
Health Information Privacy: Scope, Structure, and Implementation



  1. Health Information Privacy: Scope, Structure, and Implementation. Lance Gable, JD, MPH, Professor of Law, Wayne State University Law School

  2. A Quick Overview
  • Objective One: Understand the basic principles of health information privacy, confidentiality, and security.
  • Objective Two: Assess the existing universe of legal protections for the privacy and confidentiality of health data.
  • Objective Three: Examine the scope, structure, and implementation of the HIPAA Privacy Rule.
  • Objective Four: Discuss the impact of the HIPAA Privacy Rule on public health authorities.
  • Objective Five: Explore new legal developments related to health information privacy.

  3. Objective One: Understand the basic principles of health information privacy, confidentiality, and security.

  4. Health Information Privacy - Key Terms
  • Privacy - an individual’s right to control the circumstances under which their identifiable health information is collected, used, stored, and transmitted.
  • Confidentiality - privacy interests that arise from a specific relationship (e.g., doctor/patient, researcher/subject) and the corresponding legal and ethical duties.
  • Security - technological, organizational, or administrative safeguards or tools that protect identifiable health information from unwarranted access or disclosure.

  5. Health Information Privacy - Key Terms “If the security safeguards in an automated system fail or are compromised, a breach of confidentiality can occur and the privacy of data subjects invaded.”
  • Willis Ware, Lessons for the Future: Dimensions of Medical Record Keeping, in Health Records: Social Needs and Personal Privacy 43 (Task Force on Privacy, U.S. Department of Health and Human Services, 1993), http://aspe.hhs.gov/pic/pdf/4441.pdf

  6. Health Information Privacy - Key Concepts
  • Protecting health information privacy requires legal protections addressing 4 types of data exchanges:
  • Acquisitions: acquiring or accessing identifiable health data by an entity
  • Uses: the sharing, employment, examination, or analysis of identifiable health data within an entity
  • Disclosures: the release, transfer, provision of, access to, or divulging of identifiable health data outside the entity that holds it
  • Storage: keeping identifiable health data in any medium within an entity that is not actively using the data

  7. Health Information Privacy - Key Concepts (diagram: Acquisition, Use, Storage, Disclosure)

  8. Risks to Health Information Privacy
  • Disclosure of health data: the accessibility and intimate nature of health data combine to harm those whose privacy is violated.
  • Unwarranted disclosures can cause social, psychological, and economic harm.
  • Emerging computer technologies threaten individual privacy.
  • Synergies: Protecting health information privacy is essential to the functioning of health care and public health systems.

  9. Synergies of Health Information Privacy
  • Absent privacy protections, patients and others will avoid some clinical, public health, and research interventions.
  • Only through the responsible sharing of some health data may improvements in health care and community health be made.

  10. Health Information Privacy - Communal Needs for Identifiable Health Data Individual privacy protections must be balanced with legitimate communal uses of health data, such as health research and public health.

  11. Objective Two: Assess the existing universe of legal protections for the privacy and confidentiality of health data.

  12. The Universe of Health Information Privacy Laws and Policies
  • A host of laws of every type, at every level of government, affecting multiple types of entities and covering an array of health data, are all part of the universe of health information privacy laws.

  13. The Universe of Health Information Privacy Laws and Policies – Types of Laws

  14. The Universe of Health Information Privacy Laws and Policies – Levels of Government

  15. The Universe of Health Information Privacy Laws and Policies – Regulated Entities

  16. The Universe of Health Information Privacy Laws and Policies – Examples of Types of Health Data

  17. The Universe of Health Information Privacy Laws and Policies
  • Underlying all of these laws are some essential features:
  • Focus is almost always on individual (as contrasted with group) privacy protections
  • Only identifiable health data are covered (as non-identifiable data do not require individual health privacy protections)
  • Consistent need to balance individual and communal interests in identifiable health data
  • Failure of many laws to address modern electronic exchanges of health data

  18. The Universe of Health Information Privacy Laws and Policies
  • In combination, this existing universe of laws provides a “patchwork quilt” of privacy protections
  • Health information privacy protections vary across the U.S.
  • Inconsistencies in interpretation, application, and analysis inevitably arise.

  19. Objective Three: Examine the scope, structure, and implementation of the HIPAA Privacy Rule as related to health care providers and public health authorities.

  20. Health Information Privacy - Modern Protections HIPAA: The Health Insurance Portability and Accountability Act of 1996

  21. HIPAA and the Basis for Health Info. Privacy HIPAA seeks to:
  > Increase access to health insurance
  > By reducing insurance costs
  > By lowering administrative costs
  > By transmitting electronic data
  > Under enhanced health info. privacy protections
  > That encourage people to seek health care!

  22. Health Information Privacy - Modern Protections HIPAA = Administrative Simplification Provisions = Standards for Privacy of Individually Identifiable Health Info. = Health Information Privacy Regulations = 45 CFR Parts 160 – 164 = The Privacy Rule

  23. HIPAA Privacy Rule - A Brief Timeline
  • August 21, 1996. HIPAA passes Congress and is signed into law.
  • August 21, 1999. Congress fails to pass a health info. privacy law.
  • August 1999 - January 2001. Absent Congressional action, DHHS is authorized to produce administrative regulations.
  • April 14, 2001. After months of work and public commentary, DHHS finalizes its Privacy Rule with President Bush’s approval.
  • August 14, 2002. The Bush administration modifies the original Rule.
  • April 14, 2003. The Rule becomes effective for most “covered entities” [or one year later for small health plans].
  • April 14, 2004. The Rule is fully effective for all covered entities.

  24. HIPAA Privacy Rule - Scope, Structure, and Implementation
  • What is covered?
  • Who is covered?
  • How is it covered?
  • What about other laws?
  • What about violations?

  25. What Is Covered? “Protected Health Information (PHI)”: individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally. 45 C.F.R. 160.103

  26. What Is Covered?
  • “Protected Health Information (PHI)” DOES NOT include:
  • Education records covered by FERPA;
  • Employment records held by a covered entity in its role as employer;
  • Non-identifiable health information
  • 45 C.F.R. 160.103

  27. Who Is Covered? “Covered Entities (CEs)”:
  • Health Plans
  • Health Care Clearinghouses
  • Health Providers that exchange identifiable health data electronically
  • and their business associates
  45 C.F.R. 160.103

  28. Who Is Covered? Business associates include:
  • Claims or data processors
  • Billing companies
  • Quality assurance providers
  • Utilization reviewers
  • Lawyers
  • Accountants
  • Financial service providers
  45 C.F.R. 160.103

  29. Who Is Covered? Beyond CEs and their Business Associates are those who engage in covered functions: those functions of a covered entity the performance of which makes the entity a health plan, health care provider, or health care clearinghouse. 45 CFR 164.103. Hybrid entities that perform both “covered” and “not covered” functions MAY have to adhere to relevant portions of the Privacy Rule to the extent that some part of the entity conducts these activities.

  30. Who Is Not Covered?
  • Life insurance companies
  • Auto insurance companies
  • Worker’s compensation carriers
  • Employers
  • Others who may still acquire, use, and disclose vast quantities of health data

  31. How is PHI Covered?
  • Boundaries - setting limits on uses and disclosures
  • Security - imposing security requirements
  • Fair Information Practices - allowing individuals some level of access to their health data
  • Accountability - making covered entities accountable for handling and abuses

  32. How is PHI Covered? Boundaries
  • 164.502 – Uses and Disclosures – General Rules
  • 164.504 – Uses and Disclosures – Organizational Req.
  • 164.506 – Uses and Disclosures – Std. Transactions
  • 164.508 – Uses and Disclosures – Authorization Req.
  • 164.510 – Uses and Disclosures – Individual Oppy.
  • 164.512 – Uses and Disclosures – No Authorization Req.
  • 164.514 – Uses and Disclosures – Other Requirements

  33. How Are Uses/Disclosures Regulated? CEs may use or disclose PHI without individual informed consent to carry out treatment, payment, or health care operations (a.k.a. standard transactions).

  34. How Are Uses/Disclosures Regulated? Otherwise, uses or disclosures of PHI require either individual opportunities to object or written authorizations pursuant to the “anti-disclosure rule”: “Except as otherwise permitted or required . . . , a CE may not use or disclose PHI without an authorization . . . .” 45 CFR 164.508(a)(1)

  35. How Are Uses/Disclosures Regulated?
  • 2 Major Categories of Uses or Disclosures Requiring Individual Opportunity to Object
  • Family Directories
  • Individual Health Care Purposes
  • 45 CFR 164.510

  36. How are Uses/Disclosures Regulated? Some exceptions to the anti-disclosure rule:
  • Law Enforcement
  • Judicial and Administrative Proceedings
  • Decedents
  • Health emergencies
  • Limited Commercial Marketing
  • Minors
  • Health Research
  • Public Health

  37. Specific Public Health-based exceptions include disclosures:
  • To maintain quality, safety, or effectiveness of FDA products
  • To notify people exposed to communicable diseases
  • Concerning work-related injuries
  • About victims of abuse, neglect, or domestic violence
  • For health oversight activities
  • To prevent serious threats to people or the general public

  38. How is PHI Covered? Security
  • 164.102 – 164.318
  • Security Standards – Generally
  • Administrative Safeguards
  • Physical Safeguards
  • Technical Safeguards
  • Organizational Requirements
  • CIA – Confidentiality, Integrity, and Availability

  39. How is PHI Covered? Fair Information Practices
  • 164.522 – Rights to Request Privacy Protections
  • Request Restrictions on Uses and Disclosures
  • Confidential Communications
  • 164.524 – Individual Access to PHI
  • 164.526 – Amendment of PHI

  40. How is PHI Covered? Accountability
  • 164.520 – Notice: Rights, Content, Provision
  • 164.528 – Accounting: Rights, Content, Provision

  41. What About Other Laws? Federal/State Constitutions; Federal/State Statutory Laws; Federal/State Administrative Laws; Federal/State Judicial Law. Does the Privacy Rule supplant these laws?

  42. Does the Privacy Rule Supplant These Laws? No, the Privacy Rule creates a floor of federal protections. Existing federal or state laws that provide greater health information privacy protections or do not otherwise conflict with the Rule remain in effect. Like a patchwork quilt, they lay over Privacy Rule protections.

  43. What About Violations? Violations or breaches of the Privacy Rule may result in:
  • Complaints filed with the Secretary of HHS;
  • Ensuing investigation by the Secretary;
  • Compliance reviews by the Secretary;
  • Informal resolution by the Secretary whenever possible; and
  • Imposition of civil penalties, which can be collected through release of federal debts owed to the entity.
  • Does not include criminal sanctions against individuals
  45 CFR 160.300-.500
  Civil and criminal penalties have rarely been assessed. HHS has focused almost exclusively on compliance reviews and investigations.

  44.–46. What About Violations? (three slides of enforcement charts) Source: DHHS Office of Civil Rights, Compliance and Enforcement Numbers at a Glance, http://www.hhs.gov/ocr/privacy/enforcement/numbersglance.html (visited May 10, 2007).

  47. What About Violations? Beyond formal or informal approaches to addressing violations pursuant to the Privacy Rule are:
  • Judicial uses of the Privacy Rule as a per se standard for protecting health information privacy;
  • Contractual obligations to adhere to the Privacy Rule (Business Associates; Limited Data Sets);
  • Institutional, corporate, and organizational policies requiring adherence to the Rule

  48. Objective Four: Discuss the impact of the HIPAA Privacy Rule on public health authorities.

  49. Impact of the Privacy Rule on Public Health
  • Externally – how does the Rule impact the flow of identifiable health data into or out of public health agencies?
  • Internally – in what ways does the Rule affect the practice of public health, or public health research done by public health agencies or their partners?

  50. External Impacts of the Privacy Rule on Public Health The public health exception within the HIPAA Privacy Rule allows a covered entity to disclose PHI without individual authorization to a “public health authority that is authorized by law to collect and receive such information for the purpose of preventing and controlling disease, injury, or disability, including . . . reporting of disease . . . and the conduct of public health surveillance . . . .”
