The PRISM Privacy Tool: A User’s Guide
PHDSC Home Page: http://www.phdsc.org/
PRISM Web Page: http://www.phdsc.org/prism/introduction.htm
What is PRISM?
A framework for understanding the basic legal privacy requirements for the use and disclosure of health information
Created to help public sector health programs understand and apply state and federal privacy laws to their activities
What is PRISM? (cont’d)
An electronic, web-based tool
Set up as web tables to easily access and focus information relevant to a specific situation
Multiple tables created to inform all the common public sector health functions
Purpose of PRISM
Identifies and defines the baseline conditions and requirements that a government or other health entity must follow when using and disclosing specific types of health information
Organizes key privacy requirements related to uses and disclosures to provide direction to improve privacy policies, procedures, and compliance
What Information is in PRISM?
Uses the HIPAA privacy rule to set the basic framework
Incorporates other federal privacy laws, such as 42 CFR pt. 2 and FERPA, where relevant
References common provisions in state law
Focuses on DISCLOSURES of health information done by public programs
Includes other laws or requirements that may have an impact
Provides additional information on how the requirement may be interpreted or applied in public programs
What Information is in PRISM? (cont’d)
Why was PRISM developed?
Address a gap in federal HIPAA privacy guidance
HIPAA requirements do not always map to public sector health program activities
Why was PRISM developed? (cont’d)
Public sector health programs often combine multiple activities and functions, so rule application can be confusing
Useful for most payer and provider entities, whether public or private
Who developed PRISM?
Developed through the Public Health Data Standards Consortium (PHDSC)
Funded by the National Center for Health Statistics (NCHS)
Development oversight provided by the Consortium’s Privacy, Security, and Data Sharing Committee (PSDSC)
Who developed PRISM? (Cont’d)
Content developed by Consortium members:
Walter Suarez, MD, PHDSC President
Vicki Hohner, Co-Chair PSDS Committee
Legal Reviewer: Joy Pritts, JD, Senior Policy Analyst and HIPAA Privacy expert, Georgetown University
How is PRISM structured?
Three separate tables for common public sector health-related functions:
Public Health Authority
Provider
Payer
Focus is on disclosures of specific types of identifiable health information
How is PRISM structured? (cont’d)
Tables organized by:
Disclosure Purpose
Treatment, Payment, Operations
Required by law (public health, health oversight)
Judicial/administrative proceedings, law enforcement
How is PRISM structured? (cont’d)
Tables organized by:
Disclosure Purpose
Type of Information
HIV, immunizations, medical records
Separate section for minors
Separate table addressing who (as the individual) can control uses and disclosures and under what conditions
What information is in the PRISM tables?
Tables divided into cells that contain information about specific disclosures
HIPAA citation
Type of disclosure (required vs. permitted)
Information related to the disclosure (conditions, special requirements)
What information is in the PRISM tables (cont’d)?
HIPAA requirements of the disclosure
Whether consent/authorization is required
Whether minimum necessary applies
If an accounting of disclosure is required
Additional general state law issues/requirements that may apply
Where can I find PRISM?
PHDSC Home Page: http://www.phdsc.org/
PRISM Web Page: http://www.phdsc.org/prism/introduction.htm
Introduction to PRISM
Click on “Proceed to PRISM Privacy Tool” at bottom of this web page
Understanding and Using PRISM
Proceed down the page and click on “Government Entity Acting As….”
Understanding and Using PRISM
Government Entity Acting As…
Proceed down the page and click on one of the Type of Disclosure tables
Government Entity Acting As…
How do I use PRISM? (Cont’d)
Click on a specific functional table to access the actual table
This takes you to the grid of disclosure purposes for that table by specific data type
Click on a folder icon to access the content for a specific disclosure/data type
This screen provides you with disclosure guidelines specific to this type of disclosure
How do I use PRISM? (Cont’d)
Example #1
My program functions as a provider
I want to disclose information on children’s immunizations for public health purposes
1. First click to access the Public Health Healthcare Provider table
Example #1 (Cont’d)
2. Then go to table 4, Disclosures Required by Law; for Public Health; etc., which covers disclosures for public health purposes
3. Look along the top for the Public health purpose column, then for Unemancipated minors information down the side, and click to open
Example #1 (Cont’d)
4. Using the information in the cell:
If an entity is performing public health activities as a provider, that disclosure is allowed without consent or authorization under HIPAA
State laws define and control legal issues related to minors, but public health activities are normally not affected by these laws
Example #1 (Cont’d)
Example #2
My program functions as a provider AND a public health authority
I need to disclose HIV/AIDS information for treatment purposes
1. First click to access the Provider table
Example #2 (Cont’d)
2. Then go to table 2, Disclosures for Treatment, Payment, and Health Care Operations, which contains specific information for TPO purposes
3. Look for the Treatment disclosures column, and the STD/AIDS row, and click on the cell to open
Example #2 (Cont’d)
4. Then click on the Public Health Authority table, go to table 2, Disclosures for Treatment, Payment, and Health Care Operations, which contains specific information for TPO purposes
Example #2 (Cont’d)
5. Look for the Treatment disclosures column, and the STD/AIDS row, and click on the cell to open
Example #2 (Cont’d)
6. Using the information in both cells:
If an entity is performing treatment activities as a provider, that disclosure is allowed without consent or authorization under HIPAA
However, HIV information is often subject to stricter state protections, so state laws may require consent or authorization for some or all treatment activities
If an entity is performing treatment activities as a public health authority, then that disclosure is not subject to the HIPAA requirements
However, those treatment activities must be clearly identifiable as public health activities defined by law to qualify
Example #2 (Cont’d)
PRISM Privacy Definitions and Resources
How can I provide feedback on PRISM?
Feedback/Comment form: http://www.phdsc.org/about/feedback.asp?cf=pr
Your comments are critical to future revisions and enhancements to this tool
Other Consortium Products and Activities
Products
Websites
Local health privacy case studies
Activities
Participate in state and national privacy and security projects (HISPC)
Participate in national privacy and security standards harmonization (HITSP)
For more information
About the Consortium and other Consortium products: http://www.phdsc.org
Invite participation in Consortium activities
Help produce more useful tools and information
Consider joining the Consortium to further these and other efforts
Contact Information
Walter G. Suarez, MD
President and CEO
Institute for HIPAA/HIT Education and Research
Email: [email protected]: 703-519-1828
Vicki Hohner, MBA
Senior Consultant
Fox Systems, Inc.
Email: [email protected]: 360-970-6856