Big Chemical Encyclopedia


Covered entity

Pharmacies are affected by these rules in two ways. Pharmacies, by definition, deal with PHI (e.g., a prescription itself is PHI). If the pharmacy uses a computer, the information is then electronic and is known as ePHI (Barlas, 2004). HIPAA protects all individually identifiable health information held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral (DHHS, 2003). This covered information includes demographic data, including the individual's physical or mental health (past, present, or future), the health care provided to the individual, and payment information, and common identifiers (e.g., name, address, birth date, and Social Security Number) that can be used to identify the individual. Pharmacies must have numerous policies and procedures in place to be in compliance with the HIPAA mandates. These include conducting risk assessments, appointing security and privacy officers to ensure compliance, and implementing policies and procedures to detect and prevent security violations. [Pg.495]

Who is covered by the privacy rule? The privacy rule considers health plans, health care providers, and health care clearinghouses as covered entities. Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity (DHHS, 2003b). This definition includes pharmacies. [Pg.510]

The Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information... [Pg.510]

What must the covered entity do to protect information? Every covered entity must have an individual designated as the facility's privacy officer, a person who is charged with the responsibility of keeping the site in compliance with HIPAA. Essentially, a covered entity may not release or disclose PHI except as allowed under the privacy rule. The following subsections summarize briefly what a pharmacy manager (a person who also may be the privacy officer) must be aware of. [Pg.510]

Business Associate Defined. In general, a business associate is a person or organization, other than a member of a covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. [Pg.511]

Business Associate Contract. When a covered entity uses a contractor or other non-workforce member to perform business associate services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement (in certain circumstances governmental entities may use alternative means to achieve the same protections). In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule [DHHS, 2003b],... [Pg.511]

Patient Authorization Required for Release of PHI. A pharmacy, as a covered entity, needs to obtain a patient's written authorization for any disclosure or use... [Pg.511]

Remember, though, that de-identification of information is not necessary between covered entities involved in a patient's care. De-identification is also not necessary between a covered entity and a business associate with which the covered entity has a business associate contract. [Pg.512]

U.S. Department of Health and Human Services (DHHS). 2003a. Covered Entity Decision Tools, Centers for Medicare and Medicaid Services, modified July 24, 2003; available at www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp. [Pg.517]

Any other unique characteristic, code, or number that could be used to identify the patient. However, a covered entity can assign a new code to a patient once that patient has been de-identified that would allow for subsequent re-identification provided that code is not derived from any related identifying code (e.g., social security number) and that the covered entity does not disclose the method by which the de-identified person can be re-identified. ... [Pg.48]

If a researcher who is in any way affiliated with a covered entity, or will be receiving his data from a covered entity, like a hospital, wishes to use information from a patient or set of patients that includes information that falls under any of the above 18 categories, then they must obtain either signed consent from the patient or a waiver from an Internal Review Board. These steps are required for each patient and for each study, regardless of whether the patient is living or dead. ... [Pg.48]

One positive aspect is that the HIPAA Privacy Rule only applies to covered entities. Covered entities include health plans, health care clearinghouses (i.e., those companies that deal with the administrative and financial aspects of health care), and health care providers whose electronic transactions contain health information. Additionally, the Privacy Rule is somewhat less strict for public health authorities (PHAs). If the intended recipient of the PHI is a PHA and if that PHA is authorized by law to collect PHI in order to prevent disease, injury, or disability, then a disclosure can be made, provided the disclosure contains the minimum necessary information that the PHA requires to carry out its job effectively. Disclosures can also be made if the PHI recipient is a health care provider and the information is needed to perform adequate treatment. If the disclosure is to be used for anything besides treatment, research, for example, the disclosure cannot be made unless the patient gives the covered entity a signed authorization. ... [Pg.48]

All state laws require reporting of specific communicable diseases and unusual disease occurrences. The US Department of Health and Human Services (DHHS) recognizes the importance of sharing PHI to accomplish essential public health objectives (6). Therefore, the HIPAA Privacy rule expressly permits clinicians and hospitals to share PHI for public health purposes (6). Specifically, HIPAA allows covered entities, without individual authorization, to disclose PHI to a public... [Pg.223]

Without individual authorization, covered entities may also disclose PHI to any person who may have been exposed to a communicable disease or may be at risk for contracting or spreading a disease or condition, when legally authorized to notify the person as necessary to conduct a public health intervention or investigation. Covered entities include (6) ... [Pg.225]

Health care providers, defined as a provider of healthcare services and any other person or organization that furnishes, bills, or is paid for health care in the normal course of business. Healthcare providers, such as physicians, hospitals, and clinics, are covered entities if they transmit health information in electronic form in connection with a transaction for which a HIPAA standard has been adopted by DHHS. ... [Pg.225]

The European Union's Directive on Data Protection bars the movement of personal data to countries that do not have sufficient data privacy laws in place. Additionally, the US Health Insurance Portability and Accountability Act (HIPAA) sets national standards for the protection of health information, as applied to the three types of covered entities: health plans, healthcare clearinghouses, and healthcare providers who conduct certain healthcare transactions electronically (HHS OCR HIPAA Privacy, 2003). This law was enacted in recognition of the fact that advances in... [Pg.554]

In the United States, federal legislation called the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to make patient information more strictly protected than before. Although most pharmaceutical companies have limited access to patient names and other health information, any patient information must be carefully guarded to avoid violation of HIPAA statutes, which address the use and disclosure of individuals' medical information by covered entities, and set standards for individuals' rights to control the use of their medical information. Violations can result in fines and/or, in some instances, imprisonment. [Pg.601]

In 1996, the DHHS passed the Health Insurance Portability and Accountability Act (HIPAA) to facilitate the sharing of information while protecting patient confidentiality (medical records); subsequently, associated privacy regulations were issued in 2000 (Privacy Rule). Amendments to the Privacy Rule were proposed on March 27, 2002, to address research-related situations, and become effective on April 14, 2003. In essence, the Privacy Rule is the governing law for the use and disclosure of individually identifiable protected health information (PHI) by covered entities, defined as health care providers, health plans, or health clearing houses. HIPAA-compliant consents that include elements specified in federal regulations (45 CFR 164.508) will have to be provided by covered entities that carry out the activities of health care payment, treatment, or operations (PTO). Clinical research-related uses and/or disclosures of PHI beyond PTO will require that a specifically defined authorization be obtained from a research subject. HIPAA-compliant authorizations will have to include the following core elements ... [Pg.433]

Anything that is not a covered entity, e.g., pharmaceutical, biotech, or medical device companies or contract research organizations, typically are not covered entities. It is possible that a large organization may have a health clinic, or an infirmary on site, or there may be doctors there who may provide services, and those services may be billed to an insurer under those circumstances. It is possible that that part of a pharmaceutical or contract research organization is a covered entity. But for the most part, pharmaceutical companies, medical device companies, and contract research organizations are not health care providers, plans, or clearinghouses. [Pg.480]

A single consolidated authorization for the subject, which includes needed authorization for access to data for the clinical trial, can be included with the covered entities' authorizations for subject privacy, according to the HIPAA regulations. The drug sponsor's access to the needed data is best handled by a separate authorization from each subject for each clinical trial. In addition, a special authorization for subjects is needed for the release of records that involve psychotherapy notes. Drug sponsors should be sure that a special authorization is available for the drug sponsor's access to psychotherapy notes to complete the trial successfully. [Pg.482]

In cases where IRBs are not responsible for reviewing, the HIPAA Authorization Privacy Board may be formed to undertake this task. Members of privacy boards should have varying backgrounds and appropriate professional competence. At least one member must not be affiliated with the covered entity or research sponsor. As with the IRB, there must be no conflicts of interest on a case-by-case basis. A quorum consists of a majority of members. Expedited review by the chairperson or designees is allowed for the waiver of authorization. [Pg.484]

Similarly, existing databases or repositories created prior to the April 14, 2003, compliance date can be disclosed for research either with individual authorizations or with a waiver from either the IRB or the Privacy Board. Approval from both the IRB and the Privacy Board is not required for the covered entity. [Pg.485]

The covered entity's workforce can use protected health information to identify and contact prospective research subjects. The covered entity's health care provider can discuss the enrollment in a clinical trial with a potential subject before authorization is completed or there has been an Institutional Review Board or Privacy Board waiver of authorization. A clinician may use or disclose the PHI if such information is being used to treat the subject or using an experimental treatment that may benefit a subject. However, at no time can the research health care provider remove the protected data from the covered entity's site according to the HIPAA requirements. [Pg.485]

If a researcher is not employed by the covered entity, the researcher can still have access to the protected information as a result of a partial waiver of individual authorization by an IRB or Privacy Board. [Pg.485]

Deidentification requires the covered entity to retain individual(s) who have experience using methods with generally accepted statistical and scientific principles and methods that mask identifying characteristics of information to assure that the information is not individually identifiable. For example, statisticians use scientific principles and methodology in statistical analysis. [Pg.485]

Specific permitted uses and disclosures of the limited data set by the recipient consistent with the purpose for which it was disclosed (a data use agreement cannot authorize the recipient to use or further disclose the information in a way that, if done by the covered entity, would violate the privacy rule). [Pg.254]

THE NOTION OF THE COVERED ENTITY, LIMITED DATA SET, AND DATA USE AGREEMENT... [Pg.255]

Surprisingly, the HIPAA rule permits a covered entity (a person) to have access to health information for research purposes, without obtaining an authorization or documentation of a waiver or an alteration of authorization, to use and disclose PHI included in a limited data set. A covered entity may use and disclose a limited data set for research activities conducted by the covered entity itself, another covered entity, or a researcher who is not a covered entity if the disclosing covered entity and the limited data set recipient enter into a data use agreement. Limited data sets may be used or disclosed only for purposes of research, public health, or healthcare operations. Should the patient find this objectionable, it may be possible to formulate reform such that a patient may still contribute anonymized records to an archive of Anonymous Record Contributions (see Chapter 5) ... [Pg.255]

A Data Use Agreement refers to an agreement into which the covered entity enters with the intended recipient of a limited data set that establishes the ways in which the information in the limited data set may be used, and how it will be protected. [Pg.255]

When protected health information is used for any purpose not generally associated with the treatment, payment, or health care operations of the covered entity, authorizations and acknowledgements from the patient must be obtained. Covered entities include health plans, clearinghouses, and health care providers. Health care providers include pharmacists and pharmacies. The general rule is health care providers must obtain patient consent prior to using or disclosing protected health information to carry out treatment, payment, or health care operations. [Pg.176]

Notify patient that covered entity is not required to agree to requested restrictions. [Pg.177]

Statement that covered entity will not condition treatment, payment, enrollment, or eligibility on patient's grant of authorization. [Pg.178]

No limitation on the right of a covered entity to use or disclose protected health information as required by law or to avert a serious threat to health and safety. [Pg.178]

If the covered entity knows that patient has revoked the authorization. [Pg.179]



© 2024 chempedia.info