Privacy Rule

U.S. Department of Health Human Services (DHHS). 2003. OCR Privacy Brief Summary of the HIPAA Privacy Rule. Available at www.hhs.gov/ocr/privacy summary.pdf. 

From a pharmacy manager s perspective, it is essential to understand that HIPAA establishes transaction standards, security standards, and privacy standards for PHI. Transaction standards and security standards are concerned primarily with how data are handled and transmitted. In the day-to-day operation of pharmacy, a manager needs to understand and comply with the requirements for privacy standards. As stated in the summary of the HIPAA privacy rule ... 

Who is covered by the privacy rule The privacy rule considers health plans, health care providers, and health care clearinghouses as covered entities. Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity (DHHS, 2003b). This definition includes pharmacies. 

The Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information... 

What must the covered entity do to protect information Every covered entity must have an individual designated as the facility s privacy officer —a person who is charged with the responsibility of keeping the site in compliance with HIPAA. Essentially, a covered entity may not release or disclose PHI except as allowed under the privacy rule. The following subsections summarize briefly what a pharmacy manager (a person who also may be the privacy officer) must be aware of. 

The HIPAA privacy rule definition of a business associate and requirements regarding business associates are as follows ... 

Unfortunately, as with all things, HIPAA came with a few unintended consequences. HIPAA s intention was to prevent citizens from losing their insurance coverage as a result of new medical information discovered in the course of regular doctor s appointments or research. However, the impact of the Privacy Rule on researchers is to make it much more difficult to do fieldwork or even to mine existing data sets. Any data set that includes one of the 18 PHI markers mentioned in the Privacy Rule must follow HIPAA guidelines to progress. The 18... 

One positive aspect is that the HIPAA Privacy Rule only applies to covered entities. Covered entities include health plans, health care clearinghouses (i.e., those companies that deal with the administrative and financial aspects of health care), and health care providers whose electronic transactions contain health information. Additionally, the Privacy Rule is somewhat less strict for public health authorities (PHAs). If the intended recipient of the PHI is a PHA and if that PHA is authorized by law to collect PHI in order to prevent disease, injury, or disability, then a disclosure can be made, provided the disclosure contains the minimum necessary information that the PHA requires to carry out its job effectively. Disclosures can also be made if the PHI recipient is a health care provider and the information is needed to perform adequate treatment. If the disclosure is to be used for anything besides treatment, research, for example, the disclosure cannot be made unless the patient gives the covered entity a signed authorization. ... 

Hodge, J., Brown, E., O Connell, J. (2004). The HIPAA Privacy Rule and hioterrorism planning, prevention, and response. Biosecurity and Bioterrorism Biodefense Strategy, Practice, and Science, 2(2), 75. 

Centers for Disease Control and Prevention. (2003). HIPAA privacy rule and public health. MMWR 52, 1-12. 

Given clinician concerns regarding patient privacy, the CDC has produced a document that summarizes the HIPAA Privacy Rule regarding reporting information to public health authorities (6). Although the HIPAA Privacy Rule does not require reporting, it allows healthcare organizations and clinicians to report protected health information (PHI) to public health officials. PHI includes individually identifiable health information transmissible electronically or in any other form. The three types of individually identifiable health information concern (6) ... 

All state laws require reporting of specific communicable diseases and unusual disease occurrences. The US Department of Health and Human Services (DHHS) recognizes the importance of sharing PHI to accomplish essential public health objectives (6). Therefore, the HIPAA Privacy rule expressly permits clinicians and hospitals to share PHI for public health purposes (6). Specifically, HIPAA allows covered entities, without individual authorization, to disclose PHI to a public... 

The HIPAA Privacy Rule defines public health authorities as agencies or authorities of the United States, states, territories, political subdivisions of states or territories, American Indian tribes, or an individual or entity acting under a grant of authority form such agencies and responsible for public health matters as part of an official mandate (6). Public health authorities include (6) ... 

Centers for Disease Control and Prevention. HIPAA Privacy Rule and Public Health. Guidance from the CDC and the U.S. Department of Health and Human Services. Morbidity and Mortality Weekly Report (MMWR), 52(Supp. 1) 1-12, May 2, 2003. Also at http //www. cdc.gOv/mmwr/preview/mmwrhtml/su5201al.htm (last accessed 3-18-06)... 

In 1996, the DHHS passed the Health Insurance Portability and Accountability Act (HIPAA) to facilitate the sharing of information while protecting patient confidentiality (medical records) subsequently, associated privacy regulations were issued in 2000 (Privacy Rule). Amendments to the Privacy Rule were proposed on March 27, 2002, to address research-related situations, and become effective on April 14, 2003. In essence, the Privacy Rule is the governing law for the use and disclosure of individually identifiable protected health information (PHI) by covered entities, defined as health care providers, health plans, or health clearing houses. HIPAA-compliant consents that include elements specified in federal regulations (45 CFR 164.508) will have to be provided by covered entities that carry out the activities of health care payment, treatment, or operations (PTO). Clinical research-related uses and/or disclosures of PHI beyond PTO will require that a specifically defined authorization be obtained from a research subject. HIPAA-compliant authorizations will have to include the following core elements ... 

Two logistical aspects of the Privacy Rule authorization should be noted. First, grandfather clauses will be implemented for research studies that began prior to the Privacy Rule s compliance date (April 14, 2003). Second, it should be noted that an IRB may approve a waiver of authorization if the use or disclosure of PHI would involve no more than minimal risk to subjects and if the IRB judges it impractical to conduct the research without the waiver and without access to the PHI. 

HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. HIPAA evolved as a result of the rapid evolution of health information systems technology as well as the challenges for maintaining the confidentiality of health information. HIPAA was introduced initially as the Kennedy-Kassebaum bill, an outgrowth of the Clinton administration s attempt to revamp the health care system. The result in HIPAA was an effort to streamline and standardize the health care system and to establish the privacy of subject information. The result of this effort was the issuance of the final HIPAA rules in August, 2002, which establish the requirements that prevent the disclosure of individually identifiable health information (Privacy Rule) (1) without authorization from the subject. An accidental posting of individuals health records and fraudulent use of medical records precipitated the passage of HIPAA. 

HIPAA and the Administration Simplification Provisions cover the electronic transactions and code sets, national identifiers for plans and providers, and employers and will include subjects, security, and privacy provisions that were intended to balance the simplification of the transaction and identifiers. The HIPAA privacy regulations are in Title 45 of the Code of Federal Regulations. Those who work in research and are familiar with the common rule, IRB, and informed consent regulations, also in Title 45, part 46. Administrative simplification and privacy rules can be found in Title 45, parts 160 and 164. 

HIPAA also allows for the creation of hybrid entities when certain parts of the entity are not engaged in the covered activities. However, research components of these hybrid entities that function as health care providers and engage in standard electronic transactions are subject to the privacy rule. 

HIPAA applies to the use or disclosure of health information. The following are among the items considered to be part of the privacy rule ... 

How is the HIPAA framework applicable for clinical research There are several different ways to disclose and use information for research including database research. There is nothing HIPAA and its application to research that is specific for databases. Each type of database research, whether it is in the creation of the database, the type of study using the database, the analysis, future analysis, etc., must be assessed with the same HIPAA privacy rules that apply to research, and the question must be asked, How would this apply to this database and what is the best mechanism in order to be able to disclose the information for research purposes ... 

It should be noted that according to the HIPAA privacy rules, in the final form when research has obtained valid consent or waiver of consent from an IRB prior to the enforcement date of April 14, 2003, the research may continue without requiring a HIPAA authorization. Therefore if subjects in a clinical trial gave their informed valid consent prior to that date, the data can be continued to be collected and analyzed after the... 

Where HIPAA requirements are combined with the informed consent requirements, the entire document needs to be reviewed by the Institutional Review Board (IRB). The Office of Civil Rights as well as the FDA s General Counsel, as of April 7, 2003, had confirmed that IRB approval of subject authorization for use or disclosure of protected health information required by the HIPAA privacy rule is only required if the authorization language is to be part of the IRB approved informed consent document for human subjects review. 

A research database using protected health information may be created by a noncovered entity without individuals authorizations. Documentation must be obtained from the IRB or the Privacy Board that the specified waiver criteria were satisfied. This database could then be used or disclosed for future research studies as permitted by the Privacy Rule. Specifically, the database can be used as the basis for future research in which individual authorization has been obtained or where the IRB or Privacy Board grants a waiver. 

Privacy Rule guidance posted on the website for the NIH, which was approved by the Office of... 

Specific permitted uses and disclosures of the limited data set by the recipient consistent with the purpose for which it was disclosed (a data use agreement cannot authorize the recipient to use or further disclose the information in a way that, if done by the covered entity, would violate the privacy rule). 

A limited data set is described as health information that excludes certain, listed direct identifiers as shown below but that may include city, state, zip code, elements of date, and other numbers, characteristics, or codes not listed as direct identifiers. The direct identifiers listed in the privacy rule s limited data set provisions apply both to information about the individual and to information about the individual s relatives, employers, or household members. 

---