HIPAA Privacy Rule Questions & Answers for NAMCS

A1. Health care providers who transmit certain financial and administrative health information electronically have been required to comply with the Rule since April 14, 2003. For example, if you submit claims electronically, you would be required to comply with the Rule.

A2. Yes. The Privacy Rule permits you to make disclosures of protected health information without patient authorization for public health purposes and for research that has been approved by the NCHS Ethics Review Board (ERB). This survey meets both of these criteria. Click to see the ERB approval letter pdf icon[PDF – 77 KB] for NAMCS.

A3. Protected health information includes all medical records and other individually identifiable information used or disclosed by an entity subject to the Privacy Rule. This would include directly identifiable information such as patient names and other information such as social security numbers that could be used to identify an individual.

A4. There are several things that would assure that you comply with the Rule when participating in the survey. First, the privacy notice that you provide to your patients must indicate that patient information may be disclosed for research or public health purposes. Many of the model notices that have been developed and made available by professional associations provide for this.

Also, we have materials available on our website to assist you in verifying what information you are able to provide that is still in compliance with the requirements of the Privacy Rule. This includes the authority under which NCHS is collecting this information and that the information being collected is the minimum necessary.

Finally, your hospital may need to keep track of disclosures made for this survey. When we perform the abstraction, we will give you a document pdf icon[PDF – 2 MB] that contains the information that you need to keep track of the disclosures.

A5. It is an agreement that describes how we may use the information that you provide to us. It was developed based on the provision of the Privacy Rule that specified that if certain data elements that are not directly identifiable (referred to as a limited data set) were disclosed for research or public health purposes, these disclosures could be made if the facility providing the data agreed to the elements of the data use agreement pdf icon[PDF – 77 KB]. An advantage of this approach is that, since we do not actually access identifiable information, you are not required to account for these disclosures.

A6. No. The letter pdf icon[PDF – 839 KB] that you received requesting that you participate in this survey is from the Director of the National Center for Health Statistics, which is part of CDC. The Privacy Rule specifies that you are allowed to disclose information requested for public health purposes to public health agencies such as CDC without patient authorization.

A7. The survey is sponsored by the CDC/National Center for Health Statistics. CDC is a public health authority whose mission is to protect the health of the public. The letter pdf icon[PDF – 839 KB] that we sent asking your facility to participate was sent on official CDC/NCHS letterhead and described our authority to conduct this survey. That letter also made clear that the U.S. Census Bureau is acting as our data collection agent. Finally, the U.S. Census Bureau representative has an official identification badge.

A8. Under the Privacy Rule, patients have a right to an accounting of disclosures that have been made of their identifiable information for various purposes, including disclosures for public health and research purposes. We will provide you with the information you need to account pdf icon[PDF – 69 KB] for the disclosures made as part of this survey.

A9. No. The Privacy Rule specifies that in providing information to public agencies, such as CDC, you may rely on our representation that the request constitutes the minimum necessary information required. This issue is also considered as part of the NCHS Ethics Review Board (ERB) approval process, and the Privacy Rule specifies that you may rely on the documentation of ERB approval that the information requested is the minimum necessary for the research purpose.

A10. No. For research projects, only one IRB must review the project, and the NCHS Ethics Review Board (ERB) (which has the authority to review such projects under the Regulations for the Protection of Human Subjects) has done so. We have the ERB approval letter pdf icon[PDF – 77 KB] that indicates that a waiver has been approved by an ERB for this survey, and contains the documentation that is required by the Privacy Rule. If you desire, your IRB may review the project as well.

A11. Your IRB could verify that the NCHS Ethics Review Board (ERB) approval letter pdf icon[PDF – 77 KB] we have provided adheres to the requirements of the Privacy Rule, and NCHS could send you a copy of the materials submitted to the ERB.

A12. No. A business associate contract is needed only when a person or entity is conducting a function or activity to help a provider carry out its health care function. NCHS is not a business associate of the provider. A business associate agreement is not required.

A13. The entire text of the Privacy Rule can be found at the U.S. Department of Health & Human Services websiteexternal icon. The following parts of the rule were referred to above:

• Disclosures without patient authorization – 45 CFR 164.512
• Disclosures for public health activities – 45 CFR 164.512(b)
• Disclosures for research purposes – 45 CFR 164.512(i)
• Limited data set and data use agreement – 45 CFR 164.514(e)
• Verification requirements – 45 CFR 164.514(h)
• Privacy notice – 45 CFR 164.520
• Accounting of disclosures – 45 CFR 164.528
• Minimum necessary requirements – 45 CFR 164.502(b) and 45 CFR 164.514(d)