Overview of the Privacy Rule
Who Is Covered
The authority of DHHS to issue health-information privacy regulations
was limited by Congress in HIPAA to a defined set of covered entities.
More complete definitions of these, and other terms, are located elsewhere
in this report (Appendix
A). Covered entities are as follows:
- Health plans. An individual or group plan that provides, or pays the
cost of, medical care that includes the diagnosis, cure, mitigation,
treatment, or prevention of disease. Health plans include private
entities (e.g., health insurers and managed care organizations) and
government organizations (e.g., Medicaid, Medicare, and the Veterans
Health Administration).
- Health-care clearinghouses. A public or private entity, including a
billing service, repricing company, or community health information
system, that processes nonstandard data or transactions received from
another entity into standard transactions or data elements, or vice
versa.
- Health-care providers. A provider of health-care services and any
other person or organization that furnishes, bills, or is paid for
health care in the normal course of business. Health-care providers
(e.g., physicians, hospitals, and clinics) are covered entities if
they transmit health information in electronic form in connection with
a transaction for which a HIPAA standard has been adopted by DHHS.
The Privacy Rule also establishes requirements for covered entities
with regard to their nonemployee business associates (e.g., lawyers,
accountants, billing companies, and other contractors) whose relationship
with covered entities requires sharing of PHI. The Privacy Rule allows a
covered provider or health plan to disclose PHI to a business associate if
satisfactory written assurance is obtained that the business associate
will use the information only for the purposes for which it was engaged,
will safeguard the information from misuse, and will help the covered
entity comply with certain of its duties under the Privacy Rule.
The Privacy Rule does not apply to all persons or entities that
regularly use, disclose, or store individually identifiable health
information. For example, the Privacy Rule does not cover employers,
certain insurers (e.g., auto, life, and workers' compensation), or those
public agencies that deliver social security or welfare benefits, when
functioning solely in these capacities.
Types of Health Information
Protected Health Information
The Privacy Rule protects certain information that covered entities use
and disclose. This information is called protected health information
(PHI), which is generally individually identifiable health information
that is transmitted by, or maintained in, electronic media or any other
form or medium. This information must relate to 1) the past, present, or
future physical or mental health, or condition of an individual; 2)
provision of health care to an individual; or 3) payment for the provision
of health care to an individual. If the information identifies or provides
a reasonable basis to believe it can be used to identify an individual, it
is considered individually identifiable health information.
De-Identified Information
De-identified data (e.g., aggregate statistical data or data stripped
of individual identifiers) require no individual privacy protections and
are not covered by the Privacy Rule. De-identifying can be conducted
through
- statistical de-identification --- a properly qualified statistician
using accepted analytic techniques concludes the risk is substantially
limited that the information might be used, alone or in combination
with other reasonably available information, to identify the subject
of the information [45 CFR § 164.514(b)]; or the
- safe-harbor method --- a covered entity or its business associate
de-identifies information by removing 18 identifiers (Box
2) and the covered entity does not have actual knowledge that the
remaining information can be used alone or in combination with other
data to identify the subject [45 CFR § 164.514(b)].
In certain instances, working with de-identified data may have limited
value to clinical research and other activities. When that is the case, a
limited data set may be useful.
Limited Data Sets
Health information in a limited data set is not directly identifiable,
but may contain more identifiers than de-identified data that has been
stripped of the 18 identifiers [45 CFR § 164.514] (Box 3).
A data-use agreement must establish who is permitted to use or receive the
limited data set, and provide that the recipient will
- not use or disclose the information other than as permitted by the
agreement or as otherwise required by law;
- use appropriate safeguards to prevent uses or disclosures of the
information that are inconsistent with the data-use agreement;
- report to the covered entity any use or disclosure of the
information, in violation of the agreement, of which it becomes aware;
- ensure that any agents to whom it provides the limited data set
agree to the same restrictions and conditions that apply to the
limited data set recipient with respect to such information; and
- not attempt to re-identify the information or contact the
individual.
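The two de-identification routes above and the limited data set can be contrasted in code. The following is an added example and is not part of the report; it implements the safe-harbor method and limited-data-set preparation for a single record. Boxes 2 and 3 are not reproduced on this page, so the identifier categories are taken from the regulation text itself [45 CFR § 164.514(b)(2) and (e)(2)], and it goes beyond the summary above by applying two details from that text: only the first three ZIP digits survive safe harbor (and only where the three-digit area has more than 20,000 people), and ages over 89 collapse into a single "90+" category. The field names, the sample record, and the set of sparsely populated ZIP3 prefixes are constructed for the example; the real prefix list is derived from census data. The residual-identifier scan supports, but cannot replace, the "no actual knowledge" condition.

```python
"""Safe-harbor de-identification versus a limited data set (example code).
Field names and the sample record are assumptions made for this example."""
from __future__ import annotations

import re
from datetime import date

# Direct identifiers that both methods strip (categories from 45 CFR 164.514;
# the field names are this example's own).
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_number", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo", "other_unique_id",
})
# Safe harbor also removes every geographic unit smaller than a state;
# a limited data set may keep city, state and ZIP.
SAFE_HARBOR_GEOGRAPHY = frozenset({"city", "county", "zip"})
# Dates directly related to the individual: safe harbor keeps only the year.
DATE_FIELDS = frozenset({"birth_date", "admission_date", "discharge_date", "death_date"})

# Patterns that betray identifiers hiding in free text (e.g. a notes field).
_RESIDUAL_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def zip3(zip_code: str, sparse_zip3: frozenset[str]) -> str:
    """First three ZIP digits, or '000' when that three-digit area holds
    20,000 or fewer people. The sparse set is supplied by the caller."""
    prefix = re.sub(r"\D", "", zip_code)[:3]
    return "000" if len(prefix) < 3 or prefix in sparse_zip3 else prefix


def age_on(birth: date, today: date) -> int:
    """Completed years of age on `today`."""
    had_birthday = (today.month, today.day) >= (birth.month, birth.day)
    return today.year - birth.year - (0 if had_birthday else 1)


def safe_harbor(record: dict, sparse_zip3: frozenset[str], today: date) -> dict:
    """Safe-harbor method: drop the identifier categories, reduce dates to
    years, keep ZIP3 where permitted and collapse ages over 89 into '90+'."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SAFE_HARBOR_GEOGRAPHY:
            continue
        if key in DATE_FIELDS and isinstance(value, date):
            out[key.replace("_date", "_year")] = value.year
        else:
            out[key] = value
    if isinstance(record.get("zip"), str):
        out["zip3"] = zip3(record["zip"], sparse_zip3)
    birth = record.get("birth_date")
    if isinstance(birth, date):
        age = age_on(birth, today)
        if age > 89:
            # The birth year alone would reveal an age over 89, so it goes too.
            out.pop("birth_year", None)
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


def limited_data_set(record: dict) -> dict:
    """Limited data set: strip direct identifiers but keep dates, ages and
    city/state/ZIP. Releasable only under a data-use agreement."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def residual_identifiers(record: dict) -> list[str]:
    """Flag string values that still look like identifiers. This is a check
    in support of the 'no actual knowledge' condition, not a guarantee."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            for label, pattern in _RESIDUAL_PATTERNS.items():
                if pattern.search(value):
                    hits.append(f"{key}:{label}")
    return hits


# Constructed sample record; every value is fictitious.
SAMPLE = {
    "name": "Jane Example",
    "street_address": "1 Example Way",
    "city": "Exampleville",
    "state": "MA",
    "zip": "02134-1234",
    "birth_date": date(1930, 6, 15),
    "admission_date": date(2021, 3, 2),
    "medical_record_number": "MRN-000123",
    "diagnosis_code": "J18.9",
    "notes": "Patient prefers email contact at jane@example.org",
}
SPARSE_ZIP3 = frozenset({"036", "059"})  # constructed stand-in for the census-derived list
DEMO_DATE = date(2021, 3, 2)

if __name__ == "__main__":
    deid = safe_harbor(SAMPLE, SPARSE_ZIP3, DEMO_DATE)
    print("safe harbor:", deid)
    print("residual identifiers:", residual_identifiers(deid))
    print("limited data set:", limited_data_set(SAMPLE))
```

Run as a script, the safe-harbor output keeps only state, admission year, diagnosis code, ZIP3 and the "90+" age category, while the residual scan flags the e-mail address left in the free-text notes, which is exactly the kind of leakage that field-level stripping misses. The limited data set keeps the dates and city/ZIP that a study may need, which is why it may leave the covered entity only under the data-use agreement described above.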
What is Required
For covered entities using or disclosing PHI, the Privacy Rule
establishes a range of health-information privacy requirements and
standards that attempt to balance individual privacy interests with the
community need to use such data [45 CFR § 164.504]. Among its provisions,
the Privacy Rule requires covered entities to
- notify individuals regarding their privacy rights and how their PHI
is used or disclosed;
- adopt and implement internal privacy policies and procedures;
- train employees to understand these privacy policies and procedures
as appropriate for their functions within the covered entity;
- designate individuals who are responsible for implementing privacy
policies and procedures, and who will receive privacy-related
complaints;
- establish privacy requirements in contracts with business associates
that perform covered functions;
- have in place appropriate administrative, technical, and physical
safeguards to protect the privacy of health information; and
- meet obligations with respect to health consumers exercising their
rights under the Privacy Rule.
Individuals are vested with the following rights:
- Receive access to PHI. Individual rights include inspections of
records and the provision for copies of PHI about the individual in a
designated record set, for as long as the PHI is maintained in the
designated record set, except for psychotherapy notes, information
compiled for use in civil, criminal, or administrative actions, and
PHI maintained by a covered entity subject to the Clinical Laboratory
Improvement Amendments of 1988 [42 CFR § 263(a)]. In the majority of
cases, covered entities must accommodate a request or provide a
process of denial, subject to review [45 CFR § 164.524].
- Request amendments to PHI. Individuals can request that covered
entities amend PHI about the individual in a designated record set for
as long as the PHI is maintained in a designated record set. If the
covered entity agrees to the amendment, it must 1) identify the
records affected; 2) append or provide a link to the amendment; 3)
inform the individual the amendment has been made; and 4) work with
other covered entities or business associates who possess or receive
the data to make the amendments [45 CFR § 164.526]. If the covered
entity denies this request, the Privacy Rule provides a process for
contesting the denial [45 CFR § 164.526].
- Receive adequate notice. With limited exceptions, individuals have
the right to receive a notice of the uses and disclosures the covered
entity will make of their PHI, their rights under the Privacy Rule,
and the covered entity's obligations with respect to that information.
In certain cases, notice may be provided electronically. The notice
must be in plain language (e.g., "your health information may be
shared with public health authorities for public health purposes ...")
and posted where it is likely to be seen by patients [45 CFR
§ 164.520].
- Receive an accounting of disclosures. Upon request, covered entities
are required to provide individuals with an accounting for certain
types of disclosures of PHI, although the rule contains certain
exceptions, including disclosures with individual authorization,
disclosures related to providers' treatment, payment and health-care
operations (TPO), and other exceptions. A typical accounting includes
the name of the person or entity who received the information, date of
the disclosure, a brief description of the information disclosed, and
a brief explanation of the reasons for disclosure or copy of the
request [45 CFR § 164.528]. However, requirements for accounting of
public health disclosures may vary (see Accounting for Public Health
Disclosures).
- Request restrictions. Individuals have the right to request a
restriction on certain uses or disclosures of their PHI; however, the
covered entity is not obligated to agree to such a request. If the
covered entity does agree to a restriction, it must generally abide by
the agreement, except for emergency treatment situations. But such an
agreement is not effective to prevent certain permitted uses or
disclosures [45 CFR § 164.512].
Required PHI Disclosures
A covered entity is required by the Privacy Rule to disclose PHI in
only two instances: 1) when an individual has a right to access an
accounting of his or her PHI (see previous paragraph); and 2) when DHHS
needs PHI to determine compliance with the Privacy Rule [45 CFR §
164.502(a)(2)]. Certain other uses and disclosures of PHI may be permitted
without authorization, but are not required by the Privacy Rule. However,
other federal, tribal, state, or local laws may compel disclosure.
Permitted PHI Disclosures Without Authorization
The Privacy Rule permits a covered entity to use and disclose PHI, with
certain limits and protections, for TPO activities [45 CFR § 164.506].
Certain other permitted uses and disclosures for which authorization is
not required follow. Additional requirements and conditions apply to these
disclosures. The Privacy Rule text and OCR guidance should be consulted
for a full understanding of the following:
- Required by law. Disclosures of PHI are permitted when required by
other laws, whether federal, tribal, state, or local.
- Public health. PHI can be disclosed to public health authorities and
their authorized agents for public health purposes including but not
limited to public health surveillance, investigations, and
interventions.
- Health research. A covered entity can use or disclose PHI for
research without authorization under certain conditions, including 1)
if it obtains documentation of a waiver from an institutional review
board (IRB) or a privacy board, according to a series of
considerations; 2) for activities preparatory to research; and 3) for
research on a decedent's information.
- Abuse, neglect, or domestic violence. PHI may be disclosed to report
abuse, neglect, or domestic violence under specified circumstances.
- Law enforcement. Covered entities may, under specified conditions,
disclose PHI to law enforcement officials pursuant to a court order,
subpoena, or other legal order, to help identify and locate a suspect,
fugitive, or missing person; to provide information related to a
victim of a crime or a death that may have resulted from a crime, or
to report a crime.
- Judicial and administrative proceedings. A covered entity may
disclose PHI in the course of a judicial or administrative proceeding
under specified circumstances.
- Cadaveric organ, eye, or tissue donation purposes. Organ-procurement
agencies may use PHI for the purposes of facilitating transplant.
- Oversight. Covered entities may usually disclose PHI to a health
oversight agency for oversight activities authorized by law.
- Workers' compensation. The Privacy Rule permits disclosure of
work-related health information as authorized by, and to the extent
necessary to comply with, workers' compensation programs.
Other Authorized Disclosures
A valid authorization is required for any use or disclosure of PHI that
is not required or otherwise permitted without authorization by the
Privacy Rule. In general, these authorizations must
- specifically identify the PHI to be used or disclosed;
- provide the names of persons or organizations, or classes of persons
or organizations, who will receive, use, or disclose the PHI;
- state the purpose for each request;
- notify individuals of their right to refuse to sign the
authorization without negative consequences to treatment, payment, or
health plan enrollment or benefit eligibility, except under specific
circumstances;
- be signed and dated by the individual or the individual's personal
representative;
- be written in plain language;
- include an expiration date or event;
- notify the individual of the right to revoke authorization at any
time in writing, and how to exercise that right, and any applicable
exceptions to that right under the Privacy Rule; and
- explain the potential for the information to be subject to
redisclosure by recipient and no longer protected by the Privacy Rule.