HIPAA: Health Insurance Portability and Accountability Act

Lab Disclosures, March 29, 2004

UAB Health System

Upload: dylan-cross

Post on 11-Jan-2016


2

Education Objective

– Review the HIPAA Privacy law segments most applicable to lab disclosures.
– Explain the UABHS Accounting of Disclosures electronic and manual processes.
– Distribute and explain a matrix of typical disclosures.
– Answer questions and de-mystify HIPAA privacy regulations.
– Provide resources to assist with future questions.

3

HIPAA Privacy

Under the HIPAA Privacy Regulations:

– PHI may be used for treatment, payment, & healthcare operations (TPO).
– PHI may be disclosed to other providers for treatment.
– PHI may be disclosed to other covered entities for payment.
– PHI may be disclosed to other covered entities that have a relationship with the patient for certain healthcare operations such as QI, credentialing and compliance.

4

HIPAA Privacy: Other Permitted Uses & Disclosures

PHI may be used or disclosed without authorization under the following circumstances:

– Public health agencies for purposes such as controlling or preventing disease or collecting vital statistics, i.e. notifiable or communicable diseases which must be reported to AL Dept. of Public Health, PKU Information Reporting.

– Public health or government authorities for law enforcement purposes, such as reporting on victims of abuse, neglect or domestic violence.

5

HIPAA Privacy: Other Permitted Uses & Disclosures

– Health oversight agencies for activities authorized by law, i.e. AQAF.

– Judicial and administrative proceedings, such as compliance with a court order or subpoena.

– Law enforcement officials seeking information for the purpose of identifying a suspect, witness, or victim of a crime.

– Coroners, medical examiners, and funeral directors to identify a deceased person or determine a cause of death.

– Organ donation.

– Worker’s compensation.

6

HIPAA Privacy: Other Uses & Disclosures

Facility Directories: unless the patient opts out, their name, location and general medical condition may be disclosed to those asking for the patient by name.

Individuals involved in care or payment for care: PHI may be disclosed unless the patient objects.

7

HIPAA Privacy: Marketing & Fundraising

Marketing

– Covered entities are prohibited from using or disclosing PHI for marketing purposes without the patient’s express authorization.

– Covered entities are prohibited from selling patient/enrollee lists to third parties.

– Providers CAN communicate with patients about treatment options or the covered entities’ own health-related products and services. This covers common health care communications such as disease management, wellness programs, prescription refill reminders and appointment notifications, and recommending alternative treatments, therapies, or health-care products.

Fundraising: limited PHI may be used if the patient is told how to opt out.

8

HIPAA Privacy: Incidental Uses and Disclosures

Uses and disclosures that are incidental to an otherwise permitted use or disclosure may occur and are not considered a violation of the Rule, provided that the covered entity meets reasonable safeguards and minimum necessary requirements.

Examples: waiting room sign-in sheets, patient charts at bedside, physician conversations with patients in semi-private rooms, and physicians conferring at nurses’ stations.

9

HIPAA Privacy: Research

HIPAA regulations do not replace or reproduce other federal regulations (e.g. 45 CFR 46, 21 CFR 56). All existing regulations remain in force.

Unlike some other regulations, HIPAA applies regardless of whether the research is funded by the government.

10

HIPAA Privacy: Research

HIPAA preempts all less stringent state laws regarding privacy of health information unless specific requirements are met.

These requirements involve state mandated reporting related to health, safety, or welfare, as well as reporting that is necessary for a health plan to conduct auditing procedures.

11

HIPAA Privacy: Research

Instructions for requesting an exemption - to follow the state law instead of HIPAA - are given in Subpart B (§160.201-205).

12

HIPAA Privacy: Research

Covered Entities are permitted to use or disclose PHI for research if the IRB has approved the research and one or more of the following conditions exist:

1. Patient Authorization

2. Decedent Research

3. Preparatory Research

4. Limited Data Set

5. IRB grants a waiver of required authorization.

13

Waiver of Authorization

The IRB may waive the authorization if the reviewing board finds that:

– The use or disclosure of PHI involves no more than “minimal risk” to privacy.

– The proposed research could not practicably be conducted without the waiver or alteration; and

– The research could not practicably be conducted without access to and use of the PHI.

14

Research with Records of Deceased Individuals

If a research subject is deceased, PHI may be used or disclosed provided that the researcher represents:

– The use or disclosure is sought solely for research on PHI of decedents, and
– PHI for which use or disclosure is sought is necessary for research purposes.

Upon request of the covered entity, the researcher must provide documentation of the death of the individual.

15

Reviews Preparatory to Research

A covered entity may use or disclose PHI for reviews preparatory to research if it obtains the following representations from the researcher:

– Use and disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research (e.g. recruitment);

– No PHI is removed from the covered entity by the researcher in the course of review; and

– The PHI for which use or access is sought is necessary for the research purpose.

– Look to institutional policy to see if IRB approval is required.

16

De-Identification Standard

De-identified health information is health information that does not identify an individual and for which there is no reasonable basis that the information could be used to identify an individual.

It is not considered individually identifiable information.

There is no actual knowledge that the information could be used to identify an individual.

17

De-Identification Standard (cont.)

The Privacy Rule does not apply to information that has been de-identified under one of two standards set forth in the Privacy Rule.

– Removal of 18 identifiers.
– Certification by a biostatistician that the method for de-identifying the PHI has a “very small risk” that the information could be used, alone or in combination with other reasonably available information, to identify an individual who is the subject of the information.

18

De-Identification Standard (cont.)

Information is presumed to be de-identified if the following identifiers of the individual or of relatives, employers, or household members of the individual have been removed:

- Names;
- All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and equivalent geocodes;
- All elements of dates (except year), including birth date, admission & discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age;
- Telephone numbers;
- Fax numbers;
- Electronic mail addresses;
- Social security number;
- Medical record numbers;
- Health plan beneficiary numbers;
- Account numbers;
- Certificate/license numbers;
- Vehicle identifiers and serial numbers, including license plate numbers;
- Device identifiers and serial numbers;
- Web Universal Resource Locator (URL);
- Internet Protocol (IP) address numbers;
- Biometric identifiers, including finger and voice prints;
- Full face photographic images and any comparable images; and
- Any other unique identifying number, characteristic, or code, except as allowed under the re-identification specifications 164.514(c).

19

Limited Data Sets

– Similar to de-identified data sets except certain direct identifiers must be removed.
– Can be used for research, public health, and health care operations.
– Limited Data Sets can include identifiers such as date of birth, dates of hospital admissions and discharges, and an individual’s residence by city, county, state, and 5 digit zip codes.
– Researcher may access and use the entire array of PHI without authorizations or waivers of authorizations.

20

Minimum Necessary Standard

When HIPAA permits use or disclosure of PHI, providers should disclose or use only the minimum necessary amount of PHI in order to do their jobs.

Exceptions:

– Treatment.
– Anything for which a patient authorization is signed.
– Incidental disclosures.
– Disclosures required by law.

21

HIPAA Privacy: Patient Rights

– Notice to Individuals of Information Practices.
– Authorization.
– Request Access.
– Request Accounting for Uses and Disclosures.
– Request Amendment and Correction (subject to approval by the covered entity).
– Request Confidential / alternate communication.
– Request Restriction on use of PHI (subject to approval by the covered entity).
– Complaints.

22

What is an Accounting of Disclosures?

Information provided to the patient, upon request, on certain disclosures made by UAB/UABHS in the six years prior to the date of the request, but not prior to April 14, 2003:

– Date of disclosure
– Name, address (if known) of entity/person receiving PHI
– Brief description of PHI disclosed
– Purpose of disclosure or copy of request

23

Accounting of Disclosures

A covered entity must provide an accounting to the individual of any research disclosure made pursuant to an IRB.

No accounting is needed for disclosures made pursuant to an Authorization.

24

Accountings of Disclosures are not required for the following:

– To carry out TPO,
– PHI to individuals about themselves,
– For facility directory purposes,
– Incidental to an otherwise permitted use/disclosure,
– To persons involved in the care of the patient,
– National security or intelligence purposes,
– Correctional institutions or other law enforcement officials,
– For disclosures made prior to April 14, 2003,
– Pursuant to a valid authorization,
– For other such reasons as allowed under HIPAA.

25

Mandatory Reporting Involving Protected Health Information

The state of Alabama requires reporting on the following:

– Births
– Infants of Unknown Parentage
– Fetal Deaths/Induced Termination of Pregnancy
– Deaths
– Notifiable Diseases & Health Conditions
– Infected Health Care Workers with HIV or Hepatitis B
– Head & Spinal Cord Injuries
– Confirmed Cancer Cases (Tumor Registry)
– Child Abuse or Neglect
– Protection of Aged or Disabled Adults
– Victims of Domestic Violence

26

UAB Health System Types of Disclosures

– Abuse, Neglect or Exploitation
– Administrative Hearing
– Adverse Outcomes
– ACS Consultation/Verification Review of Trauma in Hospitals
– Audits
– Autopsy Report
– Billing Records/Reports
– Birth Certificate (Vital Event)
– Bureau of Health Care Information
– Business Associates for Non-T.P.O.

27

UAB Health System Types of Disclosures

– Center for Disease Control
– Civil/Criminal Investigation
– Communicable Diseases
– Complaint Investigation
– Consultants/Contractors
– Coroners/Medical Examiners
– Court Order
– Death Certificate (Vital Event)
– Department of Justice
– Department of Transportation (D.O.T.)

28

UAB Health System Types of Disclosures

– Drug Enforcement Agency (D.E.A.) - Narcotics Reporting
– Environmental Protection Agency (E.P.A.)
– Federal Bureau of Investigation (F.B.I.)
– Federal Emergency Management Agencies (F.E.M.A.)
– Food and Drug Administration Reporting (F.D.A.)
– Funeral Homes
– Government Required Disclosures, Not Otherwise Specified
– Immunization Records
– Inspection
– Insurance Reviewers (N.C.Q.A., etc.)

29

UAB Health System Types of Disclosures

– Law Enforcement (Aversion of Serious Threat)
– Law Enforcement (Crime on Premises)
– Law Enforcement (Suspicious Death, Location of Suspect/Witness)
– Law Enforcement (Victims of or Suspected Crime)
– Law Enforcement (Wounds, Injuries)
– Licensure/Disciplinary Action
– Military Command Authorities
– National Transportation Safety Board (N.T.S.B.)
– National Trauma Data Bank
– Neonatal Reporting to State
– Occupational Safety and Health Administration (O.S.H.A.)

30

UAB Health System Types of Disclosures

– Organ, Eye and Tissue Donation/Procurement
– Paternity Testing/Affidavits
– Peer Review (A.Q.A.F./Alabama Quality Assurance Foundation)
– Poison Control Center
– Public Health Activities, Not Otherwise Specified
– Public Health Authorities, Not Otherwise Specified
– Registry: Birth Defects
– Registry: Births
– Registry: Burns and Trauma
– Registry: Cancer/Tumor

31

UAB Health System Types of Disclosures

– Registry: Cardiac
– Registry: Child Abuse or Neglect
– Registry: Deaths
– Registry: Eye Injury
– Registry: Fetal Deaths
– Registry: Head and Spinal Cord Injury
– Registry: Hearing Screening
– Registry: Infants of Unknown Parentage
– Research (Preparatory, Decedent, or Requirements for Authorization Waived)
– Search Warrant

32

UAB Health System Types of Disclosures

– Subpoena
– Summons
– Surveys (CAP, CLIA, FDA, JCAHO)
– Underage Pregnancy
– Unlawful Disclosure Discovered Post-Release
– Vendors
– Workers' Compensation, if not related to TPO

33

Office of Civil Rights web-site: www.hhs.gov/ocr/hipaa

– “FAQ’s” or Frequently Asked Questions
– Accounting of Disclosures
– Research

34

OCR Privacy FAQ’s

– List of FAQ’s
– Note multiple pages
– Click on line item for details

35

OCR Privacy FAQ’s

Review FAQ for information as it relates to Privacy

36

UABHS Accounting Tool

UAB Health System utilizes one central database for maintaining accounting of disclosures.

37

Manual Documentation of Accounting of Disclosures

All “AOD’s” must be manually logged since April 14, 2003, then entered into UABHS’ approved and specified software, when available.

Software field name:

1. Request date (document received date)
2. MR# Custom Code (client code)
3. Service Dates (to/from)
4. Patient’s name (first and last)
5. Soc. Sec. #; Date of Birth
6. Suspended (Y/N); and date range. Limited use of this field.
7. Disclosure Date (date info. actually released)
8. Disclosed to: Organization, Contact’s Name, Street Address, City, State, Zip
9. Type of Disclosure (see “Types” table)
10. Items (list items actually disclosed)
11. Media (method of disclosure)
12. Employee information
13. Comments field

38

Miscellaneous

Reminder: HIPAA Privacy requirement to maintain accounting of disclosures, from April 14, 2003.

Questions?

39

For HIPAA questions or to report a suspected HIPAA violation contact:

Carlos Brown, UAB Hospital, Corporate Compliance / Privacy Manager: 934-2990

Sheila Moore, Institutional Review Board: 934-3789

Linda Lum, Accounting of Disclosures

[email protected]