HIPAA Privacy Rule Questions & Answers for NAMCS
A. Health care providers who transmit certain financial and administrative health information electronically must comply with the Rule as of April 14, 2003. For example, if you submit claims electronically, you would be required to comply with the Rule.
A. Yes. The Privacy Rule permits you to make disclosures of protected health information without patient authorization for public health purposes and for research that has been approved by an Institutional Review Board (IRB). This survey meets both of those criteria. Click to see the IRB approval letter [PDF – 72 KB] for NAMCS.
A. Protected health information includes all medical records and other individually identifiable information used or disclosed by an entity subject to the Privacy Rule. This would include directly identifiable information such as patient names and other information such as social security numbers that could be used to identify an individual.
A. There are several things that would assure that you comply with the Rule when participating in the survey. First, the privacy notice that you provide to your patients must indicate that patient information may be disclosed for research or public health purposes. Many of the model notices that have been developed and made available by professional associations provide for this.
Also, we have provided and made available on our website the material that you may need to verify, under the requirements of the Privacy Rule, that you are allowed to disclose to CDC/NCHS the information requested as part of this survey. This includes the authority under which NCHS is collecting this information and that the information being collected is the minimum necessary.
Finally, you may need to keep track of disclosures made for this survey. When we perform the abstraction, we will give you a document [PDF – 65 KB] that contains the information that you need to keep track of the disclosures.
A. It is an agreement that describes how we may use the information that you provide to us. It was developed based on the provision of the Privacy Rule that specified that if certain data elements that are not directly identifiable (referred to as a limited data set) were disclosed for research or public health purposes, these disclosures could be made if the facility providing the data agreed to the elements of the data use agreement [PDF – 296 KB]. An advantage of this approach is that, since we do not actually access identifiable information, you are not required to account for these disclosures.
A. No. The letter [PDF – 839 KB] that you received requesting that you participate in this survey is from the Director of the National Center for Health Statistics, which is part of CDC. The Privacy Rule specifies that you are allowed to disclose information requested for public health purposes to public health agencies such as CDC without patient authorization. The Rule also states that for research projects you may rely on documentation that we have provided indicating that an Institutional Review Board (IRB) has approved a waiver [PDF – 72 KB] to allow for disclosure without patient authorization of the information we are requesting in this survey.
A. The survey is sponsored by the National Center for Health Statistics of CDC. CDC is a public health authority whose mission is to protect the health of the public. The letter [PDF – 839 KB] that we sent asking you to participate was sent on official CDC/NCHS letterhead and described our authority to conduct this survey. That letter also made clear that the U.S. Census Bureau is acting as our data collection agent. Finally, the Census Bureau representative has an official identification badge.
A. Under the Privacy Rule, patients have a right to an accounting of disclosures that have been made of their identifiable information for various purposes, including disclosures for public health and research purposes. We will provide you with the information you need to account [PDF – 69 KB] for the disclosures made as part of this survey.
A. No. The Privacy Rule specifies that in providing information to public agencies, such as CDC, you may rely on our representation that the request constitutes the minimum necessary information required. This issue is also considered as part of the Institutional Review Board (IRB) approval process, and the Privacy Rule specifies that you may rely on the documentation of IRB approval that the information requested is the minimum necessary for the research purpose.
A. No. For research projects, only one IRB must review the project and CDC’s IRB (which has the authority to review such projects under the Regulations for the Protection of Human Subjects) has done so. We have the IRB approval letter [PDF – 72 KB] that indicates that a waiver has been approved by an IRB for this survey, and contains the documentation that is required by the Privacy Rule. If you desire, your IRB may review the project as well.
A. No. A business associate contract is needed only when a person or entity is conducting a function or activity to help a provider carry out its health care function. NCHS is not a business associate of the provider. A business associate agreement is not required.
A. The entire text of the Privacy Rule is available through the U.S. Department of Health & Human Services website. The following parts of the rule were referred to above:
- Disclosures without patient authorization – 45 CFR 164.512
- Disclosures for public health activities – 45 CFR 164.512(b)
- Disclosures for research purposes – 45 CFR 164.512(i)
- Limited data set and data use agreement – 45 CFR 164.514(e)
- Verification requirements – 45 CFR 164.514(h)
- Privacy notice – 45 CFR 164.520
- Accounting of disclosures – 45 CFR 164.528
- Minimum necessary requirements – 45 CFR 164.502(b) and 45 CFR 164.514(d)