for Disease Control and Prevention
Beverly A. Peeples, J.D.
December 13, 2005
Brief Overview of HIPAA
• What is the Privacy Rule?
• Who is covered by the Privacy Rule?
• What information is protected?
What is the Privacy Rule?
• Establishes a set of national standards
• Promulgated by the US DHHS
• Addresses use and disclosure of individuals’ health information
• Addresses standards and protection of individuals’ privacy rights
Major Goals of Privacy Rule
• Assures that individuals’ health information is properly protected
• Strives to maintain balance
• Designed to be flexible and comprehensive
Who is Covered by the Privacy Rule?
• Covered Healthcare Providers
• Health Plans
• Healthcare Clearinghouses
These are known as Covered Entities (CE)
What is a Covered Entity?
Health Care Provider
+
Conducts electronic transactions
What is a HIPAA transaction?
• health care claims
• health care payment
• coordination of benefits
• health care claim status
• enrollment and disenrollment in a health plan
What is a HIPAA transaction?
• eligibility for a health plan
• health plan premium payments
• referral certification and authorization
• first report of injury
• health care claims attachments
• other transactions that the Secretary may prescribe by regulation
What Information is Protected?
Protected Health Information (PHI)
• Individual’s past, present or future physical or mental health
• Provision of healthcare
• Past, present or future payment for provision of healthcare
• Does not include FERPA records
Limits on Use of Individually Identifiable Health Information
• Privacy Rule sets limits
• Does not restrict ability of health care providers … to share information to treat patients
• May not be used for purposes unrelated to health care
Limits on Use of Individually Identifiable Health Information
• Specific authorizations required before a CE can release information to a:
− life insurer
− bank
− marketing firm, or
− school
Limits on Use of Individually Identifiable Health Information
• Permits health care providers and other CEs to share information about:
− treatment options
− disease-management programs
when they have a treatment relationship with the individual
Limits on Use of Individually Identifiable Health Information
• A business associate is a person or entity conducting certain functions on behalf of a CE
• CE may disclose PHI to a business associate
• CE must obtain satisfactory assurances to safeguard the information
Limits on Use of Individually Identifiable Health Information
• Privacy standards do not affect state laws
• Privacy Rule sets a national “floor” of privacy standards
• State law providing additional protections would continue to apply
What is the “Minimum Necessary” Standard?
- CE must make reasonable efforts to disclose only the minimum amount of PHI
- CEs may “reasonably” rely on public health authorities’ representation
- Applies to disclosures to a public health agency
Exceptions to the “Minimum Necessary” Requirements
Minimum Necessary Standard does not apply if disclosures are:
• Required by law
• Authorized by individual
• Requested by health care provider for treatment purposes
Exceptions to the “Minimum Necessary” Requirements
• Disclosures to the individual
• Disclosures to HHS
• When required for compliance with other HIPAA rules
− e.g. to fill out required or situationally required data fields in standard transactions
Uses and Disclosures of PHI
• A covered entity may not use or disclose PHI except either
− as the Privacy Rule permits or requires; or
− as the individuals … or their … representatives authorize in writing
Permitted Uses and Disclosures without Authorizations
• To the individual
• For treatment, payment, and healthcare operations
• Opportunity to agree or object
• As incident
• Public interest and benefit activities
• Limited Data Set
Permitted Uses and Disclosures without Authorizations
• A limited data set is PHI from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed.
• May contain more identifiers than de-identified data, which is stripped of the 18 identifiers; a limited data set is still PHI
Written Authorizations
• Must be written in specific terms
• Must be in plain language
• Contain specific information
Written Authorizations
• Allows use and disclosure of PHI by the covered entity or a third party
• Examples of disclosures:
− to a life insurer
− to an employer
− to a school employee who is not a health care provider
Public Health Authority
• Public Health Authorities are not subject to the Privacy Rule
− When they are conducting public health activities as defined in the Rule
− Even when they are covered entities acting in the capacity of a public health authority
  − Funded by a federal (CDC) or state public health authority
  − With a grant of authority to conduct a public health activity
Examples of PHAs
• Federal public health agencies include:
− CDC; NIH; SAMHSA; FDA; OSHA; and tribal health agencies
• State public health agencies include:
− public health departments or divisions; state cancer registries; and vital statistics departments
• Local public health agencies include:
− similar departments
Public Health Authorities
Hybrid entities
• A hybrid entity is a single legal entity that is a CE, performs business activities that include both covered and noncovered functions, and designates its health care components as provided in the Privacy Rule.
Public Health Authorities that are CEs or Hybrid Entities
• A university or school that includes an academic medical center’s hospital is a CE
• It may choose to be a hybrid entity by designating the hospital as its health care component
Hybrid Entities
• A school clinic, if it conducts electronic transactions
− Bills for services
− Files insurance reimbursement claims
− Provides health care to students
  − Physical or mental health services
Highlights of the Privacy Rule
- Contains standards to protect privacy of individually identifiable health information
- Sets minimum standards for how PHI may be used and disclosed; and
- Individuals can have control of their health information
Highlights of the Privacy Rule
− Describes methods to de-identify health information
− Provides alternatives to obtaining an Authorization, e.g. limited data sets
− Important steps toward understanding:
  − How and why the Privacy Rule protects
  − How CEs implement the Rule’s standards
Contact Information
Beverly A. Peeples, JD
Privacy Rule Coordinator
Office of Chief Science Officer
Office of Scientific Regulatory Services
Health Information Privacy
[email protected]: 404-371-5977