1 SCHOOL OF PUBLIC HEALTH HIPAA Privacy Training
2 Public Health and HIPAA This presentation will address the HIPAA Privacy regulations as they effect the activities of the School of Public Health. It is imperative to comply with the HIPAA Privacy Rule in all aspects in order to ensure the public s trust and cooperation in School of Public Health activities.
3 School of Public Health Roles When interacting with patients, SOPH can take on a number of different roles. These include, but are not limited to: Public health researcher Federal grant recipient Health educator State oversight agency Each role carries with it unique regulatory responsibilities when protecting patient privacy.
4 School of Public Health Activities Louisiana Breast and Cervical Health Program Louisiana Cancer Control Partnership Louisiana Tumor Registry Delta AIDS Education and Training Center (Delta AETC) Nurse Family Partnership Tobacco Control Initiative SILLY Study (Study of Insulin sensitivity in Low-birth weight Louisiana Youth)
5 Research Some public health activities may fall under the definition of research. When in doubt as to whether the public health activity undertaken is research, the LSUHSC-NO IRB must make a determination of whether the activity is human subjects research under the Common Rule and therefore, the Privacy Rule. The following activities are not research : Quality assessment and improvement activities, including outcomes evaluation, and development of clinical guidelines or protocols, fall under the category of health care operations provided the primary aim is not obtaining generalizable knowledge. Activities that aim primarily for generalizable knowledge of population health can fall into the category of public health activity.
6 Research (cont.) Research is defined by the Common Rule as systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. Activities which meet this definition constitute research for purposes of this policy, whether or not they are conducted or supported under a program which is considered research for other purposes. For example, some demonstration and service programs may include research activities. 45 CFR If the activity is research under the Common Rule, please contact the Office of Research Services and reference the HIPAA and Human Subjects Research Training Module for the proper handling of PHI.
7 Public Health Data Collection Public Health data collection is not directly linked to disease control activities. Data Collection includes but is not limited to: Vital Records (births, deaths) Disease registries
8 Public Health Surveillance Public Health Surveillance is the systematic collection, analysis, interpretation, and dissemination of health data on an ongoing basis, to gain knowledge of the pattern of disease occurrence and potential in a community, in order to control and prevent disease in the community Source: Centers for Disease Control (CDC)
9 HIPAA Privacy Rules affect Public Health Surveillance Public Health Authorities Definition of Public Health Authority Minimum Necessary Requirement Public Health Disclosures without an Authorization Child Abuse or Neglect Person at risk of contracting or spreading a disease Quality, safety or effectiveness of a product or activity regulated by the FDA. Ways to Submit Information to Public Health Authorities De-identified Information Limited Data Sets Full Data Sets NOTE: Additional regulations affecting the Juvenile Justice Program are addressed in a separate presentation.
10 Disclosures for Public Health Activities When disclosing information for public health purposes, LSUHSC-NO must consider the following: Whether the entity requesting the information is a public health authority or other agencies that are authorized by law to collect under HIPAA? Whether the disclosure is subject to the minimum necessary requirement? Whether the disclosure requires a signed HIPAA authorization form from the individual?
11 What is a Public Health Authority? A public health authority is: an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, an Indian tribe, a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors ; or persons or entities to whom it has granted authority, that is responsible for public health matters, as part of its official mandate.
12 Examples of Public Health Authorities Examples of Public Health Authorities are: Department of Health and Human Services (DHHS), National Institute of Health (NIH), Health Resources and Services Administration (HRSA); State and local health departments (Louisiana Department of Health and Hospitals) the Food and Drug Administration (FDA), the Centers for Disease Control and Prevention (CDC) Occupational Safety and Health Administration (OSHA) Contact the LSUHSC-NO Privacy Officer if you are unsure whether the entity requesting information is a public health authority.
13 Public Health Authorities (cont.) Additionally, there may be some instances where LSUHSC-NO is the public health authority. For example, LSUHSC-NO is the a public health authority in its role as the administrator of the Louisiana Tumor Registry. The Legislature created the Tumor Registry, therefore, as an entity the Tumor Registry is acting under a grant of authority from the State and qualifies as a public health authority.
14 Minimum Necessary Requirement When disclosing PHI for public health purposes, LSUHSC-NO is required to reasonably limit the information disclosed to the minimum necessary to accomplish the purpose. LSUHSC-NO is not required to make a minimum necessary determination if the public health disclosures are made pursuant to an individual s authorization or for a disclosure that is required by other law.
15 Minimum Necessary Requirement (cont.) LSUHSC-NO may reasonably rely on a minimum necessary determination made by a public health authority in requesting PHI. LSUHSC-NO may develop for specific procedures that address the types and amounts of PHI disclosed for routine and recurring public health disclosures. Should your area need assistance in developing procedures, contact the LSUHSC-NO Privacy Officer.
16 Authorization Requirement In general, the HIPAA Privacy requires LSUHSC-NO to obtain a signed HIPAA authorization form from the individual to disclose his/her PHI. However, there are certain health disclosures where obtaining an authorization is not required, such as treatment, payment, operations, and to the individual whom the information is about. If in doubt to whether an authorization is needed, contact the LSUHSC-NO Privacy Officer or obtain an authorization from the individual.
17 Public Health Disclosures LSUHSC-NO may make the following disclosures of PHI, without a signed HIPAA authorization form from the individual: May report to a public health authority that is authorized by law to collect and receive information for the purposes of: preventing or controlling disease, injury, or disability, including but not limited to: the reporting of disease, injury, vital events, such as birth or death, the conduct of public health surveillance, public health investigations, and public health interventions at the discretion of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority;
18 Public Health Disclosures (cont.) Under the Privacy Rule, LSUHSC-NO can also make public health disclosures without a signed HIPAA authorization form by the individual in cases where required by law. For example, The Louisiana Legislature passed R.S. 40: et seq. which mandates the collection of information on cancer cases in the state of Louisiana. This law requires healthcare providers to submit diagnostic, treatment, and follow-up information on cancer cases to the Louisiana Tumor Registry or its regional registries.
19 Public Health Disclosures (cont.) Reporting of child abuse and neglect LSUHSC-NO may report known or suspected child abuse or neglect, if the report is made to a public health authority or other appropriate government authority that is authorized by law to receive such reports. For example, the Louisiana Department of Social Services has the legal authority to receive reports of child abuse or neglect. The Privacy Rule allows LSUHSC-NO to report such cases to that authority without obtaining an authorization from the individual.
20 Public Health Disclosures (cont.) Persons at risk of contracting or spreading a disease LSUHSC-NO may disclose PHI to a person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition, if other law authorizes LSUHSC- NO to notify such individuals as necessary to carry out public health interventions or investigations.
21 Public Health Disclosures (cont.) Quality, safety, or effectiveness of a product or activity regulated by the FDA. Examples of purposes or activities for which such disclosures may be made include, but are not limited to: Collecting and reporting adverse events (or similar activities regarding food or dietary supplements), product defects or problems (including problems with the use or labeling of a product) or biological product deviations Tracking FDA-regulated products Enabling product recalls, repairs, or replacement or for lookback (including locating and notifying persons who have received products that have been withdrawn, recalled, or are subject of lookback.) Conducting post-marketing surveillance
22 Ways to Submit the Information to Public Health Authorities De-identified Data Limited Data Sets Full Data Sets
23 De-identified Information To submit to a public health authority, LSUHSC-NO may take PHI and remove all direct and indirect identifiers to eliminate or make highly improbable, re-identification using statistical techniques. Once the PHI is de-identified, the information is no longer subject to the Privacy Rule and may be disclosed freely.
24 Direct Identifiers Names Postal address information, other than town or city, State, and zip code Telephone numbers Fax numbers Electronic mail addresses Social Security numbers Medical records numbers Health plan beneficiary numbers Account numbers Vehicle identifiers and serial numbers, including license plate numbers Device identifiers and serial numbers Web Universal Resource Locators (URLs) Internet Protocol (IP) address numbers Biometric identifiers, including finger and voice prints Full face photographic images and any comparable images Any other unique identifying number, characteristic, or code. Certificate/license numbers
25 Indirect Identifiers All geographic subdivisions smaller than a state including street address, city, county, precinct, zip code, and their equivalent, except for the initial three digits of zip code, if according to the current publicly available data from the Bureau of Census; the geographical unit formed by combining all zip codes with the same initial three digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographical units containing 20,000 or fewer people is changed to 000. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of age, except that such ages and elements may be aggregated into a single category of age 90 or older.
26 Statistical Standard Option HIPAA provides that LSUHSC-NO may determine that health information is not individually identifiable if: A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information; and that person documents the methods and results of the analysis that justify such determination. If you feel you need to utilize this option, you must contact the LSUHSC-NO Privacy Officer BEFORE any disclosure of information occurs.
27 Re-identification of Data LSUHSC-NO may assign a code or other means of record identification to allow de-identified information to be re-identified, if the code is not derived from, or related to, the removed identifiers. Only LSUHSC-NO will have the re-identification information and must be closely guarded to prevent unauthorized disclosure of PHI. If the data is re-identified, the information once again becomes subject to all the requirements of the Privacy Rule.
28 Where to find LSUHSC-NO policy and procedures on De-identification of PHI? LSUHSC-NO s HIPAA Policies and Procedures on De-identification of PHI are contained in Chancellor s Memorandum (CM) 53 and may be found at: Policy O: De-identification of Protected Health Information 53/Deidentification1.aspx Policy O Attachment A: Request for De-identified Information 53/pdf/AttachmentA-Deidentification.pdf Policy S Attachment D: Principal Investigator s Request De-identification form for Approved Exempt Research 53/pdf/AttachmentD-InstitutionalReviewBoard.pdf
29 Limited Data Sets LSUHSC-NO may disclose PHI in a limited data set (LDS) to a researcher who has entered into an appropriate data use agreement LDS must have all direct identifiers removed; they may still include information that could indirectly identify the subject using statistical methods.
30 Data Use Agreement LSUHSC-NO must condition the disclosure of the LDS on the execution of a data use agreement. Data use agreement must establish: the permitted uses and disclosures of such information by the recipient, consistent with the purposes of research; limit who can use or receive the data; require the recipient to agree not to re-identify the data or contact the individuals.
31 Where to find LSUHSC-NO s HIPAA policies and procedures on Limited Data Sets and Data Use Agreements? LSUHSC-NO s HIPAA Policies and Procedures on Limited Data Sets and Data Use Agreements are contained in Chancellor s Memorandum (CM) 53 and may be found at: Policy N: Limited Data Set 53/LimitedDataSet14.aspx Policy N Attachment A: Limited Data Set Request and Data Use Agreement 53/pdf/AttachmentA-LimitedDataSetRequest.pdf
32 Full Data Sets The Privacy Rules allows LSUHSC-NO to disclose directly identifiable PHI, such as name, address and social security number for public health purposes. However, because of the security and privacy risks of associated with the transfer of this sensitive information, the LSUHSC-NO Privacy Officer and LSUHSC-NO Security Officer MUST be contacted before any transmission of full data sets takes place.
33 Penalties for HIPAA violations There is a tiered system for assessing the level and penalty of each violation: Tier A-violations that are accidental not intentional-fines of $100 per violation up to $25,000 for violations of an identical type per calendar year. Tier B-violations due to reasonable cause and not willful neglect- fines of $1000 per violation up to $50,000 for violations of an identical type per calendar year.
34 Penalties for HIPAA violations (cont.) Tier C- violations that the hospital corrected, but were due to willful neglect of the policies/procedures-fines $10,000 per violation up to $250,000 for violations of an identical type per calendar year. Tier D- violations due to willful neglect that the hospital did not correct-fines $50,000 per violation up to $1.5 million for violations of an identical type per calendar year.
35 Additional Penalties Loss of your job or student status. Individuals and health care providers (hospitals, etc.) can also face civil and criminal prosecution, depending on the facts of the case.
36 Role of Privacy Officer Responds to HIPAA privacy complaints Implements policies and procedures Conducts educational programs Reviews LSUHSC s privacy program Is available to answer any privacy questions or concerns.
37 Reporting a HIPAA violation If anyone suspects or knows of mishandling or misuse of patient PHI, a complaint can be made to: Contact the LSUHSC-NO Privacy Officer or the Office of Compliance Programs by: Telephone at: Office: (504) Confidential reporting hotline: (504) , or at:
38 Questions? We Are Here to Help! Office of Compliance Programs 433 Bolivar St. Suite 807 New Orleans, LA