Health Information Privacy and Security (November 8, 2021)
Information Privacy Laws in Healthcare (September 13, 2020)
1. 1
Information Privacy Laws in Healthcare
Dr. Nawanan Theera-Ampornpunt (นพ.นวนรรน ธีระอัมพรพันธุ์)
Deputy Dean for Operations and Lecturer, Department of Clinical Epidemiology and Biostatistics
Faculty of Medicine Ramathibodi Hospital
13 September 2020
Except for content reproduced from others, used here under fair use, which remains copyrighted by its respective owners.
4. 4
Hippocratic Oath
“...What I may see or hear in the course of
treatment or even outside of the treatment in
regard to the life of men, which on no account one
must spread abroad, I will keep myself holding
such things shameful to be spoken about...”
5. 5
Relevant Ethical Principles
Autonomy (the principle of the patient's right to self-determination and independence)
Beneficence (the principle of acting in the patient's best interest)
Non-maleficence (the principle of not harming the patient)
“First, Do No Harm.”
36. 36
▪ Health Insurance Portability and Accountability Act of 1996
http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/pdf/PLAW-104publ191.pdf
▪ More stringent state privacy laws apply
▪ HIPAA Goals
▪ To protect health insurance coverage for workers & families when they change or
lose jobs (Title I)
▪ To require establishment of national standards for electronic health care
transactions and national identifiers for providers, health insurance plans, and
employers (Title II: “Administrative Simplification” provisions)
▪ Administrative Simplification provisions also address security & privacy of health
data
http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act
U.S. Health Information Privacy Law (HIPAA)
37. 37
▪ Title I: Health Care Access, Portability, and Renewability
▪ Title II: Preventing Health Care Fraud and Abuse; Administrative
Simplification; Medical Liability Reform
▪ Requires the Department of Health & Human Services (HHS) to draft rules
aimed at increasing the efficiency of the health care system by creating
standards for the use and dissemination of health care information
U.S. Health Information Privacy Law (HIPAA)
38. 38
▪ Title III: Tax-Related Health Provisions
▪ Title IV: Application and Enforcement of Group Health Plan
Requirements
▪ Title V: Revenue Offsets
U.S. Health Information Privacy Law (HIPAA)
39. 39
▪ HHS promulgated 5 Administrative Simplification rules
▪ Privacy Rule
▪ Transactions and Code Sets Rule
▪ Security Rule
▪ Unique Identifiers Rule
▪ Enforcement Rule
U.S. Health Information Privacy Law (HIPAA)
40. 40
▪ Covered Entities
▪ A health plan
▪ A health care clearinghouse
▪ A healthcare provider who transmits any health information in electronic form in
connection with a transaction to enable health information to be exchanged
electronically
▪ Business Associates
Some HIPAA Definitions
41. 41
▪ Protected Health Information (PHI)
▪ Individually identifiable health information transmitted or maintained in electronic media or other
form or medium
▪ Individually Identifiable Health Information
▪ Any information, including demographic information collected from an individual, that—
▪ (A) is created or received by a CE; and
▪ (B) relates to the past, present, or future physical or mental health or condition of an individual,
the provision of health care to an individual, or the past, present, or future payment for the
provision of health care to an individual, and—
▪ (i) identifies the individual; or
▪ (ii) with respect to which there is a reasonable basis to believe that the information can be used to
identify the individual.
Some HIPAA Definitions
42. 42
▪ Name
▪ Address
▪ Phone number
▪ Fax number
▪ E-mail address
▪ SSN
▪ Birthdate
▪ Medical Record No.
▪ Health Plan ID
▪ Treatment date
▪ Account No.
▪ Certificate/License No.
▪ Device ID No.
▪ Vehicle ID No.
▪ Drivers license No.
▪ URL
▪ IP Address
▪ Biometric identifier
including fingerprints
▪ Full face photo
Protected Health Information: Personal Identifiers
43. 43
▪ Establishes national standards to protect PHI; applies to CE & business associates
▪ Requires appropriate safeguards to protect privacy of PHI
▪ Sets limits & conditions on uses & disclosures that may be made without patient authorization
▪ Gives patients rights over their health information, including rights to examine & obtain copy of
health records & to request corrections
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
HIPAA Privacy Rule
44. 44
▪ Timeline
▪ November 3, 1999 Proposed Privacy Rule
▪ December 28, 2000 Final Privacy Rule
▪ August 14, 2002 Modifications to Privacy Rule
▪ April 14, 2003 Compliance Date for most CE
▪ Full text (as amended)
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/
adminsimpregtext.pdf
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
HIPAA Privacy Rule
45. 45
▪ Some permitted uses and disclosures
▪ Use of PHI
▪ Sharing, application, use, examination or analysis within the entity
that maintains the PHI
▪ Disclosure of PHI
▪ Release or divulgence of information by an entity to persons or
organizations outside of that entity
HIPAA Privacy Rule
46. 46
▪ A covered entity may not use or disclose PHI, except
▪ with individual consent for treatment, payment or healthcare
operations (TPO)
▪ with individual authorization for other purposes
▪ without consent or authorization for governmental and other
specified purposes
HIPAA Privacy Rule
47. 47
▪ Treatment, payment, health care operations (TPO)
▪ Quality improvement
▪ Competency assurance
▪ Medical reviews & audits
▪ Insurance functions
▪ Business planning & administration
▪ General administrative activities
HIPAA Privacy Rule
48. 48
▪ Uses & disclosures without the need for patient authorization permitted in
some circumstances
▪ Required by law
▪ For public health activities
▪ About victims of abuse, neglect, or domestic violence
▪ For health oversight activities
▪ For judicial & administrative proceedings
▪ For law enforcement purposes
▪ About decedents
HIPAA Privacy Rule
49. 49
▪ Uses & disclosures without the need for patient authorization permitted in some
circumstances
▪ For cadaveric organ, eye, or tissue donation purposes
▪ For research purposes
▪ To avert a serious threat to health or safety
▪ For workers’ compensation
▪ For specialized government functions
▪ Military & veterans activities
▪ National security & intelligence activities
▪ Protective services for President & others
▪ Medical suitability determinations
▪ Correctional institutions
▪ CE that are government programs providing public benefits
HIPAA Privacy Rule
50. 50
▪ Control use and disclosure of PHI
▪ Notify patients of information practices (NPP, Notice of Privacy Practices)
▪ Specifies how CE can use and share PHI
▪ Specifies patient’s rights regarding their PHI
▪ Provide means for patients to access their own record
▪ Obtain authorization for non-TPO uses and disclosures
▪ Log disclosures
▪ Restrict use or disclosures
▪ Minimum necessary
▪ Privacy policy and practices
▪ Business Associate agreements
▪ Other applicable statutes
▪ Provide management oversight and response to minimize threats and breaches of privacy
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
Responsibilities of a Covered Entity
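The rules on slides 46, 48 and 49 (consent covers TPO, other purposes need individual authorization, a listed set of purposes needs neither) and the covered-entity duties on slide 50 (minimum necessary, patient-requested restrictions, logging disclosures) can be expressed as one decision gate. The following is an added example written for this page, not code from the author or from any HIPAA implementation; the purpose labels, the per-purpose field sets in MINIMUM_NECESSARY, the patient record and the requests are constructed assumptions. It fails closed: a purpose without a configured field set is refused rather than released in full.

```python
# Added example (not from the slides): a use/disclosure decision gate for a
# covered entity. Purpose labels, field sets and sample data are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone

TPO_PURPOSES = {"treatment", "payment", "health_care_operations"}

# A subset of the purposes the slides list as permitted without consent or
# authorization; the string labels are this example's own.
NO_AUTHORIZATION_PURPOSES = {
    "required_by_law", "public_health", "health_oversight",
    "law_enforcement", "avert_serious_threat", "workers_compensation",
}

# Minimum-necessary policy: the fields each purpose may receive. These sets
# are assumptions for the example, not values taken from the Rule.
MINIMUM_NECESSARY = {
    "treatment": {"mrn", "diagnosis", "medications", "allergies", "notes"},
    "payment": {"mrn", "dates_of_service", "procedure_codes", "charges"},
    "health_care_operations": {"diagnosis", "dates_of_service", "procedure_codes"},
    "public_health": {"diagnosis", "zip", "dates_of_service"},
    "required_by_law": {"mrn", "diagnosis", "dates_of_service"},
}


@dataclass
class Request:
    requester: str
    purpose: str
    fields: frozenset                      # fields the requester asks for
    consent: bool = False                  # individual consent on file (covers TPO)
    authorized_fields: frozenset = frozenset()  # fields named in a signed authorization


@dataclass
class Patient:
    patient_id: str
    record: dict
    restricted_purposes: set = field(default_factory=set)  # restrictions the CE agreed to


@dataclass
class Decision:
    permitted: bool
    basis: str
    released: dict


@dataclass
class DisclosureLogEntry:
    when: str
    patient_id: str
    requester: str
    purpose: str
    basis: str
    fields: tuple


def decide(patient, req, log):
    """Apply the slide's rule and the minimum-necessary filter; append a log
    entry for every disclosure that is actually made."""
    if req.purpose in patient.restricted_purposes:
        return Decision(False, "patient-requested restriction in effect", {})
    if req.purpose in TPO_PURPOSES:
        if not req.consent:
            return Decision(False, "TPO disclosure needs individual consent", {})
        basis, allowed = "individual consent (TPO)", MINIMUM_NECESSARY[req.purpose]
    elif req.purpose in NO_AUTHORIZATION_PURPOSES:
        allowed = MINIMUM_NECESSARY.get(req.purpose)
        if allowed is None:  # fail closed: no configured field set, no release
            return Decision(False, f"no minimum-necessary profile for {req.purpose}", {})
        basis = f"permitted without authorization ({req.purpose})"
    elif req.authorized_fields:
        basis, allowed = "individual authorization", req.authorized_fields
    else:
        return Decision(False, "non-TPO purpose needs individual authorization", {})
    released = {f: patient.record[f] for f in req.fields & set(allowed) if f in patient.record}
    log.append(DisclosureLogEntry(datetime.now(timezone.utc).isoformat(), patient.patient_id,
                                  req.requester, req.purpose, basis, tuple(sorted(released))))
    return Decision(True, basis, released)


def accounting_of_disclosures(log, patient_id):
    """Entries a patient could be given when asking who received their PHI."""
    return [e for e in log if e.patient_id == patient_id]


SAMPLE_PATIENT = Patient("P-001", {  # constructed sample, not real data
    "mrn": "MRN-0001", "name": "Jane Doe", "ssn": "123-45-6789",
    "diagnosis": "Type 2 diabetes", "medications": ["metformin"], "allergies": [],
    "notes": "stable", "dates_of_service": ["2020-09-13"], "procedure_codes": ["PROC-1"],
    "charges": 120.0, "zip": "55455",
}, restricted_purposes={"health_care_operations"})

if __name__ == "__main__":
    log = []
    print(decide(SAMPLE_PATIENT, Request("billing", "payment",
                                         frozenset({"mrn", "charges", "ssn"}), consent=True), log))
    print(accounting_of_disclosures(log, "P-001"))
```

The billing request above asks for the SSN but only receives the fields in the payment profile; a marketing request with neither consent nor authorization is refused; a research request releases exactly the fields named in the authorization; and every release is visible afterwards through accounting_of_disclosures.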
51. 51
▪ Individually identifiable health information collected and used solely for
research IS NOT PHI
▪ Researchers obtaining PHI from a CE must obtain the subject’s authorization
or must justify an exception:
▪ Waiver of authorization (obtain from the IRB)
▪ Limited Data Set (with data use agreement)
▪ De-identified Data Set
▪ HIPAA Privacy supplements the Common Rule and the FDA’s existing
protection for human subjects
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
HIPAA & Research
52. 52
▪ De-identified Data Set
▪ Remove all 18 personal identifiers of subjects, relatives, employers, or
household members
▪ OR biostatistician confirms that individual cannot be identified with the
available information
▪ Limited Data Set
▪ May include zip code, birthdate, date of death, date of service, geographic
subdivision
▪ Remove all other personal identifiers of subject, etc.
▪ Data Use Agreement signed by data recipient that there will be no attempt
to re-identify the subject
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
Research Datasets
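The two research datasets on the slide above differ only in which identifier categories from the "Personal Identifiers" list (slide 42) are removed. The following is an added example written for this page, not code from the author or from any de-identification tool; the field names, the free-text regular expressions and SAMPLE_RECORD are constructed assumptions. It produces both datasets from one record, scrubs identifier values that leaked into free-text notes, and runs a pre-release check that reports what is still present.

```python
# Added example (not from the slides): building a De-identified Data Set and a
# Limited Data Set from one patient record. Field names, the free-text patterns
# and SAMPLE_RECORD are this example's own assumptions.
import re
from copy import deepcopy

# Identifier fields, mapped from the categories on the "Personal Identifiers"
# slide (address is split into street address, zip and geographic subdivision;
# dates are split into the date fields this record layout uses).
IDENTIFIER_FIELDS = frozenset({
    "name", "address", "zip", "geographic_subdivision", "phone", "fax", "email",
    "ssn", "birthdate", "treatment_date", "date_of_service", "date_of_death",
    "mrn", "health_plan_id", "account_no", "license_no", "device_id",
    "vehicle_id", "drivers_license", "url", "ip_address", "biometric", "face_photo",
})

# Fields a Limited Data Set may keep, per the "Research Datasets" slide.
LIMITED_DATA_SET_RETAINED = frozenset({
    "zip", "geographic_subdivision", "birthdate", "date_of_death", "date_of_service",
})

# Identifiers that tend to leak into free text (assumed formats).
FREE_TEXT_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Doe", "address": "12 Example St", "zip": "55455",
    "geographic_subdivision": "Hennepin County", "phone": "612-555-0100",
    "email": "jane@example.org", "ssn": "123-45-6789", "birthdate": "1970-01-15",
    "date_of_service": "2020-09-13", "date_of_death": None, "mrn": "MRN-0001",
    "health_plan_id": "HP-77", "account_no": "ACC-9", "ip_address": "192.0.2.10",
    "diagnosis": "Type 2 diabetes", "lab_a1c": 7.4,
    "note": "Patient Jane Doe, call 612-555-0100 or jane@example.org; SSN 123-45-6789.",
}


def scrub_text(text, known_values=()):
    """Redact known identifier values first, then anything matching a pattern."""
    for value in known_values:
        text = text.replace(value, "[REDACTED]")
    for label, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label}]", text)
    return text


def _strip(record, fields_to_drop):
    """Drop the given fields and scrub their values out of remaining free text."""
    known = [str(record[f]) for f in fields_to_drop
             if record.get(f) and len(str(record[f])) >= 4]
    out = deepcopy(record)
    for f in fields_to_drop:
        out.pop(f, None)
    for f, v in out.items():
        if isinstance(v, str):
            out[f] = scrub_text(v, known)
    return out


def deidentify(record):
    """De-identified Data Set: remove every identifier category on the slide."""
    return _strip(record, IDENTIFIER_FIELDS)


def limited_data_set(record):
    """Limited Data Set: as deidentify(), but keep the fields the slide allows.
    Released only under a Data Use Agreement."""
    return _strip(record, IDENTIFIER_FIELDS - LIMITED_DATA_SET_RETAINED)


def residual_identifiers(record):
    """Pre-release check: identifier fields still holding a value, plus any
    free-text pattern hits. An empty list means nothing was found."""
    hits = [(f, "identifier field present") for f in sorted(IDENTIFIER_FIELDS)
            if record.get(f) is not None]
    for f, v in record.items():
        if isinstance(v, str):
            hits.extend((f, label) for label, p in FREE_TEXT_PATTERNS.items() if p.search(v))
    return hits


if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
    print(residual_identifiers(limited_data_set(SAMPLE_RECORD)))
```

Running the check on the Limited Data Set reports exactly the retained date and geography fields, which is the reason that dataset needs a data use agreement before release; running it on the de-identified set reports nothing.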
53. 53
▪ Assure the CE that all research-initiated HIPAA requirements have been met
▪ Provide letter of approval to the researcher to conduct research using PHI
▪ OR, Certify and document that waiver of authorization criteria have been
met
▪ Review and approve all authorizations and data use agreements
▪ Retain records documenting HIPAA actions for 6 years
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
IRB’s New Responsibilities
54. 54
▪ Establishes national standards to protect individuals’ electronic
PHI that is created, received, used, or maintained by a CE.
▪ Requires appropriate safeguards to ensure confidentiality, integrity
& security of electronic PHI
▪ Administrative safeguards
▪ Physical safeguards
▪ Technical safeguards
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
HIPAA Security Rule
55. 55
▪ Timeline
▪ August 12, 1998 Proposed Security Rule
▪ February 20, 2003 Final Security Rule
▪ April 21, 2005 Compliance Date for most CE
▪ Full Text
http://www.hhs.gov/ocr/privacy/hipaa/
administrative/securityrule/securityrulepdf.pdf
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
HIPAA Security Rule
56. 56
▪ The HIPAA Security Rule is:
▪ A set of information security “best practices”
▪ A minimum baseline for security
▪ An outline of what to do, and what procedures should be in place
▪ The HIPAA Security Rule is not:
▪ A set of specific instructions
▪ A set of rules for universal, unconditional implementation
▪ A document outlining specific implementations (vendors, equipment,
software, etc.)
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
HIPAA Security Rule: Meaning
57. 57
The HIPAA Security Rule is designed to be:
▪ Technology-neutral
▪ Scalable (doesn’t require all CEs to apply the same policies)
▪ Flexible (allows CEs to determine their own needs)
▪ Comprehensive (covers technical, business, and behavioral issues)
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
HIPAA Security Rule: Meaning
58. 58
▪ Many rules are either Required or Addressable
▪ Required:
▪ Compliance is mandatory
▪ Addressable:
▪ If a specification in the Rule is reasonable and appropriate for the CE, then
the CE must implement it
▪ Otherwise, the CE must document the reasons the specification cannot or will
not be implemented and, when necessary, implement an alternative
From a teaching slide in UMN’s Spring 2006 Health Informatics II class by Dr. David Pieczkiewicz
HIPAA Security Rule: Meaning
59. 59
▪ Breach notification
▪ Extension of complete Privacy & Security HIPAA provisions to
business associates of covered entities
▪ New rules for accounting of disclosures of a patient’s health
information
New Provisions in HITECH Act of 2009