
Overcoming Barriers to Data-Sharing Related to the HIPAA Privacy Rule
A Guide for State and Local Childhood Lead Poisoning Prevention Programs
June 2004
This report was prepared by the Alliance for Healthy Homes, which is solely responsible for its contents. This report’s conclusions and interpretations reflect publicly available guidance but do not constitute legal advice.
The primary author of this report is Anne Guthrie Wengrovitz. The author thanks the following individuals for their contributions, expert advice, or assistance in drafting, reviewing, and finalizing this report.
Mary Jean Brown, Centers for Disease Control and Prevention
Beverly Dozier, Centers for Disease Control and Prevention
Bonnie Dyck, Centers for Disease Control and Prevention
John Fanning, U.S. Department of Health and Human Services
Rob Henry, Centers for Disease Control and Prevention
Dave McCormick, Marion County (Indiana) Health Department
April Miller, Alliance for Healthy Homes
Tom Neltner, Executive Director, Improving Kids’ Environment, Indiana
Anne Phelps, Alliance for Healthy Homes
Don Ryan, Alliance for Healthy Homes
Anne Ziebarth, formerly with the Alliance for Healthy Homes
Overcoming Barriers to Data-Sharing Related to the HIPAA Privacy Rule
A Guide for State and Local Childhood Lead Poisoning Prevention Programs
Over the past few years, the health care system has devoted considerable energy and attention to ensuring compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).[1] A primary focus of HIPAA is on improving the efficiency and effectiveness of health care systems by standardizing the electronic exchange of administrative and financial data. HIPAA also established new national standards for protecting the privacy of personal medical information and authorized the U.S. Department of Health and Human Services (HHS) to implement these standards through a regulation known as the Privacy Rule.[2] These new requirements have changed the way traditional health care providers, health plans, and health care clearinghouses transmit and manage health information. However, misinterpretation of the Privacy Rule has caused some concern about the authority of health departments to disclose personal health information for public health purposes related to childhood lead poisoning. In reading the letter of the law, it is important to consider the spirit of the law. HIPAA was intended to improve patient privacy protections – not to undermine legitimate public health practice. This paper reviews HIPAA requirements and exceptions, focusing on those for public health agencies, and describes permissible uses of lead-related data under the HIPAA Privacy Rule. Readers are cautioned that this paper reflects publicly available guidance but does not constitute legal advice.
What Does the HIPAA Privacy Rule Require?
The Privacy Rule establishes new national standards for protecting the privacy of certain individually identifiable health data, referred to as “protected health information” (PHI).[3] It defines what information must be protected, what entities must comply, and under what circumstances they are permitted or required to share personal medical information. If an entity that handles PHI is covered by HIPAA, it is subject to strict requirements regarding information handling and disclosure, and there are civil or criminal penalties for failure to comply. However, in order to balance personal privacy with public health, the Privacy Rule contains broad authorizations for public health agencies to make the disclosures necessary to provide appropriate services, including those for lead poisoning prevention. When public health disclosure is permitted, the Privacy Rule specifies required administrative processes for covered entities, including accounting for public health disclosures, disclosure of the “minimum necessary” information, and notice of privacy policies. (These requirements are described in detail in HHS guidance, but not reviewed in this paper.)
Does the HIPAA Privacy Rule Affect CLPPPs?
While HIPAA covers many entities and regulates various kinds of data, many public agencies and considerable data are simply not subject to HIPAA. For instance, if an agency is not defined as a “covered entity” under HIPAA, this law does not apply – no matter what types of personal medical information are involved. Similarly, if data are not “protected health information,” then HIPAA does not apply. The remainder of this paper explores the application of these and related HIPAA issues to childhood lead poisoning prevention programs (CLPPPs).
[Figure 1 - Public Health Disclosure Alternatives under the HIPAA Privacy Rule (figure not reproduced)]
When Can Data Be Used or Disclosed Without Violating the Privacy Rule?
This paper offers six key questions to help determine whether the Privacy Rule is relevant for a particular data use or disclosure, and if so, under what circumstances the data can be used in compliance with the Privacy Rule. These decision points are also summarized in Figure 1, Public Health Disclosure Alternatives under the HIPAA Privacy Rule, on page 2.
1) Is the program covered by HIPAA?
The HIPAA Privacy Rule applies only to three types of covered entities: health plans (including Medicaid programs), health care clearinghouses, and health care providers who conduct certain health care transactions electronically.[4] An agency that acts both as a covered and non-covered entity may qualify as a hybrid entity, by designating agency components that perform covered functions as the health care component(s) of the organization.[5] The requirements of the Privacy Rule thereby apply only to the hybrid entity’s health care component(s), and not to the other parts of the agency (which do not perform covered services).[6] [7]
Most state and local health departments have already made determinations about whether they are defined as “covered entities” and thus subject to the Privacy Rule. In June 2003, the National Governors Association (NGA) and Association of State and Territorial Health Officials (ASTHO) released results of a survey on the status of state health authorities under the HIPAA Privacy Rule.[8] Of the 44 states that responded, 29 (66%) self-declared as hybrid entities, nine (20%) as covered entities, and two (5%) as business associates of covered entities.[9] [10] For health departments that have not already made this determination, it should be relatively straightforward for a CLPPP to determine whether or not it is part of a covered entity and, if so, whether it is part of the covered portion of a “hybrid” agency. CLPPPs that receive Medicaid reimbursement for services are likely to be covered by HIPAA (because they are health care providers using electronic billing transactions). However, even if covered by HIPAA, CLPPPs are likely to have authority under one or more Privacy Rule provisions to disclose (consistent with the regulations) most types of data that are appropriate to lead poisoning prevention activities.
Agencies that are not covered by HIPAA are likely to include the following: State or local health departments that are not covered entities in whole or in part; State or local health departments that are part of a hybrid entity but not part of the designated health care component; State housing agencies; public housing authorities; and local housing departments. Of course, agencies should also be aware of any state-specific health privacy laws, since disclosures may not be made if state law does not allow it.[11] This is because more protective state privacy laws still apply, even if HIPAA allows a disclosure.[12]
2) Are the data “Protected Health Information” (PHI)?
Under the Privacy Rule, protected health information is individually identifiable health information that is transmitted electronically, or transmitted or maintained in any other form or medium.[13] The Rule specifies the kinds of data that are “individually identifiable,” including name, social security number, address, and the like. However, some lead-related information, including property addresses in some situations, does not automatically fall within HIPAA’s purview, because it is not protected health information. A documented lead-based paint hazard or code violation in a given property is a physical condition that exists in the property completely independently of the property’s occupancy or the health status of its occupants. As such, data pertaining solely to physical conditions in a property do not qualify as protected health information when cited or released apart from health data. For example, a list of addresses of properties that have been cited for code violations or found to contain lead hazards does not constitute protected health information – regardless of whether the agency that documented the problem is a covered entity and regardless of the impetus for the inspection. Similarly, covered entities can release the names of the owners of such properties without impediment from the Privacy Rule.
For data that are protected health information, such as the linked names and addresses of EBL children, the Privacy Rule provides for “de-identifying” individually identifiable health information by meeting criteria or using processes specified therein.[14] The de-identification process is also useful for community-wide analysis or for research projects.[15] One approach being pursued in Massachusetts is to combine address data of EBL children for many years into a large data set, rendering it untraceable to individual children but providing valuable information about patterns over time. However, since the Rule is intended to provide strict privacy protections, it is conservative about what constitutes allowable de-identification.
When it is difficult to discern whether data constitute protected health information (or programmatically burdensome to avoid this categorization), health departments may want to rely instead on the Privacy Rule provisions that allow (or in some cases require) the release of data, as described in the following questions. In particular, health departments should note the broad authority granted by the public health use and disclosure provisions to accomplish program objectives, as discussed in question 6.
3) Will the patient authorize disclosure?
The Privacy Rule permits covered entities to use and disclose protected health information if they get written permission from the patient.[16] This alternative can be a simple and expeditious mechanism for lead poisoning prevention programs to share protected health information if the child’s parents or guardian will authorize such disclosure. For example, families may have a self-interest in authorizing such disclosure in jurisdictions where families with EBL children are entitled to receive prioritized access to lead hazard control or subsidized housing. Lead poisoning prevention programs can create authorization forms for routine use to facilitate the exchange of lead-specific information.[17] Some CLPPPs routinely request all clients to sign such an authorization during the intake process for blood lead tests. For example, the standard authorization form used by Marion County, IN, is provided as Appendix A.
4) Is the disclosure necessary to support treatment or payment?
The Privacy Rule permits a covered entity to use and disclose protected health information for “treatment, payment, and health care operations activities” (TPO).[18] HHS guidance clarifies that a covered entity may disclose protected health information for the treatment activities of any health care provider who has a treatment relationship with the individual (including providers not covered by the Privacy Rule). Thus, there are some circumstances in which disclosures by CLPPPs of PHI without authorization may qualify as TPO activities.
Disclosure of data to health care providers for the purpose of providing blood lead testing to individuals at high risk (targeted screening) would qualify under this provision. In addition, referral of lead-poisoned children for special education and related services would qualify. These data uses are consistent with PHI disclosure precedents in other public health programs for treatment, such as referral of persons with developmental disabilities to speech therapists.
Disclosures necessary to ensure lead hazard evaluation or control may also fall under the TPO provision, since the necessary treatment of a child with lead poisoning consists of interventions to lower the child’s blood lead level (BLL).[19] [20] This is especially true since Medicaid requires reimbursement for environmental investigation and case management services for lead-poisoned children.[21] [22] In the course of providing treatment, CLPPPs may need to notify property owners of the presence of an EBL child or the presence of lead hazards. However, since private property owners are not generally considered to be “health care providers,” the other authorities outlined below under questions 5 and 6 will more typically justify sharing information with landlords.
5) Is disclosure of health information required by law?
Some jurisdictions have expressed specific concern about the effect of HIPAA on blood lead surveillance systems and reporting requirements. For this reason, it is important to note that the Privacy Rule permits any disclosures that are required by other laws, including federal, tribal, state, or local laws (as described in this section) and for public health purposes (described in section 6 below).[23] The Rule is consistent with the explicit direction of Congress in the underlying law:
Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.[24]
Thus, the HIPAA Privacy Rule in no way limits state or local laws or regulations that require the reporting of public health data, such as mandatory blood lead reporting to surveillance systems by laboratories, local health departments, managed care organizations, physicians, Medicaid, health clinics, and/or WIC, either electronically or via other means.[25]
The state law or “required by law” provision is not limited in scope, and is distinct from disclosures to public health authorities, so it also ensures the continued authority of state or local laws requiring notification of property owners, abatement, or any other appropriate authorized interventions.
This Privacy Rule provision is perhaps the easiest exit from HIPAA requirements.
6) Is disclosure permissible under the Rule’s provisions for public health disclosure?
The Privacy Rule also permits covered entities to disclose PHI, without patient authorization, for public health purposes authorized by law.[26] Thus, CLPPPs have authority to use or disclose PHI, without patient authorization, for authorized public health purposes, even if such purposes are not expressly itemized in law or otherwise allowable under the exclusions and provisions described in questions 1 through 5 above. Notably, the Centers for Disease Control and Prevention (CDC) has already clarified the application of this principle for public health agencies:
For disclosures not required by law, covered entities may still disclose, without authorization, to a public health authority authorized by law to collect or receive the information for the purpose of preventing or controlling disease, injury, or disability, the minimum necessary information to accomplish the intended public health purpose of the disclosure [45 CFR 164.512 (b)] . . .
Although it is not a defined term, DHHS interpreted the phrase "authorized by law" to mean that a legal basis exists for the activity. Further, DHHS called the phrase "a term of art," including both actions that are permitted and actions that are required by law [64 FR 59929, November 3, 1999]. This does not mean a public health authority at the federal, tribal, state, or local level must have multiple disease or condition-specific laws that authorize each collection of information. Public health authorities operate under broad mandates to protect the health of their constituent populations.[27]
This guidance from CDC makes clear that state or local laws need not specify each and every case in which use of PHI may be necessary to protect the public’s health. This broad reading of the statute by HHS and the Office for Civil Rights (OCR) suggests that many, if not all, authorized public health uses of data related to lead poisoning prevention can be legally accomplished under the Privacy Rule, when the activities are undertaken by public health agencies (for public health activities) or other individuals or entities designated as their authorized agents.
Under the Privacy Rule, covered entities can designate other agencies, individuals, or entities as their agents in conducting lead poisoning prevention activities in order to be eligible to receive PHI. CLPPPs can therefore elect to designate as their agents various entities for specific purposes, such as WIC agencies or clinics, state or local housing agencies or public housing authorities, managed care organizations, school nurses, or even community-based organizations. CDC has already developed templates and sample letters for state and local health departments to grant public health authority to appropriate agents.[28] Without such grants of authority, non-governmental entities may not be considered public health authorities. A practical advantage of this approach is that agencies can designate certain authorized agents once, for an ongoing public health program, enabling them to share data as needed on a continuing basis. CDC and HUD have already demonstrated the use of this provision for lead poisoning prevention. In a March 2004 CDC/HUD letter (Appendix B), CDC authorized HUD’s Office of Healthy Homes and Lead Hazard Control (OHHLHC) to collect or receive addresses of lead poisoned children from lead poisoning prevention programs.[29] The letter defines OHHLHC as a “public health authority” for this purpose, merely by establishing that “HUD, CDC, and EPA are authorized by statute to conduct lead poisoning prevention activities, consistent with [their] missions and capabilities, to address the public health problem of lead poisoning…” No specific provision authorizing disclosure of address information in this situation was needed to support this determination.
The Privacy Rule regulates only the behavior of covered entities; it does not require protection of data received by a public health authority unless that authority is also a covered entity or the covered health care component of a covered entity.[30] Thus, Privacy Rule restraints do not follow the data to its recipients: public housing authorities and others normally outside the scope of HIPAA must comply only with the terms of their grant of authority, and they do not take on the additional liability or record-keeping burdens associated with HIPAA.
For jurisdictions that choose not to assert that notification of property owners of lead hazards or lead poisoning is justified under the “Treatment” provision (see section 4), the broad public health exemption gives ample latitude to provide appropriate environmental investigation, lead hazard control, and enforcement services to lead-poisoned children. Thus, if notification of the property owner is necessary to prevent or limit lead exposures, CLPPPs are authorized to do so as a means of preventing or controlling disease. As noted earlier, adequate treatment of a child with lead poisoning must include interventions to lower the child’s BLL, normally including environmental investigation of the child’s residence to identify the source of the lead exposure as well as steps to control identified hazards followed by clearance testing.[31] Thus, adequate treatment requires identifying the property, and, in most cases, compelling the property owner or manager to implement effective lead hazard controls.
Finally, the Privacy Rule also provides another possibility for disclosure without patient authorization that might be invoked in some circumstances. It permits disclosure “to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.” However, given the broad authorities provided to public health agencies under the Privacy Rule, most CLPPPs would need to rely on this authority only in rare cases, as the last resort.
Appropriate Uses of Lead-Related Data
As in many types of public health practice, the collection and analysis of various kinds of lead poisoning data are essential to efforts to identify and control lead hazards and to reduce children’s blood lead levels. Some common or expected uses of health and environmental data related to lead poisoning prevention are explored in Table 1, Applicability of the Privacy Rule: Common data-sharing scenarios, which begins on page 9. The table outlines which requirements or exemptions apply to specific data-sharing scenarios, but the table is not exhaustive. It merely seeks to illustrate the different kinds of authorizations that are available for public health uses of data under the Privacy Rule.
Conclusion
The worthy objective of protecting the confidentiality of personal health information should not undermine state and federal mandates to protect the public’s health. Before suppressing or withholding data that are integral to the effectiveness of public health programs, childhood lead poisoning prevention programs should examine the key questions outlined in this paper.
The Privacy Rule does not apply to many CLPPPs because they are simply not required to comply with HIPAA. For those agencies that are subject to the Privacy Rule, CLPPPs have a number of options to enable them to use and share public health data as necessary to prevent childhood lead poisoning. Instead of inappropriate invocation of HIPAA as an excuse for withholding data, CLPPPs should rely on the Privacy Rule’s provisions that permit disclosures for public health. In many cases, multiple provisions will justify the use of key data. For example, state blood lead reporting laws would be covered under the “required by law” provision, but could also be covered under the “public health purposes” provision. In fact, almost all the lead-related disclosures described in this paper are likely covered by the broad public health purpose of “preventing or controlling disease, injury, or disability,” and therefore are permissible under the Privacy Rule.
In addition, some public health agencies may find it useful to revisit their self-declarations about their status under HIPAA, because some CLPPPs may have been declared covered entities erroneously. If programs believe that they do not perform covered functions, the agencies can revise their self-categorizations and redesignate organizational components. Public health agencies are not required to register the change with OCR; the department or program need only document the change and retain that documentation.
Finally, if necessary, technical assistance and individual guidance can be secured from the Department of Health and Human Services through either the Office for Civil Rights or the Centers for Disease Control and Prevention. OCR and CDC continue to expand their guidance and FAQs in response to inquiries they receive and problems that are brought to their attention.
Table 1 – Applicability of the Privacy Rule: Common data-sharing scenarios

| | Who holds data? | What would be disclosed? | Who would receive information? | For what purpose? |
|---|---|---|---|---|
| Agency Not Covered By HIPAA (agencies may be subject to state or other privacy laws or regs; this table just addresses the HIPAA Privacy Rule) | State or local health departments that are not “covered entities” | Any | Any | Any |
| | State or local health departments that are part of a “hybrid entity” but not part of the “designated health care component” | Any | Any | Any |
| | Housing agencies | Individual addresses of properties with known lead hazards | Public; community groups | Informed decision making |
| | | Individual addresses of properties with possible lead hazards | | |
| | | Individual addresses of properties with EBL children | | |
| | | Individual addresses of properties with code violations | | |
| | Public housing authorities or local housing departments | Individual addresses of units associated with EBL children or with identified lead hazards | HUD or EPA | Enforcement of disclosure rule or Lead-Safe Housing Rule |
| | | Owners of property associated with EBL children or with identified lead hazards | | |
| Data Not Covered | State or local health departments | Addresses of properties with documented lead hazards | Anyone - community groups, general public, housing agencies | Direct prevention resources; informed decision making |
| | | Addresses of properties with documented code violations | | |
| | | Names of property owners whose properties have had documented lead hazards | | |
| Disclosure Authorized By Individual | Any covered entity | Any | Any | Any |
| | State and local health departments | Names and address of EBL children | Lead Hazard Control grantees, public housing authority | Allow families w/EBL children to receive priority enrollment in LHC or subsidized housing |
| Disclosure Authorized For TPO (Treatment, Payment, Or Health Care Operations) | State or local health departments | Lists of unscreened children; maps of unscreened children | Health care providers, managed care organizations | Targeting EBL screening |
| | State or local health departments | Lists of EBL children; lists of unscreened children; maps of EBL children; maps of unscreened children | State Medicaid agency or its contractors | Targeting or quality assurance activities regarding screening Medicaid enrollees |
| | State or local health departments | Names of EBL children | Schools | Referral to special education screening or services |
| | Physician or MCO | Names of EBL children | Schools | Referral to special education screening or services |
| | State or local health department | Address of EBL child | Property owner/landlord; PHA/Section 8 staff | Order LHC or abatement |
| Disclosure Permitted by Privacy Rule When Required by Other Law | Laboratories, MCOs, physicians, Medicaid, health clinics, WIC | Blood lead screening data | State/local health department | Surveillance/reporting required by state law |
| | State or local health department | Any | Any | When disclosure or other action, e.g., enforcement or reporting, is required by state law |
| Disclosure Permitted by Privacy Rule Per Public Health Exemption | State or local health departments | Individual addresses of units associated with EBL children | HUD OHHLHC | Enforcement of disclosure rule or Lead-Safe Housing Rule (*see joint HUD/CDC letter to health departments) |
| | | Names of property owners | | |
| | State or local health departments | Individual addresses of units associated with EBL children | State or local housing agencies | Targeting lead hazard evaluation or control resources; targeting code enforcement |
| | State or local health departments | Maps an | | |