Health Information Privacy: Scope, Structure, and Implementation
Lance Gable, JD, MPH
Professor of Law
Wayne State University Law School

A Quick Overview

Objective One: Understand the basic principles of health information privacy, confidentiality, and security.

Objective Two
If the security safeguards in an automated system fail or are compromised, a breach of confidentiality can occur and the privacy of data subjects can be invaded.
Individual privacy protections must be balanced with legitimate communal uses of health data, such as health research and public health.

Objective Three: Examine the scope, structure, and implementation of the HIPAA Privacy Rule as related to health care providers and public health authorities.
The Health Insurance Portability and Accountability Act of 1996
HIPAA seeks to:
> Increase access to health insurance
> By reducing insurance costs
> By lowering administrative costs
> By transmitting electronic data
> Under enhanced health information privacy protections
> That encourage people to seek health care!
Administrative Simplification Provisions =
Standards for Privacy of Individually Identifiable Health Info. =
Health Information Privacy Regulations =
45 CFR Parts 160 – 164 =
The Privacy Rule
“Protected Health Information (PHI)”
individually-identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally.
45 C.F.R. 160.103
“Covered Entities (CEs)”:
45 C.F.R. 160.103
Business associates include:
45 C.F.R. 160.103
Beyond CEs and their Business Associates are those who engage in:
Covered functions – those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse. 45 CFR 164.103
Hybrid entities that perform both “covered” and “not covered” functions MAY have to adhere to relevant portions of the Privacy Rule to the extent to which some part of the entity conducts these activities.
use, and disclose vast quantities of health data
Boundaries - setting limits on uses and disclosures
Security - imposing security requirements
Fair Information Practices - allowing individuals some level of access to their health data
Accountability - making covered entities accountable for handling and abuses
CEs may use or disclose PHI without individual informed consent to carry out treatment, payment, or health care operations (a.k.a. standard transactions).
Otherwise, uses or disclosures of PHI require either individual opportunities to object or written authorizations pursuant to the “anti-disclosure rule.”
“Except as otherwise permitted or required . . . , a CE may not use or disclose PHI without an authorization . . . ”
45 CFR 164.508(a)(1)
Some exceptions to the anti-disclosure rule:
Fair Information Practices
Federal/State Statutory Laws
Federal/State Administrative Laws
Federal/State Judicial Law
Does the Privacy Rule supplant these laws?
No, the Privacy Rule creates a floor of federal protections.
Existing federal or state laws that provide greater health information privacy protections or do not otherwise conflict with the Rule remain in effect. Like a patchwork quilt, they lay over Privacy Rule protections.
Violations or breaches of the Privacy Rule may result in:
45 CFR 160.300-.500
Civil and criminal penalties have rarely been assessed. HHS has focused almost exclusively on compliance reviews and investigations.
Beyond formal or informal approaches to addressing violations pursuant to the Privacy Rule are:
Externally – how does the Rule impact the flow of identifiable health data into or out of public health agencies?
Internally – what are the ways that the Rule affects the practice of public health, or public health research done by public health agencies or their partners?
The public health exception within the HIPAA Privacy Rule allows a covered entity to disclose PHI without individual authorization to a “public health authority that is authorized by law to collect and receive such information for the purpose of preventing and controlling disease, injury, or disability, including . . . reporting of disease . . . and the conduct of public health surveillance . . . .”
Beyond this general authorization, specific public health-based exceptions include disclosures:
A public health authority is an:
agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency . . . that is responsible for public health matters as part of its official mandate.
Public health authorities include:
To the extent that public health authorities use or disclose identifiable health data for public health purposes, they are not “covered entities,” and are thus not required to adhere to the provisions of the Privacy Rule.
Simply stated – public health authorities performing public health practice activities are not covered by the Privacy Rule.
Public Health Authorities As Providers/Plans
A profound area of potential internal impact concerns those activities of public health authorities that resemble the provision of health care (e.g. direct delivery of health services to disadvantaged individuals) or administration of health plans (e.g., state “well person” programs).
Many state and local public health authorities declare themselves as Hybrid Entities pursuant to the Privacy Rule.
The practical effect of hybrid status is that the public health authority must adhere to the Privacy Rule only for those components of its practices that are covered. Other parts of the PHA may not have to adhere to the same requirements concerning their duties.