De-identifying PHI to meet HIPAA Privacy Rule requirements

The HIPAA Rules apply to covered entities and business associates. A covered entity can be the business associate of another covered entity.
However, covered entities often decide to require approval from their own IRB or Privacy Board prior to disclosing PHI to the requesting researcher, regardless of whether another IRB or Privacy Board already granted a waiver of authorization. This leads to delays and variability in the protocol at different sites (see also Chapter 5).
Simplification would also be very helpful for smaller or community-based institutions that do not have internal counsel or regulatory affairs specialists, and are thus more likely to opt out of research that requires decisions about authorizations.
Activities Preparatory to Research

A second situation where a covered entity is permitted to use and disclose PHI without obtaining authorization is for activities that are preparatory to research.
A covered entity may permit researchers to look through its medical records in order to develop research protocols and to aid the recruitment of research participants if it obtains from the researcher representations that the information sought is necessary for the research purpose, that information will be reviewed only for the stated purposes preparatory to research, and that no PHI will be removed from the covered entity by the researcher in the course of the review 45 HHS, a.
Many research studies, especially those focused on rare conditions with limited eligible patient populations, rely on large-scale medical chart reviews and searches of patient databases to identify patients who might be eligible for and might benefit from a particular study. Sufficient patient enrollment in a timely fashion is essential to ensure the meaningfulness and reliability of the research results. However, confusion regarding what is permitted under this component of the Privacy Rule is widespread (SACHRP), and surveys and studies indicate that patient recruitment has become more difficult and costly under the varying interpretations of the Privacy Rule (see Chapter 5).
HHS has issued multiple guidance statements on this topic, but these statements, some of which have been contradictory, have failed to eliminate confusion (reviewed by SACHRP). According to current HHS guidance on the Privacy Rule, researchers (both internal and external to a covered entity) may conduct a review of medical records under the preparatory to research exception.
HHS guidance on the Privacy Rule indicates that external researchers are not allowed under the preparatory to research exception to record or remove contact information of patients from a covered entity.
This creates an artificial distinction between internal and external researchers that actually provides less privacy protection than that afforded by the Common Rule, which requires that any activities preparatory to research involving human subjects, or related to initial recruitment of subjects for research studies, be reviewed and approved by an IRB (HHS). Moreover, research shows that patients prefer to be approached by their clinician or an associated nurse as opposed to a stranger (Damschroder et al.).
It appears, for example, that in some institutions, boilerplate business associate contracts are being signed, and that template applications for partial waivers of authorization are being routinely granted, as methods of perfunctory compliance with these confusing Privacy Rule requirements.
The use or disclosure being sought is solely for research on the PHI of decedents
The PHI is necessary for research
The death of the individual is documented, if requested by the covered entity

Apparently some covered entities interpret the Privacy Rule more conservatively by requiring researchers to obtain authorization from next of kin, or a waiver of authorization from an IRB or Privacy Board, in order to access the PHI of decedents (Ness).

Deidentified information does not qualify as PHI, and therefore is not protected under the Privacy Rule; it can be disclosed to researchers at any time (HHS, c).
The Privacy Rule offers two methods to deidentify personal health information. Under the statistical method, a statistician or person with appropriate training verifies that enough identifiers have been removed that the risk of identification of the individual is very small. Furthermore, the covered entity may not disclose the key to the code to anyone else.
These provisions are more stringent than those of the Common Rule, leading to situations in which some coded data might be subject to the Privacy Rule, but not the Common Rule (Rothstein). But because IRBs have not had to review these protocols in the past, they may find it difficult to make appropriate decisions about waivers. The Privacy Rule restrictions put greater emphasis on the possibility that health data could be reidentified using publicly available databases.
Determining what information can be released without inappropriately compromising the privacy of the individual respondents is inherently a statistical issue (Fienberg; see also discussion on privacy-preserving data mining and statistical disclosure limitation in Chapter 2).
For example, an academic exercise showed that it was possible to identify the names and addresses of 97 percent of the registered voters in Cambridge, Massachusetts, using the birth date and full postal code (Sweeney). Studies indicate that even after removal of the 18 identifiers required under the safe harbor method of the Privacy Rule, recipients could reidentify individuals in a study dataset with a moderately high expectation of accuracy by applying only diagnosis and medication combinations (Clause et al.).
However, strong security measures as recommended in Chapter 2 and the implementation of legal sanctions against the unauthorized reidentification of deidentified data as recommended in subsequent sections of this chapter may be more effective in protecting privacy than more stringent deidentification standards. Likewise, treatment dates are essential information for determining treatment effects, including adverse side effects.
Concerns were also raised that deidentification would impede longitudinal studies, and subsequent research has indicated that information deidentified using the safe harbor method of removing all of the listed identifiers results in lost chronological spacing of episodes of care Clause et al. However, the following elements may be included in a limited dataset: A limited dataset may be created by a covered entity or the covered entity can enter into a business associate agreement with another party, including the intended recipient, to create the limited dataset on its behalf.
These contracts specify the recipient of the limited dataset and require the recipient to agree to a number of conditions, including: France reportedly uses the equivalent of limited datasets from numerous hospitals to conduct epidemiologic research (Berman), but the French health care system and legal environment are quite different than in the United States.
For example, in some health care settings, it can be challenging to identify an individual who will sign a data use agreement on behalf of the covered entity and thus manage the contract according to the perceived risk and obligation to monitor how that limited dataset is used. At the other extreme, it was noted that some covered entities were signing data use agreements as a matter of course, and thus providing little meaningful privacy protection to the patient (IOM). Thus, the committee recommends that HHS encourage greater use of limited datasets and develop clear guidance on how to set up and comply with the associated data use agreements more efficiently and effectively.
The Privacy Rule addresses data aggregation only with respect to health care operations, not research. More commonly, data are provided to researchers with direct identifiers removed.
A third party may also collect PHI from covered entities and aggregate the data for research by establishing business associate agreements (BAs) with the various data sources, but in practice, BAs are used infrequently for this purpose (AcademyHealth). This approach is complicated and impractical to set up for individual research projects.
Moreover, BAs can be established by covered entities to gain competitive advantage, rather than to collaborate in research.
The committee believes that a better approach would be to establish secure, trusted, nonconflicted intermediaries that could develop a protocol, or key, for routinely linking data without direct identifiers from different sources and then provide more complete and useful deidentified datasets to researchers. One way this could be accomplished, for example, might be through data warehouses that are certified for the purpose of linking data from different sources (IOM). The organizations responsible for such linking would be required to use strong security measures and would maintain the details about how this linkage was done, should another research team need to recreate the linked dataset.
Using such intermediaries would increase patient privacy protections and allay concerns of covered entities, and thus would facilitate greater use of health data for research and also lead to more meaningful study results. CMS provides a similar service for Medicare and Medicaid data, via contractors who create standardized data files that are tailored for research (Box). The agency has begun pilot projects to aggregate Medicare claims data with data from commercial health plans and, in some cases, Medicaid, in order to calculate and report quality measures for physician groups.
The HIPAA administrative simplification provisions specifically provided for the creation of a unique individual identifier, but work on this project has been halted because there is a great deal of controversy regarding how it could be implemented without compromising individual privacy.
Federal agencies are also under pressure from the Office of Management and Budget to reduce the use of Social Security numbers as unique identifiers. But the development of some type of linking key not based on Social Security numbers would make linkages more efficient, standardized, and reliable and less costly. Moreover, this type of linkage could greatly facilitate many types of information research, provide more extensive health histories and facilitate public health surveillance, and improve quality of care (HHS; Hillestad et al.).
Genetic Information and the Privacy Rule

Research involving genetic information presents perhaps some of the most challenging areas for protecting the privacy of health information (Bregman-Eschet; Farmer and Godard; Greely; NBAC). New knowledge of the human genome, combined with advances in computing capabilities, is expected to help decipher the roles that genetics and the environment play in the origins of complex but common human diseases, such as cancer, heart disease, and diabetes.
In this genomic age of health research, patient samples stored in biospecimen banks can provide a wealth of information for addressing long-standing questions about health and disease, and efforts are underway to create large genomic databases for that purpose (Adams; Greely; Lowrance; Lowrance and Collins). However, it is particularly difficult to assess the potential harms to individuals who are the subjects of research in these rapidly advancing areas (NBAC; Pritts), and precedent does not appear to provide sufficient guidance in this relatively uncharted territory (Lowrance; Lowrance and Collins). HHS has further stated that the results of an analysis of blood or tissue, if containing or associated with personally identifiable information, would be PHI.
Genetic information does not itself identify an individual in the absence of other identifying information. As genetic information becomes more prevalent in research and health care, the latter scenario is more likely to occur.

Implement policies and procedures to address security incidents.
Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.
Establish and implement as needed policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.
(A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information.
(B) Disaster recovery plan (Required). Establish and implement as needed procedures to restore any loss of data.
(C) Emergency mode operation plan (Required). Establish and implement as needed procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
(D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans.
(E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components.
Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity's or business associate's security policies and procedures meet the requirements of this subpart.
Impact on Public Health

Public health practice and research, including such traditional public health activities as program operations, public health surveillance, program evaluation, terrorism preparedness, outbreak investigations, direct health services, and public health research, use PHI to identify, monitor, and respond to disease, death, and disability among populations.
Public health authorities have a long history of protecting and preserving the confidentiality of individually identifiable health information. They also recognize the importance of protecting individual privacy and respecting individual dignity to maintaining the quality and integrity of health data. CDC and others have worked to consistently strengthen federal and state public health information privacy practices and legal protections 5. DHHS recognized the importance of sharing PHI to accomplish essential public health objectives and to meet certain other societal needs e.
Further, the Privacy Rule permits covered entities to make disclosures that are required by other laws, including laws that require disclosures for public health purposes. Thus, the Privacy Rule provides for the continued functioning of the U.S. public health system. Covered entities should become fully aware of the scope of permissible disclosures for public health activities as well as state and local reporting laws and regulations. Moreover, a public health authority may also be a covered entity.
For example, a public health agency that operates a health clinic, providing essential health-care services and performing covered transactions electronically, is a covered entity. This report provides guidance to public health authorities and their authorized agents, researchers, and health-care providers in interpreting the Privacy Rule as it affects public health.
CDC recommends that public health authorities share the information in this report with covered health-care providers and other covered entities and work closely with those entities to ensure implementation of the rule consistent with its intent to protect privacy while permitting authorized public health activities to continue.
More complete definitions of these, and other terms, are located elsewhere in this report (Appendix A). Covered entities are as follows: An individual or group plan that provides, or pays the cost of, medical care that includes the diagnosis, cure, mitigation, treatment, or prevention of disease.
Health plans include private entities e. A public or private entity, including a billing service, repricing company, or community health information system, that processes nonstandard data or transactions received from another entity into standard transactions or data elements, or vice versa. A provider of health-care services and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business. The Privacy Rule also establishes requirements for covered entities with regard to their nonemployee business associates e.
The Privacy Rule allows a covered provider or health plan to disclose PHI to a business associate if satisfactory written assurance is obtained that the business associate will use the information only for the purposes for which it was engaged, will safeguard the information from misuse, and will help the covered entity comply with certain of its duties under the Privacy Rule.
The Privacy Rule does not apply to all persons or entities that regularly use, disclose, or store individually identifiable health information. For example, the Privacy Rule does not cover employers, certain insurers e.
This information is called protected health information (PHI), which is generally individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to (1) the past, present, or future physical or mental health, or condition of an individual; (2) provision of health care to an individual; or (3) payment for the provision of health care to an individual.
If the information identifies or provides a reasonable basis to believe it can be used to identify an individual, it is considered individually identifiable health information. De-Identified Information De-identified data e. In certain instances, working with de-identified data may have limited value to clinical research and other activities. When that is the case, a limited data set may be useful. A data-use agreement must establish who is permitted to use or receive the limited data set, and provide that the recipient will not use or disclose the information other than as permitted by the agreement or as otherwise required by law; use appropriate safeguards to prevent uses or disclosures of the information that are inconsistent with the data-use agreement; report to the covered entity any use or disclosure of the information, in violation of the agreement, of which it becomes aware; ensure that any agents to whom it provides the limited data set agree to the same restrictions and conditions that apply to the limited data set recipient with respect to such information; and not attempt to re-identify the information or contact the individual.
Among its provisions, the Privacy Rule requires covered entities to notify individuals regarding their privacy rights and how their PHI is used or disclosed; adopt and implement internal privacy policies and procedures; train employees to understand these privacy policies and procedures as appropriate for their functions within the covered entity; designate individuals who are responsible for implementing privacy policies and procedures, and who will receive privacy-related complaints; establish privacy requirements in contracts with business associates that perform covered functions; have in place appropriate administrative, technical, and physical safeguards to protect the privacy of health information; and meet obligations with respect to health consumers exercising their rights under the Privacy Rule.
With respect to individuals, they are vested with the following rights: Receive access to PHI. Request amendments to PHI. Individuals can request that covered entities amend PHI about the individual in a designated record set for as long as the PHI is maintained in a designated record set. With limited exceptions, individuals have the right to receive a notice of the uses and disclosures the covered entity will make of their PHI, their rights under the Privacy Rule, and the covered entity's obligations with respect to that information.
In certain cases, notice may be provided electronically. The notice must be in plain language e. Receive an accounting of disclosures. Upon request, covered entities are required to provide individuals with an accounting for certain types of disclosures of PHI, although the rule contains certain exceptions, including disclosures with individual authorization, disclosures related to providers' treatment, payment and health-care operations (TPO), and other exceptions.
However, requirements for accounting of public health disclosures may vary (see Accounting for Public Health Disclosures). Individuals have the right to request a restriction on certain uses or disclosures of their PHI; however, the covered entity is not obligated to agree to such a request.
If the covered entity does agree to a restriction, it must generally abide by the agreement, except for emergency treatment situations. Certain other uses and disclosures of PHI may be permitted without authorization, but are not required by the Privacy Rule. However, other federal, tribal, state, or local laws may compel disclosure.
Certain other permitted uses and disclosures for which authorization is not required follow. Additional requirements and conditions apply to these disclosures. The Privacy Rule text and OCR guidance should be consulted for a full understanding of the following: Disclosures of PHI are permitted when required by other laws, whether federal, tribal, state, or local. PHI can be disclosed to public health authorities and their authorized agents for public health purposes including but not limited to public health surveillance, investigations, and interventions.
A covered entity can use or disclose PHI for research without authorization under certain conditions, including (1) if it obtains documentation of a waiver from an institutional review board (IRB) or a privacy board, according to a series of considerations; (2) for activities preparatory to research; and (3) for research on a decedent's information. Abuse, neglect, or domestic violence. PHI may be disclosed to report abuse, neglect, or domestic violence under specified circumstances.
Covered entities may, under specified conditions, disclose PHI to law enforcement officials pursuant to a court order, subpoena, or other legal order, to help identify and locate a suspect, fugitive, or missing person; to provide information related to a victim of a crime or a death that may have resulted from a crime, or to report a crime.
Judicial and administrative proceedings. A covered entity may disclose PHI in the course of a judicial or administrative proceeding under specified circumstances. Cadaveric organ, eye, or tissue donation purposes. Organ-procurement agencies may use PHI for the purposes of facilitating transplant. Covered entities may usually disclose PHI to a health oversight agency for oversight activities authorized by law. The Privacy Rule permits disclosure of work-related health information as authorized by, and to the extent necessary to comply with, workers' compensation programs.