health information privacy scope structure and implementation n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Health Information Privacy: Scope, Structure, and Implementation PowerPoint Presentation
Download Presentation
Health Information Privacy: Scope, Structure, and Implementation

Loading in 2 Seconds...

play fullscreen
1 / 65

Health Information Privacy: Scope, Structure, and Implementation - PowerPoint PPT Presentation


  • 106 Views
  • Uploaded on

Health Information Privacy: Scope, Structure, and Implementation. Lance Gable, JD, MPH Professor of Law Wayne State University Law School. A Quick Overview. Objective One Understand the basic principles of health information privacy, confidentiality, and security. Objective Two

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Health Information Privacy: Scope, Structure, and Implementation' - azia


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
health information privacy scope structure and implementation

Health Information Privacy: Scope, Structure, and Implementation

Lance Gable, JD, MPH

Professor of Law

Wayne State University Law School

a quick overview
A Quick Overview
  • Objective One
    • Understand the basic principles of health information privacy, confidentiality, and security.
  • Objective Two
    • Assess the existing universe of legal protections for the privacy and confidentiality of health data.
  • Objective Three
    • Examine the scope, structure, and implementation of the HIPAA Privacy Rule
  • Objective Four
    • Discuss the impact of the HIPAA Privacy Rule on public health authorities.
  • Objective Five
    • Explore new legal developments related to health information privacy
slide3

Objective OneUnderstand the basic principles of health information privacy, confidentiality, and security.

health information privacy key terms
Health Information Privacy - Key Terms
  • Privacy - an individual’s right to control circumstances where their identifiable health information data is collected, used, stored, and transmitted.
  • Confidentiality - privacy interests that arise from a specific relationship (e.g., doctor/patient, researcher/subject) and corresponding legal and ethical duties.
  • Security – technological, organizational, or administrative safeguards or tools to protect identifiable health information from unwarranted access or disclosure.
health information privacy key terms1
Health Information Privacy - Key Terms

If the security safeguards in an automated system fail or are compromised, a breach of confidentiality can occur and the privacy of data subjects invaded.

  • Willis Ware, Lessons for the Future: Dimensions of Medical Record Keeping, in Health Records: Social Needs and Personal Privacy 43 (Task Force on Privacy, U.S. Department of Health and Human Services (1993) (http://aspe.hhs.gov/pic/pdf/4441.pdf
health information privacy key concepts
Health Information Privacy – Key Concepts
  • Protecting health information privacy requires legal protections addressing 4 types of data exchanges:
    • Acquisitions: acquiring or accessing identifiable health data by an entity
    • Uses: the sharing, employment, examination, or analyses of identifiable health data within an entity
    • Disclosures: the release, transfer, provision of, access to, or divulging identifiable health data outside an entity that holds it.
    • Storage: keeping identifiable health data in any medium within an entity that is not actively using the data
health information privacy key concepts1
Health Information Privacy - Key Concepts

Acquisition

Use

Storage

Disclosure

risks to health information privacy
Risks to Health Information Privacy
  • Disclosure of health data:Accessibilityand intimate nature of health data combine to harm those whose privacy is violated.
  • Unwarranted disclosurescan causesocial, psychological and economic harm.
  • Emerging computer technologiesthreaten individual privacy.
  • Synergies:Protecting health information privacy is essential to the functioning of health care and public health systems.
synergies of health information privacy
Synergies of Health Information Privacy
  • Absent privacy protections, patients and others will avoid some clinical, public health, and research interventions.
  • Only through the responsible sharing of some health data may improvements in health care and community health be made.
health information privacy communal needs for identifiable health data
Health Information Privacy -Communal Needs for Identifiable Health Data

Individual privacy protections must be balanced with legitimate communal uses of health data like health research and public health.

slide11

Objective TwoAssess the existing universe of legal protections for the privacy and confidentiality of health data.

the universe of health information privacy laws and policies
The Universe of Health Information Privacy Laws and Policies
  • A host of laws of every type at every level of government, affecting multiple types of entities, and covering an array of health data are all part of the universe of health information privacy laws.
the universe of health information privacy laws and policies1
The Universe of Health Information Privacy Laws and Policies
  • Underlying all of these laws are some essential features:
    • Focus is almost always on individual (as contrasted with group) privacy protections
    • Only identifiable health data are covered (as non-identifiable data do not require individual health privacy protections
    • Consistent need to balance individual and communal interests in identifiable health data
    • Failure of many laws to address modern electronic exchanges of health data
the universe of health information privacy laws and policies2
The Universe of Health Information Privacy Laws and Policies
  • In combination, this existing universe of laws provides a “patchwork quilt” of privacy protections
  • Health information privacy protections vary across the U.S.
  • Inconsistencies in interpretation, application, and analyses inevitably arise.
slide19

Objective ThreeExamine the scope, structure, and implementation of the HIPAA Privacy Rule as related to health care providers and public health authorities.

health information privacy modern protections
Health Information Privacy - Modern Protections

HIPAA

The Health Insurance Portability

and Accountability Act of 1996

hipaa and the basis for health info privacy
HIPAA and the Basis for Health Info. Privacy

HIPAA seeks to:

> Increase access to health insurance

> By reducing insurance costs

>By lowering administrative costs

>By transmitting electronic data>Under enhanced health info. privacy protections

>That encourage people to seek health care!

health information privacy modern protections1
Health Information Privacy -Modern Protections

HIPAA =

Administrative Simplification Provisions =

Standards for Privacy of Individually Identifiable Health Info. =

Health Information Privacy Regulations =

45 CFR Parts 160 – 164 =

The Privacy Rule

hipaa privacy rule a brief timeline
HIPAA Privacy Rule –A Brief Timeline
  • August, 21, 1996. HIPAA passes Congress and was signed into law.
  • August 21, 1999. Congress fails to pass health info. privacy law.
  • August, 1999 - January, 2001. Absent Congressional action, DHHS was authorized to produce administrative regulations.
  • April 14, 2001. After months of work and public commentary, DHHS finalizes its Privacy Rule with President Bush’s approval.
  • August 14, 2002. Bush administration modifies original Rule.
  • April 14, 2003. The Rule becomes effective for most “covered entities” [or one year later for small health plans].
  • April 14, 2004. The Rule is fully effective for all covered entities.
hipaa privacy rule scope structure and implementation
HIPAA Privacy Rule –Scope, Structure, and Implementation
  • What is covered?
  • Who is covered?
  • How is it covered?
  • What about other laws?
  • What about violations?
what is covered
What Is Covered?

“Protected Health Information (PHI)”

individually-identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally.

45 C.F.R. 160.103

what is covered1
What Is Covered?
  • “Protected Health Information (PHI)”
  • DOES NOT include:
  • Education records covered by FERPA;
  • Employment records held by a covered entity in its role as employer;
  • Non-identifiable health information
  • 45 C.F.R. 160.103
who is covered
Who Is Covered?

“Covered Entities (CEs):

  • Health Plans
  • Health Care Clearinghouses
  • Health Providers - that exchange identifiable health data electronically
      • and their business associates

45 C.F.R. 160.103

who is covered1
Who Is Covered?

Business associates include:

  • Claims or data processors
  • Billing companies
  • Quality assurance providers
  • Utilization reviewers
  • Lawyers
  • Accountants
  • Financial service providers

45 C.F.R. 160.103

who is covered2
Who Is Covered?

Beyond CE’s and their Business Associates are those who engage in:

Covered functions – those functions of a covered entity the performance of which makes the entity a health plan, health care providers, or health care clearinghouse. 45 CFR 164.103

Hybrid entities that perform both “covered” and “not covered” functions MAY have to adhere to relevant portions of the Privacy Rule to the extent to which some part of the entity conducts these activities.

who is not covered
Who IsNotCovered?
  • Life insurances companies
  • Auto insurance companies
  • Worker’s compensation carriers
  • Employers
  • Others who may still acquire,

use, and disclose vast quantities

of health data

how is phi covered
How is PHI Covered?

Boundaries - setting limits on uses and disclosures

Security - imposing security requirements

Fair Information Practices - allowing individuals some level of access to their health data

Accountability - making covered entities accountable for handling and abuses

how is phi covered1
How is PHI Covered?

Boundaries

  • 164.502 – Uses and Disclosures – General Rules
  • 164.504 – Uses and Disclosures – Organizational Req.
  • 164.506 – Uses and Disclosures – Std. Transactions
  • 164.508 – Uses and Disclosures – Authorization Req.
  • 164.510 – Uses and Disclosures – Individual Oppy.
  • 164.512 – Uses and Disclosures – No Authorization Req.
  • 164.514 – Uses and Disclosures – Other Requirements
how are uses disclosures regulated
How Are Uses/Disclosures Regulated?

CEs may use or disclose PHI without individual informed consent to carry out treatment, payment, or health care operations (aka. Standard transactions).

how are uses disclosures regulated1
How Are Uses/Disclosures Regulated?

Otherwise, uses or disclosures of PHI require either individual opportunities to object or written authorizations pursuant to the “anti-disclosure rule.”

“Except as otherwise permitted or required. . . , a CE may not use or disclose PHI without an authorization. . . “

45 CFR 164.508(a)(1)

how are uses disclosures regulated2
How Are Uses/Disclosures Regulated?
  • 2 Major Categories of Uses or Disclosures Requiring Individual Opportunity to Object
  • Family Directories
  • Individual Health Care Purposes
  • 45 CFR 164.510
how are uses disclosures regulated3
How are Uses/Disclosures Regulated?

Some exceptions to the anti-disclosure rule:

  • Law Enforcement
  • Judicial and Administrative Proceedings
  • Decedents
  • Health emergencies
  • Limited Commercial Marketing
  • Minors
  • Health Research
  • Public Health
specific public health based exceptions include disclosures
Specific Public Health-based exceptions include disclosures:
  • To maintain quality, safety or effectiveness of FDA products
  • To notify people exposed to communicable diseases
  • Concerning work-related injuries
  • About victims of abuse, neglect or domestic violence
  • Health oversight activities
  • Prevent serious threats to people or the general public
how is phi covered2
How is PHI Covered?

Security

  • 164.102 – 164.318
  • Security Standards – Generally
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Requirements
  • CIA – Confidentiality, Integrity, and Availability
how is phi covered3
How is PHI Covered?

Fair Information Practices

  • 164.522 – Rights to Request Privacy Protections
    • Request Restrictions on Uses and Disclosures
    • Confidential Communications
  • 164.524 – Individual Access to PHI
  • 164.526 – Amendment of PHI
how is phi covered4
How is PHI Covered?

Accountability

  • 164.520 – Notice
    • Rights
    • Content
    • Provision
  • 164.528 – Accounting
    • Rights
    • Content
    • Provision
what about other laws
What About Other Laws?

Federal/State Constitutions

Federal/State Statutory Laws

Federal/State Administrative Laws Federal/State Judicial Law

Does the privacy rule supplant these laws?

does the privacy rule supplant these laws
Does the Privacy Rule Supplant These Laws?

No, the Privacy Rule creates a

floor of federal protections.

Existing federal or state laws that provide greater health information privacy protections or do not otherwise conflict with the Rule remain in effect. Like a patchwork quilt, they lay over Privacy Rule protections.

what about violations
What About Violations?

Violations or breaches of the Privacy Rule may result in:

  • Complaints filed with the Secretary of HHS;
  • Ensuing investigation by the Secretary;
  • Compliance reviews by the Secretary;
  • Informal resolution by the Secretary whenever possible; and
  • Imposition of civil penalties, which can be collected through release of federal debts owed to the entity.
  • Does not include criminal sanctions against individuals

45 CFR 160.300-.500

Civil and criminal penalties have rarely been assessed. HHS has focused almost exclusively on compliance reviews and investigations.

what about violations1
What About Violations?

DHHS Office of Civil Rights, Compliance and Enforcement Numbers at a Glance, http://www.hhs.gov/ocr/privacy/enforcement/numbersglance.html (visited May 10, 2007).

what about violations2
What About Violations?

DHHS Office of Civil Rights, Compliance and Enforcement Numbers at a Glance, http://www.hhs.gov/ocr/privacy/enforcement/numbersglance.html (visited May 10, 2007).

what about violations3
What About Violations?

DHHS Office of Civil Rights, Compliance and Enforcement Numbers at a Glance, http://www.hhs.gov/ocr/privacy/enforcement/numbersglance.html (visited May 10, 2007).

what about violations4
What About Violations?

Beyond formal or informal approaches to addressing violations pursuant to the Privacy Rule are:

  • Judicial uses of the Privacy Rule as a per se standard for protecting health information privacy;
  • Contractual obligations to adhere to the Privacy Rule
    • Business Associates
    • Limited Data Sets
  • Institutional, corporate, and organizational policies requiring adherence to the Rule
impact of the privacy rule on public health
Impact of the Privacy Rule on Public Health

Externally– how does the Rule impact the flow of identifiable health data into or out of public health agencies?

Internally– what are ways that the Rule affects the practice of public health or public health research done by public health agencies or its partners?

external impacts of the privacy rule on public health
External Impacts of the Privacy Rule on Public Health

The public health exception within the HIPAA Privacy Rule allows a covered entity to disclose PHI without individual authorization to a “public health authority that is authorized by law to collect and receive such information for the purpose of preventing and controlling disease, injury, or disability, including . . . reporting of disease . . . and the conduct of public health surveillance . . . .”

external impacts of the privacy rule on public health1
External Impacts of the Privacy Rule on Public Health

Beyond this general authorization, specific public health-based exceptions include disclosures:

  • To maintain the quality, safety, or effectiveness of FDA products
  • To notify persons exposed to communicable diseases
  • Concerning work-related injuries
  • About victims of abuse, neglect, or domestic violence
  • For health oversight activities
  • To prevent serious threats to persons or the public
who is a public health authority
Who Is a Public Health Authority?

A public health authority is an:

agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency . . . that is responsible for public health matters as part of its official mandate.

who is a public health authority1
Who Is a Public Health Authority?

Public health authorities include:

  • State or Tribal Health Departments
  • Local Health Departments
  • Contractors/others acting under authority of these agencies
what about state public health reporting laws
What About State Public Health Reporting Laws?
  • All states require health care providers to report communicable diseases and other conditions
    • The specific diseases or conditions vary from state to state
    • May be found in statutory or regulatory laws
  • The Privacy Rule does not pre-empt (or override) state law that “provides for the reporting of disease or injury . . . or for the conduct of public health surveillance [or] investigation . . . .”
internal impacts of the privacy rule on public health
Internal Impacts of the Privacy Rule on Public Health

To the extent that public health authorities use or disclose identifiable health data for public health purposes, they are not “covered entities,” and are thus not required to adhere to the provisions of the Privacy Rule.

Simply stated– public health authorities performing public health practice activities are not covered by the Privacy Rule

internal impacts of the privacy rule on public health1
Internal Impacts of the Privacy Rule on Public Health

Public Health Authorities As Providers/Plans

A profound area of potential internal impact concerns those activities of public health authorities that resemble the provision of health care (e.g. direct delivery of health services to disadvantaged individuals) or administration of health plans (e.g., state “well person” programs).

internal impacts of the privacy rule on public health2
Internal Impacts of the Privacy Rule on Public Health
  • Public health authorities doing health care/plan activities may be considered as engaging in “covered functions.” If so, these activities would be deemed as covered under the Rule.
  • Thus, a local health clinic that provides flu vaccines or other health services for a minimal charge (and bills electronically) may be engaged in “covered functions.”
internal impacts of the privacy rule on public health3
Internal Impacts of the Privacy Rule on Public Health

Many state and local public health authorities declare themselves as Hybrid Entities pursuant to the Privacy Rule.

The practical effect of hybridstatus is that the

public health authority must only adhere to the Privacy Rule concerning those components of its practices that are covered. Other parts of the PHA may not have to adhere to the same requirements concerning their duties.

nationwide health information network
Nationwide Health Information Network
  • Understanding and resolving legal and policy issues, such as those related to variations in states’ privacy laws;
  • Ensuring that only the minimum amount of information necessary is disclosed to only those entities authorized to receive the information;
  • Ensuring individuals’ rights to request access and amendments to their own health information; and
  • Implementing adequate security measures for protecting health information.

GAO, Health Information Technology, GAO-07-238 (January 2007).

genetic non discrimination act
Genetic Non-Discrimination Act
  • The Genetic Information Nondiscrimination Act (HR 493) passed the House April 25, 420-3. It would:
  • Ban health insurers and group plans from using genetic information to determine eligibility or rates.
  • Prohibit employers from using genetic information in hiring, firing, job placement or promotion decisions.
  • Protect individuals until the point of diagnosis, when the Americans with Disabilities Act would assume jurisdiction.
  • Michigan has similar protections under state law, but not all states have enacted privacy protections for genetic information.
conclusions
Conclusions
  • A multitude of health information privacy laws and policies attempt to balance individual and communal interests in acquisitions, uses, and disclosures of identifiable health data
  • The HIPAA Privacy Rule presents a national health information privacy standards in the U.S.
  • The Privacy Rule creates a Floor [but not a ceiling] for privacy protections
  • The Rule impacts public health authorities in internal and external ways related to their practice and research activities
  • Other legislative efforts are seeking to expand privacy protections for health information
resources
Resources
  • Department of Health and Human Services: www.hhs.gov
    • Office of Civil Rights – HIPAA: www.hhs.gov/ocr/hipaa
  • U.S. Government Accountability Office: www.gao.gov
  • National Conf. of State Legislatures - HIPAA: http://www.ncsl.org/programs/health/HIPAA.htm
  • Michigan HIPAA Information: http://www.michigan.gov/mdch/0,1607,7-132-2945_24020---,00.html
resources cont
Resources, cont.
  • HIPAA Listserv(s): www.list.nih.gov
    • Go to “Browse” and enter Keyword “HIPAA”
  • National Committee on Vital and Health Statistics (NCVHS): www.ncvhs.hhs.gov
  • Designated Standard Maintenance Organizations: www.hipaa-dsmo.org
  • Workgroup for Electronic Data Interchange (WEDI): www.wedi.org
    • Strategic National Implementation Process (SNIP): www.wedi.org/snip
thank you
Thank You!
  • For more information, contact me at lancegable@wayne.edu
  • Special thanks to Nicole Rowley for research assistance and to Professor James G. Hodge, Jr., and the Centers for Disease Control and Prevention for use of some of these slides.