HIPAA Privacy Rule Questions & Answers for NHAMCS
Q. Am I required to comply with the HIPAA Privacy Rule?
A. Health care providers who transmit certain financial and administrative health information electronically must comply with the Rule as of April 14, 2003. For example, if you submit claims electronically, you would be required to comply with the Rule.
Q. Does the Privacy Rule allow me to participate in this survey?
A. Yes. The Privacy Rule permits you to make disclosures of protected health information without patient authorization for public health purposes and for research that has been approved by an Institutional Review Board (IRB). This survey meets both of those criteria. See the IRB approval letter [PDF - 355 KB] for NHAMCS.
Q. What is protected health information?
A. Protected health information includes all medical records and other individually identifiable information used or disclosed by an entity subject to the Privacy Rule. This would include directly identifiable information such as patient names and other information such as social security numbers that could be used to identify an individual.
Q. What do I have to do to participate and comply with the Privacy Rule?
A. There are several things that would assure that you comply with the Rule when participating in the survey. First, the privacy notice that you provide to your patients must indicate that patient information may be disclosed for research or public health purposes. Many of the model notices that have been developed and made available by professional associations provide for this.
Also, we have provided and made available on our website the material that you may need to verify, under the requirements of the Privacy Rule, that you are allowed to disclose to CDC/NCHS the information requested as part of this survey. This includes the authority under which NCHS is collecting this information and that the information being collected is the minimum necessary.
Finally, your hospital may need to keep track of disclosures made for this survey. If we perform the abstraction, we will give you a document [PDF - 17 KB] that contains the information that you need to keep track of the disclosures. If your staff does the abstracting of data from patient records and your hospital accepts the data use agreement [PDF - 25 KB] that we provide, it is not required to account for the disclosures.
Q. What is the data use agreement?
A. It is an agreement that describes how we may use the information that you provide to us. It was developed based on the provision of the Privacy Rule that specified that if certain data elements that are not directly identifiable (referred to as a limited data set) were disclosed for research or public health purposes, these disclosures could be made if the facility providing the data agreed to the elements of the data use agreement [PDF - 25 KB]. An advantage of this approach is that, since we do not actually access identifiable information, you are not required to account for these disclosures.
Q. Is there any other information that I need to assess to assure that my disclosure is authorized under the Privacy Rule?
A. No. The letter [PDF - 32 KB] that your hospital received requesting that your hospital participate in this survey is from the Director of the National Center for Health Statistics, which is part of CDC. The Privacy Rule specifies that your hospital is allowed to disclose information requested for public health purposes to public health agencies such as CDC without patient authorization.
Q. What demonstrates that you are a public health authority?
A. The survey is sponsored by the CDC/National Center for Health Statistics. CDC is a public health authority whose mission is to protect the health of the public. The letter [PDF - 31 KB] that we sent asking your facility to participate was sent on official CDC/NCHS letterhead and described our authority to conduct this survey. That letter also made clear that the U.S. Census Bureau is acting as our data collection agent. Finally, the Census Bureau representative has an official identification badge.
Q. Why do we have to account for these disclosures?
A. Under the Privacy Rule, patients have a right to an accounting of disclosures that have been made of their identifiable information for various purposes, including disclosures for public health and research purposes. We will provide you with the information your hospital needs to account [PDF - 17 KB] for the disclosures made as part of this survey. If hospital staff do the abstracting of data from patient records, and your hospital accepts the data use agreement [PDF - 25 KB] that we provide, your hospital is not required to account for the disclosures.
Q. Do we need to worry about whether this is the minimum necessary information for the purposes of the project?
A. No. The Privacy Rule specifies that in providing information to public agencies, such as CDC, you may rely on our representation that the request constitutes the minimum necessary information required. This issue is also considered as part of the Institutional Review Board (IRB) approval process, and the Privacy Rule specifies that you may rely on the documentation of IRB approval that the information requested is the minimum necessary for the research purpose.
Q. Do we have to have an Institutional Review Board (IRB) review this research project?
A. No. For research projects, only one IRB must review the project and CDC’s IRB (which has the authority to review such projects under the Regulations for the Protection of Human Subjects) has done so. We have the IRB approval letter [PDF - 29 KB] that indicates that a waiver has been approved by an IRB for this survey, and contains the documentation that is required by the Privacy Rule. If you desire, your hospital’s IRB may review the project as well.
Q. What if we want our Institutional Review Board (IRB) to review this project?
A. Your IRB could verify that the IRB approval letter [PDF - 29 KB] we have provided adheres to the requirements of the Privacy Rule, and NCHS could send you a copy of the materials submitted to the IRB.
Q. Is a business associate contract required for my hospital to disclose protected health information to NCHS for the survey?
A. No. A business associate contract is needed only when a person or entity is conducting a function or activity to help a provider carry out its health care function. NCHS is not a business associate of the provider. A business associate agreement is not required.
Q. Where can we find the requirements of the Privacy Rule?
A. The entire text of the Privacy Rule can be found at http://www.hhs.gov/ocr/hipaa/finalreg.html. The following parts of the rule were referred to above:
- Disclosures without patient authorization – 45 CFR 164.512
- Disclosures for public health activities – 45 CFR 164.512(b)
- Disclosures for research purposes – 45 CFR 164.512(i)
- Limited data set and data use agreement – 45 CFR 164.514(e)
- Verification requirements – 45 CFR 164.514(h)
- Privacy notice – 45 CFR 164.520
- Accounting of disclosures – 45 CFR 164.528
- Minimum necessary requirements – 45 CFR 164.502(b) and 45 CFR 164.514(d)