HIPAA Privacy Rule Questions & Answers for NHAMCS
Q1. Am I required to comply with the HIPAA Privacy Rule?
A1. Health care providers who transmit certain financial and administrative health information electronically have been required to comply with the Rule since April 14, 2003. For example, if you submit claims electronically, you would be required to comply with the Rule.
Q2. Does the Privacy Rule allow me to participate in this survey?
A2. Yes. The Privacy Rule permits you to make disclosures of protected health information without patient authorization for public health purposes and for research that has been approved by an NCHS Ethics Review Board (ERB). This survey meets both of these criteria. Click to see the ERB approval letter pdf icon[PDF – 121 KB] for NHAMCS.
Q3. What is protected health information?
A3. Protected health information includes all medical records and other individually identifiable information used or disclosed by an entity subject to the Privacy Rule. This includes directly identifiable information such as patient names, social security numbers and other information such as race and age that could be used to identify an individual.
Q4. What do I have to do to participate and comply with the Privacy Rule?
A4. There are several things that would assure that you comply with the Rule when participating in the survey. First, the privacy notice that you provide to your patients must indicate that patient information may be disclosed for research or public health purposes. Many of the model notices that have been developed and made available by professional associations provide this language.
Also, we have materials available on our website to assist you in verifying what information you are able to provide that is still in compliance with the requirements of the Privacy Rule. This includes the authority under which NCHS is collecting this information and that the information being collected is the minimum necessary.
Finally, your hospital may need to keep track of disclosures made for this survey. When we perform the abstraction, we will give you a document pdf icon[PDF – 17 KB] that contains the information that you need to keep track of disclosures.
Q5. What is the data use agreement?
A5. It is an agreement that describes how we may use the information that you provide to us. It was developed based on the provision of the Privacy Rule that specified that if certain data elements that are not directly identifiable (referred to as a limited data set) were disclosed for research or public health purposes, these disclosures could be made if the facility providing the data agreed to the elements of the data use agreement pdf icon[PDF – 177 KB] . An advantage of this approach is that, since we do not actually access identifiable information, you are not required to account for these disclosures.
Q6. Is there any other information that I need to assess to assure that my disclosure is authorized under the Privacy Rule?
A6. No. The letter pdf icon[PDF – 32 KB] that your hospital received requesting that your hospital participate in this survey is from the Director of the National Center for Health Statistics, which is part of CDC. The Privacy Rule specifies that your hospital is allowed to disclose information requested for public health purposes to public health agencies such as CDC without patient authorization.
Q7. What demonstrates that you are a public health authority?
A7. The survey is sponsored by the CDC/National Center for Health Statistics. CDC is a public health authority whose mission is to protect the health of the public. The letter pdf icon[PDF – 32 KB] that we sent asking your facility to participate was sent on official CDC/NCHS letterhead and described our authority to conduct this survey. That letter also made clear that the U.S. Census Bureau is acting as our data collection agent. Finally, the Census Bureau representative has an official identification badge.
Q8. Why do we have to account for these disclosures?
A8. Under the Privacy Rule, patients have a right to an accounting of disclosures that have been made of their identifiable information for various purposes, including disclosures for public health and research purposes. We will provide you with the information your hospital needs to account pdf icon[PDF – 17 KB] for the disclosures made as part of this survey.
Q9. Do we need to worry about whether this is the minimum necessary information for the purposes of the project?
A9. No. The Privacy Rule specifies that in providing information to public agencies, such as CDC, you may rely on our representation that the request constitutes the minimum necessary information required. This issue is also considered as part of the NCHS Ethics Review Board (ERB) approval process, and the Privacy Rule specifies that you may rely on the documentation of ERB approval that the information requested is the minimum necessary for the research purpose.
Q10. Do we have to have an Institutional Review Board (IRB) review this research project?
A10. No. For research projects, only one IRB must review the project, and the NCHS Ethics Review Board (ERB) (which has the authority to review such projects under the Regulations for the Protection of Human Subjects) has done so. We have the ERB approval letter pdf icon[PDF – 121 KB] that indicates that a waiver has been approved by an ERB for this survey, and contains the documentation that is required by the Privacy Rule. If you desire, your hospital’s IRB may review the project as well.
Q11. What if we want our Institutional Review Board (IRB) to review this project?
A11. Your IRB could verify that the ERB approval letter pdf icon[PDF – 121 KB] we have provided adheres to the requirements of the Privacy Rule, and NHCS could send you a copy of the materials submitted to the ERB.
Q12. Is a business associate contract required for my hospital to disclose protected health information to NCHS for the survey?
A12. No. A business associate contract is needed only when a person or entity is conducting a function or activity to help a provider carry out its health care function. NCHS is not a business associate of the provider. A business associate agreement is not required.
Q13. Where can we find the requirements of the Privacy Rule?
A13. The entire text of the Privacy Rule can be found at the U.S Department of Health & Human Services websiteexternal icon. The following parts of the rule were referred to above:
- Disclosures without patient authorization – 45 CFR 164.512
- Disclosures for public health activities – 45 CFR 164.512(b)
- Disclosures for research purposes – 45 CFR 164.512(i)
- Limited data set and data use agreement – 45 CFR 164.514(e)
- Verification requirements – 45 CFR 164.514(h)
- Privacy notice – 45 CFR 164.520
- Accounting of disclosures – 45 CFR 164.528
- Minimum necessary requirements – 45 CFR 164.502(b) and 45 CFR 164.514(d)