HIPAA and Public Health

HIPAA and Public Health. 2007 Epi Rapid Response Team Conference. HIPAA Standard. The HIPAA Privacy Rule provides the first national standards for protecting the privacy of health information. (Standard)

Presentation Transcript


  1. HIPAA and Public Health 2007 Epi Rapid Response Team Conference

  2. HIPAA Standard
     • The HIPAA Privacy Rule provides the first national standards for protecting the privacy of health information. (Standard)
     • The Privacy Rule regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI).
     • PHI is individually identifiable health information

  3. Legislative History
     • Health Insurance Portability and Accountability Act of 1996 (HIPAA)
     • Subtitle F--Administrative Simplification
     • Encourage development of (electronic) health information technologies (transactions)
     • Easier information sharing—security and privacy

  4. HIPAA …
     • gives patients more control over their health information
     • sets boundaries on the use and release of health records
     • establishes appropriate safeguards that the majority of health-care providers and others must achieve to protect the privacy of health information
     • holds violators accountable with civil and criminal penalties that can be imposed if they violate patients' privacy rights
     • strikes a balance when public health responsibilities support disclosure of certain forms of data

  5. HIPAA …
     • enables patients to make informed choices based on how individual health information may be used
     • enables patients to find out how their information may be used and what disclosures of their information have been made
     • generally limits release of information to the minimum reasonably needed for the purpose of the disclosure
     • generally gives patients the right to obtain a copy of their own health records and request corrections
     • empowers individuals to control certain uses and disclosures of their health information

  6. Scope: Who is Covered?
     • Limited by HIPAA to:
     • Health care providers who transmit health information in electronic transactions
     • Health plans
     • Health care clearinghouses
     • Business associate relationships

  7. Scope: What is Covered?
     • Protected health information (PHI) is:
     • Individually identifiable health information
     • Transmitted or maintained in any form or medium
     • Held by covered entities or their business associates
     • De-identified information is not covered

  8. Individual’s Rights
     • Individuals have the right to:
     • A written notice of information practices from health plans and providers
     • Inspect and obtain a copy of their PHI
     • Obtain an accounting of disclosures
     • Amend their records
     • Request restrictions on uses and disclosures
     • Accommodation of reasonable communication requests
     • Complain to the covered entity and to HHS

  9. Day-to-day Data Sharing with Public Health
     • Disclosures permitted if required by law
     • Disclosures also permitted for “public health activities and purposes”
     • Consent or authorization not required for above disclosures
     • Rule does not require public health disclosures

  10. Information Types
     • De-Identified Information - requires no individual privacy protections and is not covered by the Privacy Rule.
     • statistical de-identification --- a properly qualified statistician using accepted analytic techniques concludes the risk is substantially limited that the information might be used, alone or in combination with other reasonably available information, to identify the subject of the information; or
     • the safe-harbor method --- a covered entity or its business associate de-identifies information by removing 18 identifiers and the covered entity does not have actual knowledge that the remaining information can be used alone or in combination with other data to identify the subject.

  11. Information Types
     • Limited Data Set - Health information in a limited data set is not directly identifiable, but may contain more identifiers than de-identified data that has been stripped of the 18 identifiers.

  12. Limited Data Set
     • A data-use agreement must establish who is permitted to use or receive the limited data set, and provide that the recipient will
     • not use or disclose the information other than as permitted by the agreement or as otherwise required by law;
     • use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the data-use agreement;
     • report to the covered entity any use or disclosure of the information, in violation of the agreement, of which it becomes aware;
     • ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and
     • not attempt to re-identify the information or contact the individual.

  13. Identifiers
     • Names
     • Geographic subunits smaller than state
     • Age
     • Telephone #
     • Fax #
     • Email
     • SSN
     • IP addresses
     • Biometric IDs
     • Medical Record Number
     • Health plan beneficiary #
     • Account #
     • Certificate and License #
     • Vehicle ID
     • Medical Device ID
     • URLs
     • Full face photographs
     • Any other unique identifying number, characteristic, or code

  14. Data Shared with Whom?
     Includes:
     • “Public health authority” for public health activities
     • Official of foreign government acting in collaboration with public health authority
     • Person exposed to or at risk of contracting or spreading disease

  15. Definition of Public Health Authority
     “an agency or authority of the U.S., a State, a territory, a political subdivision of a State or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.”

  16. “Minimum Necessary” Data
     • Information used/disclosed/requested should be “minimum necessary” needed
     • Covered entities may rely on public officials to determine

  17. Not Required by Privacy Rule
     • Sharing of data with public health authorities
     • Specification of particular activity in law—general authority under law suffices (e.g., to receive data for surveillance activities)
     • Specification of data requested by public health in law
     • Protection of data received by public health authority unless it is also a covered entity (e.g., a health care provider)

  18. Useful sites
     • http://www.hhs.gov/ocr/hipaa
     • http://www.cdc.gov/cic
     • http://www.naaccr.org

  19. Source
     • Health and Human Services, Office of Civil Rights
     • Centers for Disease Control and Prevention