Health Care Privacy Compliance Handbook
Copyright © 2011 by the Health Care Compliance Association. All rights reserved.
No part of this publication may be reproduced or transmitted by any means,
electronic or mechanical, including photocopying and transmittal by fax, without
prior written permission of the Health Care Compliance Association.
ISBN: 978-0-9778430-6-0
CONTENTS

Contributors, iv

2 Breach Notification, 17
By John Falcetano
The 1395x(s) reference includes seventeen services with dozens of subsets and clarifications, while the 1395x(u) says “hospital, critical access hospital, skilled nursing facility, comprehensive outpatient

• A health maintenance organization (as defined in section 2791(b) of the Public Health Service Act).

• The Federal Employees Health Benefit Plan under chapter 89 of title 5, United States Code.

Clearinghouse. This type of entity was included so that those who provide electronic translations for health care entities have to live up to the same privacy and security standards. A clearinghouse may be a public or private entity that processes or facilitates the processing of nonstandard data

Organized Health Care Arrangement (OHCA). Typically an OHCA is a clinically integrated care setting where individuals receive health care from more than one health care provider. The definition also applies when more than one CE participate in care but hold themselves out to the public as participating in a joint arrangement. An OHCA must also participate in joint activities and do one of the following: utilization review;
There is still much debate on how to perform due diligence in knowing if a BA is abiding by the Privacy Rule.

NOTE: The BA language and amendments have probably been overused. In the maturation of the industry, the early stages were fraught with inserting BA language in everything. This was reasonable, as the industry had no clear idea of how penalties would work. Everyone was overcautious and leapt into BA language “just in case.” There were even legal debates over whose BA language to use and which party was the BA. Sadly, many institutions did not fully grasp the intent of the rule and applicability. This was understandable, as most health care entities had only established privacy officers in 2002/3 and, all too frequently, only as “other duties.” Additionally, the requirement that they “use or disclose on behalf of the CE” caused debate. As an industry, we have learned a lot since the Privacy Rule implementation. Risk aversion is now more properly allocated where contracts are concerned and the early overzealousness is calming.

The second part is determined by comparing the entities’ electronic transmission and if they meet any of the following:

• Health claims or equivalent encounter information

• Health claim status

• Referral certification and authorization.

There are HIPAA Transaction and Code Set Rules that outline the formats and taxonomies for these transactions.

Covered Data: Information, Health Information, Individually Identifiable Health Information, and Protected Health Information

Once it is determined that an entity meets the HIPAA CE definition, the entity must identify what information is covered, “in any format,” document where it resides, and how it utilizes the information beyond the initial transaction.

It is important that a privacy program be based on the information, yet in many cases it is buried within larger data sets. The following graphic may help.

[Graphic: nested categories, outermost to innermost: All Information; Health Information; Individually Identifiable Health Information; Protected Health Information; EPHI. Transactions are shown alongside.]
• Geographic subdivisions smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

–– The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

–– The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000

• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of

• Biometric identifiers, including finger and voice prints

• Full face photographic images and any comparable images; and

• Any other unique identifying number, characteristic, or code, except as permitted; and

–– The CE does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

Limited data set. A CE may use or disclose a limited data set if the CE enters into a data use
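The generalization rules listed above, applied to a single patient record in Python, as an added example that is not part of the handbook: direct identifiers are dropped, a zip code is cut to three digits or replaced by 000 when its prefix covers 20,000 or fewer people, dates keep only the year, and ages over 89 collapse into the “90 or older” category (that aggregation category comes from the Safe Harbor rule itself, not from this page). The field names, the sample record and the small-population zip prefixes are constructed for the example; a real deployment takes the prefix table from the Bureau of the Census data the text refers to.

```python
from __future__ import annotations

import re
from datetime import date
from typing import Any

# Field names (constructed for this example) holding identifiers that must be
# removed outright: names, SSN, record/plan/account numbers, contact data,
# device and vehicle identifiers, URLs, IP addresses, biometrics, photos and
# "any other unique identifying number, characteristic, or code".
DIRECT_IDENTIFIERS = {
    "name", "ssn", "medical_record_number", "health_plan_id", "account_number",
    "certificate_number", "vehicle_id", "device_serial", "url", "ip_address",
    "phone", "fax", "email", "biometric_id", "photo", "other_unique_code",
}

# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "date_of_death"}

# Constructed sample of three-digit zip prefixes whose combined population is
# 20,000 or fewer. Assumption for the example only; the real table is derived
# from the current Bureau of the Census figures.
SMALL_ZIP3_AREAS = frozenset({"036", "059", "102"})


def generalize_zip(zip_code: str,
                   small_areas: frozenset[str] = SMALL_ZIP3_AREAS) -> str | None:
    """Keep the first three digits of a 5-digit or ZIP+4 code, or return
    '000' when that prefix covers 20,000 or fewer people. Anything that is
    not a zip code yields None so the caller drops the field instead of
    passing junk through."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) not in (5, 9):
        return None
    prefix = digits[:3]
    return "000" if prefix in small_areas else prefix


def age_on(birth: date, reference: date) -> int:
    """Whole years between birth and reference, accounting for the birthday
    not yet having occurred in the reference year."""
    years = reference.year - birth.year
    if (reference.month, reference.day) < (birth.month, birth.day):
        years -= 1
    return years


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into the single category '90+'."""
    return "90+" if age > 89 else str(age)


def deidentify(record: dict[str, Any], reference: date,
               small_areas: frozenset[str] = SMALL_ZIP3_AREAS
               ) -> tuple[dict[str, Any], list[str]]:
    """Return (de-identified copy, names of fields removed).

    Direct identifiers are removed; zip is generalized; dates keep only the
    year, and for anyone over 89 the birth year is removed as well because it
    is indicative of such an age; age is capped at '90+'. Other fields pass
    through. The 'no actual knowledge' condition in the text is a human
    judgement the code cannot make."""
    out: dict[str, Any] = {}
    removed: list[str] = []
    birth = record.get("birth_date")
    over_89 = isinstance(birth, date) and age_on(birth, reference) > 89

    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            removed.append(field)
        elif field == "zip":
            prefix = generalize_zip(str(value), small_areas)
            if prefix is None:
                removed.append(field)
            else:
                out[field] = prefix
        elif field in DATE_FIELDS:
            if not isinstance(value, date) or (field == "birth_date" and over_89):
                removed.append(field)
            else:
                out[field] = value.year
        elif field == "age":
            out[field] = generalize_age(int(value))
        else:
            out[field] = value
    return out, removed


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Example",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-12345",
    "email": "jane@example.org",
    "zip": "03601-1234",
    "birth_date": date(1920, 5, 3),
    "admission_date": date(2010, 11, 15),
    "discharge_date": date(2010, 11, 20),
    "age": 90,
    "diagnosis_code": "E11.9",
    "state": "NH",
}


def demo() -> tuple[dict[str, Any], list[str]]:
    """Run the sample through the Safe Harbor generalization."""
    return deidentify(SAMPLE_RECORD, reference=date(2011, 1, 1))


if __name__ == "__main__":
    clean, dropped = demo()
    print("kept:", clean)
    print("removed:", dropped)
```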
The following topics do not necessarily follow the legal construct in order. This arrangement is done so that it can be summarized.

Permissiveness. It should be noted, and committed to memory, that HIPAA uses and disclosures are permissive in nature. The vast majority of listed uses and disclosures are permitted. Information must be authorized by the patient except where permitted by the rule. For the privacy professional, this permissiveness means that a detailed analysis of the uses and disclosures is necessary so that they may obtain authorization when necessary. A passing familiarity with this concept is not sufficient.

WARNINGS: The 2000 implementation of the Privacy Rule required that an entity track disclosures but exempted those for treatment, payment, or health care operations (TPO). This was reversed in HITECH for CEs that have an electronic record and they must now track all disclosures. One common misconception, and abuse of privacy language, is the lumping of the terms “use” and “disclosure” together. The privacy professional must understand that the two terms are not synonymous.

Valid Authorization. Unless the HIPAA Privacy Rule has an exception, a client must provide a valid authorization for the use or disclosure of
Note: The changes that HITECH brought to HIPAA lead the privacy professional to the conclusion that having adequate policies and procedures isn’t enough for compliance. It also re-focuses on the CEs’ liability related to training staff. While the individual may in theory be responsible for any particular violation, the entity bears the brunt of investigation and penalties if they cannot prove that they not only had policies and procedures in place, but that they trained adequately.

Also note that the Security Rule is technologically neutral, outlining principles rather than single solutions. This supports the flexibility of the rule.

These mandates link to the Privacy Rule. For example, to protect against any “reasonably anticipated threat,” the privacy professional must help the security professional by ensuring desktop policies are implemented and monitored. It would do no good to have a great authorization/authentication electronic process for access to electronic files if, at the desk level, the logon and password for each person was retained on sticky
Breach Notification 17
health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information. For purposes of this definition, “compromises the security or privacy of the protected health information” means poses a significant risk of financial, reputational, or other harm to the individual.

Note, a use or disclosure of protected health information that does not include any of the following does not compromise the security or privacy of the protected health information:

• Name

• Internet IP Address Numbers

• Full face photographs or comparable images

• Biometric Identifiers (fingerprint, voice prints, retina scan, etc.)

• Any other unique number, characteristic or code

Unsecured Protected Health Information. Protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology on the HHS Web site (i.e., destroyed or encrypted).
Secretary with notice annually. All notifications of breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred.

• This notice must be submitted electronically. A separate form must be completed for every breach that has occurred during the calendar year.

• If a covered entity that has submitted a breach notification form to the Secretary discovers additional information to report, the covered entity may submit an additional form, checking the appropriate box to signal that it is an updated submission.

Notification by a Business Associate. If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.

Burden of Proof. Covered entities and business associates have the burden of proof to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. The covered entities must also comply with several other provisions of the Privacy Rule with respect to breach notification. For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.

Breach Exceptions. Section 13400(1) of the Act also includes three exceptions to the definition of “breach” that encompass situations Congress clearly intended to not constitute breaches.

The first regulatory exception covers any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part. (Example. A billing employee receives and opens an e-mail containing protected health information about a patient which a nurse mistakenly sent to the billing employee. The billing employee notices that he/she is not the intended recipient, alerts the nurse of the misdirected e-mail, and then deletes it. The billing employee unintentionally accessed protected health information to which he was not authorized to have access. However, the billing employee’s use of the information was done in good faith and within the scope of authority, and therefore, would not constitute a breach and notification would not be required, provided the employee did not further use or disclose the information accessed in a manner not permitted by the Privacy Rule.)

The second regulatory exception covers inadvertent disclosures from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility, if the information is not further used or disclosed without authorization. The statute also allows an exception for inadvertent disclosures of
3 variations must be accounted for in the principal control tool: the contract.

The privacy impact from vendors depends, too, on whether they just walk in and drop off a case of alcohol wipes, work on site extracting information from an electronic health record for quality assurance or provide legal services from their home office in another state. The vendor who is required to enter sensitive areas to provide services or supplies requires a different level of privacy controls compared to the vendor who can do a drop and run from the loading dock. Another vendor who provides services elsewhere and never comes on site has other privacy risks. The

Section 1—Pre Contract Assumptions

Developing the vendor relationship starts with the assumption that a contract will be used for most vendors. Sometimes it will be your contract and sometimes it will be the vendor’s contract. Most legal counsels would prefer to be the contract originator, as the originator has substantially more control of the relationship; but contract origination may be out of your hands. In either case, the pre-contract work is the beginning of the relationship and needs to account for the foreseeable privacy issues.
While a bit simplistic, it needs to be said that both parties to a contract should understand

Privacy is the framework we operate under, and the laws and regulations tell us what we must protect. Yet specific security features will usually be the focus in a contract, as they support the privacy mandates. Privacy tells us what to protect, and security tells us how to protect it. It could be said that all privacy mandates and standards are implemented through security measures. But some concepts, like HIPAA “minimum necessary,” do not always have a security solution. Contracts can quote HIPAA, or other privacy laws, but unless specific implementation steps are included, a gap in understanding is created. Gaps equal increased risk.

The boilerplate is the part of the contract that has standard clauses that define all contractual relationships. The boilerplate may have indemnity clauses, insurance requirements, term and termination and anything that would be considered a minimum standard in all contracts for your entity. Each entity has a slightly different list of boilerplate clauses.

To try and describe everything in a boilerplate contract would be onerous. So for the boilerplate, we must choose what is generally true for our entity in most situations. Your counsel has probably done this already. When a privacy item

1 David Nelson is Privacy Officer for the County of San Diego in California.
This chapter provides an overview of the ethical guidelines and United States regulations governing the privacy and confidentiality of individually identifiable information in human subject research. The chapter is organized into three parts:

• Ethical codes governing research,

• Major regulations, and

• Practical issues that come up in applying the regulations.

In addition, please see below for some basic definitions related to human subject research privacy.

Basic Definitions

The privacy professional should have an understanding of the following basic terms related to research privacy: Privacy, Confidentiality, Research, and Human Subjects.

The terms “privacy” and “confidentiality” are sometimes used in casual conversation to mean the same thing, but it is important to distinguish between them. The National Science Foundation provides the following useful definitions:2

When we think about privacy in the context of research, we aren’t focusing on all types of research, but specifically on human subject research, which leads us to the other two terms, “research” and “human subject.”

Research. The Common Rule and HIPAA define “research” as “a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.”3 Note that in this definition, “research” is not limited to human subject research. FDA regulations do not define the term “research,” but instead define the term “clinical investigation” as “any experiment that involves a test article [regulated by the FDA] and one or more human subjects…”4 A test article includes, but is not limited to, drugs, devices, or biologicals.

Human Subject. The Common Rule defines a “human subject” as “a living individual about whom an investigator…conducting research obtains…[d]ata through intervention or interaction with the individual or,…[i]dentifiable private information.” “Intervention” means physical procedures and manipulations of the subject or their environment (such as a blood draw), “interaction” means communication or interpersonal contact between an investigator and a subject, and “private information” means information about behavior where the individual can expect no observation or recording is taking place, and information provided for a specific purpose by an individual with a reasonable

1 Rick King is the Compliance and Privacy Officer for Massachusetts Eye and Ear Infirmary.
2 Frequently Asked Questions and Vignettes, Interpreting the Common Rule for the Protection of Human Subjects for Behavioral and Social Science Research, Nov 13, 2008, The National Science Foundation, 9 Jan. 2011, http://www.nsf.gov/bfa/dias/policy/hsfaqs.jsp#difference.
3 45 CFR 46.102(d), and 45 CFR 164.501.
4 21 CFR 50.3(c).
In essence, PHI is the combination of past, current or future information related to health, provision of care or payment, together with individual identifiers including the following:49

• Names

• All geographic subdivisions smaller than a State

• All elements of dates (except year) including birth date, admission date, discharge date, date of death; and all ages over 89

• Telephone numbers

• Fax numbers

• Electronic mail addresses

• Social Security numbers

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers, including license plate numbers

• Device identifiers and serial numbers

• Web Universal Resource Locators (URLs)

• Internet Protocol (IP) address numbers

• Biometric identifiers, including finger and voice prints

• Full face photographic images and any comparable images

• Any other unique identifying number, characteristic, or code

Use and Disclosure. HIPAA makes a distinction between the use of PHI and the disclosure of PHI:

• Use of PHI is defined as “the sharing, employment, application, utilization, examination, or analysis of [PHI] within an entity that maintains such information.”50

• Disclosure of PHI is defined as “the release, transfer, provision of, access to, or divulging in

PHI is thus used within a covered entity and disclosed outside of a covered entity.

Purpose Driven. HIPAA establishes rules about how PHI may be used and disclosed. These rules are purpose driven. In other words, what a covered entity is allowed to do with PHI, and whether the use or disclosure requires written, oral or no authorization from the patient, depends on the purpose of the use or disclosure.

Generally (with certain exceptions for other special purposes), HIPAA permits the use and disclosure of PHI without a patient’s authorization for purposes of:52

• Treatment,

• Payment, and

• Health Care Operations.

Uses or disclosures of PHI for research purposes generally require an authorization from the individual, with a few exceptions as more fully described below.

The purpose-driven nature of HIPAA can be challenging. A physician who provides treatment to patients may be accustomed to unlimited access to a patient’s PHI within a covered entity for the purpose of providing treatment. However, when that same physician wishes to use the same PHI for purposes of research, the physician must comply with the more stringent research provisions of HIPAA. Similarly, a physician may regularly disclose PHI to physicians outside of the covered entity for purposes of coordinating care for a patient. However, the same physician

48 45 CFR 164.103. For more detail regarding certain types of individually identifiable health information that is not considered PHI, please see the detailed definition of PHI in HIPAA.
49 This list of individual identifiers comes from 45 CFR 164.514, which lists the identifiers that must be removed in order to de-identify a data set.
50 45 CFR 164.103.
51 45 CFR 164.103.
52 45 CFR 164.502.
• The PHI is used preparatory to research,

• The PHI is for research on decedents, or

• The PHI is part of a limited data set.

In addition, HIPAA establishes special requirements related to:

• A patient’s right to access his or her PHI obtained as part of a research study,

• Accounting for disclosures made for purposes of research,

• Research databases and repositories, and

–– “End of research study” or “none” may be used in authorizations for research or for a research database or repository, and

• The signature of the individual and date.

In addition, a HIPAA authorization must include the following required statements:54

• The individual’s right to revoke the authorization in writing,

• Any exceptions to the individual’s right to revoke the authorization and a description of how to revoke the authorization,

• “The use or disclosure of [PHI] involves no more than a minimal risk to the privacy of individuals, based on” an adequate:

–– “[P]lan to protect the identifiers from improper use and disclosure,”

–– “[P]lan to destroy the identifiers at the earliest opportunity” unless there is a health or research jurisdiction to retain the identifiers, or retention is required by law, and

–– Written assurance that PHI will not be reused or disclosed to any other person or entity, except as required by law, for research oversight, or for other research permitted by HIPAA, and

• The research could not practicably be conducted without the:

–– Waiver or alteration, and

• A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures.

An IRB must follow the requirements of the Common Rule regarding full board or expedited review procedures. A privacy board must review proposed research at convened meetings with a majority of its members present, including one non-affiliated member. Approvals must be made by a majority of those present. Expedited reviews may be made by the privacy board chair or a designee as long as the research involves no more than minimal risk to privacy of the individuals’ PHI.67

Reviews Preparatory to Research. A covered entity may allow a researcher to use PHI “preparatory to research” if the covered entity obtains representations from the researcher that:68

62 45 CFR 164.512(i)(1)(i)(B)(1).
63 45 CFR 164.512(i)(1)(i)(B)(2).
64 45 CFR 164.512(i)(1)(i)(B)(3).
65 45 CFR 164.512(i)(2)(ii).
66 45 CFR 164.512(i)(2).
67 45 CFR 164.512(i)(2)(iv)(C).
68 45 CFR 164.512(i)(1)(ii).
CONFIDENTIALITY:
As required by the federal Health Insurance Portability and Accountability Act (HIPAA), [Covered
Entity] will take reasonable measures to safeguard the confidentiality of information that identifies you
and relates to your past, present, and future physical and mental health, and conditions (protected health
information) collected, used and shared as part of this research. As part of this study, we may collect, use
and share protected health information about you as specified in the accompanying Research HIPAA
Authorization Form.
Information derived from this study may be used for research purposes that may include publication and
teaching. However, information used for publication and teaching will not disclose your identity.
Because this research is regulated by the Food and Drug Administration (FDA), the FDA may
inspect records related to this research, which may include your protected health information or other
information about you derived or maintained as part of this study.
Required Elements:
If you sign this document, you give permission to [name or other identification of specific health care
provider(s) or description of classes of persons, e.g., all doctors, all health care providers] at [name of
covered entity or entities] to use or disclose (release) your health information that identifies you for
the research study described here:
[Provide a description of the research study, such as the title and purpose of the research.]
The health information that we may use or disclose (release) for this research includes [complete as
appropriate]:
[Provide a description of the information to be used or disclosed for the research project. This may
include, for example, all information in a medical record, results of physical examinations, medical
history, lab tests, or certain health information indicating or relating to a particular condition.]
The health information listed above may be used by and/or disclosed (released) to:
[Name or class of persons involved in the research; i.e., researchers and their staff*]
*Where a covered entity conducts the research study, the Authorization must list ALL names or other identification, or ALL
classes, of persons who will have access through the covered entity to the protected health information (PHI) for the research
study (e.g., research collaborators, sponsors, and others who will have access to data that includes PHI). Examples may
include, but are not limited to the following:
- Data coordinating centers that will receive and process PHI;
- Sponsors who want access to PHI or who will actually own the research data; and/or
- Institutional Review Boards or Data Safety and Monitoring Boards.
If the research study is conducted by an entity other than the covered entity, the authorization need only list the name or
other identification of the outside researcher (or class of researchers) and any other entity to whom the covered entity is
expected to make the disclosure.
Optional Elements:
Examples of optional elements that may be relevant to the recipient of the protected health information:
• Your health information may be shared with a public health authority that is authorized by law to
collect or receive such information for the purpose of preventing or controlling disease, injury, or
disability, and conducting public health surveillance, investigations, or interventions.
• No publication or public presentation about the research described above will reveal your identity
without another authorization from you.
• If all information that does or can identify you is removed from your health information, the
remaining information will no longer be subject to this authorization and may be used or disclosed
for other purposes.
• When the research for which the use or disclosure is made involves treatment and is conducted by
a covered entity: To maintain the integrity of this research study, you generally will not have access to
your personal health information related to this research until the study is complete. At the conclusion
of the research and at your request, you generally will have access to your health information that
[name of the covered entity] maintains in a designated record set, which means a set of data that
includes medical information or billing records used in whole or in part by your doctors or other
health care providers at [name of the covered entity] to make decisions about individuals. Access
to your health information in a designated record set is described in the Notice of Privacy Practices
provided to you by [name of covered entity]. If it is necessary for your care, your health information
will be provided to you or your physician.
• If you revoke this Authorization, you may no longer be allowed to participate in the research described
in the Authorization.
• You do not have to sign this Authorization, but if you do not, you may not receive research-related
treatment.
(When the research involves treatment and is conducted by the covered entity or when the covered
entity provides health care solely for the purpose of creating protected health information to disclose
to a researcher).
• You may change your mind and revoke (take back) this Authorization at any time. Even if you revoke
this Authorization, [name or class of persons at the covered entity involved in the research] may still
use or disclose health information they already have obtained about you as necessary to maintain the
integrity or reliability of the current research. To revoke this Authorization, you must write to: [name
of the covered entity(ies) and contact information].
(Where the research study is conducted by an entity other than the covered entity).
• You may change your mind and revoke (take back) this Authorization at any time. Even if you revoke
this Authorization, [name or class of persons at the covered entity involved in the research] may still
use or disclose health information they already have obtained about you as necessary to maintain the
integrity or reliability of the current research. To revoke this Authorization, you must write to: [name
of the covered entity(ies) and contact information].
(Where the research study is conducted by the covered entity).
This Authorization does not have an expiration date [or as appropriate, insert expiration date or event,
such as “end of the research study.”]
Printed name of participant or participant’s personal representative to sign for the participant

If applicable, a description of the personal representative’s authority
PROTOCOL TITLE:
PROTOCOL NUMBER:
PRINCIPAL INVESTIGATOR:
The word “you” means both the person who takes part in the research, and the person who gives
permission to be in the research. This form and the attached research informed consent form need to be
kept together. The words “we” and “[CE]” mean the [Covered Entity].
What protected health information about me will be collected, used and shared with others
during this research study?
For you to be in this research study, we need your permission to collect, use and share health information
that identifies you (your “health information”), which may include one or more of the following:
• Demographic information, such as, but not limited to, your name, date of birth, address and other
contact information such as telephone, fax, or e-mail address, gender, insurance information and Social
Security number,
• Information from your medical record, including your medical record number.
We will only collect, use and share information that is needed for the research.
• People at [CE] who conduct, supervise, administer, or otherwise help with the research, such as,
but not limited to, physicians, researchers, research support staff, the [IRB], and [CE] staff who are
involved in the administration of the research,
–– Administer,
–– Oversee or regulate,
–– Pay for, or
• Other external entities who provide services to support the research, such as, but not limited to,
laboratories and data analysis companies.
Some of these people may share your health information with someone else. If they do, the same laws
that [CE] must obey may not apply to those people, and may not protect your health information.
For how long will protected health information about me be collected, used or shared with
others?
If you sign this form, we will collect, use and share your health information until the end of this research
study, which may be after your direct participation in the research project ends.
Your health information may also be useful for other studies. We can only use the health information
collected for this research study again if the [IRB] gives us permission. The [IRB] may ask us to talk
to you again before using or sharing the health information collected for this research study for other
research purposes. However, if we meet certain requirements established by law, the [IRB] may also let
us use and share your health information collected for this research study for additional research without
talking to you again.
Health information collected as part of the research study that is also kept in your medical record for
treatment and billing purposes will be maintained, used and disclosed in accordance with the policies
and procedures of [CE], and laws and regulations applicable to medical records. As a patient of [CE],
and not as part of this research study, you will receive a copy of the [CE] Notice of Privacy Practices
which explains how [CE] may use and disclose health information kept in your medical record.
If you have any questions, please ask the researcher. The researcher will give you a signed copy of this
form.
The health information about ________________________ can be collected, used and shared by [CE]
for the research study described in this form and the attached informed consent form.
SIGNATURES:
____________________________________________ ___________________________________
Subject Date
OR, if applicable, signature of parent or individual authorized by the subject to make health care
decisions:
____________________________________________ ___________________________________
Parent/Court-appointed Guardian/Health Care Proxy Date
____________________________________________ ___________________________________
Print Name Relationship
PROTOCOL TITLE:
PROTOCOL NUMBER:
PRINCIPAL INVESTIGATOR:
This form and the attached informed consent form need to be kept together.
I authorize [Covered Entity] to disclose my protected health information (“PHI”) as more fully
described below, for the purpose of including my PHI in a research database or repository that will be
maintained outside of [Covered Entity] by the organization named below:
Name of organization:
__________________________________________________________________________________
My PHI included in the research database or repository may be used for future research as described
in the attached informed consent form. I understand that my PHI that is included in the research
database or repository will identify me, and that when it is used for future research it may or may not
include information that identifies me. Information that does not identify me is called “de-identified
information.”
I understand that organizations that use or receive my de-identified information from the research
database or repository for future research typically will not need to inform me, obtain my authorization,
or have a research Institutional Review Board review the proposed future research.
I understand that depending on the laws that apply to the organization that receives my PHI for
the research database or repository, if my PHI is used by that organization or disclosed to another
organization for future research, the organization that maintains the research database or repository may
or may not need to inform me, obtain my authorization, or have a research Institutional Review Board
review the proposed future research.
I understand that [Covered Entity] is required by law to reasonably safeguard my PHI, but that the
organization that will receive my PHI for the research database or repository may not be required to
follow the same laws, may not be required to protect my PHI, and may redisclose my PHI.
Personal Identifiers:
This authorization has no expiration date. However, I may revoke this authorization by providing a
written notice of revocation delivered to the Principal Investigator named on the first page of this
authorization at [address]. The revocation will be effective immediately upon the Principal Investigator’s
receipt of my written notice, except that the revocation will not have any effect on any use or disclosure
of my PHI made by [Covered Entity] based on this authorization before it receives my written notice of
revocation.
If I want to revoke my participation in the research database or repository, I will contact the organization
that maintains the research database or repository as identified in the attached research informed consent
form. I understand that typically a revocation will not have any effect on any use of my PHI maintained
in the research database or repository by the organization based on this authorization before it receives
my written notice of revocation.
____________________________________________ ___________________________________
Subject’s Printed Name Date of Birth
____________________________________________ ___________________________________
Subject’s Signature Date
OR, if applicable, signature of parent or individual authorized by the subject to make health care
decisions:
____________________________________________ ___________________________________
Parent/Court-appointed Guardian/Health Care Proxy Signature Date
____________________________________________ ___________________________________
Printed Name Relationship
PROTOCOL TITLE:
PROTOCOL NUMBER:
PRINCIPAL INVESTIGATOR:
This form and the attached informed consent form need to be kept together.
I authorize [Covered Entity] to use my protected health information (“PHI”) as more fully described
below, for the purpose of including my PHI in a research database or repository that will be maintained
by [Covered Entity].
My PHI included in the research database or repository may be used for future research as described
in the attached informed consent form. I understand that my PHI that is included in the research
database or repository will identify me, and that when it is used for future research it may or may not
include information that identifies me. Information that does not identify me is called “de-identified
information.”
I understand that if [Covered Entity] uses my de-identified information from the research database or
repository for future research typically it will not need to inform me, obtain my authorization, or have its
research Institutional Review Board review the proposed future research.
I understand that if [Covered Entity] uses my PHI for future research, [Covered Entity] will need to
inform me, obtain my authorization, or have a research Institutional Review Board review the proposed
future research.
Personal Identifiers:
I understand that I may refuse to sign this authorization and that such refusal will not affect my
treatment at [Covered Entity].
I may revoke my participation in the research database or repository by providing a written notice
of revocation delivered to the Principal Investigator named on the first page of this authorization at
[address]. The revocation will be effective immediately upon the Principal Investigator’s receipt of my
written notice, except that the revocation will not have any effect on any use of my PHI maintained in
the research database or repository by [Covered Entity] based on this authorization before it receives my
written notice of revocation.
____________________________________________ ___________________________________
Subject’s Printed Name Date of Birth
____________________________________________ ___________________________________
Subject’s Signature Date
OR, if applicable, signature of parent or individual authorized by the subject to make health care
decisions:
____________________________________________ ___________________________________
Parent/Court-appointed Guardian/Health Care Proxy Signature Date
____________________________________________ ___________________________________
Printed Name Relationship
Instructions: Use this form to track disclosures to an individual or entity outside of [CE] of PHI for
purposes of research where individual participant HIPAA authorization is not obtained. For example,
this form must be used when PHI is disclosed:
• Preparatory to Research
Patient Name
Medical Record Number
Date of Disclosure
Recipient Name
Recipient Address
Name of Research Protocol or Activity
Description of Research Protocol or Activity
Description of PHI Disclosed
Purpose of Disclosure (may attach a copy of IRB research approval)
Protected Health Information of the individual requesting an accounting of disclosures may or may not
have been disclosed for the research protocol or activity listed above.
If [CE] determines that it is reasonably likely that the Protected Health Information of the individual
requesting the accounting of disclosures was disclosed for the research protocol or activity listed above,
[CE] will, at the request of the individual, assist the individual in contacting the research sponsor and
the researcher.
Privacy compliance in a payor world requires more of a focus on payment and operations versus
the treatment issues that are more prevalent in hospital and clinic settings. Such functions
include areas such as explanation of benefits, underwriting, and claims data submission. There is
also an intense focus on database information and the appropriate use, collection and disclosure of
information. An example of typical payor concerns might be looking at the advantage of an all-payor
database and the benefit of bringing transparency
Organizations are struggling to balance business goals with legal and regulatory requirements.
The balance lies between the drive to more sophisticated use of data to provide better health
care services with the fast-paced regulatory effort to restrict use and disclosure of data. For health
plans, greater and more sophisticated use of data is a priority as the competition increases for market
share. Consumers and beneficiaries are asking for more personalized health care services and
wanting electronic access to their medical records, yet legislative and enforcement activity is focusing
on more stringent regulatory oversight.
1 Jennifer O’Brien is the Chief Medicare Compliance Officer for UnitedHealthcare Medicare and Retirement.
It is important to note that the minimum necessary standard does not apply to the following:
• Disclosures to or requests by a health care provider for treatment purposes.
• Disclosures to the individual who is the subject of the information.
• Uses or disclosures made pursuant to an individual’s authorization.
• Uses or disclosures required for compliance with the HIPAA Administrative Simplification Rules.
• Disclosures to the Department of Health and Human Services (HHS) when disclosure of
information is required under the Privacy Rule for enforcement purposes.
• Uses or disclosures that are required by other law.
Marketing and Health Plans
Understanding the definition of “marketing” under the HIPAA rule is important across the
industry, but even more so with health plans, as the marketing department of a health plan helps
drive its sales, which in turn drives revenue. There are important controls under the HIPAA Privacy
Rule that address whether and how PHI may be used and disclosed for marketing (45 CFR
164.501, 164.508(a)(3)). In general, a written authorization is needed in order to use PHI for
marketing. However, there are some exceptions that health plans need to be aware of and which
may be important to a health plan’s mission of ensuring consumers or beneficiaries are getting
It is important to first define what constitutes marketing under the rule. The Privacy Rule defines
“marketing” as making “a communication about a product or service that encourages recipients of
the communication to purchase or use the product or service.” (45 CFR 164.501, 164.508(a)(3)). An
example of marketing material that requires a prior authorization from the individual would be
a communication from a health plan promoting an automobile insurance product by the same
company. Simply put, a covered entity may not sell PHI to a business associate or any third party for
that party’s own purposes. Health plans also may not sell lists of consumers or beneficiaries to third
parties without first obtaining an authorization from each person on the list. This part of the
definition has no exceptions. Another example of marketing that fits the above description would be
a health plan that sells a list of its members to a third party that sells blood glucose monitors. The
third party purchased the information with the intent to send the plan’s members brochures on
the benefits of purchasing and using the monitors. This information cannot be sold without an
authorization from every member on the list.
Once marketing has been defined, the next step is to identify and understand what marketing is
not. The Privacy Rule groups the exceptions to the marketing rules into the following three areas
(45 CFR 164.501, 164.508(a)(3)):
1. Health-Related Products or Services—it is not considered “marketing” if a health plan
communication describes a health-related product or service (or payment for such
product or service) that is provided by, or included in a plan of benefits of, the covered
entity making the communication. This includes communications about:
1 David Nelson is Privacy Officer for the County of San Diego in California.
2 Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records.
There is another applicability wrinkle to the records for the private school. “Note that a private
school is not made subject to FERPA just because its students and teachers receive services from a
local school district or State educational agency that receives funds from the Department.”5
But you have to account for a student whose records are subject to FERPA, yet are out placed
at another institution. “For example, if a school district places a student with a disability in a
private school that is acting on behalf of the school district with regard to providing services
to that student, the records of that student are subject to FERPA, but not the records of the
other students in the private school.”6
Note: Nursing Records. These records are specifically considered part of the Educational
Record. Nurses do not diagnose or treat in the medical sense.
Generally, applicability to FERPA is based on the institution receiving either federal funds
directly through a subcontract or federal funds received by a student and used for payment of
educational services.
Educational Record
According to CFR 34, 99.3 Definitions, Educational Records are: “(a) (1) directly
related to a student; and (2) Maintained by an educational agency or institution or by a party
acting for the agency or institution.” This narrows the record set impacted by FERPA, and it seems
straightforward, but we must be aware of any exceptions.
The exempted record sets are:
3 34 CFR § 99 et al.
4 Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records.
5 Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records.
6 Ibid.
7 34 CFR § 99 et al.
–– the study doesn’t permit identification of student/parent AND
–– the information is destroyed after the study
• To the Bureau of the Census for purposes of planning or carrying out a census or survey or
related activity pursuant to the provisions of Title 13.
• For discipline records to the victim of a crime. (Read 99.31 (a)(13))
• For parent of student, under 21, who violates law or policy on alcohol consumption.
• To the Comptroller General or any of the Comptroller General’s authorized representatives,
in the course of the performance of the duties of the General Accountability Office.
6. Periodic assessment and evaluation of the overall process for effectiveness.
Risk Assessment
As discussed in previous chapters of this book, there are several ways in which risk assessments in these
areas can be conducted. These include the use of:
• focus groups to assist in the identification of risks;
• interviews of key leadership and the board;
• surveys;
• reviews of previous audit findings, external audits conducted in the organization, and
identifying what is occurring within the industry and the local market, etc.
Once privacy risks have been identified, a prioritization process is needed to identify the
likelihood of the risk occurring, the ability of management to mitigate risk (i.e., are there
controls in place for the privacy risk, regardless of the likelihood of those risks occurring?), and
the impact of risk on the organization.
It is important that senior leadership participates in, and agrees with, the determination of the
high-risk privacy priorities for the auditing and monitoring plan. This will ensure management
buy-in and focus on privacy risk priorities. Also, with managers involved at the development stage
of the plan, they will be educated as to the type of activities being planned and the resources needed
to conduct these activities. Risk prioritization is a dynamic ongoing process and should include
periodic reviews during the year to ensure that
Hence, during the plan year, if there are changes, management will understand the need for additional
resources or a change in focus in the plan as the business environment and priorities may change.
Developing the Plan
Risk assessments and prioritization are important elements in the development of your
risk‑based privacy auditing and monitoring plan. Considerations related to the plan should also
include:
Resource Planning
• Review of other business areas in the organization which may be conducting an
audit or monitoring activity in the privacy area. If found, could you leverage this resource for
assistance in completing the stated activity, or utilize their activity and integrate the results
into the overall plan?
• Resources available to implement the plan:
–– Do you have the appropriate resources for the subject matter as needed within your
department to implement the plan? (If not, is there subject matter expertise somewhere else
in the organization?)
–– If the subject matter requires outsourcing, budget considerations and overall privacy risk
priorities may need to be re-evaluated.
• Determination of the hours needed to complete the plan by considering the level of
complexity of the potential scope. Considerations would include defining privacy auditing and
monitoring activities and whether they are outcome- or process-oriented. Process activities
–– If using a retrospective method of collecting data, it is important to identify
a milestone to use as a rationale for how far back to go, for example, new law,
new system, new business area, etc. This method is easier to use because of access
to data. Sampling can be simpler with this method, due to being able to see the
entire population and then being able to define the sample set.
• Finalize the approach and attributes:
–– Determine the sampling methodology largely by considering the scope (purpose
and goal) of your activity. For example, the sample used in self-reporting a privacy risk
area to an outside enforcement agency may be predetermined by the precedent that the
enforcement agency has set in industry; to determine if education is needed in the
privacy risk area, a small sample only may be needed; i.e., you may want to just “probe” an
area for a sense of compliance in that area.
–– Discuss your approach and risk priority with legal to determine if attorney-client privilege
should be a consideration BEFORE starting an audit in a sensitive area.
–– Consider the audience frame of reference that will receive the results of activity, and then
develop an appropriate format for reporting.
–– Trend and track data and identify themes and problem areas that need management
attention.
–– Assist management in identifying ways to monitor activity to assure corrective action is
occurring.
–– Have Compliance perform monitoring activity, where necessary, to keep communication and
alignment of management activity in sync with privacy compliance.
• Determine the key points of activity that may be provided to leadership and/or in reporting to
the board.
The overall process of developing the auditing and monitoring privacy plan should be documented.
This would include a description of how the risk assessment was conducted and the methodology
for prioritization of privacy risks. Work papers to support the audit findings, reports and corrective
action plans should be documented and filed appropriately. Prior to the audit activity, be sure to
define and document what should be considered as part of the work papers.
Remember to re-evaluate prioritization of risks with leadership throughout the plan year and
adjust your plan accordingly. Evaluation of the overall effectiveness of the plan should be done
annually. Questions to consider may include: