Protected Health Information

If individual identifiers are removed from the samples and medical records, these de-identified records and materials are not considered "protected health information" under the Privacy Regulations of the Health... 

A survey conducted by the Medical Records Institute in 2002 on health care practitioners concerns with the implementation of mobile technology devices and applications cited security/confidentiality when sending or receiving information and the lack of Health Information Portability and Accountability Act (HIPAA) compliance as primary concerns by 50 and 34 percent of respondents, respectively. Confidentiality and security of information against unauthorized access must be HIPAA-compliant. A number of systems are available that can help a pharmacy organization to remain in compliance with HIPAA regulations. Pharmacists are required by law to use reasonable methods to ensure that protected health information remains... 

The release of a patient s protected health information constitutes the unauthorized release of confidential records. 

Business Associate Contract. When a covered entity uses a contractor or other non workforce member to perform business associate services or activities, the Rule requires that the covered entity include certain protections for the information in a business associate agreement (in certain circumstances governmental entities may use alternative means to achieve the same protections). In the business associate contract, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates. Moreover, a covered entity may not contractually authorize its business associate to make any use or disclosure of protected health information that would violate the Rule [DHHS, 2003b],... 

Ibid. 164.514. Other requirements relating to nses and disclosures of protected health information. 

Given clinician concerns regarding patient privacy, the CDC has produced a document that summarizes the HIPAA Privacy Rule regarding reporting information to public health authorities (6). Although the HIPAA Privacy Rule does not require reporting, it allows healthcare organizations and clinicians to report protected health information (PHI) to public health officials. PHI includes individually identifiable health information transmissible electronically or in any other form. The three types of individually identifiable health information concern (6) ... 

In 1996, the DHHS passed the Health Insurance Portability and Accountability Act (HIPAA) to facilitate the sharing of information while protecting patient confidentiality (medical records) subsequently, associated privacy regulations were issued in 2000 (Privacy Rule). Amendments to the Privacy Rule were proposed on March 27, 2002, to address research-related situations, and become effective on April 14, 2003. In essence, the Privacy Rule is the governing law for the use and disclosure of individually identifiable protected health information (PHI) by covered entities, defined as health care providers, health plans, or health clearing houses. HIPAA-compliant consents that include elements specified in federal regulations (45 CFR 164.508) will have to be provided by covered entities that carry out the activities of health care payment, treatment, or operations (PTO). Clinical research-related uses and/or disclosures of PHI beyond PTO will require that a specifically defined authorization be obtained from a research subject. HIPAA-compliant authorizations will have to include the following core elements ... 

V. PROTECTED HEALTH INFORMATION (PHI) AUTHORIZATION FOR CLINICAL TRIALS... 

Where HIPAA requirements are combined with the informed consent requirements, the entire document needs to be reviewed by the Institutional Review Board (IRB). The Office of Civil Rights as well as the FDA s General Counsel, as of April 7, 2003, had confirmed that IRB approval of subject authorization for use or disclosure of protected health information required by the HIPAA privacy rule is only required if the authorization language is to be part of the IRB approved informed consent document for human subjects review. 

IRBs are also permitted to waive authorization requirements for a drug sponsor using expedited review procedures permitted by the Common Rule. Expedited review is permitted for each on-going research protocol when the only addition is that of the subject authorization for the use or disclosure of protected health information. This waiver may be permitted to a researcher when the research is not possible without the waiver. The IRB must assure that an adequate plan is available to protect identifiers and to be sure that the identifiers are destroyed at the earliest possible date. 

The use or disclosure of protected health information involves no more than a minimal risk to the privacy of the individual. 

The research could not practicably be conducted without access to and use of the protected health information (PHI). 

A research database using protected health information may be created by a noncovered entity without individuals authorizations. Documentation must be obtained from the IRB or the Privacy Board that the specified waiver criteria were satisfied. This database could then be used or disclosed for future research studies as permitted by the Privacy Rule. Specifically, the database can be used as the basis for future research in which individual authorization has been obtained or where the IRB or Privacy Board grants a waiver. 

The covered entity s workforce can use protected health information to identify and contact prospective research subjects. The covered entity s health care provider can discuss the enrollment in a clinical trial with a potential subject before authorization is completed or there has been an Institutional Review Board or Privacy Board waiver of authorization. A clinician may use or disclose the PHI if such information is being used to treat the subject or using an experimental treatment that may benefit a subject. However, at no time can the research health care provider remove the protected data from the covered entity s site according to the HIPAA requirements. 

Indeed typically the strongest of a patient s concerns is vague and ill formed. As also discussed below, if the privacy of health-related information, such as the Protected Health Information (PHI) defined by the Health Insurance Portability and Accountability Act (HIPAA) enacted by the US Congress in 1996, is compromised, we could be talking about a bankruptcy of a financially healthy institution or a prosecution of senior executives of the institution. The biggest challenge with privacy compliance is limiting the use of personal information to the purposes stated at the time of collection. 

In any event, the problem of encoding key identification remains the same, whatever we do with them. The US statutory law for protection of personal privacy, namely HIPAA defines 17 specific personal information items as protected health information (PHI). Protected, by the federal law, has a catch-all other categories of information as protected health information (PHI 18) to prevent an individual from being re-identified based on other nonpersonal information that can be used as a link to a particular person. The 17 PHI must be de-identified to comply with the federal law, which came into effect on April 1,2003. HIPAA, in general, was not enforced until April 15,2005, and calls for compliance by all healthcare organizational entities in the United States. 

General rules for anonymization of the Protected Health Information defined by HIPAA are described below to give you a sense of the 18 PHI elements and how they can be anonymized for de-identification process. The term de-identification is a legal term to indicate that provisions have been made to prevent someone from being identified. Therefore any information directly attributed to a specific individual needs to be removed or obfuscated, as well as any other information that can be used to identify the individual, even if the information is not a personal information (this is precisely what the PHI element 18, other, is all about) ... 

Protected health information is information used to identify a patient. This information relates to a patient s health status, a patient s health care, or payment for the patient s health care. The use or disclosure of protected health information is limited by HIPAA. The HIPAA privacy rules apply to pharmacies because they provide treatment and/or they submit claims for payment for health care services. 

Request amendments to their protected health information. 

When protected health information is used for any purpose not generally associated with the treatment, payment, or health care operations of the covered entity, authorizations and acknowledgements from the patient must he obtained. Covered entities include health plans, clearinghouses, and health care providers. Health care providers include pharmacists and pharmacies. The general rule is health care providers must obtain patient consent prior to using or disclosing protected health information to carry out treatment, payment, or health care operations. 

Usg of Protected Health Information Without Patient Consent ... 

Health care providers may use protected health information without patient consent under the following conditions ... 

Inform the patient that protected health information may be used and disclosed to carry out treatment, payment, or health care operations. 

Refer the patient to the entity s Notice of Privacy Practice. Each entity must establish a notice of privacy practice that advises the patient how, where, and when his or her protected health information will be used. 

Inform the patient of the right to request restrictions on the use and disclosure of protected health information. 

Consents must be signed and dated by the patient and be kept on file for at least 6 years from the date signed. These may be stored electronically and may be a condition of treatment. Health care providers may condition treatment upon the patient s consent to the use and/or disclosure of protected health information. Health plans may condition enrollment in the plan upon patient s consent to the use and/or disclosure of protected health information. The use of a patient s health information is essential to the appropriate treatment and care of the patient. It is also necessary for the payment for the care and treatment of the patient. There is a limit on the use of psychotherapy notes. The notes can be used only for treatment of the patient by the note taker, in legal action, or for the health and safety of the patient. The consent cannot be combined with the notice of privacy practice but... 

If an entity intends to nse protected health information for a reason... 

Patient s right to inspect or copy the protected health information to be used or disclosed. 

No limitation on the right of a covered entity to use or disclose protected health information as required by law or to avert a serious threat to health and safety. 

Penalties for civil violations 100 per offense with a cap at 25,000 in a calendar year. Criminal violations Up to 50,000 and 1 year prison if person knowingly obtains or discloses protected health information. Up to 100,000 and 5 years prison if person obtains protected health information imder false pretenses. Up to 250,000 and 10 years if person obtains or discloses protected health information with intent to sell, transfer, or use information for personal gain or malicious harm. 

---