HIPAA Privacy Rule

U.S. Department of Health Human Services (DHHS). 2003. OCR Privacy Brief Summary of the HIPAA Privacy Rule. Available at www.hhs.gov/ocr/privacy summary.pdf. 

From a pharmacy manager s perspective, it is essential to understand that HIPAA establishes transaction standards, security standards, and privacy standards for PHI. Transaction standards and security standards are concerned primarily with how data are handled and transmitted. In the day-to-day operation of pharmacy, a manager needs to understand and comply with the requirements for privacy standards. As stated in the summary of the HIPAA privacy rule ... 

The HIPAA privacy rule definition of a business associate and requirements regarding business associates are as follows ... 

One positive aspect is that the HIPAA Privacy Rule only applies to covered entities. Covered entities include health plans, health care clearinghouses (i.e., those companies that deal with the administrative and financial aspects of health care), and health care providers whose electronic transactions contain health information. Additionally, the Privacy Rule is somewhat less strict for public health authorities (PHAs). If the intended recipient of the PHI is a PHA and if that PHA is authorized by law to collect PHI in order to prevent disease, injury, or disability, then a disclosure can be made, provided the disclosure contains the minimum necessary information that the PHA requires to carry out its job effectively. Disclosures can also be made if the PHI recipient is a health care provider and the information is needed to perform adequate treatment. If the disclosure is to be used for anything besides treatment, research, for example, the disclosure cannot be made unless the patient gives the covered entity a signed authorization. ... 

Hodge, J., Brown, E., O Connell, J. (2004). The HIPAA Privacy Rule and hioterrorism planning, prevention, and response. Biosecurity and Bioterrorism Biodefense Strategy, Practice, and Science, 2(2), 75. 

Centers for Disease Control and Prevention. (2003). HIPAA privacy rule and public health. MMWR 52, 1-12. 

Given clinician concerns regarding patient privacy, the CDC has produced a document that summarizes the HIPAA Privacy Rule regarding reporting information to public health authorities (6). Although the HIPAA Privacy Rule does not require reporting, it allows healthcare organizations and clinicians to report protected health information (PHI) to public health officials. PHI includes individually identifiable health information transmissible electronically or in any other form. The three types of individually identifiable health information concern (6) ... 

All state laws require reporting of specific communicable diseases and unusual disease occurrences. The US Department of Health and Human Services (DHHS) recognizes the importance of sharing PHI to accomplish essential public health objectives (6). Therefore, the HIPAA Privacy rule expressly permits clinicians and hospitals to share PHI for public health purposes (6). Specifically, HIPAA allows covered entities, without individual authorization, to disclose PHI to a public... 

The HIPAA Privacy Rule defines public health authorities as agencies or authorities of the United States, states, territories, political subdivisions of states or territories, American Indian tribes, or an individual or entity acting under a grant of authority form such agencies and responsible for public health matters as part of an official mandate (6). Public health authorities include (6) ... 

Centers for Disease Control and Prevention. HIPAA Privacy Rule and Public Health. Guidance from the CDC and the U.S. Department of Health and Human Services. Morbidity and Mortality Weekly Report (MMWR), 52(Supp. 1) 1-12, May 2, 2003. Also at http //www. cdc.gOv/mmwr/preview/mmwrhtml/su5201al.htm (last accessed 3-18-06)... 

How is the HIPAA framework applicable for clinical research There are several different ways to disclose and use information for research including database research. There is nothing HIPAA and its application to research that is specific for databases. Each type of database research, whether it is in the creation of the database, the type of study using the database, the analysis, future analysis, etc., must be assessed with the same HIPAA privacy rules that apply to research, and the question must be asked, How would this apply to this database and what is the best mechanism in order to be able to disclose the information for research purposes ... 

It should be noted that according to the HIPAA privacy rules, in the final form when research has obtained valid consent or waiver of consent from an IRB prior to the enforcement date of April 14, 2003, the research may continue without requiring a HIPAA authorization. Therefore if subjects in a clinical trial gave their informed valid consent prior to that date, the data can be continued to be collected and analyzed after the... 

Where HIPAA requirements are combined with the informed consent requirements, the entire document needs to be reviewed by the Institutional Review Board (IRB). The Office of Civil Rights as well as the FDA s General Counsel, as of April 7, 2003, had confirmed that IRB approval of subject authorization for use or disclosure of protected health information required by the HIPAA privacy rule is only required if the authorization language is to be part of the IRB approved informed consent document for human subjects review. 

Protected health information is information used to identify a patient. This information relates to a patient s health status, a patient s health care, or payment for the patient s health care. The use or disclosure of protected health information is limited by HIPAA. The HIPAA privacy rules apply to pharmacies because they provide treatment and/or they submit claims for payment for health care services. 

Jastone, L.O., Federal Protection for Human Research Subjects An Analysis of the Common Rule and its Interactions unth FDA Regulations and the HIPAA Privacy Rule (New York, Novinka Books, 2006). 

---