HIPAA, Health Insurance Portability and Accountability Act, Health Information Privacy, Patient Data Privacy, HIPAA Limited Data Set

  • Definition
  • Security Rules
  1. HIPAA Security Rule Proposed (1998)
    1. HIPAA security rules must be adhered to when transmitting medical data over telecommunications networks
    2. Ensure confidentiality, integrity and availability of all electronic protected health information (e-PHI)
    3. Identify and protect against reasonably anticipated threats to security or integrity of information
    4. Protect against reasonably anticipated impermissible uses or disclosures
    5. Ensure workforce compliance (typically in conjunction with the organization's general counsel)
  2. HIPAA Security - Final Rule (2003)
    1. Specifically sets standards for administrative, physical and technical safeguards
  • Definition
  • Privacy Rules
  1. HIPAA Privacy Rule
    1. Federal protections related to individually identifiable patient health information
    2. Allows for disclosure of health information when needed for patient care and related important uses
      1. Medical providers may discuss patient with other providers caring for patient (consultants, pharmacists...)
      2. Immunization information may be released with verbal consent by patient or parent
    3. Healthcare providers are not covered by HIPAA if they do NOT transmit health information electronically
  2. HIPAA Limited Data Set
    1. Clinical data set that conforms to HIPAA definition may be shared with another institution that agrees to the same guidelines
    2. May contain dates of diagnosis, even sensitive diagnoses such as HIV Test results
    3. Defined in 45 CFR 164.514(e) of the HIPAA Privacy Rule
      1. http://www.dshs.wa.gov/pdf/ms/rda/hrrs/HIPAALimitedDataSets.pdf
    4. Must exclude identifying information (about the patient, family members, housemates, employers)
      1. Names
      2. Address (except for town, city, state, zip code)
      3. Phone or fax numbers
      4. Social security numbers, medical record numbers or health plan beneficiary numbers
      5. Account numbers or license/certificate numbers
      6. Vehicle identifiers, serial numbers or license plate numbers
      7. Web URLs or IP Addresses
      8. Biometrics (e.g. finger or voice prints)
      9. Photographs identifying the patient (e.g. face)
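As an added illustration that is not part of the original page, the exclusion list above expressed as a redaction routine in Python: the field names, the constructed sample record and the free-text patterns are assumptions, and the routine keeps dates and the allowed address parts while dropping the listed identifiers for the patient and related persons (family, employer) alike.

```python
import re

# Direct identifiers a Limited Data Set must exclude (45 CFR 164.514(e), as listed
# above). Field names are assumptions for this constructed example, not a standard.
EXCLUDED_FIELDS = {"name", "phone", "fax", "ssn", "mrn", "health_plan_id",
                   "account_number", "license_number", "certificate_number",
                   "vehicle_id", "license_plate", "url", "ip_address",
                   "biometric", "photo"}
ADDRESS_KEEP = {"city", "state", "zip"}         # only town/city, state, ZIP may stay
LEAK_PATTERNS = [                                # identifiers hiding in free text
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # SSN-shaped
    re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),  # US phone-shaped
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),  # IPv4 address
    re.compile(r"https?://\S+"),                 # web URL
]
SAMPLE_RECORD = {                                # constructed sample, not real data
    "name": "Jane Doe", "mrn": "MRN-00042", "ssn": "123-45-6789",
    "address": {"street": "1 Main St", "city": "Springfield", "state": "WA", "zip": "98101"},
    "diagnosis_date": "2013-04-02", "diagnosis": "HIV test positive",
    "note": "Call patient at 206-555-0100 re: results",
    "family": [{"relation": "spouse", "name": "John Doe", "phone": "206-555-0199"}],
    "employer": {"name": "Acme Corp", "url": "http://acme.example"},
}

def limited_data_set(obj):
    """Drop excluded keys at every level, trim addresses, redact identifier-shaped text."""
    if isinstance(obj, dict):
        out = {}
        for key, value in obj.items():
            if key in EXCLUDED_FIELDS:
                continue                         # direct identifier: drop outright
            if key == "address" and isinstance(value, dict):
                out[key] = {k: v for k, v in value.items() if k in ADDRESS_KEEP}
            else:
                out[key] = limited_data_set(value)
        return out
    if isinstance(obj, list):
        return [limited_data_set(v) for v in obj]
    if isinstance(obj, str):
        for pat in LEAK_PATTERNS:
            obj = pat.sub("[REDACTED]", obj)
        return obj
    return obj                                   # numbers, bools, None, dates unchanged

def leaked_fields(obj, path=""):
    """Paths of excluded keys still present; an empty list means the set conforms."""
    if isinstance(obj, dict):
        return [path + k for k in obj if k in EXCLUDED_FIELDS] + [
            p for k, v in obj.items() for p in leaked_fields(v, f"{path}{k}.")]
    if isinstance(obj, list):
        return [p for i, v in enumerate(obj) for p in leaked_fields(v, f"{path}{i}.")]
    return []
```

Run `leaked_fields` on the output before sharing the set with the receiving institution; the free-text patterns are heuristics, so clinical notes still need review.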
  • History
  1. 1995-1996
    1. HIPAA Privacy Act first passed in U.S. (Kennedy-Kassebaum Bill)
    2. Key legislation focus was initially insurance regulation (e.g. reduced denial based on pre-existing conditions, portability across jobs)
  2. 2009 American Recovery and Reinvestment Act (ARRA) related changes to HIPAA
    1. Addressed additional data restrictions, disclosures (e.g. security breaches), protected health information sales and reporting requirements
    2. Business associates are held to same HIPAA standards as health organizations
      1. Update Business Associate Agreements (BAA) to document policies and procedures to protect patient data
      2. In case of data security breach, business associates must notify the affected entities and Health and Human Services
  3. 2013 HIPAA Final Rule
    1. Patient information on mobile devices must be secured with a strong password
    2. Patient data and messages must be encrypted
    3. Patients may restrict insurers from being notified of their cash purchases
    4. Patients may request electronic copies of their records
    5. Electronic claim transactions must be standardized
  • Legal
  • Disclosure rules
  1. Patient alert with intact Decision-Making Capacity
    1. Patient has right to agree or to object to release of information to others
    2. There is no "implied" authorization to release protected health information under HIPAA
  2. Patient Visitors
    1. HIPAA protections do not apply to visitors (no restriction on disclosure of information about the visitor)
  3. Dangerous patient
    1. Serious, imminent health and safety threat to an individual or to the public
    2. Suicidality or other serious mental illness interfering with Decision-Making Capacity
  4. Emergency in which person unable to provide consent
    1. Disclosure may be performed in best interest of patient
    2. Informal consent for disclosure to family or friends as it relates to care or payment for care
    3. Notification of patient location, status or death to family or others responsible for patient's care
    4. Entities related to active disaster relief
  5. Attorney
    1. Requires signed release of information by patient
  6. Law enforcement
    1. Requires signed release of information by patient or power of attorney or a court order (or similar authorization)
    2. Release may be warranted where directly applicable to criminal investigation (discuss with organization attorneys)
      1. Required by law such as court order, warrant, subpoena
      2. Location of suspect, fugitive, witness or missing person
      3. Victim of a crime (or suspected victim)
      4. Patient death if that death is suspected to be related to a crime
      5. Health information is thought to be evidence of a crime that occurred on health facility premises
      6. Medical emergency related to a crime
  7. Press
    1. Requires signed release of information by patient
  8. Public Health Department or other similar federal agency protecting public health and safety
    1. Information to prevent or control disease, injury or Disability (e.g. Sexually Transmitted Disease)
    2. Child Abuse or neglect
    3. Seizure Disorder, Epilepsy, hypoglycemic episode or other event resulting in Impaired Driving risk
  9. FDA
    1. Adverse event reporting
    2. Product tracking, recalls and surveillance
  10. Individuals
    1. May be notified of exposure to communicable disease
  11. Employers
    1. Work-Related Illness or injury as it applies to workplace health and safety
  12. Health care facility
    1. Health information as it relates to treatment, payment and operations related activity
    2. Health information as it relates to provider or other facility quality, competency, fraud, abuse, compliance regarding a specific mutual patient
  1. HIPAA Security Rule requires that covered entities perform a risk analysis to decide which forms of Patient Communication are acceptable
  2. Secure messaging via a patient portal or encrypted email may be preferred
  3. Unencrypted email is not prohibited, but additional precautions should be taken, and patients may refuse this mode of communication
  4. Text messaging is not defined by the current HIPAA regulations as of 2014, but may be at increased risk of interception
  5. Direct Project is working on standards to securely send health information directly to recipients
    1. http://directproject.org/content.php?key=overview