Health Care Privacy

Compliance Handbook

Health Care Compliance Association


6500 Barrie Road, Suite 250
Minneapolis, MN 55435
888-580-8373 (p) | 952-988-0146 (f )
www.hcca-info.org
Health Care Privacy Compliance Handbook is published by the Health Care
Compliance Association, Minneapolis, MN.

Copyright © 2011 by the Health Care Compliance Association. All rights reserved.
No part of this publication may be reproduced or transmitted by any means,
electronic or mechanical, including photocopying and transmittal by fax, without
prior written permission of the Health Care Compliance Association.

ISBN: 978-0-9778430-6-0

This publication is designed to provide accurate, comprehensive and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service and that the authors are not offering such advice in this publication. If legal advice or other expert assistance is required, the services of a competent professional should be sought.

Health Care Privacy Compliance Handbook

CONTENTS

Contributors ............................................................ iv

1 HIPAA Privacy and Security ............................................. 1
By David Nelson

2 Breach Notification ................................................... 17
By John Falcetano

3 Vendor Relations and Privacy .......................................... 22
By David Nelson

4 Human Research Privacy ................................................ 31
By Rick King

5 Payor Privacy Issues .................................................. 69
By Jenny O’Brien

6 Federal Educational Rights and Privacy Act ............................ 76
By David Nelson

7 The Federal Privacy Act of 1974 ....................................... 82
By John Falcetano

8 Auditing and Monitoring for Privacy in Health Care .................... 87
By Sheryl Vacca
Contributors

HCCA would like to thank the authors for their work in producing the book chapters.

John C. Falcetano, CHC-F, CIA, CCEP-F, CHRC, CHPC
Chief Audit and Compliance Officer
University Health Systems of Eastern Carolina
Greenville, NC

Rick King, CHPC, CIPP
Compliance and Privacy Officer
Massachusetts Eye and Ear Infirmary
Boston, MA

David Nelson, CHPC, CHRC, CISSP, CIPP/G
Privacy Officer
County of San Diego
San Diego, CA

Jennifer O’Brien, JD, CHC, CHPC
Chief Medicare Compliance Officer
UnitedHealthcare Medicare and Retirement
Minneapolis, MN

Sheryl Vacca, CHC-F, CCEP, CHRC, CHPC
Senior Vice President, Chief Compliance and Audit Officer
University of California
Oakland, CA

iv Health Care Privacy Compliance Handbook


1 HIPAA Privacy and Security

By David Nelson, CHPC, CHRC, CIPP/G, CISSP1

Introduction

For non-fictional writing it is not thought appropriate to address the reader directly. But I must point out (wake up out there!) that this chapter outlines what is probably the single most important legislation to impact the health care privacy professional. Every discipline, whether accounting, journalism or candle making, has one tool that forms the basis for all activities. HIPAA created a national baseline for health care privacy and security. As our nation moves toward electronic health care records and a way of sharing health information locally, regionally and nationally, it is incumbent on all health care privacy professionals to speak the same language. A privacy professional must grasp firmly and hang on to HIPAA as the core academic discipline.

General HIPAA Privacy

The Health Insurance Portability and Accountability Act, HIPAA, was passed by Congress and signed into law in 1996; it has three basic purposes:

• To make health insurance portable under ERISA;

• To move health care onto a nationally standardized electronic billing platform; and

• To prevent fraud, waste and abuse.

The last element refers to the infamous “Administrative Simplification” provisions, and that is where this chapter will focus.

NOTE: This chapter cannot incorporate all the different state and local laws and legal mandates in relation to HIPAA. However, the privacy professional should know where there is conflict between the two, and when to document how privacy will be supported.

Intent

“It is the purpose of this subtitle to improve the Medicare program under title XVIII of the Social Security Act, the Medicaid program under title XIX of such Act, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information.” (Public Law 104-191)

So the government intends to improve health care programs through improved data flows. The data flow will, of course, increase accuracy if done consistently, by using national standards for formats, specific transactions and an agreed-upon vocabulary. These standards ensure that participating entities are speaking the same language in the same electronic way.

The regulations also provide a rapid way to review, cross-reference and data mine for fraudulent behavior.

Congress predicted accurately that the goals of HIPAA could not be accomplished unless privacy and security provisions were an integral element, thus creating a national health care privacy baseline or “floor.” Many states had no privacy rights for health care records, so the Privacy and Security Rules were promulgated.

1 David Nelson, CHPC, CHRC, CIPP/G, CISSP, is Privacy Officer for the County of San Diego in California.

HIPAA Privacy and Security 1


HIPAA Privacy and Security

HIPAA resides in 45 CFR sections 164.102 through 164.534 and is broken into the following groups:

Section One: 164.102 - 164.318 and 164.530 - 164.534 Organizational Requirements

Section Two: 164.500 - 164.514 Use and Disclosure of Information

Section Three: 164.520 - 164.528 Individual’s Rights and Penalties

Section Four: Interaction with the HIPAA Security Rule

Section One: Organizational Requirements

To determine if an entity becomes subject to HIPAA, it is necessary to first compare the functions of the entity to the three principal types of “covered entities” (CE), and second, determine if the entity electronically transmits one of the nine defined “transactions.”

Covered Entities: Provider, Health Plan, Clearing House and Other Types

Provider. A health care provider is defined as “a provider of services (as defined in section 1395x(u) of title XIX), a provider of medical or other health services (as defined in section 1395x(s) of title XIX), and any other person furnishing health care services or supplies.” The full listing of health care activities is at: www.law.cornell.edu/uscode/html/uscode42/usc_sec_42_00001395---x000-.html.

The 1395x(s) reference includes seventeen services with dozens of subsets and clarifications, while 1395x(u) says “hospital, critical access hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program….”

The provider definition encompasses most of what is considered traditional health care, but it is important to note that some non-traditional things, like acupuncture or case management, may be a health care service in some settings. Plus, just because an entity does not have a standing facility like a clinic (home health care, for example), it is not automatically ruled out as a provider under the HIPAA definition.

Health Plan. There are several named health plans in HIPAA, not surprisingly Medicaid and Medicare, along with a general definition that must be reviewed internally to see if health plan activities exist.

The term “health plan” means an individual or group plan that provides, or pays the cost of, medical care (as such term is defined in section 2791 of the Public Health Service Act). The term includes the following, and any combination thereof:

• A group health plan (as defined in section 2791(a) of the Public Health Service Act), but only if the plan:

–– has 50 or more participants (as defined in section 3(7) of the Employee Retirement Income Security Act of 1974); or

–– is administered by an entity other than the employer who established and maintains the plan.

• A health insurance issuer (as defined in section 2791(b) of the Public Health Service Act).

• A health maintenance organization (as defined in section 2791(b) of the Public Health Service Act).


• Part A or Part B of the Medicare program under title XVIII.

• The Medicaid program under title XIX.

• A Medicare supplemental policy (as defined in section 1882(g)(1)).

• A long-term care policy, including a nursing home fixed indemnity policy (unless the Secretary determines that such a policy does not provide sufficiently comprehensive coverage of a benefit so that the policy should be treated as a health plan).

• An employee welfare benefit plan or any other arrangement which is established or maintained for the purpose of offering or providing health benefits to the employees of 2 or more employers.

• The health care program for active military personnel under title 10, United States Code.

• The veteran’s health care program under chapter 17 of title 38, United States Code.

• The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in section 1072(4) of title 10, United States Code.

• The Indian Health Service Program under the Indian Health Care Improvement Act (25 U.S.C. 1601 et seq.).

• The Federal Employees Health Benefit Plan under chapter 89 of title 5, United States Code.

Clearinghouse. This type of entity was included so that those who provide electronic translations for health care entities have to live up to the same privacy and security standards. A clearinghouse may be a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.

Other HIPAA Entities: Hybrid, Business Associate, Organized Health Care Arrangement, Affiliated Covered Entity

Some business arrangements do not clearly fall into the three definitions, but are intimately related to HIPAA-covered functions. To account for this, HHS included some definitions for complex business relationships.

Hybrid Entity. This is a single legal entity, where only some of its divisions or programs meet the CE definitions, and is typical of large entities. For example, a university that runs a community clinic. The clinic information could easily be covered by HIPAA, yet the educational records are not. The entity can self-declare itself a Hybrid CE and then document which parts perform covered functions and which ones do not.

Note: One other element to be documented for the Hybrid entity is where the PHI or IIHI flows out of the covered division into a support activity, such as General Counsel or Auditing. These divisions would never fit the definition of a CE and do not electronically transmit PHI, so may not be covered in the purest form. But they are part of the same legal entity, so the relationship and data flow should be documented.

Organized Health Care Arrangement (OHCA). Typically an OHCA is a clinically integrated care setting where individuals receive health care from more than one health care provider. The definition also applies when more than one CE participate in care but hold themselves out to the public as participating in a joint arrangement. An OHCA must also participate in joint activities and do one of the following: utilization review;


quality assessment and improvement activities; or payment activities.

An OHCA could be a group health plan, a health insurance issuer or health maintenance organization (HMO) with respect to such a group health plan. But that classification is only in terms of PHI created or received that relates to individuals who are or who have been participants or beneficiaries in such a group health plan.

Additionally, an OHCA could be a group health plan and one or more other group health plans that are maintained by the same plan sponsor, but only where PHI is created or received by insurance issuers that relates to individuals who are or have been participants or beneficiaries in any of such group health plans.

Affiliated Covered Entity. These are legally distinct entities that share common control or common ownership and choose to designate themselves as one affiliated CE for the purposes of complying with the HIPAA Privacy standard. Affiliated entities must meet the same requirements as a single CE, but this designation allows for things like the Notice of Privacy Practices and Privacy Policies and Procedures to be held in common, as long as they all agree to abide by them.

Business Associates (BA). The BA is probably the most familiar business arrangement that an external party would participate in with a HIPAA CE.

To ensure that HIPAA Covered Entities (CE) pass through the privacy and security standards, the concept of the Business Associate (BA) was added to the HIPAA Privacy Rule. A mandate was placed on the CE to either get “assurances” for privacy and security standards from their business partners or to include a BA amendment to a contract. The full BA requirements are listed in 164.314(a) and look remarkably like the requirements of the CE for privacy and security.

The BA relationship is defined where a separate legal entity uses or discloses Individually Identifiable Information on behalf of the CE. Usually, the BA relationship looks like claims processing, data analysis, billing, benefit management, quality assurance, quality improvement, practice management, legal, actuarial, accounting, accreditation or other administrative services. This is not an exhaustive list of functions, and the relationship should be reviewed from the standpoint of the information handled: if it is identifiable information going outside of your legal boundary, you are halfway to the BA relationship.

Federal Health and Human Services (HHS) recognized that CEs frequently use contractors to carry out parts of their business responsibilities. This is especially true considering the move to electronic billing platforms. Even today, only the largest entities have enough resources to develop homegrown systems and keep IT staff in-house to support the systems. Additionally, HHS recognized that other contractors might touch health information, such as QA/QI, accounting firms that provide billing services, or legal services.

One complaint about the 2000 Privacy Rule BA requirement was the lack of penalties for non-compliance. The CE is required to get the assurances, or establish the BA language. If the BA violated privacy, the investigation came back to the CE. The only thing that would be investigated was whether the assurances were present. The CE options would be to either terminate the contract or explain why they couldn’t terminate the contract. Any federal penalties could only be levied against the CE. Levying penalties downstream is difficult for any entity.

This weakness was corrected in 2010 by the language in the Health Information Technology for Economic and Clinical Health (HITECH)


Act. The BA is now responsible for their own violations of privacy and security regulations. The mandate on the CE to establish assurances or institute the BA language still exists, but the legal liability for violations, and possible penalties, flow directly to the entity that violates.

There is still much debate on how to perform due diligence in knowing if a BA is abiding by the Privacy Rule.

NOTE: The BA language and amendments have probably been overused. In the maturation of the industry, the early stages were fraught with inserting BA language in everything. This was reasonable, as the industry had no clear idea of how penalties would work. Everyone was overcautious and leapt into BA language “just in case.” There were even legal debates over whose BA language to use and which party was the BA. Sadly, many institutions did not fully grasp the intent of the rule and its applicability. This was understandable, as most health care entities had only established privacy officers in 2002/3 and, all too frequently, only as “other duties.” Additionally, the requirement that they “use or disclose on behalf of the CE” caused debate. As an industry, we have learned a lot since the Privacy Rule implementation. Risk aversion is now more properly allocated where contracts are concerned, and the early overzealousness is calming.

Transactions

The second part is determined by comparing the entities’ electronic transmissions and whether they meet any of the following:

• Health claims or equivalent encounter information

• Health claims attachments

• Enrollment and disenrollment in a health plan

• Eligibility for a health plan

• Health care payment and remittance advice

• Health plan premium payments

• First report of injury

• Health claim status

• Referral certification and authorization.

There are HIPAA Transaction and Code Set Rules that outline the formats and taxonomies for these transactions.

Covered Data: Information, Health Information, Individually Identifiable Health Information, and Protected Health Information

Once it is determined that an entity meets the HIPAA CE definition, the entity must identify what information is covered, “in any format,” document where it resides, and how it utilizes the information beyond the initial transaction.

It is important that a privacy program be based on the information, yet in many cases it is buried within larger data sets. The following graphic may help.

[Figure: nested sets of information, from largest to smallest: All Information, Health Information, Individually Identifiable Health Information, Protected Health Information, EPHI.]


To put information in context, think of the HIPAA Rules as looking at increasingly smaller sets, or classifications, of information:

• All Information: Literally every piece of information your entity has in its possession or has access to.

• Health Information: Every piece of health, and health-related, information.

• Individually Identifiable Health Information (IIHI): Health information that identifies an individual or can be used in combination with other information to identify an individual.

• Protected Health Information (PHI): Health information that is transmitted in one of the covered HIPAA transactions.

• Electronically Protected Health Information (EPHI): this is a subset that is covered by some specialized standards in the HIPAA Security Rule.

In the lower right corner of the graphic is the electronically transmitted health information. Frequently it is only a small part of all information within an entity. But once the Health Information is put into the covered transaction it becomes EPHI. Now the paper intake form, elsewhere in the diagram, is covered information because it is “in any form,” even though not within the transaction itself. This also applies to the paper copies staff keep in their desks “just in case,” or saved on a thumb drive, or printed and taken into the field. Think of it as once tainted, it is all tainted.

It is not important for the privacy professional to sweat the chicken-and-egg question of whether the data or the transaction came first. Once information has been determined to be covered by HIPAA, the privacy professional must ferret out where the information resides and what the use of the information is. This identification process plays a part in doing the Risk Analysis (RA). The RA is required by the HIPAA Security Rule and should not be skipped by the privacy professional just because the RA is a “security thing.”

One thing to note is that if the EPHI and PHI cannot be separated from the rest of the information, the entity may have to protect all information to the same degree as the HIPAA data — or provide greater protections if state law demands it.

Definitions

The following four definitions describe parts of the previous diagram, followed by other data definitions that flow throughout the regulations.

Health Information. Health information is any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, and relates to the past, present, or future physical or mental health or condition of an individual. This includes the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

Individually Identifiable Health Information (IIHI). Individually Identifiable Health Information (IIHI) is information that is a subset of health information, including demographic information collected from an individual, that is created or received by a health care provider, health plan, employer, or health care clearinghouse, and relates to the past, present, or future physical or mental health condition of an individual, the provision of health care to an individual, or the past, present, or future payment or the provision of payment of health care to an


individual, and identifies the individual, or has a reasonable basis that can be used to identify the individual.

Protected Health Information (PHI). Protected Health Information is information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. PHI excludes IIHI in education records covered by the Family Educational Rights and Privacy Act (FERPA), as amended, 20 U.S.C. 1232g; records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and employment records held by a CE in its role as employer.

Electronic Protected Health Information (EPHI). EPHI is when IIHI is transmitted by electronic media or maintained in electronic media.

De-identified Information. A CE may use PHI to create information that is not IIHI, whether or not the de-identified information is to be used by the CE. To be de-identified the data set must exclude:

• Names

• Geographic subdivisions smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

–– The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

–– The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000

• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older

• Telephone numbers

• Fax numbers

• Electronic mail addresses

• Social security numbers

• Medical record numbers

• Health plan beneficiary numbers

• Account numbers

• Certificate/license numbers

• Vehicle identifiers and serial numbers, including license plate numbers

• Device identifiers and serial numbers

• Web Universal Resource Locators (URLs)

• Internet Protocol (IP) address numbers

• Biometric identifiers, including finger and voice prints

• Full face photographic images and any comparable images; and

• Any other unique identifying number, characteristic, or code, except as permitted; and

–– The CE does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

Limited data set. A CE may use or disclose a limited data set if the CE enters into a data use


agreement, and the data set excludes the following direct identifiers of the individual or of relatives, employers, or household members of the individual:

• Names;

• Postal address information, other than town or city, state, and zip code;

• Telephone numbers;

• Fax numbers;

• Electronic mail addresses;

• Social security numbers;

• Medical record numbers;

• Health plan beneficiary numbers;

• Account numbers;

• Certificate/license numbers;

• Vehicle identifiers/serial numbers or license plate numbers;

• Device identifiers and serial numbers;

• Web Universal Resource Locators (URLs);

• Internet Protocol (IP) address numbers;

• Biometric identifiers, including finger and voice prints; and

• Full face photographic images and any comparable images.

Re-identification. A CE may assign a number for re-identification; however, the creation of the numbering system should not be based on the information, and the CE is forbidden from disclosing the re-identification scheme.

Note: One of the proposed uses of De-Identified and Limited Data Sets is to make them available for research purposes. However, combined with publicly available information, especially in small population centers, it may be possible to re-identify the individual. This is of concern for the privacy professional, as this is a permissive use, yet it may not be foolproof.

Unsecured PHI is: “PHI that is not secured by a technology standard that renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals and is developed or endorsed by a standards developing organization that is accredited by the American National Standards Institute.”

Summary for Covered Entity (CE), Transactions and Covered Data

To be covered by HIPAA, an entity must meet one of the definitions of a CE and then transmit at least one of the covered transactions. This combination of functions and data transmission means the entity is subject to HIPAA.

The reasonably competent privacy professional should have a good grasp of, and know instantly where to look up, the types of covered entities, the types of covered transactions, and the type of data that is covered.

Section Two: Use & Disclosure (U&D), and Authorization

Due to the complexity of the Privacy Rule, this section of the chapter could easily run twenty or more pages, so by necessity it is summarized where possible. While it is foundational to know who and what is covered by HIPAA, the reasonably competent privacy professional must know how the information can be used or disclosed and the role authorization


plays. Without a good grasp of this complex framework, the privacy professional is at a serious disadvantage in attempting to comply with the legal mandates.

U&D Framework

The rules pertaining to U&D are arranged in the following sections of 45 CFR:

• 164.502 General Rules

• 164.504 Organizational Requirements

• 164.506 Consent for U&D to carry out treatment, payment, and health care operations (TPO)

• 164.508 U&D where authorization is required

• 164.510 U&D requiring an opportunity for the individual to agree or to object

• 164.512 U&D for which consent, an authorization, or opportunity to agree or object is not required

• 164.514 Other requirements relating to U&D of protected health information.

The following topics do not necessarily follow the legal construct in order. This arrangement is done so that it can be summarized.

Permissiveness. It should be noted, and committed to memory, that HIPAA uses and disclosures are permissive in nature. The vast majority of listed uses and disclosures are permitted. Information must be authorized by the patient except where permitted by the rule. For the privacy professional, this permissiveness means that a detailed analysis of the uses and disclosures is necessary so that they may obtain authorization when necessary. A passing familiarity with this concept is not sufficient.

Mandated Disclosures. There are two instances where a CE must release information: to the individual who is the subject of the information (or their legal representative), and to the Secretary of Health and Human Services.

The one exception to the mandate to release to clients is where the provider has determined that the information might cause harm to the individual who is the subject of the information. Most often this applies in either mental health or behavioral health records. A CE’s policies and procedures should follow the rule at “164.524(a) Access of individuals to protected health information” carefully.

Definitions.

• “Use” is defined as the employment of information internally in an organization. This is interpreted to mean either inside the legal boundary of an entity or inside the HIPAA CE functions of a hybrid entity.

• “Disclosure” happens when information leaves the boundary of the legal entity or when it leaves the HIPAA CE functions in a hybrid entity.

WARNINGS: The 2000 implementation of the Privacy Rule required that an entity track disclosures but exempted those for treatment, payment, or health care operations (TPO). This was reversed in HITECH for CEs that have an electronic record, and they must now track all disclosures. One common misconception, and abuse of privacy language, is the lumping of the terms “use” and “disclosure” together. The privacy professional must understand that the two terms are not synonymous.

Valid Authorization. Unless the HIPAA Privacy Rule has an exception, a client must provide a valid authorization for the use or disclosure of


information. A valid authorization has ten specific requirements, each of which supports the privacy of information through specific communication with the individual. If any of the ten are missing, it is deemed “invalid.”

Note: It has long been the practice to get an authorization to release information “just in case.” This is now more difficult, as the HIPAA Privacy Rule mandates that the form state a purpose that is meaningful and specific. Combined with the requirement to include a sunset date or event, this may mean that if you have a limited purpose you will have to renew the authorization on its expiration. The industry, as a whole, is moving toward collecting an authorization only when it is actually required.

164.502 Use and Disclosure general rules. This section contains some important definitions and standards for the organization as a whole that should be reflected in policy.

• CE may not use or disclose PHI, except as permitted or required…
• Minimum necessary
• Uses and disclosures of PHI subject to an agreed upon restriction
• Uses and disclosures of de-identified protected health information
• Disclosures to BAs
• Deceased individuals
• Personal representatives
• Confidential communications
• Uses and disclosures consistent with notice
• Disclosures by whistleblowers and workforce member crime victims.

Minimum Necessary. The concept of Minimum Necessary must be applied when requesting, using or disclosing information, to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This concept does not apply to treatment uses and disclosures, disclosures to the individual, disclosures per authorization, disclosures made to the Secretary, or disclosures required by law.

A CE may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.

Minimum necessary links to the Role Based Access process in the Security Rule. Only by identifying precisely how much information any particular individual needs to accomplish their role can the security professional set content filters in place to support the privacy concept. Secondarily, by applying this concept, the entity then has a measurement to support any disciplinary process for unauthorized access. There are more detailed nuances on how to administer minimum necessary in 164.514(d).

Note: Minimum necessary actually aids the privacy professional when developing communication routes inside and outside the organization. The privacy professional’s main task is to reduce risk by ensuring that privacy rights are not violated. Proposed projects have to justify why they want information sent, or why access is allowed, based on the use or disclosure but limited to the minimum necessary. These concepts make operations scalable, which is supported by HIPAA and the associated rules.
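The role-based content filter the text links to minimum necessary, written out as an added example (not code from the handbook or any regulation): it releases only the fields a role needs, exempts the purposes 164.502 exempts, requires a justification for an entire-record request, and records any request that reached beyond the role so the entity has the measurement for its disciplinary process. The roles, field names and sample record are constructed assumptions.

```python
"""Role-based minimum necessary filter. Added example, not from the handbook
or any regulation: roles, field names and the sample record are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# Every field of a (constructed) designated record set.
ALL_FIELDS: FrozenSet[str] = frozenset({
    "name", "dob", "mrn", "ssn", "address", "diagnoses", "medications",
    "lab_results", "psychotherapy_notes", "insurance_id", "billing_codes",
})

# Role-based content filters: the fields each role needs to do its job.
# Setting these precisely is the privacy/security coordination the text describes.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "billing": frozenset({"name", "dob", "mrn", "insurance_id", "billing_codes"}),
    "scheduler": frozenset({"name", "dob", "mrn", "address"}),
    "lab_tech": frozenset({"name", "mrn", "lab_results"}),
}

# Purposes the minimum necessary standard does not apply to: treatment,
# disclosure to the individual, per authorization, to the Secretary, required by law.
EXEMPT_PURPOSES: FrozenSet[str] = frozenset(
    {"treatment", "to_individual", "authorization", "secretary", "required_by_law"}
)

# Constructed sample record with placeholder values.
SAMPLE_RECORD: Dict[str, str] = {name: f"<{name}>" for name in ALL_FIELDS}


@dataclass
class AccessRequest:
    user: str
    role: str
    purpose: str
    fields: Optional[FrozenSet[str]] = None  # None means the entire record
    justification: str = ""                  # required for an entire-record request


@dataclass
class AccessDecision:
    released: Dict[str, str] = field(default_factory=dict)
    withheld: List[str] = field(default_factory=list)
    audit_events: List[str] = field(default_factory=list)


def apply_minimum_necessary(record: Dict[str, str], req: AccessRequest) -> AccessDecision:
    """Return only what the requester's role needs, and log anything beyond it."""
    decision = AccessDecision()
    requested = ALL_FIELDS if req.fields is None else req.fields

    if req.purpose in EXEMPT_PURPOSES:
        # Minimum necessary does not apply; release what was asked for, but still log it.
        decision.released = {f: record[f] for f in sorted(requested) if f in record}
        decision.audit_events.append(
            f"{req.user}: purpose '{req.purpose}' is exempt from minimum necessary")
        return decision

    role_fields = ROLE_FIELDS.get(req.role, frozenset())  # an unknown role gets nothing
    if req.fields is None:
        if req.justification:
            # The entire record is allowed only when specifically justified; keep the reason.
            decision.released = {f: record[f] for f in sorted(ALL_FIELDS) if f in record}
            decision.audit_events.append(
                f"{req.user}: entire record released; justification: {req.justification}")
            return decision
        decision.audit_events.append(
            f"{req.user}: entire record requested without justification; reduced to role filter")

    allowed = requested & role_fields
    decision.released = {f: record[f] for f in sorted(allowed) if f in record}
    decision.withheld = sorted(requested - allowed)
    if decision.withheld:
        # The withheld list is the measurement that supports a disciplinary review.
        decision.audit_events.append(
            f"{req.user} ({req.role}): asked for fields outside role: {', '.join(decision.withheld)}")
    return decision


if __name__ == "__main__":
    req = AccessRequest("u100", "billing", "payment", frozenset({"name", "ssn", "billing_codes"}))
    d = apply_minimum_necessary(SAMPLE_RECORD, req)
    print(sorted(d.released), d.withheld, d.audit_events)
```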


Summary of Uses and Disclosures that Do Not Require Authorization

Most of these instances that do not require authorization are self-explanatory. Remember that these are permissive and not a mandate to release information. So you MAY use or disclose without authorization for:

• Treatment
• Payment
• Business operations
• Research (under certain circumstances)
• As required by law
• To avert a serious threat to health or safety
• Workers’ compensation
• Public health activities
• Reporting abuse, neglect or domestic violence
• Health oversight activities
• Organ and tissue donation
• Lawsuits and disputes
• Law enforcement
• Specialized government functions.

Note: Care should be taken, as some of these permissive uses or disclosures have conditions attached that must be met for the use or disclosure to be permitted. For example, for research there are specialized conditions that must be met. It is still permissible under HIPAA to use or disclose for research as long as the conditions are met.

Deceased Individuals. A CE must comply with the requirements of this subpart with respect to the protected health information of a deceased individual. However, decedent information can be released to coroners or medical examiners. An entity can release a decedent’s information for research if the CE first obtains, from the researcher, a representation that the use or disclosure sought is solely for research on the protected health information of decedents.

164.510 Opportunity for the individual to agree or to object to the use or disclosure. There are two specific instances where a CE must seek permission from the individual if it wants to use or disclose PHI. The first is “facility directories,” and the second is “uses and disclosures for involvement in the individual’s care and notification purposes.” The first instance is easy to understand, with a caveat for emergency circumstances where the CE has to ask when reasonably practicable, for example when the patient becomes conscious. The second instance is more difficult, as it deals with notifying family and friends of the patient’s condition. This typically bumps up against state law, so some work must be done by the privacy professional to account for both legal frameworks.

Uses and Disclosures that Require an Authorization

Psychotherapy Notes/Records. A valid authorization is required for psychotherapy notes (except for TPO, including the entity’s internal training program) and for marketing.

Valid Authorizations

A valid authorization must contain seven elements and four statements:

• A specific and meaningful description of the information to be disclosed, including specific records and service dates;


• A specific division is identified as the one authorized to disclose the medical record;
• The name or other specific identification of the person(s) or entity(ies) to whom disclosure can be made;
• A statement of the purpose of the requested disclosure (which may be “at the request of the client”), including any limitations on the use of the information;
• An expiration date or a valid expiration event, AND a check that the date has not passed nor has the expiration event occurred;
• A signature dated by the client or the client’s authorized personal representative. If signed by the authorized personal representative, a description of such representative’s authority to act for the client is provided;
• A statement of the client’s right to revoke the authorization, exceptions to this right, and a description of how to revoke;
• A statement that treatment, payment, enrollment or eligibility for benefits may NOT be conditioned upon signing the authorization;
• A statement regarding the potential that the information disclosed pursuant to the authorization may be re-disclosed by the recipient and, if so, may no longer be protected by a federal confidentiality law;
• A statement that the person signing the authorization has the right to (or will receive) a copy of the authorization.

Note: Just as with the BA language in contracts, CEs are moving toward only collecting an authorization where required. With the permissiveness of the TPO exception, many organizations have discovered that they have been over-collecting authorizations. There are two big downfalls to this over-collection process. First, the entity must track the expiration date for renewals. Second, there is a debate about using the information for any purpose other than what is stated on the authorization. If the authorization says the purpose is “treatment” and the entity wishes to avail itself of a permitted use (for example research, or law enforcement to locate missing persons), since it is not treatment, they must question whether they are in breach of what they agreed with the client was the only purpose.

Section Three: Patient Rights and Penalties

The HIPAA Privacy Rule instituted many rights regarding the individual health care record. Again, these are just a summary of the rights, and there are details that have to be worked out at the entity level to ensure compliance.

Rights

Request for Restrictions. A patient has the right to request restrictions on the U&D of information, even for the TPO exception. The entity must determine if the request is reasonable and if it can accommodate the request, and then must abide by any agreed upon restrictions.

Request for Confidential Communication. The patient may request other communication channels not typical for the entity, such as email, or meeting in off-site locations. If reasonable, the entity should consider complying. However, it is a request, and if the entity determines that it would have to go to extraordinary lengths to comply, it may refuse or seek an alternative.

Access and Copy Information. Patients are entitled to a copy of, or access to, the information in the designated record set.


HITECH extended the requirements for covered entities that manage protected health information via electronic health records (EHRs). CEs must provide the patient (or individuals or entities authorized by the patient, such as doctors and personal health record services) with an electronic copy of their file. There is no mandate on the type of electronic access.

Request to Amend. The client has the right to request an amendment to their designated record set if they determine it may be inaccurate. The patient may be the only one to bring to the provider’s attention that something in the record is not accurate. However, it is only a request. If the provider determines the record to be accurate, they can deny the request. In turn, the client has the right to ask that their statement of inaccuracy be placed in the file. Considering medical identity theft and patient safety, this requirement has become a more important client right than when first written in 2000.

Right to an Accounting of Disclosures. Patients are entitled to know to whom information is disclosed, and the purpose of the disclosure, so an entity must keep track of all disclosures.

Notice of Privacy Practice. A HIPAA CE must provide a Notice of Privacy Practice (NPP). This statement provides the rules of the road on how an entity will use and disclose information. These are the policies and procedures (P&P) that support the privacy and security of the information and the entity’s commitment to the individual.

Penalties

While the original impetus of HHS was to get entities to be compliant with HIPAA as of 2010, they have started to issue penalties for failures to comply or protect information adequately. Additionally, under the HITECH upgrades to penalties, those subject to the penalties include an individual, not just the CE.

The updated penalties breakdown is:

• Violations where the offender didn’t realize he or she violated the Act and would have handled the matter differently if known:
  –– $100 fine for each violation,
  –– Total not to exceed $25,000 for the calendar year.
• Violations due to reasonable cause, but not “willful neglect”:
  –– $1,000 fine for each violation,
  –– Total not to exceed $100,000 for the calendar year.
• Violations due to willful neglect that the organization ultimately corrected:
  –– $10,000 fine for each violation,
  –– Total not to exceed $250,000 for the calendar year.
• Violations of willful neglect that the organization did not correct:
  –– $50,000 fine for each violation,
  –– Not to exceed $1,500,000 for the calendar year.

One other big change is that the HITECH Act also allows states’ attorneys general to levy fines and seek attorney’s fees from covered entities. Plus, state courts now have the ability to award costs, which they were previously unable to do.


Mandated Reporting of Breaches and Individual Notification

This requirement not only imposes an organizational response, but also implies a client right. The regulations require HIPAA CEs to promptly notify individuals of a breach of unsecured PHI, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals. Breaches affecting fewer than 500 individuals are reported to the HHS Secretary on an annual basis. Notification to the individual is waived if the entity can determine the following: “an unauthorized use or disclosure of protected health information is considered a breach only if the use or disclosure poses some harm to the individual...”

In addition, the regulations also require business associates of covered entities to notify the covered entity of breaches at or by the business associate.

Note: While in the HIPAA Security Rule, discussed below, “encryption” is classified as addressable, HITECH elevated its importance, because if information is encrypted and breached, in theory no harm can come to the individual who is the subject of the information. Encryption for information in transit and at rest is becoming a standard.

Note: The changes that HITECH brought to HIPAA lead the privacy professional to the conclusion that having adequate policies and procedures isn’t enough for compliance. It also re-focuses on the CEs’ liability related to training staff. While the individual may in theory be responsible for any particular violation, the entity bears the brunt of investigation and penalties if it cannot prove that it not only had policies and procedures in place, but that it trained adequately.

Section Four: Interaction with the Security Rule

Security is how things are protected, while privacy tells us what to protect. While this topic seems to reside squarely in the information technology domain, the privacy professional must understand where privacy interacts to ensure security.

Again, this is a section worthy of many pages of detailed outlines, but it is summarized here to encapsulate. Generally the Security Rule says an entity must:

• Ensure the confidentiality, integrity, and availability (CIA) of all electronic protected health information (EPHI) the CE creates, receives, maintains, or transmits
• Support CIA through Administrative, Technical and Physical safeguards
• Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required
• Ensure compliance by the workforce.

Also note that the Security Rule is technologically neutral, outlining principles rather than single solutions. This supports the flexibility of the rule.

These mandates link to the Privacy Rule. For example, to protect against any “reasonably anticipated threat,” the privacy professional must help the security professional by ensuring desktop policies are implemented and monitored. It would do no good to have a great authorization/authentication electronic process for access to electronic files if, at the desk level, the log-on and password for each person was retained on sticky notes on the monitor. The privacy professional would identify this as a vulnerability in their portion of the Security Risk Analysis (RA) and implement a mitigation scheme (audit by walking around, probably).

HIPAA CEs are granted flexibility in the approach for security implementation:

• Covered entities may use any security measures that allow the CE to reasonably and appropriately implement the standards and implementation specifications.
• In deciding which security measures to use, a CE must take into account the following factors:
  –– The size, complexity, and capabilities of the CE
  –– The CE’s technical infrastructure, hardware, and software security capabilities
  –– The costs of security measures
  –– The probability and criticality of potential risks to electronic protected health information.

For the most part, although not exclusively, the privacy professional coordinates the administrative safeguards to meet the security professional who is in charge of this IT infrastructure. This process is generally limited to policies and procedures. This is where privacy must bridge the two disciplines.

There are eighteen security standards and thirty-six implementation specifications. The outline below is from page 8380 of the February 2003 Federal Register:

Appendix A to Subpart C of Part 164—Security Standards: Matrix

(R) = Required, (A) = Addressable

ADMINISTRATIVE SAFEGUARDS
• Security Management Process, 164.308(a)(1)
  –– Risk Analysis (R)
  –– Risk Management (R)
  –– Sanction Policy (R)
  –– Information System Activity Review (R)
• Assigned Security Responsibility, 164.308(a)(2) (R)
• Workforce Security, 164.308(a)(3)
  –– Authorization and/or Supervision (A)
  –– Workforce Clearance Procedure (A)
  –– Termination Procedures (A)
• Information Access Management, 164.308(a)(4)
  –– Isolating Health Care Clearinghouse Function (R)
  –– Access Authorization (A)
  –– Access Establishment and Modification (A)
• Security Awareness and Training, 164.308(a)(5)
  –– Security Reminders (A)
  –– Protection from Malicious Software (A)
  –– Log-in Monitoring (A)
  –– Password Management (A)
• Security Incident Procedures, 164.308(a)(6)
  –– Response and Reporting (R)
• Contingency Plan, 164.308(a)(7)
  –– Data Backup Plan (R)
  –– Disaster Recovery Plan (R)
  –– Emergency Mode Operation Plan (R)
  –– Testing and Revision Procedure (A)
  –– Applications and Data Criticality Analysis (A)
• Evaluation, 164.308(a)(8) (R)
• Business Associate Contracts and Other Arrangements, 164.308(b)(1)
  –– Written Contract or Other Arrangement (R)

PHYSICAL SAFEGUARDS
• Facility Access Controls, 164.310(a)(1)
  –– Contingency Operations (A)
  –– Facility Security Plan (A)
  –– Access Control and Validation Procedures (A)
  –– Maintenance Records (A)
• Workstation Use, 164.310(b) (R)
• Workstation Security, 164.310(c) (R)
• Device and Media Controls, 164.310(d)(1)
  –– Disposal (R)
  –– Media Re-use (R)
  –– Accountability (A)
  –– Data Backup and Storage (A)

TECHNICAL SAFEGUARDS (see § 164.312)
• Access Control, 164.312(a)(1)
  –– Unique User Identification (R)
  –– Emergency Access Procedure (R)
  –– Automatic Logoff (A)
  –– Encryption and Decryption (A)
• Audit Controls, 164.312(b) (R)
• Integrity, 164.312(c)(1)
  –– Mechanism to Authenticate Electronic Protected Health Information (A)
• Person or Entity Authentication, 164.312(d) (R)
• Transmission Security, 164.312(e)(1)
  –– Integrity Controls (A)
  –– Encryption (A)

Things like “sanction policy” and the three implementation specifications under workforce security, as well as contingency planning and several other specifications, should easily be recognizable to the privacy professional as points of coordination.

Note: Both “addressable” and “required” must be reviewed for applicability. In either case, the CE must document why a specification does or does not need to be addressed, or document the alternative mitigations that the CE has in place. Addressable does not mean it can be ignored.

Summary

If the purpose of HIPAA is to improve the effectiveness of our health care system through encouraging the development of a health information system, then the privacy professional’s purpose is to support that goal through understanding the specific privacy mandates that must be implemented within an organization. It is not enough to just say, “because HIPAA said so;” the privacy professional must constantly be educating, creating buy-in from executive management and coordinating with others in the organization to create unified policies and procedures that support the confidentiality of information. In turn, this effort supports the integrity of data and makes the data available where it should be.


2 Breach Notification

By John Falcetano, CHC-F, CCEP-F, CHRC, CHPC1

1 John Falcetano is Chief Audit and Compliance Officer for the University Health System of East Carolina.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted on February 17, 2009 as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA) (Pub. L. 111–5). Subtitle D of the HITECH Act (the Act), entitled “Privacy,” among other provisions, requires HHS to issue interim final regulations for breach notification by entities subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their business associates. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.

Key Definitions

In order to understand the Breach Notification requirement, it is important to understand the following definitions:

Access. The ability or means necessary to read, write, modify, communicate, or otherwise use data/information.

Authorized Person. An individual authorized by the entity or the entity’s Business Associate to acquire, access, or use Protected Health Information (“PHI”) that is within the individual’s scope of employment.

Limited Data Set. PHI that excludes 16 specific identifiers as defined in the HIPAA Privacy Rule, but includes zip codes, geographical codes, dates of birth, other date information, and any other code.

Organized Healthcare Arrangement. A clinically integrated care setting in which individuals typically receive health care from more than one provider.

Unauthorized. An impermissible use or disclosure of PHI under the HIPAA Privacy Rule (subpart E of 45 CFR part 164).

Unauthorized Access. The inappropriate viewing of a patient’s medical or financial information without a direct need for diagnosis, treatment, payment, or other lawful use.

Unsecured Protected Health Information. PHI that is not secured through the use of a technology or methodology (such as encryption or destruction of data) that renders PHI unusable, unreadable, or indecipherable to unauthorized persons.

Protected Health Information (“PHI”). Individually identifiable health information that is (i) transmitted by electronic media; (ii) maintained in any medium such as magnetic tape, disc, optical file; or (iii) transmitted or maintained in any other form or medium (including but not necessarily limited to paper, voice, Internet, or facsimile).

Workforce Member. Employees, volunteers, students, medical residents, trainees, and other persons whose conduct, in the performance of work for an entity, is under the direct control of the entity, whether or not they are paid by the entity (including medical residents).

Breach (as defined in HITECH 164.402). The acquisition, access, use, or disclosure of protected
health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information. For purposes of this definition, “compromises the security or privacy of the protected health information” means poses a significant risk of financial, reputational, or other harm to the individual.

Note: a use or disclosure of protected health information that does not include any of the following does not compromise the security or privacy of the protected health information:

• Name
• Date of Birth or any other date smaller than a year
• Any elements of dates smaller than a year (i.e., date of admission, discharge, death, etc.)
• Zip Code
• Medical Record Number
• Device Identification Numbers
• Social Security Number
• Any geographic subdivision smaller than a state
• Phone Numbers
• Fax Numbers
• E-mail Addresses
• Health Plan Beneficiary Number
• Any other Account Number
• Certificate/License Numbers
• Vehicle Identifiers
• Web URLs
• Internet IP Address Numbers
• Full face photographs or comparable images
• Biometric Identifiers (fingerprint, voice prints, retina scan, etc.)
• Any other unique number, characteristic or code

Unsecured Protected Health Information. Protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified on the HHS Web site (i.e., destroyed or encrypted).

How It Works

Breach Notification. Following a breach of unsecured protected health information, covered entities must notify affected individual(s), the Secretary of Health and Human Services (HHS) and, in certain instances, the media. In addition, business associates must notify covered entities that a breach has occurred.

Individual Notification. In the event of a breach, the notification must include the following information:

Content of Notification

• Brief description of what happened and when it happened, to include the date of the breach and the date it was discovered.
• Description of the types of unsecured PHI involved in the breach (example: the individual’s social security number, date of birth, etc.)
• Steps individuals should take to protect themselves from potential harm as a result of the breach.


• Brief description of what the involved covered entity is doing to investigate the breach, mitigate losses, and protect against any further breaches.
• Contact procedures for individuals to ask questions or learn additional information.

Individual breach notification must occur without unreasonable delay, but not longer than 60 days from the date the breach is discovered. A breach is considered to be “discovered” when at least one employee of the entity (other than the person responsible for the breach) knows or reasonably should know of the breach.

Covered entities are required to notify affected individuals following the discovery of a breach of unsecured protected health information. The covered entities must provide the individual notice in written form by first-class mail. It is permissible to provide the notice by e-mail if the affected individual has agreed to receive such notices electronically.

If the covered entity has insufficient or out-of-date contact information for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site or by providing the notice in major print or broadcast media where the affected individuals likely reside. If the notice is provided via web posting or major print or broadcast media, the notice must include a toll-free number for individuals to contact the covered entity to determine if their protected health information was involved in the breach.

If the covered entity has insufficient or out-of-date contact information for fewer than 10 individuals, the covered entity may provide substitute notice by an alternative form of written, telephone, or other means.

Media Notice. If the breach affects more than 500 residents of a State or jurisdiction, in addition to notifying the affected individuals, notice must be provided to prominent media outlets serving the State or jurisdiction. In most instances, a press release would be provided by the covered entity to appropriate media outlets serving the affected area. Media notification must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach, and must include the same information required for the individual notice.

Notice to the HHS Secretary. The breach notification interim final rule requires covered entities to provide the Secretary with notice of breaches of unsecured protected health information (45 CFR 164.408). The number of individuals affected by the breach determines when the notification must be submitted to the Secretary.

Breaches Affecting 500 or More Individuals

• If a breach affects 500 or more individuals, a covered entity must provide the Secretary with notice of the breach without unreasonable delay and in no case later than 60 days from discovery of the breach. This notice must be submitted electronically.
• If a covered entity that has submitted a breach notification form to the Secretary discovers additional information to report, the covered entity may submit an additional form, checking the appropriate box to signal that it is an updated submission.

Breaches Affecting Fewer than 500 Individuals

• For breaches that affect fewer than 500 individuals, a covered entity must provide the
Secretary with notice annually. All notifications of breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred.
• This notice must be submitted electronically. A separate form must be completed for every breach that has occurred during the calendar year.
• If a covered entity that has submitted a breach notification form to the Secretary discovers additional information to report, the covered entity may submit an additional form, checking the appropriate box to signal that it is an updated submission.

Notification by a Business Associate. If a breach of unsecured protected health information occurs at or by a business associate, the business associate must notify the covered entity following the discovery of the breach. A business associate must provide notice to the covered entity without unreasonable delay and no later than 60 days from the discovery of the breach. To the extent possible, the business associate should provide the covered entity with the identification of each individual affected by the breach as well as any information required to be provided by the covered entity in its notification to affected individuals.

Burden of Proof. Covered entities and business associates have the burden of proof to demonstrate that all required notifications have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach. The covered entities must also comply with several other provisions of the Privacy Rule with respect to breach notification. For example, covered entities must have in place written policies and procedures regarding breach notification, must train employees on these policies and procedures, and must develop and apply appropriate sanctions against workforce members who do not comply with these policies and procedures.

Breach Exceptions. Section 13400(1) of the Act also includes three exceptions to the definition of “breach” that encompass situations Congress clearly intended not to constitute breaches.

The first regulatory exception covers any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part. (Example: A billing employee receives and opens an e-mail containing protected health information about a patient which a nurse mistakenly sent to the billing employee. The billing employee notices that he/she is not the intended recipient, alerts the nurse of the misdirected e-mail, and then deletes it. The billing employee unintentionally accessed protected health information to which he was not authorized to have access. However, the billing employee’s use of the information was done in good faith and within the scope of authority, and therefore would not constitute a breach and notification would not be required, provided the employee did not further use or disclose the information accessed in a manner not permitted by the Privacy Rule.)

The second regulatory exception covers inadvertent disclosures from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at the same facility, if the information is not further used or disclosed without authorization. The statute also allows an exception for inadvertent disclosures of
protected health information from a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity, business associate, or organized health care arrangement in which the covered entity participates. (Example: A physician who has authority to use or disclose protected health information at a hospital by virtue of participating in an organized health care arrangement with the hospital is similarly situated to a nurse or billing employee at the hospital.)

The final regulatory exception to breach covers the unauthorized person to whom protected health information has been disclosed and who would not reasonably have been able to retain the information. This includes situations where a covered entity or business associate has a good faith belief that the unauthorized person to whom the disclosure of protected health information was made would not reasonably have been able to retain the information. (Example: A covered entity, due to a lack of reasonable safeguards, sends a number of explanations of benefits (EOBs) to the wrong individuals. A few of the EOBs are returned by the post office, unopened, as undeliverable. In these circumstances, the covered entity can conclude that the improper addressees could not reasonably have retained the information.) It is important to note that if EOBs were not returned as undeliverable and the covered entity knows they were sent to the wrong individuals, those should be treated as potential breaches.
3 Vendor Relations and Privacy

By David Nelson, CHRC, CHPC, CISSP, CIPP/G¹

¹ David Nelson is Privacy Officer for the County of San Diego in California.

Introduction

Vendors play a critical function in aiding health care entities to deliver services. The vast array of what vendors might supply ranges from vital services such as physicians, temp nurses, billing or research services right down to educational pamphlets, paperclips and jugs of water for coolers. The range of services, from relatively simple to extremely complex, is reflected in the portrayal of the business relationship.

But problems can arise when products aren’t delivered in a timely fashion, the wrong quality of product is delivered, additional requested items are provided but with exorbitant additional fees attached, or our clients’ privacy rights are violated.

The privacy impact from vendors depends, too, on whether they just walk in and drop off a case of alcohol wipes, work on site extracting information from an electronic health record for quality assurance, or provide legal services from their home office in another state. The vendor who is required to enter sensitive areas to provide services or supplies requires a different level of privacy controls compared to the vendor who can do a drop and run from the loading dock. Another vendor who provides services elsewhere and never comes on site has other privacy risks. These variations must be accounted for in the principal control tool: the contract.

Disclaimer. This chapter is not a legal treatise on contracts, but is simply intended to help the privacy professional who may have only limited contract experience to focus on the construction of a contract and the issues that may arise in the vendor relationship. This chapter should help the privacy professional understand how to fit privacy concerns into the contract. Your counsel may have an opinion that varies on contract construction and the usefulness of some ideas expressed here. You should consult with your counsel and follow their advice.

This chapter will focus on suggested privacy controls that could be put in place in the contract and the purpose those controls serve in developing and maintaining vendor relations. Some pitfalls will be identified and guidelines will be provided for how to design the relationship (contract), monitor it while in process, and then close it so that both parties are confident that delivery met expectations.

Section 1—Pre Contract Assumptions

Developing the vendor relationship starts with the assumption that a contract will be used for most vendors. Sometimes it will be your contract and sometimes it will be the vendor’s contract. Most legal counsels would prefer to be the contract originator, as the originator has substantially more control of the relationship; but contract origination may be out of your hands. In either case, the pre-contract work is the beginning of the relationship and needs to account for the foreseeable privacy issues.

While a bit simplistic, it needs to be said that both parties to a contract should understand that the other party is subject to varying laws and regulations. In short, each party needs to understand that the other must live up to certain legal mandates. The reasonably competent privacy professional should understand both parties’ legal mandates. This may mean the health care privacy professional will have to go outside of their comfort zone (HIPAA, 42 CFR Part 2…) and learn the basics of other privacy laws (SOX, GLB, FTC Red Flags…).

Section 2—Mutual Understanding

The first piece to grasp is that contracts are about creating mutual understanding. This concept is vitally important, as all parts of the contract are put in place to enhance understanding, which supports a successful business relationship. The contract is not just another business hurdle. Contracts will incorporate many parts of your business operations and how they interact with your contractors. For example, topics like risk management, IT implementations, strategic planning, business continuity, and accounting requirements are just some of the issues that may have to be addressed in a contract. Implementing appropriate contractual measures mandates mutual understanding.

Privacy is the framework we operate under, and the laws and regulations tell us what we must protect. Yet specific security features will usually be the focus in a contract, as they support the privacy mandates. Privacy tells us what to protect, and security tells us how to protect it. It could be said that all privacy mandates and standards are implemented through security measures. But some concepts, like HIPAA “minimum necessary,” do not always have a security solution. Contracts can quote HIPAA, or other privacy laws, but unless specific implementation steps are included, a gap in understanding is created. Gaps equal increased risk.

Consider:

• Access into your building
• Where the contractor can go while in the building
• Where the contractor is forbidden to go
• Information the contractor should have access to
• What the contractor can do with information
• What the contractor cannot do with information.

Each of these represents a risk to the privacy profile. We express our expectations of vendors and the possible impact to our privacy program through our contract language.

Keeping all this in mind, no one wants a nine-hundred-page contract. The privacy professional must ensure that the contract supports the privacy profile. In order to make the concepts of contracting more understandable, the document can be separated into two parts. The first part is referred to as the boilerplate and the second part contains any specifics that must be accounted for.

The boilerplate is the part of the contract that has standard clauses that define all contractual relationships. The boilerplate may have indemnity clauses, insurance requirements, term and termination, and anything that would be considered a minimum standard in all contracts for your entity. Each entity has a slightly different list of boilerplate clauses.

To try and describe everything in a boilerplate contract would be onerous. So for the boilerplate, we must choose what is generally true for our entity in most situations. Your counsel has probably done this already. When a privacy item must be detailed because the implementation must be supported in a particular way, we come to the privacy clauses.

A note of caution: while boilerplate is in theory a designation for all contracts, you should ensure that each of the boilerplate clauses is appropriate. For example, you may have a HIPAA Business Associate (BA) language clause as part of your boilerplate or optional addendum. One item that is usually included in the BA language is the client’s right to request a copy of their information. In some contractual relationships, like contracted QA/QI activity, the contractor would never supply a copy of a record to the client because they have no relationship to the client. The client access section should probably be cut. Contracts are about mutual understanding, and having language that does not apply detracts from the understanding. It would not be appropriate to say “just ignore what doesn’t apply,” as the contractor may apply the same caveat to critical portions of the contract.

The second part of the contract could be considered adjustable and contains those clauses that change or are added for the specific contract. While sometimes only a few clauses are in this section, like scope of activities and pay schedule, this part of the contract is where the privacy professional can clearly outline privacy impacts from the vendor’s services.

Another concern in your relationship to the vendor is that vendors are not “partners” in your enterprise. This is true regardless of what the contract states they will provide, if you pay them or they pay you. Ethically a separation must be made so that this separation is clear to both parties. If the vendor is treated as a partner, deferred to as if they are a partner, referred to as a partner, it could lead to tensions in relations as the expectation of a partner is different than those of a vendor. Too often contractors in the “partnership” situation believe themselves to be indispensable to your organization with inalienable rights. They can become hostile when relegated, appropriately, to their role or called to task when they violate regulations that your entity must abide by and were notated in the contract.

A weak privacy profile characteristic that shows up in contracts is when the contract says “fully HIPAA compliant” either as a claim by the contractor or as a mandate from the contract originator. Does the statement mean anything in relationship to their role? Does it mean they are, or are to be, compliant with 5010 format? Will they do a full-blown risk analysis for their product in your environment? Can they capture disclosures electronically? Vendors may have done everything possible from their end to be HIPAA compliant, but until they account for your business operations it is just a marketing phrase. On the opposing side, the phrase has doubtful value as a mandate without describing exactly what it means for your vendor. Undefined phrases about privacy compliance are dangerous, as they lead to misunderstanding, and that leads to increased risk.

Achieving mutual understanding is the goal, and it takes work on both parties’ behalf to ensure the expectations meet delivery.

Section 3—Role of Vendors

Each vendor has a specific role in relation to the organization. So each role has a part in maintaining the privacy of information within the entity. The roles vary from a direct service provider, to ancillary service providers, to research services, to QA/QI, to housecleaning. But these vendor relationships should not detract from your privacy program.



While the role of the vendor must be defined, it must also show how they interact with your privacy profile. If you clearly define what constitutes interaction with your privacy profile, then you can state what part the vendor role plays in that profile. This step is actually a part of a risk analysis (or privacy gap analysis), where you define your critical services, the delivery of services and what types of privacy risks are associated with that particular service delivery.

Some privacy exposures to consider:

• Physical risks, many not apparent to those who work in offices not co-located with the service delivery site
• Things like extra water bottles that are stored in sensitive areas such as the medical records room
• Copier repair folks that must come into the back office where a lot of client information is still on paper (thus the copier)
• Maintenance personnel who have access 24/7 without oversight
• Contracted application development that has an electronic “back door” in the application so that the tech guru can get to the code
• Other risks that may not occur to those who are intimately involved with your setting.

Privacy Officers, or those responsible for privacy, must continually look for interaction with vendors and their impact to the privacy profile.

Section 4—Criticality

Once a clear understanding of the role of a vendor is established, then the criticality of their support function can be incorporated. If the service or items supplied by the vendor are critical to the success of your entity, the relationship takes on greater meaning. Like the role definition above, criticality should be part of the risk analysis so you can account for it in your contract. You may not have performed, or been part of the process of developing, the risk analysis in the past, but this is an opportunity to document and incorporate privacy concerns in relation to your critical services.

In light of the HIPAA requirement at 164.314(a)(1)(A) that for a serious breach by your vendor you “Terminate the contract or arrangement, if feasible; or (B) If termination is not feasible, report the problem to the Secretary,” it would seem important to document in advance that the vendor is critical to your service delivery. A privacy violation by a critical vendor means you must justify why you continue to use their services in spite of the violation. If you have to report the vendor to the Secretary for a privacy breach, the vendor shouldn’t be surprised.

As part of managing your vendor relationship, criticality plays a part in business continuity planning. If your expectations during a business outage (truck parked in the lobby) or a disaster (wildfire) are that the vendor continues to deliver services, so that you may continue to deliver critical services, the vendor needs to know your expectations from the front end of the relationship. Plus you need to ask if they have the capacity. This becomes really important if your contractor has to supply others who may be subject to the same disaster.

Section 5—Contract

“If I have to go into court and explain to the judge what the contract means, I haven’t done my job.” This advice came from Stephen Nocita, an attorney in Northern California, and it stands the test of time. The principal tool, and foundation, for establishing and controlling the relationship with vendors is the contract.

A contract is an exchange of promise, services for money, with a specific remedy for breach of contract. Being clear about contractual expectations keeps the vendor relationship healthy.

Whether you are writing a contract or receiving a contract, knowing what the separate clauses of the contract stand for is paramount in maintaining vendor relations. One note here is that if you are not the contract originator, you may have some additional difficulties accounting for a privacy requirement that may not apply to the vendor. For example, a large photocopier vendor would not have reason to be subject to HIPAA, yet the memory chip of the copier holds images that may be a part of the designated record set. Getting language into the vendor’s contract to wipe the memory may be a point of negotiation.

To keep this simple, there are some basic key elements to contracts:

I. Agreement (Offer and Acceptance)
II. Capacity to contract
III. Consideration
IV. Legal purpose
V. Legality of form
VI. Intention to create legal relations
VII. Consent to contract
VIII. Mistakes, undue influence, misrepresentation, duress.

I. Agreement (Offer & Acceptance)

The agreement is what drives the contract. This is where the parties agree exactly what is going to be delivered and what is going to be accepted in return for the delivery.

The agreement should specifically describe the deliverables. If it is important that a specific brand, quality, size, range of sizes or other particular is critical, you must make that clear in the offer. Most entities can relate to the experience of receiving some contracted element and upon reflection thinking “I didn’t know they even made these so cheap!” Living with some variation is not impossible, but if it is critical, get it described in the agreement.

Once you have a thorough description of what you are contracting for, you need to explain the basis for payment. Having specific milestones, whether they are hours, packages, counts of client contacts or donuts, is important so that payment has a measure. Later, deliverables will give a basis for remedies for non-performance.

II. Capacity to contract

The capacity to contract is the piece that points to the capacity (ability) to perform either end of the contract. Not only must the offeror be able to provide the remuneration, the contractor must be able to perform the contractual duties. A contract for the rebuild of the USS Midway, paying some thirty billion dollars, to my neighbor Bob who does small engine repair is futile, as neither party actually has capacity to fulfill the contract. If parties are to understand the agreement, knowing the other’s capacity may be required. Contracts or Requests for Proposals can ask for proof in the form of Single Audits from prior years, financial statements to address capacity, or bios of staff that will perform critical services.



One issue that comes up with information technology vendors is that some very useful products may be coming out of new companies with innovative ideas. Having some assurance that the company will be financially stable for the duration is sometimes an unresolvable problem. Reputable firms should have no objection to providing some form of assurance, other than that the information is sensitive and should be declared confidential in the agreement.

III. Consideration

The consideration is the remuneration part. If Bob does the rebuild, what am I giving him in “consideration” for his services? It could be money, physical objects, services, promised actions, abstinence from a future action and much more. The range of considerations can be extensive and complex, but must be defined.

IV. Legal purpose

Simplistically, you can’t write a contract to break the law or write a contract to go around a legal mandate. This requirement becomes important for privacy in vendor relations because if you have a mandate that you must not do something, you can’t just contract around the mandate and hire a vendor to provide the forbidden service. For example, HIPAA says that use of PHI for marketing products not directly related to the services provided, without an authorization from the client, is prohibited. If I provide immunization services for travelers, and I am a HIPAA-covered entity, I can’t contract with Harry’s email spamming service to contact my clients about my neighbor Bob’s small engine repair. This would be an attempt to contract around my legal responsibilities.

V. Legality of form

Contracts must be written in a certain way, and this legal formatting is where your counsel provides an invaluable service. They are aware of the kinds of contracts in your jurisdiction that require special wording or clauses. For privacy, this is important because many states have, or are instituting, language that affects you and your subcontractors and requires defined measures be in place regarding the privacy of information. The HIPAA Business Associate language, or assurances, is one federal example on the legality of form.

VI. Intention to contract

It should be clear in a clause whether the parties intend to be “legally bound” by the contract. This requirement is important, as it links any legal mandate for privacy down to the contract and makes the parties “legally bound” to abide by those mandates. An argument of one party that could come back after an unfortunate event might be “that doesn’t apply to me.” This argument would be quickly dismissed, as the party intended to contract with you, if you state it in the contract.

Along with the intent to contract comes any inclusion of third parties. Many contracts don’t involve a third party and have a statement about “no third party” involvement. Some contracts allow the principal contractor to use a third party (subcontractor), but the contract should state that the responsibility for performance still resides with the principal contractor.

For example, you may contract with a major company to maintain the perimeter and firewall of your IT environment. They may in turn contract with another vendor for an Intrusion Detection System. This subcontract does not change the principal contractor’s responsibility for the security, and the principal must pass down any specific mandates that might affect their duty to you. By including language that indicates that the “intention to contract” applies to subcontractors, who must be identified or approved by the principal, you reduce risk and enhance your privacy profile.

VII. Consent to contract

The consent to contract clause ensures that the individual who signs the contract has the legal right to contract for the entity. Requirements of CFO, CEO or Board signatures to contracts are used so that this hurdle is overcome, and the question is always: how high up in the organization? Usually the answer is dependent on the commitment required of the entire organization. If either end of the contract seems to commit all, or most, of an entity’s resources to the contract relationship, the signature should come from somewhere near the top of the organization. For example, if a contract requires that your entity file a Federal Wide Assurance (FWA) for your part in a research project, all research within your entity must now live up to the Office of Health Research Protection (OHRP) standards. This is a big commitment, and the contract and FWA should be signed by someone with authority to commit your entity.

Be wary of any contract that seems to ask for signatures at levels that do not correspond to the level of risk associated with the contract.

VIII. Mistakes, undue influence, misrepresentation, duress

The goal of this clause is to ensure that you and your vendor are prepared for what will happen when things go horribly wrong. Each of the terms above has a particular meaning, but the point of putting in the clause is to point out in advance actions that will be considered unacceptable. Think of this clause as the speed limits and associated penalties. If your vendor is intent on committing business mayhem, nothing will stop them; however, if the consequences are listed clearly, at least they know the cost in advance. Privacy issues should always be kept in mind in the remedies clause, as privacy regulations can have substantial penalties.

For example, if a vendor accidentally faxes ten pages of a client record to the wrong party, it could be classified as a “mistake” and have a low impact. Yet if they lose a flash drive with ten thousand clients’ names, addresses, dates of birth and SSNs, it is no longer a simple mistake. The possible penalties assessed by enforcement authorities, not to mention any class action suit that comes out of it, could be substantial.

Undue influence can be thought of as an ethical lapse where someone exerts either their authority, or an existing relationship, on the contract deliverables. Undue influence can also show up on oversight boards, which are typically filled with local movers and shakers who are making decisions for the business they oversee. Sometimes they fail to abstain from voting when the decision process is about contracting with their own companies or companies where they have investments.

Section 6—Privacy Concerns/Solutions

The best way to set privacy concerns in perspective is to start with legal requirements. Look for laws and regulations that apply to your entity, or apply to any data the vendor may be interacting with, and then decide what you must pass down to the vendor directly. The HIPAA Business Associate (BA) language is an example.

If you are a HIPAA-covered entity and your vendor is going to handle your PHI on your behalf, doing something you would have had to do, they are your BA. The Privacy Rule, and HITECH revisions, mandate that you get assurances from the vendor that they will protect the information and use it only in the contracted way or any other legal purpose that applies to them. The BA language must be in the vendor contract if you cannot get assurances any other way. Some vendors, particularly those providing cloud computing storage services, have elaborate security profiles that could meet the HIPAA BA assurances.

Another example is the 42 CFR Part 2 mandate for federally funded alcohol and drug programs. You have to have controls that ensure that any vendor who has access to your electronic information will protect it. It is required of you to require it of your vendor. By starting with legal mandates, you narrow down your privacy concerns, and then you can focus on things that might be important to privacy where no legal mandate exists. These can be thought of as moral concerns, many of which would also be considered common sense. For example, if you allow a vendor to enter information into your non-HIPAA-covered database, you should be sure to outline exactly how the entity can access and use the data and define any secondary purposes, even though it is not subject to HIPAA.

Some contracts have language that is so vague it could be interpreted in a wide variety of ways. For example, it has been customary to put in a clause that reads: vendor must abide by all applicable laws. This seems straightforward until you consider that some of the laws that apply to you and your data may not apply to the vendor. You may be a HIPAA-covered entity, where they may not. If they are doing something that has nothing to do with your PHI, they are not a business associate, but they may be on site where your PHI data is on every screen and desk. There is no legal way to declare them a business associate, as they do not meet the federal definition. Another example that may apply to you is if the vendor’s home office is in another state; then laws on your home turf may not occur to them. The “all applicable laws” language is weak at best and can be downright hazardous and expensive at worst.

If you intend for a law to apply to the relationship with your vendor, say so. If it applies to you, apply the mandates to your vendor but don’t claim that the law applies to them. In the example of the non-business associate, you could just change the term business associate to “contractor” and use the same language. Now, it is a performance measure. In stating which laws you are referring to, it becomes very specific. If the vendor cannot abide by the law, or the business language, they should tell you up front. One way to catch this legal interface is by putting all your requirements in your request for proposal, if you use one.

Section 7—Enforcement

Usually, this is the least favorite topic for most contract managers. However, if the relationship is to be successful, a clear picture of expectations and outcomes is necessary. In the event that the principal has to enforce a contract, and there is no contract reference in place, the vendor is taken by surprise. Privacy enforcement should not be a surprise, and if adequately spelled out in the contract, along with possible outcomes from contract violation, even the worst scenario of privacy violation becomes less brutal.

Be wary, as politics can play a significant role in enforcement. Having to enforce a contract for non-performance can be tricky where integrated communities exist. Your director sits on their board of directors, used to work for them, has many friends at their company… It is not politically palatable to have to hold funds back as an enforcement action when the contractor comes up short on performance. It is guaranteed to embarrass your director, and you may be blamed for failure to get mutually understandable language in the contract. Political acumen should be the watchword in close-knit communities; ensure that you have added enough enforcement language for non-performance so you can say, “I am so sorry, but we clearly outlined this in the contract.” If your director can fall back on the same contract language, they too will “be sorry,” but support enforcement.

Once the front end scope and performance measures are in place, you have the basis for enforcement. The response to contract violations always goes back to scope and performance. If delivery must be timely, if quantity is critical, if quality is critical, if vendor availability is critical, the contract becomes critical and the scope should reflect it. Penalties for non-performance can be scaled to criticality.

Monitoring and audit criteria, where critical privacy issues exist, can telegraph compliance in advance and support enforcement on the back end. Auditing is probably one of the most effective enforcement tools, as it can put you on site, in their shop, in their books.

To guide the vendor relationship, new contracts should have early-on monitoring criteria that can diminish as performance is corroborated. For example, if an authorization to release information is required by an IRB for research, an auditor can start at the end of the first month of research by reviewing fifty percent of the forms, the second month, twenty-five percent, the third month, ten percent, then ten percent in the sixth, ninth and twelfth months. The average comes out at about nine and one half percent of all forms, which may be high, but regardless of the percentages, the relationship is driven from the beginning to enforce good privacy habits. The diminishment, over time, of percentages reviewed is based on an acceptable rate of completion of forms. Anytime the ratio of completed acceptable forms does not meet expectations, increase the rate of forms monitored.

In turn, your audit criteria for the contract should be directly linked to monitoring and can be detailed in relationship to the percentages. Did they get all of the Authorizations for Release for a research project? Did they fax summary insurance intake sheets to the wrong hospital with names, SSN, DOB and address? Did they have a rogue employee that stole an unencrypted laptop with tens of thousands of clients’ PHI? Your contract, with performance measures and associated audit criteria, should clearly lay out how you will enforce the contract.

For privacy, probably the single largest concern is a data breach and whether notification of clients and/or the federal/state/local government is required. By putting language in the contract that, in effect, says each party is responsible for their own mistakes and that the vendor is required to tell you if they make a mistake, you reduce your mitigation risks. In conjunction with proper language, a clear definition of “data breach” should be included. It should define any kind of unauthorized access, not just electronic breach.

Summary

Too often the vendor relationship can sour because of miscommunication before, during or after delivery commencement. The litany of reasons for bad vendor relations is extensive. But with a little foresight about contract construction, site visits, monitoring and audit criteria, the worst pitfalls can be avoided and confidentiality can be accounted for throughout the relationship.



4 Human Research Privacy

By Rick King, CHC, CHPC, CIPP1

This chapter provides an overview of the ethical guidelines and United States regulations governing the privacy and confidentiality of individually identifiable information in human subject research. The chapter is organized into three parts:

• Ethical codes governing research,
• Major regulations, and
• Practical issues that come up in applying the regulations.

In addition, please see below for some basic definitions related to human subject research privacy.

Basic Definitions

The privacy professional should have an understanding of the following basic terms related to research privacy: Privacy, Confidentiality, Research, and Human Subjects.

The terms "privacy" and "confidentiality" are sometimes used in casual conversation to mean the same thing, but it is important to distinguish between them. The National Science Foundation provides the following useful definitions:2

Privacy "refers to persons; and to their interest in controlling the access of others to themselves."

Confidentiality "refers to data; and to the agreements that are made about ways in which information is restricted to certain people."

When we think about privacy in the context of research, we aren't focusing on all types of research, but specifically on human subject research, which leads us to the other two terms, "research" and "human subject."

Research. The Common Rule and HIPAA define "research" as "a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge."3 Note that in this definition, "research" is not limited to human subject research. FDA regulations do not define the term "research," but instead define the term "clinical investigation" as "any experiment that involves a test article [regulated by the FDA] and one or more human subjects…"4 A test article includes, but is not limited to, drugs, devices, or biologicals.

Human Subject. The Common Rule defines a "human subject" as "a living individual about whom an investigator…conducting research obtains…[d]ata through intervention or interaction with the individual or,…[i]dentifiable private information." "Intervention" means physical procedures and manipulations of the subject or their environment (such as a blood draw), "interaction" means communication or interpersonal contact between an investigator and a subject, and "private information" means information about behavior where the individual can expect no observation or recording is taking place, and information provided for a specific purpose by an individual with a reasonable

1 Rick King is the Compliance and Privacy Officer for Massachusetts Eye and Ear Infirmary.
2 Frequently Asked Questions and Vignettes, Interpreting the Common Rule for the Protection of Human Subjects for Behavioral and Social Science Research, Nov 13, 2008, The National Science Foundation, 9 Jan. 2011, http://www.nsf.gov/bfa/dias/policy/hsfaqs.jsp#difference.
3 45 CFR 46.102(d), and 45 CFR 164.501.
4 21 CFR 50.3(c).

expectation that it will not be made public (such as a medical record).5

The FDA defines a "human subject" as "an individual who is or becomes a participant in research, either as a recipient of the test article [or] as a control. A subject may be either a healthy human or a patient."6

HIPAA does not define "human subject," but its requirements related to research apply only to protected health information (PHI), which is health information that can identify an individual (and will be discussed more fully below).7 Of note, while the Common Rule definition of "human subject" refers to living individuals, and the FDA definition implies that participants are alive, HIPAA in general also applies to the PHI of deceased individuals.8 (There are, however, some provisions that provide flexibility for the PHI of deceased individuals used in research, which also will be discussed more fully below.)

Ethical Codes Governing Research

Three ethical codes, the Nuremberg Code, the Belmont Report and the Declaration of Helsinki, provide both a historical context and an ethical framework from which to understand the specific U.S. regulations that apply to research privacy.

The codes address broad themes related to the ethical conduct of research, such as:

• Obtaining individual consent of research participants,
• Respect for human subjects,
• Social justice,
• Good science,
• The limitation of risks and harm to subjects, and making sure that risks taken are commensurate with the potential benefit of research,
• Both the investigator's and the participant's ability to end an individual's participation in a trial, and
• An investigator's ability to end a trial.

Written before today's widespread concern about privacy and confidentiality, neither the Nuremberg Code nor the Belmont Report explicitly references privacy or confidentiality. However, we can understand in today's information-based society how the concepts of obtaining informed consent from research participants, and making sure that risks taken in research are commensurate with the potential benefit of the research, do relate to privacy and confidentiality. In particular, we understand the importance of informing research participants about how their individually identifiable information will be collected, used, disclosed and protected, and obtaining their consent to use their information. In addition, the design of research studies must take into account, and provide adequate protections against, the financial, reputational or other risks of individually identifiable information being breached or inappropriately used or disclosed.

The Declaration of Helsinki, while first developed in 1964, is a code for the ethical conduct of research that has been updated to reflect the privacy and confidentiality concerns related to the conduct of research in today's society. Brief summaries of the three codes are found below.

Nuremberg Code

In 1947, the Nuremberg Military Tribunal included as part of its verdict in the trial of doctors who

5 45 CFR 46.102(f).
6 21 CFR 50.3(g).
7 45 CFR 160.103.
8 45 CFR 164.502(f).

were involved in Nazi human experimentation the Directives for Human Experimentation, which is known as "The Nuremberg Code."9 The code covers ten points, three of which include the following concepts that are relevant to a discussion of privacy:

• Consent,
• Avoiding all unnecessary physical and mental suffering and injury, and
• Ensuring that the degree of risk to be taken never exceeds that determined by the humanitarian importance of the problem to be solved by the experiment.

Belmont Report

In 1979, following the discovery of ethical lapses in medical research in the U.S., such as the 1932-1972 Tuskegee syphilis study (where African-American men with syphilis were not informed of their diagnosis and were denied medically appropriate treatment),10 the National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research published Ethical Principles and Guidelines for the Protection of Human Subjects of Research,11 which is known as the "Belmont Report," after the conference center where it was in part developed.12

The Belmont Report identified the difference between medical practice and research, and determined that where research is taking place, three basic ethical principles need to be followed to protect human subjects:

• Respect for Persons. This principle relates to the individual autonomy of each person, notes that some individuals have "diminished autonomy," and that those with diminished autonomy must be adequately protected.
• Beneficence. This principle relates to doing no harm, maximizing possible benefits, and minimizing possible harms.
• Justice. This principle relates to the selection of research participants to assure that research does not inappropriately take advantage of disadvantaged populations.

The report expanded upon these ethical principles, and applied them in three areas:

• Informed consent,
• Assessment of risk and benefits, and
• Selection of subjects.

Practical concepts identified in the report that relate to a discussion of privacy in research include the notion of requiring informed consent from research participants, and that the informed consent process provide participants with sufficient information about the study so that they can "understand clearly the range of risk and the voluntary nature of participation."13 Furthermore, the report identifies that a review committee should determine whether the risks to participants in a study are justified.

9 Directives for Human Experimentation, National Institutes of Health, Office of Human Subjects Research, 9 Jan. 2011, http://ohsr.od.nih.gov/guidelines/nuremberg.html.
10 "Tuskegee syphilis experiment," Wikipedia, the free encyclopedia, 9 Jan. 2011, http://en.wikipedia.org/wiki/Tuskegee_Syphilis_Study.
11 The Belmont Report, Ethical Principles and Guidelines for the Protection of Human Subjects of Research, April 18, 1979, The National Commission for the Protection of Human Subjects of Biomedical and Behavioral Research, 9 Jan. 2011, http://ohsr.od.nih.gov/guidelines/belmont.html.
12 "Belmont Report," Wikipedia, the free encyclopedia, 9 Jan. 2011, http://en.wikipedia.org/wiki/Belmont_Report.
13 Belmont Report, Part C.1.

Declaration of Helsinki

A third ethical code governing research is the World Medical Association Declaration of Helsinki, Ethical Principles for Medical Research Involving Human Subjects. The Declaration of Helsinki was adopted by the World Medical Association (WMA) in Helsinki, Finland in 1964, and has been amended at subsequent WMA General Assemblies through 2008.14 The WMA is an international association of physicians, and the Declaration of Helsinki states that it applies to physicians engaged in research regardless of the legal or regulatory frameworks that may apply in the jurisdictions where their research is carried out.

The current version of the Declaration of Helsinki comprises 35 paragraphs, including the following three that directly relate to privacy:

• "It is the duty of physicians who participate in medical research to protect the life, health, dignity, integrity, right to self-determination, privacy, and confidentiality of personal information of research subjects."15
• "Every precaution must be taken to protect the privacy of research subjects and the confidentiality of their personal information and to minimize the impact of the study on their physical, mental and social integrity."16
• "For medical research using identifiable human material or data, physicians must normally seek consent for the collection, analysis, storage and/or reuse. There may be situations where consent would be impossible or impractical to obtain for such research, or would pose a threat to the validity of the research. In such situations, the research may be done only after consideration and approval of a research ethics committee."17

Major Regulations

The four principal United States regulations governing the privacy and confidentiality of individually identifiable information in research discussed below are:

• Protection of Human Subjects, also known as the Common Rule (45 CFR 46, Subpart A),
• FDA regulations on the Protection of Human Subjects and Institutional Review Boards (21 CFR 50 and 56),
• HIPAA Privacy Rule (45 CFR 160 and 164), and
• Public Health Service Act Certificates of Confidentiality (Section 301(d), 42 U.S.C. 241(d)).

Regulatory "Who's Who"

All four regulations are overseen by offices or operating divisions of the Department of Health and Human Services as noted in the chart below.

Common Rule

The Protection of Human Subjects regulation was first published in 1974, and was updated in

14 World Medical Association Declaration of Helsinki, Ethical Principles for Medical Research Involving Human Subjects, Oct. 22, 2008, World Medical Association, 9 Jan. 2011, http://www.wma.net/en/30publications/10policies/b3/17c.pdf.
15 Declaration of Helsinki, 11.
16 Declaration of Helsinki, 23.
17 Declaration of Helsinki, 25.

1981 in response to the Belmont Report.18 The regulation contains Subparts A through E as follows:

• Subpart A: Basic HHS Policy for Protection of Human Research Subjects,
• Subpart B: Additional Protections for Pregnant Women, Human Fetuses and Neonates Involved in Research,
• Subpart C: Additional Protections Pertaining to Biomedical and Behavioral Research Involving Prisoners as Subjects,
• Subpart D: Additional Protections for Children Involved as Subjects in Research, and
• Subpart E: Registration of Institutional Review Boards.

In 1983 the President's Commission for the Study of Ethical Problems in Medicine and Biomedical and Behavioral Research issued "Implementing Human Research Regulations: The Adequacy and Uniformity of Federal Rules and of Their Implementation" (the Commission Report), which concluded that 45 CFR 46, Subpart A is the benchmark policy for federal agencies.19 In 1991, Subpart A was adopted by 16 federal agencies and became known as the Common Rule.20 Today, the Common Rule applies to 18 agencies, one of which is HHS.21 Subparts B through E are not part of the Common Rule.22

Applicability

The Common Rule "applies to all research involving human subjects conducted, supported or otherwise subject to regulation by any federal department or agency"23 that has adopted the Common Rule. The Common Rule addresses requirements to protect human subjects in general, with only a subsection of the rule addressing privacy and confidentiality requirements. In addition, the Common Rule "requires compliance with pertinent federal laws or regulations which provide additional protections for human subjects."24 Each institution engaged in research that is subject to federal regulation must provide a written assurance of compliance with the Common Rule, which may be filed centrally with the HHS Office for Human Research Protections (OHRP).25

Institutional Review Boards

The Common Rule requires human subject research to be reviewed by Institutional Review Boards (IRBs). IRBs must perform both an initial review of proposed research and then conduct continuing reviews not less than once a year. The rule establishes the following criteria that must be met in order for an IRB to approve research:26

• Risks to subjects are minimized,
• Risks to subjects are reasonable in relation to anticipated benefits,
• Selection of subjects is equitable,
• Informed consent is sought from each prospective subject or their legally authorized representative,

18 Erin D. Williams, Federal Protection for Human Research Subjects: An Analysis of the Common Rule and Its Interactions with FDA Regulations and the HIPAA Privacy Rule, 2005, Congressional Research Service, The Library of Congress, 11, 18 Dec. 2010, http://www.policyarchive.org/handle/10207/bitstreams/2435.pdf.
19 Williams, 15.
20 Williams, 15.
21 Williams, Summary.
22 For a complete history of the Common Rule see Williams.
23 45 CFR 46.101(a).
24 45 CFR 46.101(e).
25 45 CFR 46.103.
26 45 CFR 46.111.

• Informed consent is appropriately documented,
• When appropriate, the research plan makes adequate provisions for monitoring data to ensure the safety of subjects,
• When appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data, and
• When some or all of the subjects are likely to be vulnerable to coercion or undue influence, additional safeguards have been included in the study to protect the rights and welfare of these subjects.

While the rule makes IRBs directly responsible for assuring that human subject research studies adequately protect the privacy of subjects and the confidentiality of data, the rule does not provide any additional detail on the standards that an IRB should follow in order to do so. Typically, an IRB will require information on what personally identifiable information will be collected, used and disclosed as part of the study, and how that information will be safeguarded, as part of a human subject research study's application for approval. In addition, at least for organizations that are subject to HIPAA, IRBs will expect applicants to comply with HIPAA and to follow the organization's HIPAA policies and procedures for both privacy and security, which are discussed more fully below.

It should be noted that the Common Rule also confers on IRBs the authority to suspend or terminate their approval of research.27 Therefore, if a human subject research study fails to appropriately protect privacy and confidentiality, the IRB may halt the study.

General Requirements for Informed Consent

The Common Rule also establishes requirements for the process of obtaining, the content, the documentation, and the waiver of informed consent.28

In general, the Common Rule requires that investigators provide subjects with "sufficient opportunity to consider whether or not to participate" in the study, and that consent is obtained under circumstances that "minimize the possibility of coercion or undue influence."29 The Common Rule also requires that the informed consent use language understandable to the subject, and specifies that the informed consent may not waive the subject's legal rights or "release the investigator, sponsor, institution or its agents from liability for negligence."30

The Common Rule establishes the following basic elements that must be part of an informed consent:31

• A statement that the study involves research, its purpose, the duration of the subject's participation, a description of procedures to be followed, and identification of experimental procedures,
• A description of reasonably foreseeable risks or discomforts,
• A description of benefits to the subject or others,
• A disclosure of alternative treatments available, if any,
• "A statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained,"

27 45 CFR 46.113.
28 45 CFR 46.116 – 117.
29 45 CFR 46.116.
30 45 CFR 46.116.
31 45 CFR 46.116(a).

• If the research involves more than minimal risk, an explanation of any compensation and medical treatment that are available for injuries,
• A contact for questions and to report injury, and
• A statement that participation is voluntary, and that the subject may discontinue participation in the study with no loss of benefits to which the subject is otherwise entitled.

The Common Rule also establishes the following additional elements of informed consent:32

• A statement that a particular treatment or procedure that is part of the study may involve unforeseeable risks to the subject,
• Circumstances under which the investigator may terminate the subject's participation,
• Additional costs to the subject that may result from participation,
• Consequences of the subject's decision to withdraw from research and procedures for orderly termination by the subject,
• A statement that significant new findings developed during the research that may relate to the subject's willingness to participate in the study will be provided to the subject, and
• The approximate number of subjects in the study.

Note that while the IRB must determine in its review of a human subject research study that there are "adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data," the Common Rule only requires that the informed consent form provided to subjects include information about "the extent, if any, to which confidentiality of records identifying the subject will be maintained." Thus the Common Rule requires that the study tell subjects who or what institutions will have access to their personal information, but doesn't require a study to outline for subjects specifically what information or types of information about the subject will be collected, used or disclosed, or how the information will be protected, though such additional information may be provided. As discussed in the section on HIPAA below, for research being conducted by organizations covered by HIPAA, the HIPAA authorization will require more explicit communication regarding information to be used or disclosed for research purposes.

IRB Alterations or Waivers

The Common Rule allows an IRB to alter requirements of the informed consent procedure or content, or to waive obtaining informed consent, if the:33

• Research involves no more than minimal risk to the subjects,
• Waiver will not adversely affect the rights and welfare of the subjects,
• Research could not practicably be carried out without the waiver or alteration, and
• Whenever appropriate, subjects will be given pertinent information after participation.

The Common Rule also provides for the waiver or alteration of informed consent for public benefit programs research.34

32 45 CFR 46.116(b).
33 45 CFR 46.116(d).
34 45 CFR 46.116(c).

Documentation of Informed Consent

The Common Rule specifies that informed consent must be documented by a written consent form approved by the IRB and signed by the subject or their legal representative.35 The informed consent form also may be read to the subject, and then signed, as long as the subject has had the chance to read the form.36 Alternatively, the required elements of an informed consent may be presented orally to a subject, and a short form written consent signed by the subject. In this case, a written summary of the oral presentation must be approved by the IRB, and the presentation must be witnessed. The presenter must sign the written summary; the witness must sign the written summary and the short form consent, and the subject must also be provided a copy of the written summary.37

In instances where an IRB has not waived the requirement to obtain informed consent, the IRB may nonetheless waive the requirement that the investigator obtain signed consent if either:

• The "only record linking subject and the research would be the consent document and the principal risk would be potential harm resulting from a breach of confidentiality."38 In this case, each subject should be asked whether they wish to have documentation linking them to the study and the subject's wishes should govern.
• The "research presents no more than minimal risk of harm to subjects and involves no procedures for which written consent is normally required outside of the research context."39

Common Rule Privacy Summary

The Common Rule's privacy requirements can be summarized in the following four points:

• The IRB must determine whether there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data,
• The informed consent form must state the extent, if any, to which confidentiality of records identifying the subject will be maintained,
• The IRB may waive or alter the process or content requirements for informed consent, and
• Documentation of informed consent may be waived in limited, minimal risk situations.

FDA Regulations

There are two primary FDA regulations governing research privacy, which are Protection of Human Subjects (21 CFR 50), which was first published in 1980, and Institutional Review Boards (21 CFR 56), which was first published in 1981. In 1991, the FDA regulations were largely harmonized with the Common Rule.40

Applicability

The FDA regulations apply to clinical investigations regulated by the FDA, involving:

• Drugs,
• Biologicals,
• Medical devices,

35 45 CFR 46.117(a).
36 45 CFR 46.117(b)(1).
37 45 CFR 46.117(b)(2).
38 45 CFR 46.117(c)(1).
39 45 CFR 46.117(c)(2).
40 Bonnie M. Lee, Comparison of FDA and HHS Human Subject Protection Regulations, 2000, United States Food and Drug Administration, 18 Dec. 2010, http://www.fda.gov/ScienceResearch/SpecialTopics/RunningClinicalTrials/EducationalMaterials/ucm112910.htm.

• Human food additives,
• Color additives, and
• Electronic products.

These items are referred to as "test articles."41 As a reminder, "clinical investigations" as defined by the FDA are research studies that involve "a test article and one or more human subjects."42

Privacy Differences from the Common Rule

Because the FDA regulations were harmonized with the Common Rule, their requirements are largely the same. Differences arise in a few instances due to the nature of FDA regulated clinical investigations. Privacy differences between the two rules are as follows:

• Informed consent must include a "statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained and that notes the possibility that the Food and Drug Administration may inspect the records."43
• FDA regulations do not allow an IRB to waive documentation of informed consent where the informed consent form would be the only link between the subject and the research. This makes sense, since research where the only link between the subject and the research is the informed consent form and the only risk to the subject is a breach of confidentiality is unlikely to involve a test article.
• There is no ability for an IRB to alter or waive the requirements for informed consent, since the Common Rule waiver conditions could not be met in FDA regulated research.44

Please see the FDA document Comparison of FDA and HHS Human Subject Protection Regulations, prepared by Bonnie M. Lee, FDA, 2000, for an excellent crosswalk between the Common Rule and FDA regulations.

Sample Informed Consent Confidentiality Language

The language used in informed consent forms related to privacy and confidentiality will vary depending on the organization. HIPAA-covered entities may include HIPAA authorization language in the informed consent document, or may reference a separate HIPAA authorization. Entities that are not covered entities under HIPAA may have very minimal statements that strictly comply with the Common Rule and FDA regulations, or may choose to provide significant detail on the use or disclosure of subjects' information. A sample of informed consent confidentiality language for use by a HIPAA-covered entity that is using a separate HIPAA authorization form is attached as Attachment A. Many organizations publish their informed consent forms on-line, which can provide helpful examples as well.45

41 21 CFR 50.3(j).
42 21 CFR 50.3(c).
43 21 CFR 50.25(a)(5).
44 Lee.
45 Template informed consent forms can be found on-line for most major research hospitals/universities. Below are links to four:
Johns Hopkins Medicine: http://www.hopkinsmedicine.org/bin/f/f/hipaaconsentform.doc,
Partners Healthcare: http://healthcare.partners.org/phsirb/irbforms/Consent_Templates_and_Instructions/PHS_Research_Consent_Form_General_2.2010.doc,
University of Alabama at Birmingham: http://www.uab.edu/irb/forms/sample-consent-form.doc,
University of Louisville: http://louisville.edu/research/humansubjects/applying-to-the-irb/bio-icf1_GINA_1-5-10.doc.

HIPAA Privacy Rule

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) led to the development by the Secretary of Health and Human Services (HHS) of regulations governing both the privacy and security of protected health information. The HIPAA Administrative Simplification Regulations contain the content known as the "Privacy Rule" in 45 CFR 160 – General Administrative Requirements, and in 45 CFR 164, Subpart E – Privacy of Individually Identifiable Health Information, with which most covered entities had to comply by April 14, 2003, and which established significant requirements on the use of protected health information for research purposes. The Health Information Technology for Economic and Clinical Health (HITECH) Act, which came into law in February 2009, resulted in the release by HHS of the Breach Notification for Unsecured Protected Health Information; Interim Final Rule, which became effective September 23, 2009 (and which due to its "interim" status may be subject to change). In addition, HHS issued Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health (HITECH) Act; Proposed Rule, on July 14, 2010, which is not yet effective as of this writing and is subject to change. This section will refer to all of the above generally as "HIPAA."46

Applicability

HIPAA applies to protected health information (PHI) maintained by covered entities, and contains specific requirements related to the use of PHI by a covered entity for research purposes. While the Common Rule and FDA regulations are focused on the conduct of research and incorporate requirements related to privacy, HIPAA is focused on the privacy of PHI and incorporates requirements related to research.

Covered entities under HIPAA include entities that are a:

• Health plan,
• Health care clearinghouse, or
• Health care provider who transmits any health information in electronic form in connection with a transaction covered by HIPAA.47

HIPAA Ground Rules

Before discussing the specifics of HIPAA related to research, it is important to review a few important definitions (PHI, use and disclosure), and the purpose-driven nature of HIPAA.

PHI. The information that is governed by HIPAA is protected health information, which is generally defined as individually identifiable health information that includes "demographic information collected from an individual, and:

(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

(i) That identifies the individual; or

(ii) With respect to which there is a reasonable basis to believe the

46 For a general overview of HIPAA and research, see the document "Research" on the Health and Human Services, Office for Civil Rights website: "Research," April 3, 2003, United States Department of Health and Human Services, 5 Feb. 2011, www.hhs.gov/ocr/privacy/hipaa/understanding/special/research/index.html.
47 45 CFR 160.103.

information can be used to identify the individual."48

In essence, PHI is the combination of past, current or future information related to health, provision of care or payment, together with individual identifiers including the following:49

• Names,
• All geographic subdivisions smaller than a State,
• All elements of dates (except year) including birth date, admission date, discharge date and date of death, and all ages over 89,
• Telephone numbers,
• Fax numbers,
• Electronic mail addresses,
• Social Security numbers,
• Medical record numbers,
• Health plan beneficiary numbers,
• Account numbers,
• Certificate/license numbers,
• Vehicle identifiers and serial numbers, including license plate numbers,
• Device identifiers and serial numbers,
• Web Universal Resource Locators (URLs),
• Internet Protocol (IP) address numbers,
• Biometric identifiers, including finger and voice prints,
• Full face photographic images and any comparable images, and
• Any other unique identifying number, characteristic, or code.

Use and Disclosure. HIPAA makes a distinction between the use of PHI and the disclosure of PHI:

• Use of PHI is defined as "the sharing, employment, application, utilization, examination, or analysis of [PHI] within an entity that maintains such information."50
• Disclosure of PHI is defined as "the release, transfer, provision of, access to, or divulging in any other manner of information outside the entity holding the information."51

PHI is thus used within a covered entity and disclosed outside of a covered entity.

Purpose Driven. HIPAA establishes rules about how PHI may be used and disclosed. These rules are purpose driven. In other words, what a covered entity is allowed to do with PHI, and whether the use or disclosure requires written, oral or no authorization from the patient, depends on the purpose of the use or disclosure.

Generally (with certain exceptions for other special purposes), HIPAA permits the use and disclosure of PHI without a patient's authorization for purposes of:52

• Treatment,
• Payment, and
• Health Care Operations.

Uses or disclosures of PHI for research purposes generally require an authorization from the individual, with a few exceptions as more fully described below.

The purpose-driven nature of HIPAA can be challenging. A physician who provides treatment to patients may be accustomed to unlimited access to a patient's PHI within a covered entity for the purpose of providing treatment. However, when that same physician wishes to use the same PHI for purposes of research, the physician must comply with the more stringent research provisions of HIPAA. Similarly, a physician may regularly disclose PHI to physicians outside of the covered entity for purposes of coordinating care for a patient. However, the same physician

48 45 CFR 160.103. For more detail regarding certain types of individually identifiable health information that are not considered PHI, please see the detailed definition of PHI in HIPAA.
49 This list of individual identifiers comes from 45 CFR 164.514, which lists the identifiers that must be removed in order to de-identify a data set.
50 45 CFR 160.103.
51 45 CFR 160.103.
52 45 CFR 164.502.

must also comply with the more stringent research The core elements and requirements of a HIPAA
provisions of HIPAA in order to disclose the authorization are the following:53
same PHI to an external physician for research
purposes. • A description of the PHI to be used or
disclosed,

HIPAA Research Requirements • The person or class of persons who are


authorized to make the use or disclosure,
Under HIPAA, the use and disclosure of PHI for
research purposes is permitted if: • The person or class of persons to whom the
authorized use or disclosure may be made,
• An authorization is obtained from the
individual, • A description of the purpose of the use or
disclosure,
• An IRB or privacy board has documented
an alteration or waiver of an individual • An expiration date or event for the
authorization, authorization

• The PHI is used preparatory to research, –– “End of research study” or “none” may be
used in authorizations for research or for a
• The PHI is for research on decedents, or
research database or repository, and
• The PHI is part of a limited data set.
• The signature of the individual and date.
In addition, HIPAA establishes special
In addition, a HIPAA authorization must include
requirements related to:
the following required statements:54
• A patient’s right to access his or her PHI
• The individual’s right to revoke the
obtained as part of a research study,
authorization in writing,
• Accounting for disclosures made for purposes of
• Any exceptions to the individual’s right to
research,
revoke the authorization and a description of
• Research databases and repositories, and how to revoke the authorization,

• Data breaches. • The ability or inability to condition treatment,


payment, enrollment or eligibility for benefits
Each of the above topics is discussed in more on the individual’s authorization, and
detail below.
• The potential for PHI disclosed pursuant to
Research Authorizations. Under HIPAA, the authorization to be subject to re-disclosure
unless an exception discussed below applies, a by the recipient and to be no longer subject to
covered entity must obtain a patient’s written HIPAA.
authorization to use or disclose the patient’s PHI
for research purposes.
53 45 CFR 164.508(c)(1).
54 45 CFR 164.508(c)(2).

42 Health Care Privacy Compliance Handbook


Finally, HIPAA establishes the following additional rules related to authorizations:

• They must be written in plain language,55

• The covered entity must provide the subject with a signed copy of the authorization,56

• Research authorizations may be combined with “any other type of written permission for the same research study,”57 which typically would be the informed consent required by the Common Rule and FDA regulations, and

• A covered entity may condition the provision of research-related treatment on the provision of an authorization by a patient.58

Sample Research Authorizations. As with informed consents, the language used in HIPAA research authorizations will vary depending on the organization and type of research-related use or disclosure. Sample HIPAA authorization forms are attached at the end of this chapter as Attachments B, C, D and E.

• Attachment B is a sample HIPAA research authorization form provided by the National Institutes of Health,59

• Attachment C is a generic HIPAA research authorization form used by the author for a simple organization, and assumes that the research is being conducted by the covered entity that holds the research subject’s PHI,

• Attachment D is a HIPAA research authorization form used by the author for a research database or repository where the PHI will be held by an entity outside of a covered entity, and

• Attachment E is a HIPAA research authorization form used by the author for a research database or repository where the PHI will be held by a covered entity.

Many organizations publish their HIPAA authorization forms on-line, which can provide helpful examples as well.60

Alteration or Waiver of Authorization. A covered entity may use or disclose PHI for research purposes without an individual’s HIPAA authorization, or using a HIPAA authorization that is modified to not contain all the required elements of a valid HIPAA authorization, if either an IRB or a privacy board approves the alteration or waives the requirement for an authorization.61 While the composition and proper functioning of an IRB is established by the Common Rule, privacy boards were established by HIPAA as an IRB alternative whose function is limited to approving alterations or waivers of HIPAA authorizations. A privacy board:

• “Has members with varying backgrounds and appropriate professional competency as necessary to review the effect of the research protocol on the individual’s privacy rights and related interests;”62

• “Includes at least one member who is not affiliated with the covered entity, not affiliated with any entity conducting or sponsoring the research, and not related to any person who is affiliated with any of such entities; and”63

• “Does not have any member participating in a review of any project in which the member has a conflict of interest.”64

The criteria established by HIPAA for an alteration or waiver of authorization are the following:65

• “The use or disclosure of [PHI] involves no more than a minimal risk to the privacy of individuals, based on” an adequate:

–– “[P]lan to protect the identifiers from improper use and disclosure,”

–– “[P]lan to destroy the identifiers at the earliest opportunity” unless there is a health or research jurisdiction to retain the identifiers, or retention is required by law, and

–– Written assurance that PHI will not be reused or disclosed to any other person or entity, except as required by law, for research oversight, or for other research permitted by HIPAA, and

• The research could not practicably be conducted without the:

–– Waiver or alteration, and

–– Access to and use of the PHI.

Alterations or waivers must be documented by the IRB or privacy board, and the documentation must identify the board that provided the alteration or waiver and include:66

• The date of action by the board,

• A statement that the alteration or waiver criteria were met,

• A description of the PHI for which access or use the board determined was necessary for the research,

• A signature of the approving board’s chair or other designated member, and

• A statement that the alteration or waiver of authorization has been reviewed and approved under either normal or expedited review procedures.

An IRB must follow the requirements of the Common Rule regarding full board or expedited review procedures. A privacy board must review proposed research at convened meetings with a majority of its members present, including one non-affiliated member. Approvals must be made by a majority of those present. Expedited reviews may be made by the privacy board chair or a designee as long as the research involves no more than minimal risk to privacy of the individuals’ PHI.67

Reviews Preparatory to Research. A covered entity may allow a researcher to use PHI “preparatory to research” if the covered entity obtains representations from the researcher that:68

• The use or disclosure is solely to review PHI “as necessary to prepare a research protocol or for similar purposes preparatory to research,”

• No PHI “is to be removed from the covered entity by the researcher in the course of the review,” and

• The PHI sought “is necessary for the research purposes.”

Interestingly, “preparatory to research” is not defined in the Privacy Rule, other than the statement above that it involves using or disclosing PHI “as necessary to prepare a research protocol or for similar purposes preparatory to research.”

The document Clinical Research and the HIPAA Privacy Rule, by the NIH, provides useful detail and context about the scope of uses of PHI “preparatory to research,” and how PHI may be appropriately used to recruit potential research subjects:69

• “Under the ‘preparatory to research’ provision, covered entities may use and disclose PHI to researchers to aid in study recruitment.” In general, covered entities may allow a researcher to identify, but not contact, potential study participants, however,

• “If the researcher is a workforce member of a covered entity, the researcher may contact the potential study participant, as part of the covered entity’s health care operations, for the purposes of seeking Authorization,” and

• “Alternatively, the covered entity may contract with a business associate—who may be a researcher—to assist in contacting individuals on behalf of the covered entity to obtain their Authorizations.”

• “In addition, a covered health care provider may discuss treatment alternatives, which may include participating in a clinical trial, with the patient as part of the patient’s treatment or the covered entity’s health care operations.”

Decedents. In general, the requirements of HIPAA apply to the PHI of decedents. However, a covered entity may allow a researcher to use, or may disclose to a researcher, PHI of decedents if the covered entity obtains from the researcher:70

• “Representation that the use or disclosure sought is solely for research on the PHI of decedents;”

• “Documentation, at the request of the covered entity, of the death of such individuals, and”

• “Representation that the [PHI] for which use or disclosure is sought is necessary for the research purposes.”

Note that a researcher can also access the PHI of decedents through other means as well, such as obtaining the authorization of the decedent’s legal representative or through a waiver of HIPAA authorization granted by an IRB or a privacy board.

Limited Data Sets. A covered entity may use or disclose a limited data set for research purposes (as well as for public health and health care operations). In order to do so, the covered entity must enter into a data use agreement with the researcher or entity conducting the research that:71

• Establishes permitted uses and disclosures of the PHI,

• Establishes who is permitted to use or receive the data set,

• Provides that the recipient will:

–– Not use or further disclose the PHI other than as permitted by the agreement or as required by law,

–– Use appropriate safeguards to prevent the use or disclosure of the PHI other than as provided for under the data use agreement,

–– Report to the covered entity any unauthorized use of the PHI,

–– Ensure its agents and subcontractors agree to the same restrictions as the recipient regarding the use or disclosure of the PHI, and

–– Not identify the PHI or contact the individuals.

Limited data sets exclude the following direct identifiers:

• Names
• Postal address information, other than town or city, state and zip code
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images

The practical effect of a limited data set is that it allows a researcher to use more detailed address information and full dates, which would otherwise not be available for use in a fully de-identified data set.

Access to Research PHI. HIPAA establishes a patient’s right to access PHI.72 However, a covered entity may temporarily suspend a patient’s access to PHI that was created or obtained by a covered health care provider in the course of research that includes treatment as long as the research is in progress. In order to suspend the patient’s access to the research-related PHI, the patient must have agreed to the suspension of their right to access their research-related PHI when they consented to participate in the research study. The provider must also inform the patient that their right to access their PHI will be reinstated upon completion of the research.73

Accounting of Disclosures of PHI. HIPAA requires covered entities to be able to provide patients with an accounting of disclosures of PHI about them.74 HIPAA excludes from the accounting requirement certain disclosures, which include, but are not limited to, disclosures made pursuant to a patient’s authorization, and those made as part of a limited data set. As a result, disclosures of PHI for research purposes other than those made with the patient’s authorization or as part of a limited data set are subject to the accounting requirement and must be tracked by the covered entity. Thus, research-related disclosures of PHI that will need to be tracked include disclosures that are made preparatory to research75 or pursuant to a waiver of an authorization by an IRB or privacy board. Note that the accounting and tracking requirements apply only when PHI is disclosed. Therefore, if PHI is used within the covered entity preparatory to research, or is used within the covered entity pursuant to an IRB or privacy board waiver of a HIPAA authorization, such use does not need to be included in an accounting provided to a patient and does not have to be tracked.

The tracking noted above can be accomplished using the covered entity’s normal procedures for tracking disclosures of PHI. However, HIPAA permits covered entities to use an alternate method to track disclosures of PHI for research purposes where the disclosure is for 50 or more individuals. Where this is the case, the accounting does not have to be completed individual by individual, but may instead be completed once for the research study.

Accountings (and thus the information that must be tracked) for research disclosures affecting 50 or more people must include the following information:76

• The name of the protocol or other research activity,

• A description and purpose of the research and the criteria for selecting particular records for disclosure,

• A description of the type of PHI disclosed,

• The date or period of time that the disclosures occurred or may have occurred, and the last date the PHI was disclosed, and

• The name, address, and telephone number of the sponsor and researcher receiving the PHI.

In addition, an accounting provided to a patient using the format for research disclosures affecting 50 or more people must include a statement that the PHI “may or may not have been disclosed for a particular protocol or other research activity.”77 Furthermore, “if it is reasonably likely that the [PHI] of the individual was disclosed for such research protocol or activity, the covered entity shall, at the request of the individual, assist in contacting the entity that sponsored the research and the researcher.”78

Attachments F and G at the end of the chapter contain sample forms that may be used to track and account for individual disclosures of PHI for research purposes, and for research-related disclosures of PHI for 50 or more individuals.

Research Databases and Repositories. HIPAA permits the use and disclosure of PHI for research databases and repositories with individual authorization or an IRB or privacy board waiver. However, covered entities should take care when obtaining authorizations or waivers for the disclosure of PHI to research databases and repositories.

Where a research protocol involves treatment, HIPAA permits conditioning that treatment upon obtaining a research HIPAA authorization from the individual.79 However, (as of the date of this writing—see the section below on the Proposed Rule) HIPAA prohibits combining authorizations for multiple purposes where treatment is conditioned upon signing an authorization.80 HIPAA also requires that each purpose for which PHI will be used or disclosed be included in an authorization.81 The conduct of a research study and the development or maintenance of a research database or repository are considered two separate purposes under HIPAA. Therefore, an authorization for a research database or repository may not be combined with an authorization for a research protocol which conditions treatment upon signing an authorization. Two separate HIPAA authorizations must be used.

In addition, HIPAA requires that each purpose for which PHI will be used or disclosed must be included in an authorization. The Department of Health and Human Services (again, as of this writing) has interpreted this requirement “to require that authorizations for research be study specific.”82 Therefore, a HIPAA authorization obtained from a person to use or disclose their PHI for a research database or repository that also indicates that the PHI will be used for “future research” is sufficient to authorize the use or disclosure of the PHI for the database or repository, but is not sufficient to then use or disclose the PHI from the database or repository for a particular future study by a HIPAA-covered entity. Either a HIPAA authorization that is specific to the study that will use or disclose the PHI stored in the database or repository must be obtained, or the use or disclosure of the PHI must be made in another manner that complies with HIPAA, such as a disclosure preparatory to research, an IRB or privacy board waiver, the use or disclosure of PHI for research on decedents, or through a limited data set. If the research database or repository to which the PHI is disclosed is maintained by an entity that is not a covered entity, then the HIPAA requirements for approvals of subsequent use of the PHI would not apply.

Proposed Rule. The Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health (HITECH) Act; Proposed Rule, published July 14, 2010, contains two provisions specific to research.83 The first is a proposal to amend 164.508(b)(3)(i) and (iii) to allow a covered entity to combine conditioned and unconditioned research components, such as a treatment-related study and research databases or repositories. The second is a request for comments on whether to permit an authorization to be not research-study specific, i.e., combine current and future research. Should this be permitted, a covered entity would be able to obtain in one authorization an individual’s permission to use or disclose their PHI to a research database or repository, and then for the PHI in the database or repository to be used for subsequent research without obtaining additional HIPAA approval.

Data Breaches. While responding to data breaches is not the subject of this chapter, privacy professionals should note that PHI used for research that is the subject of a data breach is subject to the Breach Notification for Unsecured Protected Health Information; Interim Final Rule, which became effective September 23, 2009. In addition, research data may also include state regulated personally identifiable information (PII) and be subject to state data breach notifications.

55 45 CFR 164.508(c)(3).
56 45 CFR 164.508(c)(4).
57 45 CFR 164.508(b)(3).
58 45 CFR 164.508(b)(4)(i).
59 “HIPAA Authorization for Research,” July 1, 2004, U.S. Department of Health and Human Services, National Institutes of Health, 26 Dec. 10, http://privacyruleandresearch.nih.gov/authorization.asp.
60 Sample HIPAA Authorization forms used for research can be found on-line for most major research hospitals/universities. Below are links to two:
• University of Louisville: http://louisville.edu/research/humansubjects/ongoing-forms/HIPAA%20RA%20DB%202-16-09%20FINAL.doc. This authorization is designed for a very complex organization and anticipates that PHI sought for research may be requested from organizations that are not part of the researcher’s covered entity.
• University of Alabama at Birmingham: http://www.uab.edu/irb/forms/sample-consent-form.doc. This is a brief authorization at the end of an extensive informed consent form.
61 45 CFR 164.512(i)(1)(i).
62 45 CFR 164.512(i)(1)(i)(B)(1).
63 45 CFR 164.512(i)(1)(i)(B)(2).
64 45 CFR 164.512(i)(1)(i)(B)(3).
65 45 CFR 164.512(i)(2)(ii).
66 45 CFR 164.512(i)(2).
67 45 CFR 164.512(i)(2)(iv)(C).
68 45 CFR 164.512(i)(1)(ii).
69 “Clinical Research and the HIPAA Privacy Rule,” Publication Number 04-5495, February 2004, U.S. Department of Health and Human Services, National Institutes of Health, 27 Dec 10, http://privacyruleandresearch.nih.gov/clin_research.asp.
70 45 CFR 164.512(i)(1)(iii).
71 45 CFR 164.514(e).
72 45 CFR 164.524.
73 45 CFR 164.524(a)(2)(iii).
74 45 CFR 164.528.
75 While PHI accessed preparatory to research may not leave a covered entity, if the researcher who is accessing the PHI at the covered entity is not part of the covered entity’s workforce, and is not accessing the PHI as a business associate to the covered entity, the access of the PHI by the researcher is still a disclosure, even though the PHI is not being removed from the covered entity.
76 45 CFR 164.528(b)(4).
77 45 CFR 164.528(b)(4)(i)(F).
78 45 CFR 164.528(b)(4)(ii).
79 45 CFR 164.508(b)(4)(i).
80 45 CFR 164.508(b)(3)(iii).
81 45 CFR 164.508(c)(1)(iv).
82 Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health (HITECH) Act; Proposed Rule, U.S. Department of Health and Human Services, Federal Register / Vol. 75, No. 134, July 14, 2010, p. 40893.
83 Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health (HITECH) Act; Proposed Rule, pp. 40892-40894.
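The two identifier lists in this section (the 18 identifiers whose removal de-identifies a data set, and the 16 direct identifiers a limited data set must exclude) decide which of the chapter's release paths a research extract needs: none, a data use agreement, or an authorization or waiver. The following Python is an added example, not code from the handbook or from HHS, that classifies an extract by the identifier columns it still carries and reduces it to Safe Harbor form; the column names and sample rows are constructed, and the "90 or older" age aggregation comes from 45 CFR 164.514(b), which the chapter cites only as 45 CFR 164.514.

```python
"""Classify a research extract under the identifier rules in this chapter:
Safe Harbor de-identification (18 identifiers) vs. limited data set (16 direct
identifiers) vs. PHI. Added example; columns and records are constructed."""
import re
from copy import deepcopy
from typing import Any, Dict, Iterable, List

# The 16 direct identifiers a limited data set must exclude (45 CFR 164.514(e));
# a populated field of any of these kinds makes the extract PHI.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_number", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric_id", "full_face_photo",
}
# Quasi-identifiers a limited data set may keep but Safe Harbor must strip or
# coarsen: geography below the state, dates finer than the year, ages over 89.
SUB_STATE_GEOGRAPHY = {"city", "zip_code"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Fields carrying no identifier under either rule. Any other field name is
# "unknown" and must be reviewed against the catch-all 18th identifier
# ("any other unique identifying number, characteristic, or code").
NON_IDENTIFYING = {"state", "age", "sex", "diagnosis", "procedure", "lab_result"}
YEAR_ONLY = re.compile(r"^\d{4}$")
_RANK = {"de_identified": 0, "limited_data_set": 1, "phi": 2}


def _present(value: Any) -> bool:
    return value not in (None, "", [], {})


def unknown_fields(record: Dict[str, Any]) -> List[str]:
    """Field names the classifier has no rule for; flag these for review."""
    known = DIRECT_IDENTIFIERS | SUB_STATE_GEOGRAPHY | DATE_FIELDS | NON_IDENTIFYING
    return sorted(f for f in record if f not in known)


def classify_record(record: Dict[str, Any]) -> str:
    """Return 'phi', 'limited_data_set' or 'de_identified' for one record."""
    if any(_present(record.get(f)) for f in DIRECT_IDENTIFIERS):
        return "phi"
    fine_geo = any(_present(record.get(f)) for f in SUB_STATE_GEOGRAPHY)
    fine_date = any(_present(record.get(f)) and not YEAR_ONLY.match(str(record[f]))
                    for f in DATE_FIELDS)
    age = record.get("age")
    if fine_geo or fine_date or (isinstance(age, int) and age > 89):
        return "limited_data_set"
    return "de_identified"


def classify_dataset(records: Iterable[Dict[str, Any]]) -> str:
    """An extract is only as safe as its least-protected record."""
    worst = "de_identified"
    for rec in records:
        cls = classify_record(rec)
        if _RANK[cls] > _RANK[worst]:
            worst = cls
    return worst


def required_basis(classification: str) -> str:
    """What the chapter says a covered entity needs before releasing the extract."""
    return {
        "de_identified": "none (not PHI once the 18 identifiers are removed)",
        "limited_data_set": "data use agreement with the recipient",
        "phi": "individual authorization, IRB/privacy board waiver, or another "
               "research exception (preparatory to research, decedents)",
    }[classification]


def safe_harbor_strip(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy reduced to Safe Harbor de-identified form."""
    out = deepcopy(record)
    for f in DIRECT_IDENTIFIERS | SUB_STATE_GEOGRAPHY:
        out.pop(f, None)
    for f in DATE_FIELDS:
        if _present(out.get(f)):
            out[f] = str(out[f])[:4]  # keep the year only
    age = out.get("age")
    if isinstance(age, int) and age > 89:
        # 45 CFR 164.514(b) allows ages over 89 to be aggregated into a single
        # "90 or older" category; a birth year would reveal the age, so drop it.
        out["age"] = "90+"
        out.pop("birth_date", None)
    return out


# Constructed sample extract: row 1 still carries an MRN (PHI), row 2 is
# limited-data-set grade (zip code, full dates, age 91), row 3 is de-identified.
SAMPLE_EXTRACT = [
    {"medical_record_number": "MRN-0001", "admission_date": "2010-03-14",
     "city": "Louisville", "state": "KY", "age": 54, "diagnosis": "I10"},
    {"admission_date": "2010-03-14", "zip_code": "40202", "state": "KY",
     "birth_date": "1919-02-01", "age": 91, "diagnosis": "E11"},
    {"admission_date": "2010", "state": "KY", "age": 47, "diagnosis": "J45"},
]

if __name__ == "__main__":
    worst = classify_dataset(SAMPLE_EXTRACT)
    print("extract:", worst, "->", required_basis(worst))
    print("after Safe Harbor:",
          classify_dataset(safe_harbor_strip(r) for r in SAMPLE_EXTRACT))
```

Classification is by column name, so a column the classifier does not know (a study code, for instance) is reported by unknown_fields rather than silently passed, and should be reviewed against the catch-all identifier before release.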


Certificates of Confidentiality Application
The final area of regulation related to research Now that we have reviewed the ethical guidelines
privacy that we will discuss involves certificates and United States regulations governing the
of confidentiality. The Public Health Service Act, privacy and confidentiality of individually
“Protection of privacy of individuals who are identifiable information in research, let’s discuss
research subjects,” states: some practical issues that come up in applying the
regulations.
The Secretary may authorize persons
engaged in biomedical, behavioral, clinical,
or other research … to protect the privacy What’s Research?
of individuals who are the subject of such
The definition of “research” under both the
research by withholding from all persons not
Common Rule and HIPAA is “a systematic
connected with the conduct of such research
the names or other identifying characteristics
investigation, including research development,
of such individuals. Persons so authorized to testing and evaluation, designed to develop or
protect the privacy of such individuals may contribute to generalizable knowledge.”86 Research
not be compelled in any Federal, State, or organizations may determine that a “systematic
local civil, criminal, administrative, legislative, investigation…designed to develop generalizable
or other proceedings to identify such knowledge” does not apply to certain activities
individuals.84 involving very small numbers of individuals, such
as three to five patients. These activities may be
The Office for Human Research Protections called “case reviews” or “case reports.” Typically, a
(“OHRP”) has issued Guidance on Certificates case report is intended to be used to share medical
of Confidentiality85 that indicates that certificates information with, or to provide education to, other
of confidentiality are issued by the National providers. Unlike research, it is not designed to
Institutes of Health, though the protection answer a specific question. Case reports typically
offered by the certificates of confidentiality involve retrospective medical record reviews and
is not limited to federally funded research. the only interaction with the patient has been for
Obtaining a certificate of confidentiality is not a purposes of treating the patient, and not for the
requirement. Instead, it is an additional safeguard purpose of gathering research data. Since case
that researchers may put in place to protect reviews are not considered “research” they won’t
the confidentiality of the personal information fall under the Common Rule, and may not require
obtained through human subject research, and IRB review.87
may be of particular interest for research involving
sensitive diagnoses or populations. So how should case reports be handled under
HIPAA? Since they are not considered “research,”

86 45 CFR 46.102(d), and 45 CFR 164.501.


87 For examples of case report guidance or policy, see the
following: “Guidance for Investigators HIPAA Requirements for
84 42 U.S.C. §241(d). Case Reports,” October 2006, The Johns Hopkins University, The
Johns Hopkins Hospital, and Johns Hopkins Health System, 5
85 “Guidance on Certificates of Confidentiality,” February 25, Feb. 2011, http://www.hopkinsmedicine.org/institutional_review_
2003, Office for Human Research Protections (OHRP), 9 Jan. board/hipaa_research/hipaa_case_reports.html, and “Medical Case
2011 http://dhhs.gov/ohrp/policy/certconf.html. See also the NIH Report Policy,” June 11, 2010, University of Louisville, 5 Feb.
Certificates of Confidentiality Kiosk web page, 9 Jan. 2011, 2011, http://louisville.edu/research/humansubjects/research-related-
http://grants.nih.gov/grants/policy/coc/index.htm. policies/medical-case-report-policy.html.

Human Research Privacy 49


what are they, and what are the requirements Preparatory to Research
to appropriately use PHI for this purpose?
The Common Rule and HIPAA differ from
Case report activity involves sharing medical
each other regarding the concept of the use or
knowledge, improving quality, and providing
disclosure of PHI “preparatory to research.”
education, and therefore generally will fall
HIPAA clearly permits the use of PHI
under the HIPAA definition of health care
preparatory to research, such as the review of
operations which includes: “(1) Conducting
medical records to recruit potential subjects for
quality assessment and improvement activities,
a research study, without an authorization or a
including outcomes evaluation and development
waiver from an IRB or privacy board. However, no
of clinical guidelines, provided that the obtaining
such carve-out exists within the Common Rule,
of generalizable knowledge is not the primary
thus activities that are preparatory to research
purpose of any studies resulting from such
fall squarely within the definition of research
activities; population-based activities relating
and require IRB review and approval, and either
to improving health or reducing health care
signed informed consent forms or an IRB waiver
costs, [and] protocol development…”88 and “(2)
of informed consent.
Reviewing the competence or qualifications of
health care professionals, evaluating practitioner
and provider performance, health plan Subject Recruitment
performance, conducting training programs
Privacy professionals may find a need to educate
in which students, trainees, or practitioners in
researchers about acceptable practices for
areas of health care learn under supervision
identifying and recruiting research subjects under
to practice or improve their skills as health
HIPAA.
care providers, training of non-health care
professionals, accreditation, certification, licensing, Acceptable methods of identification and
or credentialing activities.”89 As a result, the recruitment of subjects include:
PHI may be used within the covered entity for
the purpose of preparing a case report without • A researcher within a covered entity accessing
obtaining a HIPAA authorization (and exchanged medical records of patients to identify subjects
for this purpose with another covered entity who and contacting the patients, or exchanging
also has a relationship with the patient). Often information about eligible patients with other
a case report will be presented or published workforce members within the covered entity
outside of the covered entity. If the case report who then contact the patients. This complies
does not contain any of the 18 identifiers that with the rules related to the use of PHI
cause medical information to be considered PHI preparatory to research and for health care
under HIPAA, the case report is considered de- operations.
identified, and its presentation or publication does
not require a HIPAA authorization. If the case • A researcher informing physicians who are not
report contains PHI, then a HIPAA authorization part of the researcher’s covered entity about a
would be required in order for it to be presented research study, which the external physician
or published outside of the covered entity. then brings to the attention of his or her patient,
together with information allowing the patient
to contact the researcher directly. The patient in
88 45 CFR 164.501.
89 45 CFR 164.501.

50 Health Care Privacy Compliance Handbook


this instance is making a self-disclosure to the researcher.

Non-acceptable methods of identification and recruitment of subjects include:

• A researcher informing physicians who are not part of the researcher’s covered entity about a research study, for which the external physician then provides the researcher with eligible patient information without obtaining a waiver or authorization. The external physician is disclosing PHI in this instance without meeting HIPAA requirements.

• A researcher contacting an external physician with eligible patient information taken from a shared electronic medical record, requesting the external physician to encourage their patient to participate in a study. The researcher is disclosing PHI outside of his or her covered entity for a research purpose without meeting HIPAA requirements. This can be particularly challenging for physician/researchers who are accustomed to being able to freely access and disclose PHI for treatment purposes about patients who are treated by both entities.

IRB Determination of Adequate Protections
The Common Rule requires that IRBs determine that adequate provisions are in place to protect the privacy of subjects and to maintain the confidentiality of data. To do so, IRBs must gather the necessary information from researchers as part of research protocol applications, including, but not limited to, the following information:

• Data being used or disclosed as part of the protocol,

• Data flows inside and outside of the covered entity, and

• Safeguards that will be used to protect data collected within the covered entity both when in use and at rest, and when in transit outside of the covered entity.

Based on the information above, the IRB will want to assess whether adequate HIPAA safeguards (including those specified by the HIPAA Security Rule and the interim final Data Breach Rule, where applicable) are in place.

In addition, as part of their provisions to maintain confidentiality of data, researchers will often represent in applications to their IRB that research data will be identified only with a study code, and will not be stored with individual identifiers. Where this is the case, the IRB will want to assess whether adequate protections are in place to prevent the co-mingling of research data and individual identifiers that have been pledged to be kept separate. If in reality the research data identified by study codes is stored electronically in a location (such as a computer hard drive or a network folder) to which individuals have the same access rights as the file containing the key linking the study codes to individual identifiers, then the confidentiality protections intended to be provided by the study code are not actually in place.

Coordinating the ICF and HIPAA Authorization
For many research studies, the Common Rule requires that individual informed consent be obtained from research participants. Similarly, HIPAA generally requires patient authorization for the use or disclosure of PHI for research purposes. HIPAA allows, but does not require, the authorization for a research study to be combined with the informed consent form in one document. Whether the two documents are merged or not will vary with the practices of each IRB or covered entity.

Whether merged or not, it is important to assure that the language in the two documents (or two sections of one document) is consistent and does not contain contradictory statements. For example, an informed consent form should not state that “no PHI will be removed from the covered entity” while the HIPAA authorization language states that “your PHI may be disclosed to the external sponsor of the study.” Confronted with such contradictory language, a research participant or regulator may find that the narrower promise of confidentiality should apply. One way to reduce the potential for contradictory confidentiality statements is to limit any claims of confidentiality in the informed consent form to a statement that data will be used and disclosed as described in the HIPAA authorization form.

In an effort to assure potential participants that their individually identifiable information will be kept confidential, researchers may at times include well-meaning, but overly ambitious or vague, statements in informed consent forms, like “all data will be kept confidential.” Such statements are best avoided since they may be misleading to participants. The reality for most human subject research protocols is that a team of internal, and sometimes external, individuals must have access to individually identifiable data in order to conduct the research and administer the financial, administrative, and oversight functions necessary for the appropriate conduct of research. The HIPAA authorization should identify each of these functions accordingly.

Waiver Criteria
HIPAA allows individual authorizations to be waived when the research could not practicably be conducted without the waiver. This raises the question of what is meant by the word “practicably.” “Practicably” means “feasible” or “capable of being done.” It does not mean “convenient.” Therefore, an IRB or privacy board may not grant a waiver of HIPAA authorization simply because obtaining individual authorizations would not be convenient. There must be a more material impediment to obtaining the authorization.

In considering whether obtaining an authorization is practicable, it is reasonable to ask if subjects are able to be identified as eligible for a study before or at the time of their individual interaction with a health care provider who is sufficiently knowledgeable about a protocol to screen for inclusion criteria. If so, then it is unlikely that it would not be practicable for the researcher to obtain a HIPAA authorization.

Multiple Approaches Provide Flexibility
Finally, it is important for a privacy professional to keep in mind that HIPAA provides more than one way to appropriately use and disclose PHI for research.

For example, a researcher who is not part of a covered entity may agree to de-identify PHI after receipt from a covered entity. The covered entity may disclose PHI to the researcher in this case with any of the following:

• A business associate agreement where the researcher agrees to de-identify the information received from the covered entity prior to using it to conduct research,

• An IRB partial waiver of authorization, or

• Individual authorizations.

Another example is that a covered entity may disclose PHI to a researcher for research on decedents with any of the following:

• Representations that subjects are deceased,

• An IRB waiver of authorization, or

• Authorizations from the legal representatives of the deceased.

Being sufficiently familiar with HIPAA to identify various options for appropriately using or disclosing PHI for research will enable the privacy professional to find the most operationally efficient means to enable research while protecting PHI.

Conclusion
This chapter has focused on the ethical rules and United States regulations regarding the privacy of individually identifiable information in human subject research. These rules and regulations have developed significantly in the period since the Second World War, and have become increasingly sophisticated over time, reflecting the increased awareness of risks to individual privacy and to the confidentiality of individually identifiable information. While it is important for privacy professionals to understand the ethical principles that govern research, and to know how the Common Rule and FDA regulations require the protection of privacy and confidentiality, it is imperative that privacy professionals have a strong knowledge of HIPAA, in particular, in order to assure the adequate protection of PHI in research.
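The point made earlier under “IRB Determination of Adequate Protections” is that a study code protects nothing if the coded data still carries identifiers, or if everyone who can read the coded data can also read the file linking codes to identities. The following Python script is an added illustration of that check; it is not from the handbook or its authors. The file paths, the principals on each access list, the designated key holders and the identifier column names are all constructed assumptions for the example.

```python
"""
Added illustration (not from the handbook): checking whether the confidentiality
a study code is supposed to provide is actually in place.

Two things can defeat the study code:
  1. the coded research data still carries direct identifiers (co-mingling); or
  2. everyone who can read the coded data can also read the file that links
     study codes back to individual identifiers.
All file contents and access lists below are constructed for this example.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Column names treated as direct identifiers for this illustration (a subset of
# the HIPAA identifier categories; extend to match the local data dictionary).
DIRECT_IDENTIFIER_COLUMNS = {
    "name", "mrn", "medical_record_number", "dob", "date_of_birth",
    "ssn", "address", "email", "phone",
}


@dataclass(frozen=True)
class Resource:
    """A stored file and the principals with read access to it (a constructed ACL)."""
    path: str
    readers: frozenset[str]


def identifier_columns_in(csv_text: str) -> set[str]:
    """Return the header columns of a CSV that name a direct identifier."""
    header = next(csv.reader(io.StringIO(csv_text)))
    return {col for col in header if col.strip().lower() in DIRECT_IDENTIFIER_COLUMNS}


def unauthorized_linkers(coded: Resource, key: Resource, key_holders: frozenset[str]) -> set[str]:
    """Principals who can read both the coded data and the linking key but are
    not designated key holders; each of them can re-identify every subject."""
    return set((coded.readers & key.readers) - key_holders)


def assess(coded: Resource, coded_csv: str, key: Resource, key_holders: frozenset[str]) -> list[str]:
    """Return a list of findings; an empty list means the study-code protection holds."""
    findings: list[str] = []
    ids = identifier_columns_in(coded_csv)
    if ids:
        findings.append(f"{coded.path} stores direct identifiers alongside study codes: {sorted(ids)}")
    linkers = unauthorized_linkers(coded, key, key_holders)
    if linkers:
        findings.append(f"{sorted(linkers)} can read both {coded.path} and {key.path}")
    return findings


# --- constructed sample inputs (hypothetical study team and paths) -------------
STUDY_TEAM = frozenset({"pi", "coordinator", "analyst1", "analyst2", "stats_vendor"})
KEY_HOLDERS = frozenset({"pi", "coordinator"})

# Coded data as pledged to the IRB: study code plus research variables only.
CODED_OK_CSV = "study_code,age,diagnosis,lab_result\nS001,54,E11,7.9\nS002,61,E11,8.4\n"
# Coded data that was never really separated from identifiers.
CODED_COMINGLED_CSV = "study_code,name,mrn,age,diagnosis\nS001,Jane Doe,123456,54,E11\n"

# Weak layout: the key sits in the same shared folder with the same ACL as the data.
WEAK_CODED = Resource(r"\\research\study42\coded.csv", STUDY_TEAM)
WEAK_KEY = Resource(r"\\research\study42\key.csv", STUDY_TEAM)
# Corrected layout: the key is readable only by the designated key holders.
FIXED_KEY = Resource(r"\\research\study42-keys\key.csv", KEY_HOLDERS)


def weak_findings() -> list[str]:
    """Findings for the co-mingled data stored beside an equally readable key."""
    return assess(WEAK_CODED, CODED_COMINGLED_CSV, WEAK_KEY, KEY_HOLDERS)


def fixed_findings() -> list[str]:
    """Findings for properly coded data with the key restricted to key holders."""
    return assess(WEAK_CODED, CODED_OK_CSV, FIXED_KEY, KEY_HOLDERS)


if __name__ == "__main__":
    for label, findings in (("weak layout", weak_findings()), ("corrected layout", fixed_findings())):
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

In practice the reader sets would be populated from the actual permissions on the data folder and the key file (for example from the share and NTFS ACLs, or from `getfacl` on a Unix file server) rather than typed in, and the check would be re-run whenever study staff or storage locations change, since that is when the two access lists tend to drift back together.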

Human Research Privacy 53


Appendix A
Sample Confidentiality Statements
Covered Entity Informed Consent Form

CONFIDENTIALITY:
As required by the federal Health Insurance Portability and Accountability Act (HIPAA), [Covered
Entity] will take reasonable measures to safeguard the confidentiality of information that identifies you
and relates to your past, present, and future physical and mental health, and conditions (protected health
information) collected, used and shared as part of this research. As part of this study, we may collect, use
and share protected health information about you as specified in the accompanying Research HIPAA
Authorization Form.

Additional Statements to Use When Applicable:


Publication and Teaching:

Information derived from this study may be used for research purposes that may include publication and
teaching. However, information used for publication and teaching will not disclose your identity.

FDA Regulated Research:

Because this research is regulated by the Food and Drug Administration (FDA), the FDA may
inspect records related to this research, which may include your protected health information or other
information about you derived or maintained as part of this study.



Appendix B
Sample Authorization Language for Research Uses and Disclosures of
Individually Identifiable Health Information by a Covered Health Care
Provider90

Authorization to Use or Disclose (Release) Health Information that Identifies You for a Research Study

Required Elements:
If you sign this document, you give permission to [name or other identification of specific health care
provider(s) or description of classes of persons, e.g., all doctors, all health care providers] at [name of
covered entity or entities] to use or disclose (release) your health information that identifies you for
the research study described here:

[Provide a description of the research study, such as the title and purpose of the research.]

The health information that we may use or disclose (release) for this research includes [complete as
appropriate]:

[Provide a description of the information to be used or disclosed for the research project. This may
include, for example, all information in a medical record, results of physical examinations, medical
history, lab tests, or certain health information indicating or relating to a particular condition.]

The health information listed above may be used by and/or disclosed (released) to:

[Name or class of persons involved in the research; i.e., researchers and their staff*]
*Where a covered entity conducts the research study, the Authorization must list ALL names or other identification, or ALL
classes, of persons who will have access through the covered entity to the protected health information (PHI) for the research
study (e.g., research collaborators, sponsors, and others who will have access to data that includes PHI). Examples may
include, but are not limited to the following:
- Data coordinating centers that will receive and process PHI;
- Sponsors who want access to PHI or who will actually own the research data; and/or
- Institutional Review Boards or Data Safety and Monitoring Boards.
If the research study is conducted by an entity other than the covered entity, the authorization need only list the name or
other identification of the outside researcher (or class of researchers) and any other entity to whom the covered entity is
expected to make the disclosure.

90 Reprinted with permission, National Institutes of Health. Source: http://privacyruleandresearch.nih.gov/authorization.asp



[Name of covered entity] is required by law to protect your health information. By signing this
document, you authorize [name of covered entity] to use and/or disclose (release) your health
information for this research. Those persons who receive your health information may not be required by
Federal privacy laws (such as the Privacy Rule) to protect it and may share your information with others
without your permission, if permitted by laws governing them.

Optional Elements:
Examples of optional elements that may be relevant to the recipient of the protected health information:

• Your health information will be used or disclosed when required by law.

• Your health information may be shared with a public health authority that is authorized by law to
collect or receive such information for the purpose of preventing or controlling disease, injury, or
disability, and conducting public health surveillance, investigations, or interventions.

• No publication or public presentation about the research described above will reveal your identity
without another authorization from you.

• If all information that does or can identify you is removed from your health information, the
remaining information will no longer be subject to this authorization and may be used or disclosed
for other purposes.

• When the research for which the use or disclosure is made involves treatment and is conducted by
a covered entity: To maintain the integrity of this research study, you generally will not have access to
your personal health information related to this research until the study is complete. At the conclusion
of the research and at your request, you generally will have access to your health information that
[name of the covered entity] maintains in a designated record set, which means a set of data that
includes medical information or billing records used in whole or in part by your doctors or other
health care providers at [name of the covered entity] to make decisions about individuals. Access
to your health information in a designated record set is described in the Notice of Privacy Practices
provided to you by [name of covered entity]. If it is necessary for your care, your health information
will be provided to you or your physician.

• If you revoke this Authorization, you may no longer be allowed to participate in the research described
in the Authorization.

Please note that [include the appropriate statement]:

• You do not have to sign this Authorization, but if you do not, you may not receive research-related
treatment.
(When the research involves treatment and is conducted by the covered entity or when the covered
entity provides health care solely for the purpose of creating protected health information to disclose
to a researcher).



• [Name of covered entity] may not condition (withhold or refuse) treating you on whether you sign
this Authorization.
(When the research does not involve research-related treatment by the covered entity or when
the covered entity is not providing health care solely for the purpose of creating protected health
information to disclose to a researcher)

Please note that [include the appropriate statement]:

• You may change your mind and revoke (take back) this Authorization at any time. Even if you revoke
this Authorization, [name or class of persons at the covered entity involved in the research] may still
use or disclose health information they already have obtained about you as necessary to maintain the
integrity or reliability of the current research. To revoke this Authorization, you must write to: [name
of the covered entity(ies) and contact information].
(Where the research study is conducted by an entity other than the covered entity).

• You may change your mind and revoke (take back) this Authorization at any time. Even if you revoke
this Authorization, [name or class of persons at the covered entity involved in the research] may still
use or disclose health information they already have obtained about you as necessary to maintain the
integrity or reliability of the current research. To revoke this Authorization, you must write to: [name
of the covered entity(ies) and contact information].
(Where the research study is conducted by the covered entity).

This Authorization does not have an expiration date [or as appropriate, insert expiration date or event,
such as “end of the research study.”]

Signature of participant or participant’s personal representative          Date

Printed name of participant or participant’s personal representative          If applicable, a description of the personal representative’s authority to sign for the participant



Appendix C
Sample Research HIPAA Authorization Form

PROTOCOL TITLE:

PROTOCOL NUMBER:

PRINCIPAL INVESTIGATOR:
The word “you” means both the person who takes part in the research, and the person who gives
permission to be in the research. This form and the attached research informed consent form need to be
kept together. The words “we” and “[CE]” mean the [Covered Entity].

What is the purpose of using and sharing my protected health information?


We are asking you to take part in the research study described in the attached informed consent form.
We need to be able to collect, use and share your protected health information in order for you to
participate in this research study.

What protected health information about me will be collected, used and shared with others
during this research study?
For you to be in this research study, we need your permission to collect, use and share health information
that identifies you (your “health information”), which may include one or more of the following:

• Demographic information, such as, but not limited to, your name, date of birth, address and other
contact information such as telephone, fax, or e-mail address, gender, insurance information and Social
Security number,

• The results of medical tests, questionnaires and interviews, and

• Information from your medical record, including your medical record number.

We will only collect, use and share information that is needed for the research.

Who will use or share protected health information about me?


We may use and share your health information with:

• People at [CE] who conduct, supervise, administer, or otherwise help with the research, such as,
but not limited to, physicians, researchers, research support staff, the [IRB], and [CE] staff who are
involved in the administration of the research,



• Other researchers and their support staff outside of [CE], and

• People outside of the [CE] who:

–– Administer,

–– Oversee or regulate,

–– Pay for, or

–– Work with us on the research.

• Other external entities who provide services to support the research, such as, but not limited to,
laboratories and data analysis companies.

Some of these people may share your health information with someone else. If they do, the same laws
that [CE] must obey may not apply to those people, and may not protect your health information.

For how long will protected health information about me be collected, used or shared with
others?
If you sign this form, we will collect, use and share your health information until the end of this research
study, which may be after your direct participation in the research project ends.

Your health information may also be useful for other studies. We can only use the health information
collected for this research study again if the [IRB] gives us permission. The [IRB] may ask us to talk
to you again before using or sharing the health information collected for this research study for other
research purposes. However, if we meet certain requirements established by law, the [IRB] may also let
us use and share your health information collected for this research study for additional research without
talking to you again.

Health information collected as part of the research study that is also kept in your medical record for
treatment and billing purposes will be maintained, used and disclosed in accordance with the policies
and procedures of [CE], and laws and regulations applicable to medical records. As a patient of [CE],
and not as part of this research study, you will receive a copy of the [CE] Notice of Privacy Practices
which explains how [CE] may use and disclose health information kept in your medical record.

Can I change my mind?


If you change your mind later and do not want us to collect, use or share your health information, you
need to send a letter to the researcher listed on the attached informed consent form. The letter needs to
say that you have changed your mind and do not want the researcher to collect, use and share your health
information. In this case, we may continue to use and share the information we have already collected
about you, but we won’t collect any further information about you for the research study.



Summary of privacy rights:
If you sign this form, you are giving us permission to collect, use and share your health information. If
you decide not to sign this form, you cannot be in the research study. You need to sign this form and
the attached informed consent form in order to participate in the research study. Whatever decision you
make about this research study will not affect your access to medical care.

If you have any questions, please ask the researcher. The researcher will give you a signed copy of this
form.

SIGNATURE, DATE, AND IDENTITY OF PERSON SIGNING

The health information about ________________________ can be collected, used and shared by [CE]
for the research study described in this form and the attached informed consent form.

SIGNATURES:

____________________________________________ ___________________________________
Subject Date

OR, if applicable, signature of parent or individual authorized by the subject to make health care
decisions:

____________________________________________ ___________________________________
Parent/Court-appointed Guardian/Health Care Proxy Date

____________________________________________ ___________________________________
Print Name Relationship



Appendix D
Authorization to Disclose Protected Health Information for Research
Databases and Repositories Outside of [Covered Entity]

PROTOCOL TITLE:

PROTOCOL NUMBER:

PRINCIPAL INVESTIGATOR:
This form and the attached informed consent form need to be kept together.

I authorize [Covered Entity] to disclose my protected health information (“PHI”) as more fully
described below, for the purpose of including my PHI in a research database or repository that will be
maintained outside of [Covered Entity] by the organization named below:

Name of organization:

__________________________________________________________________________________

My PHI included in the research database or repository may be used for future research as described
in the attached informed consent form. I understand that my PHI that is included in the research
database or repository will identify me, and that when it is used for future research it may or may not
include information that identifies me. Information that does not identify me is called “de-identified
information.”

I understand that organizations that use or receive my de-identified information from the research
database or repository for future research typically will not need to inform me, obtain my authorization,
or have a research Institutional Review Board review the proposed future research.

I understand that depending on the laws that apply to the organization that receives my PHI for
the research database or repository, if my PHI is used by that organization or disclosed to another
organization for future research, the organization that maintains the research database or repository may
or may not need to inform me, obtain my authorization, or have a research Institutional Review Board
review the proposed future research.

I understand that [Covered Entity] is required by law to reasonably safeguard my PHI, but that the
organization that will receive my PHI for the research database or repository may not be required to
follow the same laws, may not be required to protect my PHI, and may redisclose my PHI.



The information that I authorize to be disclosed is listed below. Check “Yes” or “No” for each item:

Personal Identifiers (check YES or NO for each item):

YES / NO   Name
YES / NO   Initials
YES / NO   Address elements (other than state)
YES / NO   Date of birth
YES / NO   Age over 89 years
YES / NO   Dates of admission, treatment, discharge or death
YES / NO   Telephone
YES / NO   Fax
YES / NO   E-mail address
YES / NO   Social Security number
YES / NO   Medical record number
YES / NO   Insurance number
YES / NO   Account numbers
YES / NO   Certificate/license numbers
YES / NO   Device identifiers and serial numbers
YES / NO   Vehicle identification numbers and license plate numbers
YES / NO   Web universal resource locators (URLs)
YES / NO   Internet protocol (IP) address numbers
YES / NO   Biometric identifiers
YES / NO   Full face photograph or comparable images
YES / NO   Other (list here):

Health and Other Information (check YES or NO for each item):

YES / NO   Age
YES / NO   Sex
YES / NO   Race
YES / NO   Diagnosis
YES / NO   Drug or device used
YES / NO   History and physical
YES / NO   Clinic/office notes
YES / NO   Operative or procedure reports
YES / NO   Test results and reports
YES / NO   Genetic test results
YES / NO   Photographs or images
YES / NO   Discharge summary
YES / NO   Length of stay
YES / NO   Location of service
YES / NO   Health care providers
YES / NO   Billing or charge information
YES / NO   Questionnaire results
YES / NO   Other (list below)



I understand that I may refuse to sign this authorization and that such refusal will not affect my
treatment at [Covered Entity].

This authorization has no expiration date. However, I may revoke this authorization by providing a
written notice of revocation delivered to the Principal Investigator named on the first page of this
authorization at [address]. The revocation will be effective immediately upon the Principal Investigator’s
receipt of my written notice, except that the revocation will not have any effect on any use or disclosure
of my PHI made by [Covered Entity] based on this authorization before it receives my written notice of
revocation.

If I want to revoke my participation in the research database or repository, I will contact the organization
that maintains the research database or repository as identified in the attached research informed consent
form. I understand that typically a revocation will not have any effect on any use of my PHI maintained
in the research database or repository by the organization based on this authorization before it receives
my written notice of revocation.

[Covered Entity] will give me a signed copy of this form.

Signature, Date, and Identity of Person Signing

____________________________________________ ___________________________________
Subject’s Printed Name Date of Birth

____________________________________________ ___________________________________
Subject’s Signature Date

OR, if applicable, signature of parent or individual authorized by the subject to make health care
decisions:

____________________________________________ ___________________________________
Parent/Court-appointed Guardian/Health Care Proxy Signature Date

____________________________________________ ___________________________________
Printed Name Relationship



Appendix E
Authorization to Use Protected Health Information for Research
Databases and Repositories Maintained by [Covered Entity]

PROTOCOL TITLE:

PROTOCOL NUMBER:

PRINCIPAL INVESTIGATOR:
This form and the attached informed consent form need to be kept together.

I authorize [Covered Entity] to use my protected health information (“PHI”) as more fully described
below, for the purpose of including my PHI in a research database or repository that will be maintained
by [Covered Entity].

My PHI included in the research database or repository may be used for future research as described
in the attached informed consent form. I understand that my PHI that is included in the research
database or repository will identify me, and that when it is used for future research it may or may not
include information that identifies me. Information that does not identify me is called “de-identified
information.”

I understand that if [Covered Entity] uses my de-identified information from the research database or
repository for future research typically it will not need to inform me, obtain my authorization, or have its
research Institutional Review Board review the proposed future research.

I understand that if [Covered Entity] uses my PHI for future research, [Covered Entity] will need to
inform me, obtain my authorization, or have a research Institutional Review Board review the proposed
future research.

The information that I authorize to be used is listed below.



Check “Yes” or “No” for each item:

Personal Identifiers (check YES or NO for each item):

YES / NO   Name
YES / NO   Initials
YES / NO   Address elements (other than state)
YES / NO   Date of birth
YES / NO   Age over 89 years
YES / NO   Dates of admission, treatment, discharge or death
YES / NO   Telephone
YES / NO   Fax
YES / NO   E-mail address
YES / NO   Social Security number
YES / NO   Medical record number
YES / NO   Insurance number
YES / NO   Account numbers
YES / NO   Certificate/license numbers
YES / NO   Device identifiers and serial numbers
YES / NO   Vehicle identification numbers and license plate numbers
YES / NO   Web universal resource locators (URLs)
YES / NO   Internet protocol (IP) address numbers
YES / NO   Biometric identifiers
YES / NO   Full face photograph or comparable images
YES / NO   Other (list here):

Health and Other Information (check YES or NO for each item):

YES / NO   Age
YES / NO   Sex
YES / NO   Race
YES / NO   Diagnosis
YES / NO   Drug or device used
YES / NO   History and physical
YES / NO   Clinic/office notes
YES / NO   Operative or procedure reports
YES / NO   Test results and reports
YES / NO   Genetic test results
YES / NO   Photographs or images
YES / NO   Discharge summary
YES / NO   Length of stay
YES / NO   Location of service
YES / NO   Health care providers
YES / NO   Billing or charge information
YES / NO   Questionnaire results
YES / NO   Other (list below)

I understand that I may refuse to sign this authorization and that such refusal will not affect my
treatment at [Covered Entity].



This authorization has no expiration date. However, I may revoke this authorization by providing a
written notice of revocation delivered to the Principal Investigator named on the first page of this
authorization at [address]. The revocation will be effective immediately upon the Principal Investigator’s
receipt of my written notice, except that the revocation will not have any effect on any use of my PHI
made by [Covered Entity] based on this authorization before it receives my written notice of revocation.

I may revoke my participation in the research database or repository by providing a written notice
of revocation delivered to the Principal Investigator named on the first page of this authorization at
[address]. The revocation will be effective immediately upon the Principal Investigator’s receipt of my
written notice, except that the revocation will not have any effect on any use of my PHI maintained in
the research database or repository by [Covered Entity] based on this authorization before it receives my
written notice of revocation.

[Covered Entity] will give me a signed copy of this form.

Signature, Date, and Identity of Person Signing

____________________________________________ ___________________________________
Subject’s Printed Name Date of Birth

____________________________________________ ___________________________________
Subject’s Signature Date

OR, if applicable, signature of parent or individual authorized by the subject to make health care
decisions:

____________________________________________ ___________________________________
Parent/Court-appointed Guardian/Health Care Proxy Signature Date

____________________________________________ ___________________________________
Printed Name Relationship



Appendix F
SAMPLE:
Tracking Form for Accountings of Research Disclosures
(Fewer than 50 Individuals)

Instructions: Use this form to track disclosures to an individual or entity outside of [CE] of PHI for
purposes of research where individual participant HIPAA authorization is not obtained. For example,
this form must be used when PHI is disclosed:

• Preparatory to Research

• Pursuant to an IRB Waiver of HIPAA Authorization

Patient Name

Medical Record Number

Date of Disclosure

Recipient Name

Recipient Address

Name of Research Protocol or Activity

Description of Research Protocol or Activity

Description of PHI Disclosed

Purpose of Disclosure (may attach a copy of IRB research approval)



Appendix G
SAMPLE:
Tracking Form for Accountings of Research Disclosures
(50 or More Individuals)

Instructions: Use this form to track disclosures to an individual or entity outside of [CE] of PHI for
purposes of research where individual participant HIPAA authorization is not obtained. For example,
this form must be used when PHI is disclosed:

• Preparatory to Research

• Pursuant to an IRB Waiver of HIPAA Authorization

Number of Individuals Affected by Disclosure

Date or Date Range of Disclosure

Research Sponsor Name

Research Sponsor Address

Research Sponsor Telephone

Recipient Researcher Name

Recipient Researcher Address

Recipient Researcher Telephone

Name of Research Protocol or Activity

Description of Research Protocol or Activity

Purpose of the Research

Criteria for Selection of Particular Records

Description of PHI Disclosed

Purpose of Disclosure
(may attach a copy of IRB research approval)

Protected Health Information of the individual requesting an accounting of disclosures may or may not
have been disclosed for the research protocol or activity listed above.
If [CE] determines that it is reasonably likely that the Protected Health Information of the individual
requesting the accounting of disclosures was disclosed for the research protocol or activity listed above,
[CE] will, at the request of the individual, assist the individual in contacting the research sponsor and
the researcher.



5
Payor Privacy Issues
By Jennifer M. O'Brien, JD, CHC, CHPC1

Introduction

There are great challenges in managing privacy compliance risks for all health care businesses. In fact, data privacy and security are significant issues in virtually every deal or decision made by large and small health care companies across the nation. While the requirements of the privacy laws are typically the same regardless of whether the company operates as a hospital, clinic, or health plan, or sells durable medical equipment, the challenges and risks differ.

This chapter focuses on health plan privacy issues.

The objectives of the chapter are: 1) to provide a better understanding of basic consumer privacy issues related to health plans; 2) to provide an overview of payor privacy issues and the proper collection, use, and disclosure of consumer information; and 3) to present considerations related to marketing and health plan communication of products and services.

Privacy compliance in a payor world requires more of a focus on payment and operations than on the treatment issues that are more prevalent in hospital and clinic settings. Such functions include explanation of benefits, underwriting, and claims data submission. There is also an intense focus on database information and the appropriate collection, use and disclosure of that information. An example of a typical payor concern might be weighing the advantage of an all-payor database, and the benefit of bringing transparency to the health care market, against the increased privacy risks and concerns of individuals.

Additional focus areas within the payor world include the need for solid processes around verbal consent. There is little face-to-face interaction with consumers and beneficiaries, so verifying the identity of individuals is important in ensuring that information is shared only with the appropriate person. There are also a number of marketing considerations that a health plan needs to be aware of related to value-added services. And finally, the volume of claims processed every day is very high, so an inadvertent error can potentially trigger burdensome mandatory disclosure obligations and impact many individuals.

Background

There is no express federal constitutional right to privacy. That being said, the focus on privacy rights and the call for more stringent laws have increased with the advance of technology. The result has been the adoption of a number of federal and state laws, industry commitments and an increased consumer expectation that information will be appropriately safeguarded.

Organizations are struggling to balance business goals with legal and regulatory requirements. The balance lies between the drive toward more sophisticated use of data to provide better health care services and the fast-paced regulatory effort to restrict use and disclosure of data. For health plans, greater and more sophisticated use of data is a priority as competition for market share increases. Consumers and beneficiaries are asking for more personalized health care services and want electronic access to their medical records, yet legislative and enforcement activity is focusing on more stringent regulatory oversight.

1 Jennifer O'Brien is the Chief Medicare Compliance Officer for UnitedHealthcare Medicare and Retirement.

Payor Privacy Issues 69


The increased consumer and regulatory focus has resulted in greater attention to ensuring that appropriate resources are in place to support privacy compliance efforts. It is important that a health plan develop a practical approach to safeguarding the privacy of information. Implementing processes and supplying resources that ensure total compliance with all privacy laws comes at a huge cost and would consume all of a health plan's resources. An effective and efficient way to address this challenge is to develop a process within the privacy compliance program that assesses risk tolerance, because data privacy issues are part of the majority of transactions and decisions made in a health plan's day-to-day business.

In response to the above challenges, health plans are working to build best practices within privacy compliance programs. Plans are recognizing the value of making the best use of data while promoting privacy as a core value. Those health plans that focus on this have been most successful because of the effort to integrate privacy compliance into everyday business decisions. Another critical factor in being successful is whether or not the effort is supported by the organization's leaders. A supportive tone at the top means there is recognition that safeguarding data is good business practice, not just another compliance initiative.

Basic Consumer Principles Related to Health Plans

There are two main principles related to health plan privacy compliance. The first involves the impact on the individuals the health plan serves. Within a health plan there are consumers and beneficiaries of the health plan's services. An organization must be able to demonstrate a commitment to its membership and customers to exercise sound ethical judgment when collecting, using, and disclosing personal information. Failure to do so may impact an individual's ability to obtain employment, education, insurance, credit and/or other necessities.

An example of this is where a health plan delegates a function to a vendor but fails to ensure the vendor has conducted background checks on its employees. Fast forward two to three months, and the plan is suddenly getting calls from members reporting that their identities have been stolen. An investigation confirms that an employee of the vendor stole the identities. The vendor's employee is arrested, and on review it is discovered that the employee had a criminal record that would have been identified had a background check been performed. The organization's failure to demonstrate appropriate oversight of the vendor raises the liability of the employer in this situation.

The second principle involves the impact on the organization. Privacy breaches have an adverse impact on organizations in a variety of ways. Having a robust privacy compliance program sends a strong message to customers and members that there is a strong commitment to protecting personal information. Additionally, the ability to demonstrate an effective privacy compliance program can mitigate the penalties and/or fines a health plan might have to pay in the event of a privacy breach. In many cases a health plan may be more concerned about the negative impact a privacy breach will have on its business and reputation than about the fine or penalty itself. There is also the internal cost of disruption in correcting process failures, as well as the personal liability of the employer, contractors and others.

Privacy vs. Security

While privacy compliance is much broader than what is in the Health Insurance Portability and Accountability Act (HIPAA) regulations, it is important to be able to articulate the



difference between HIPAA privacy and HIPAA security issues to employees and ensure each is independently addressed. Privacy and security are distinct, but related.

HIPAA privacy focuses on the right of an individual to control the use of his or her information. It is also responsive to the expectation individuals have that sensitive or confidential information a health plan holds about their personal life is available only to the appropriate persons. Protected Health Information (PHI) should not be used or divulged by others against their wishes. PHI is defined as "individually identifiable health information" (including demographics) that relates to a health condition, the provision of health care, or the payment for such care (45 C.F.R. § 160.103). It includes information in any form or medium (e.g. oral, written or electronic communications). An example of PHI would be someone's name together with health information (e.g. "Jane Doe has diabetes"). It could also include the date of service and/or diagnosis. The Privacy Rule covers the confidentiality of PHI in all formats, including electronic, paper and oral. Confidentiality is an assurance that the information will be safeguarded from unauthorized disclosure.

HIPAA Security refers to the methods used to protect all sensitive and confidential information that is stored at a health plan or in the custody of those who contract with the health plan. Security defines how to ensure the confidentiality, integrity and availability of electronic PHI (ePHI). ePHI is individually identifiable health information that is transmitted by, or maintained in, electronic media (e.g. a hard drive or digital memory card). It does not include a paper-to-paper fax or a telephone conversation, because the information did not exist in electronic form immediately before it was transmitted. A practical caveat: the same fax sent from a computer, or a voicemail stored on a digital system, does exist in electronic form and is commonly treated as ePHI. The Security Rule also focuses on administrative, technical and physical safeguards and protection of ePHI from unauthorized access, whether external or internal, at rest or in transit.

Other federal privacy laws that health plans should be aware of include the substance abuse confidentiality rules (42 CFR Part 2), the Genetic Information Nondiscrimination Act (GINA, 26 USC 9832), the Family Educational Rights and Privacy Act (FERPA, 20 U.S.C. § 1232g), the Gramm-Leach-Bliley Act of 1999 (GLB, 15 USC 6801), the Federal Trade Commission Act (FTC Act, 15 USC 41) and the Privacy Act of 1974 (5 USC 552a). This is not an exhaustive list, and it will continue to grow along with the regulations being adopted around privacy on a state-by-state basis.

Collection, Use and Disclosure

Health plans must have solid processes in place to respond to requests for information and to determine whether such a request is permitted. The HIPAA Privacy Rule allows some uses and disclosures of PHI and ePHI for treatment, payment and health care operations (TPO) without the individual's authorization (45 CFR 164.506). Each of these areas is discussed in detail below, but it is important to note that if a use or disclosure is not otherwise permitted by the rule, then the information can only be shared with the documented permission and at the direction of the individual. The individual can request that their personal information be shared with a third party who is a designated representative of the individual (e.g. a spouse or parent). Another key provision related to collection, use and disclosure is the minimum necessary rule, which is also discussed in detail below (45 CFR 164.502(b), 164.514(d)). Both regulators and health plans continue to monitor the implementation and execution of these provisions to ensure the regulation does not adversely impact timely access to quality care.



Treatment, Payment, Health Care Operations (TPO). According to the Privacy Rule, "treatment" includes the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another. As stated above, this is the small bucket for a health plan. Examples of where it may be applicable include coordination of care efforts and referrals (45 CFR 164.501).

Under the Privacy Rule, "payment" includes activity undertaken by the health plan to obtain premiums, to fulfill its responsibility for the provision of benefits under the plan, and to obtain or provide reimbursement for the provision of health care. Some examples of payment activities applicable to a plan include, but are not limited to, determining eligibility or coverage under the plan, adjudicating claims, risk adjustment, billing and collection activities, and utilization review activities (45 CFR 164.501).

And finally, the Privacy Rule defines "health care operations" as activities compatible with and directly related to conducting quality assessment and improvement activities for the health plan, as well as case management, coordination of care activities and credentialing. Underwriting, insurance rating and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits are also considered health care operations. Conducting or arranging for medical review, legal services and auditing functions, including fraud and abuse detection, are also activities that allow for use and disclosure by the health plan (45 CFR 164.501).

Minimum Necessary Rule. There is a caveat to collecting, using and disclosing information that is known as the "minimum necessary rule" (cited above). This is a key protective provision of the HIPAA Privacy Rule: a health plan or health plan employee must not collect, use or disclose more personal information than is needed to accomplish the task. One example relevant to a health plan is searching for or requesting data: an employee may not access any record for which they do not have a designated work task (e.g. the clinical case records of a public official, neighbor or family member). Another example is the information a health plan shares with a vendor or delegated entity. The health plan should exclude any data not required to perform the task (e.g. claims analysis). And finally, when involved in a provider billing dispute, the health plan may need to share claims data, including the Medicare number and treatment information. The health plan should make sure processes are in place to verify the recipient's address and to send the information in an encrypted format.

The minimum necessary standard is derived from confidentiality codes and practices in common use today. When educating and training employees on this standard as part of a privacy compliance program, it is important to emphasize the competing interests at stake: the need to ensure that practices protecting PHI are in place, versus the need to maintain a "reasonableness" standard. Employees must receive ongoing education to ensure they understand they must not use or disclose information that is not necessary to satisfy a request or carry out a particular function. The caveat for this practice is that the health plan is held to a standard of taking reasonable steps to limit the use, disclosure and requests for PHI. Definitions of what constitutes "reasonable" vary and are somewhat subjective, which makes this an even more critical area for education and discussion within an organization. Additionally, health plans should develop and implement policies and procedures appropriate for their own organization that reflect its business practices and the actions of its employees.
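The three minimum necessary situations described above (a vendor getting only the fields its task needs, a billing-dispute recipient whose address has been verified, and a record of what went out) can be enforced in code rather than left to training alone. The following is an added example, not code from the handbook or from any health plan: each disclosure purpose carries a field allowlist and a set of recipient addresses verified out of band; an unknown purpose or an unverified recipient is refused, fields the purpose does not need are dropped, the purposes the Privacy Rule exempts from the standard (45 CFR 164.502(b)(2), listed in the exceptions below) pass through unfiltered, and an audit entry records what was sent and what was withheld. The purposes, field names, addresses and sample claim are assumptions of the example.

```python
"""Minimum-necessary release filter for a health plan's outbound disclosures.

Added example, not the handbook's own code. A disclosure is allowed only for
a known purpose to a verified recipient (deny by default); the payload keeps
only the fields that purpose needs; an audit entry records what was withheld."""

# Purpose -> fields needed for that task. The purposes, field names and
# addresses below are assumptions of this example, not the handbook's.
ALLOWLISTS = {
    "claims_analysis_vendor": {"claim_id", "service_date", "procedure_code",
                               "diagnosis_code", "allowed_amount"},
    "provider_billing_dispute": {"claim_id", "member_id", "medicare_number",
                                 "service_date", "procedure_code",
                                 "diagnosis_code", "billed_amount",
                                 "allowed_amount"},
    "eligibility_check": {"member_id", "plan_id", "coverage_start",
                          "coverage_end"},
}

# Purpose -> recipient addresses verified out of band before anything is sent.
VERIFIED_RECIPIENTS = {
    "claims_analysis_vendor": {"analytics@vendor.invalid"},
    "provider_billing_dispute": {"billing@clinic.invalid"},
    "eligibility_check": {"eligibility@clinic.invalid"},
}

# 45 CFR 164.502(b)(2): the standard does not apply to these, so the record
# passes through unfiltered (the requester's identity is verified elsewhere).
EXEMPT_PURPOSES = {"to_individual", "treatment_to_provider",
                   "authorization", "required_by_law"}


def is_permitted(purpose: str, recipient: str) -> bool:
    """Deny by default: only a known purpose with a verified recipient."""
    if purpose in EXEMPT_PURPOSES:
        return True
    return (purpose in ALLOWLISTS
            and recipient in VERIFIED_RECIPIENTS.get(purpose, set()))


def minimum_necessary(record: dict, purpose: str) -> dict:
    """Strip every field the purpose does not need."""
    if purpose in EXEMPT_PURPOSES:
        return dict(record)
    try:
        allowed = ALLOWLISTS[purpose]
    except KeyError:
        raise PermissionError(f"no disclosure policy for purpose {purpose!r}") from None
    return {k: v for k, v in record.items() if k in allowed}


def prepare_disclosure(records: list, purpose: str, recipient: str):
    """Return (payload, audit_entry), or raise PermissionError."""
    if not is_permitted(purpose, recipient):
        raise PermissionError(f"{purpose!r} to {recipient!r} is not an approved disclosure")
    payload = [minimum_necessary(r, purpose) for r in records]
    requested = {k for r in records for k in r}
    sent = {k for p in payload for k in p}
    audit = {
        "purpose": purpose,
        "recipient": recipient,
        "record_count": len(payload),
        "fields_sent": sorted(sent),
        "fields_withheld": sorted(requested - sent),
    }
    return payload, audit


# Constructed sample claim; every value is fictitious.
SAMPLE_CLAIM = {
    "claim_id": "CLM-0001", "member_id": "M100", "name": "Jane Doe",
    "medicare_number": "MBI-EXAMPLE", "ssn": "000-00-0000",
    "plan_id": "GOLD-1", "coverage_start": "2010-01-01",
    "coverage_end": "2010-12-31", "service_date": "2010-03-01",
    "procedure_code": "99213", "diagnosis_code": "250.00",
    "billed_amount": 150.0, "allowed_amount": 90.0,
}

if __name__ == "__main__":
    payload, audit = prepare_disclosure([SAMPLE_CLAIM], "claims_analysis_vendor",
                                        "analytics@vendor.invalid")
    print(payload)
    print(audit)
```

The audit entry is what a later accounting or investigation needs: which purpose and recipient, how many records, and which fields never left the plan. Encrypting the payload for transport, and the identity check behind `to_individual`, sit outside this example; the filter only decides what may be sent and to whom.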



It is important to note that the minimum necessary standard does not apply to the following:

• Disclosures to or requests by a health care provider for treatment purposes.

• Disclosures to the individual who is the subject of the information.

• Uses or disclosures made pursuant to an individual's authorization.

• Uses or disclosures required for compliance with the HIPAA Administrative Simplification Rules.

• Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.

• Uses or disclosures that are required by other law.

Marketing and Health Plans

Understanding the definition of "marketing" under the HIPAA rule is important across the industry, but even more so for health plans, as the marketing department of a health plan helps drive its sales, which in turn drive revenue. There are important controls under the HIPAA Privacy Rule that address whether and how PHI may be used and disclosed for marketing (45 CFR 164.501, 164.508(a)(3)). In general, a written authorization is needed in order to use PHI for marketing. However, there are some exceptions that health plans need to be aware of, which may be important to a health plan's mission of ensuring consumers or beneficiaries are getting important information that relates to quality-of-care issues.

It is important to first define what constitutes marketing under the rule. The Privacy Rule defines "marketing" as making "a communication about a product or service that encourages recipients of the communication to purchase or use the product or service" (45 CFR 164.501, 164.508(a)(3)). An example of marketing material that requires a prior authorization from the individual would be a communication from a health plan promoting an automobile insurance product sold by the same company. Simply put, a covered entity may not sell PHI to a business associate or any third party for that party's own purposes. Health plans also may not sell lists of consumers or beneficiaries to third parties without first obtaining an authorization from each person on the list. This part of the definition has no exceptions. Another example of marketing that fits the above description would be a health plan that sells a list of its members to a third party that sells blood glucose monitors. The third party purchased the information with the intent to send the plan's members brochures on the benefits of purchasing and using the monitors. This information cannot be sold without an authorization from every member on the list.

Once marketing has been defined, the next step is to identify and understand what marketing is not. The Privacy Rule groups the exceptions to the marketing rules into the following three areas (45 CFR 164.501, 164.508(a)(3)):

1. Health-Related Products or Services. It is not considered "marketing" if a health plan communication describes a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication. This includes communications about:



–– The entities participating in a health care provider network or health plan network, and replacement of, or enhancements to, a health plan; and

–– Health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits. For example, a health plan may inform members about its own products and services, such as by describing a Medicare supplement plan to individuals approaching Medicare eligibility.

2. Treatment Purposes. It is not considered "marketing" if a health care provider contacts an individual as part of its treatment plan. This area is not as applicable to health plans and has more impact on pharmacies or health care providers. For example, a pharmacy may mail a prescription refill reminder to a patient without obtaining the patient's authorization.

3. Case Management or Care Coordination. It is not considered marketing if the communication involves sharing a patient's medical record to determine which program best fits the patient's needs. An example of this would be a social worker contacting nursing homes and sharing the patient's medical record in an effort to transfer the patient from the hospital to a nursing home.

Additional factors should be considered when reviewing exceptions to the marketing requirements. One factor is that the activity must otherwise be permissible under the Privacy Rule. Another factor to keep in mind when the health plan uses vendors or delegates is to ensure that a business associate agreement is in place and that the vendor uses the PHI only for the communication activities intended by the health plan.

Marketing is a complex area that receives quite a bit of scrutiny. An excellent resource for understanding the practical application of the Privacy Rule, whether it is the marketing provisions, the minimum necessary rule or any other provision, is the "Frequently Asked Questions" section of the U.S. Department of Health and Human Services website (www.hhs.gov/ocr/privacy/hipaa/faq/index.html).

Summary

In summary, the focus on sensitive information by advocacy groups and legislative leaders continues to increase, with the result that more federal and state laws and regulations are adopted. The public and political pressures are driven by headlines about privacy breaches, which means regulatory scrutiny and enforcement will increase. An example of this increase is the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), which resulted in more rigorous standards when it comes to PHI.

A privacy program is essential in helping a health plan identify the key compliance principles. This can be accomplished by asking critical questions, such as:

• What data are being collected?

• Who is collecting the data?

• Are employees aware of and following the minimum necessary rule?

• How is the information being used?

• What type of monitoring and auditing is in place to ensure policies and procedures are being followed?



Health plans must also be committed to educating and informing employees, senior management and the board on the key compliance risks identified, as well as what is being done to address those risks. A compliance oversight committee consisting of management should also play a role in assessing the risk and setting risk tolerance for the health plan. Additionally, an organization should focus on ensuring there is consistency across the organization in how employees are disciplined when a privacy breach is discovered.

This chapter began with a discussion of the challenges in managing privacy compliance risks and ends with the same message. A key to mitigating the risks, however, is to integrate an effective and efficient privacy compliance program that aligns with the health plan's business priorities and holds business leaders accountable and responsible for safeguarding individuals' information. Once this is accomplished, the other core elements needed for an effective privacy program are not more easily attainable, but they are more readily sustainable.

Chapter Bibliography

U.S. Department of Health and Human Services, Health Information Privacy website: www.hhs.gov/ocr/privacy/

• Minimum Necessary Rule: www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/minimumnecessary.html

• Treatment, Payment, Health Care Operations: www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/usesanddisclosuresfortpo.html

• Marketing: www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/marketing.html

• Frequently Asked Questions: www.hhs.gov/ocr/privacy/hipaa/faq/index.html



6
Family Educational Rights and Privacy Act
By David Nelson, CHRC, CHPC, CISSP, CIPP/G1

Introduction

For the average health care privacy professional, the Family Educational Rights and Privacy Act (FERPA) is generally one of the more obscure laws. Compared to the eight-hundred-pound gorilla of HIPAA, 42 CFR Part 2 for SAMHSA records or the many state laws, FERPA is relegated to a minor role unless you are in the educational setting.

But ignorance of FERPA does a disservice to individuals when the safest fallback is to deny any access, or worse, to fail to abide by a federal mandate. Most privacy professionals will run to the safe harbor of "it is forbidden" if in doubt, similar to the great HIPAA information seizure back in 2003, when the Privacy Rule's compliance date arrived.

This chapter is designed to give a general outline of the most important parts of FERPA. If you have mastered any other health care privacy laws, many of the pieces of FERPA will look familiar; however, never assume one substitutes for another.

Health care privacy professionals have to be aware that this federal act is in the educational arena and outside of our normal comfort zone. If the privacy professional lives in an educational institution with the actual delivery of health care, or works with local government or public health, just having a passing acquaintance is not sufficient to ensure compliance. After all, we are here to deliver exceptional health care, and we should not be placing artificial barriers to the legitimate use of information.

This outline will put FERPA in a simple context:

• Who does FERPA apply to?

• What information is covered?

• What information is excluded?

• What are the mandates and client rights?

The outline of 34 CFR Part 99 citations is attached at the end of this chapter.

Who Does FERPA Apply To

(20 U.S.C. § 1232g; 34 CFR Part 99.) FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education. This includes virtually all public schools and school districts and most private and public postsecondary institutions, including medical and other professional schools.2

While this quote seems to put the applicability of the act into a simple framework, it should be pointed out that "any program" encompasses nearly three hundred federal educational programs. Careful research should be done to determine whether federal Department of Education program funds actually are available to an institution. Additionally, the "availability of funds" criterion is defined in the regulations and should be reviewed thoroughly. In short, FERPA:

…considers funds to be made available (if),

1 David Nelson is Privacy Officer for the County of San Diego in California.
2 Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records.



1) provided to the agency or institution by grant, cooperative agreement, contract, sub-grant, or subcontract; or

2) provided to students attending … and the funds may be paid to the agency or institution by those students for educational purposes, such as … Pell Grant Program and the Guaranteed Student Loan Program....3

Another thing to account for is: "Private and religious schools at the elementary and secondary level generally do not receive funds from the Department of Education and are, therefore, not subject to FERPA."4 Please note I have emphasized "generally," as it will always be important to check for the federal funds and not rely only on the private or religious affiliation to make the FERPA applicability decision.

There is another applicability wrinkle to the records of a private school. "Note that a private school is not made subject to FERPA just because its students and teachers receive services from a local school district or State educational agency that receives funds from the Department."5

But you have to account for a student whose records are subject to FERPA, yet who is placed at another institution. "For example, if a school district places a student with a disability in a private school that is acting on behalf of the school district with regard to providing services to that student, the records of that student are subject to FERPA, but not the records of the other students in the private school."6

The regulations say: "(d) If an educational agency or institution receives funds under one or more of the programs covered by this section, the regulations in this part apply to the recipient as a whole, including each of its components (such as a department within a university)."7

But what if the medical clinic for a university is contracted out, none of the health care records are available to the department that holds the official educational record, and the records are only used for treatment? The clinic isn't necessarily considered a division of the university, as it is a stand-alone part that does not provide any educational services. So while the Act applies to the whole institution, as privacy professionals in health care we must look to exclude these records to protect the client's privacy.

Note: Nursing Records. These records are specifically considered part of the education record; the treatment-record exclusion described below is limited to eligible students (18 or older, or attending a postsecondary institution), and nurses do not diagnose or treat in the medical sense.

Generally, applicability of FERPA is based on the institution receiving either federal funds directly (including through a subcontract) or federal funds received by a student and used for payment of educational services.

Educational Record

According to 34 CFR 99.3 (Definitions), education records are those records that are: "(1) Directly related to a student; and (2) Maintained by an educational agency or institution or by a party acting for the agency or institution." This narrows the record set impacted by FERPA, and it seems straightforward, but we must be aware of any exceptions.

The exempted record sets are:

3 34 CFR § 99 et seq.
4 Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records.
5 Ibid.
6 Ibid.
7 34 CFR § 99 et seq.

Family Educational Rights and Privacy Act 77


• personal reminder notes

• law enforcement records

• staff employment records maintained only for employment purposes

–– employment records of students who are employed only because they are students are NOT excepted

• treatment records of students who are 18 years old or attending a postsecondary institution, made by a recognized professional, and used only for treatment or only released for treatment, where treatment does not include remedial education services

• records created or received after the individual is no longer a student in attendance, and not directly related to the individual's attendance as a student

This is a general summary of the highlights; the regulations go into more detail.

Is it any wonder many educational institutions just claim any record they have is covered by FERPA? Many health care providers have done the same, to the detriment of the individuals who are the subject of the record. Compliance is easy when it all falls into one pot; however, if the privacy professional is to do the job successfully for the benefit of the subject of the information, they should create a matrix. List all records maintained on one axis and the applicable laws on the other axis. The intersection points guide the privacy professional in applying the relevant legal mandates. Additionally, this matrix outlines what the institution must do, may not do, and is permitted to do with the information.

Educational records are those used for an educational purpose, including nursing records, but generally not medical or psychological records used for treatment.

Mandates

There are several mandates on using data, but probably the most relevant one to the privacy professional is the requirement to provide an annual notice to the parents, guardian or eligible student. 34 CFR 99.7 requires that the notice be provided and that it state the client's rights. In short, the client may:

• Inspect or review the record set

• Seek amendment of flawed records

• File a complaint

The content of the actual notice also has required elements. They are:

• Disclosures requiring authorization.

• Procedures to inspect and/or amend the record.

• Identification of whom the institution declares to be "school officials."

• Provision of the notice "by any reasonable means," in a manner that is language sensitive and "effectively" notifies disabled students/parents.

In health care, we are accustomed to watching those clients who are approaching the age of majority, as communication with parents may change. Sometimes the change is uncomfortable for the parents and guardians. FERPA is much the same, but uses the term "eligible student," and it has an added twist: "Eligible student means a student who has reached 18 years of age or is attending an institution of postsecondary education." This affects how records are handled and incorporates all of the prodigies who go off to college at ages under the traditional age of consent.

There are some exceptions to the eligible student's access to the record, such as their parents' financial information or what teachers wrote



in their letters of recommendation. But those exceptions are permissive; the institution can decide whether it wants to release such information to them or not.

Really nothing is unique here, and most of the mandates look familiar to privacy professionals, as we have other health care laws that mirror these client rights. However, these records are held in an educational setting.

Entities that are covered by FERPA are required to provide an annual notice to parents, legal guardians or eligible students of their rights and of how to exercise those rights within the entity.

Once we have the notification firmly in our minds, we move on to some of the more important detailed parts of FERPA. The authorization requirements are probably the most important for the privacy professional to understand. FERPA, unlike HIPAA, starts out by declaring when an authorization8 is required to release information. This becomes important because, once you have created a matrix of which law(s) apply, you will be able to advise staff how they can use the information they have. This is the most intensive part of working as a privacy professional, as it expands the matrix of records and laws to account for what you must do, what you may not do and what you are permitted to do with the information.

Note: Staff turnover, innovative programs and the knowledge that the data is in-house drive folks to want to use and disclose in ways that continually change. These new data uses all too often come to the privacy professional’s attention only long after the project has been started. This timing gap can lead to hostility when the message we have to deliver is “Hmmm, unfortunately that is not a legal use of the information.” Having a good working relationship with program managers and your IT gurus, who hear things early, can help preclude last-minute meltdowns.

Authorization
FERPA lists the uses and disclosures for which an authorization is required. Additionally, it lists what the authorization form must contain. Then, at 99.31, it tells us which uses and disclosures do not require the authorization. This is probably the least pleasant part of the chapter to read, as it is not conversational. We will start with the exceptions, keeping in mind that all other instances would require authorization.

Authorization is not required:

• For use by school officials with a legitimate educational interest;
• To release to officials of another school where the student seeks or intends to enroll;
• To release to an authorized representative of
  –– the U.S. Comptroller General, the Attorney General, or the Secretary of Education, or
  –– state or local educational authorities;
• In connection with financial aid, to determine eligibility for the aid, the amount of the aid, or the conditions of the aid, or to enforce the terms and conditions of the aid;
• To state or local officials, pursuant to a state statute concerning the juvenile justice system (the state can limit these disclosures);

8 The author, for clarity and realizing this information is for those working in health care not education, reserves the term “consent” for the consent to treat and uses the term “authorization” for any reference to permission to use or disclose information.

Federal Educational Rights and Privacy Act 79

• To organizations conducting studies for, or on behalf of, the school to develop, validate or administer predictive tests, administer student aid programs, or improve instruction (details at 99.31(a)(6)), but only if:
    – the study does not permit personal identification of students or parents by anyone other than representatives of the organization, AND
    – the information is destroyed when it is no longer needed for the study;
• To accrediting organizations to carry out their accrediting functions;
• To parents of a dependent student (as “dependent” is defined for IRS purposes);
• To comply with a judicial order or a lawfully issued subpoena, but only after a reasonable effort to notify the parent or eligible student in advance, unless the disclosure is in compliance with a federal grand jury subpoena;
• For a health or safety emergency (subject to 99.36);
• For directory information (a designated set of limited information; see 99.37);
• To the parent of a student who is not yet an eligible student;
• To the eligible student;
• For the final results of a disciplinary proceeding, to the victim of an alleged crime of violence or non-forcible sex offense (read 99.31(a)(13));
• To the parent of a student under 21 regarding a violation of law or institutional policy governing the use of alcohol or a controlled substance.

In general, authorization to release educational records is required for uses beyond an educational purpose.

Summary
While FERPA seems relatively simple in comparison to HIPAA, the privacy professional must account for its unique characteristics. Only by incorporating them into the arsenal the privacy professional wields can we serve our constituency.

Appendix A
CFR 34 Part 99 Citations

99.1 To which educational agencies or institutions do these regulations apply?


99.2 What is the purpose of these regulations?
99.3 What definitions apply to these regulations?
99.4 What are the rights of parents?
99.5 What are the rights of students?
99.7 What must an educational agency or institution include in its annual notification?
99.8 What provisions apply to records of a law enforcement unit?
99.10 What rights exist for a parent or eligible student to inspect and review education records?
99.11 May an educational agency or institution charge a fee for copies of education records?
99.12 What limitations exist on the right to inspect and review records?
99.20 How can a parent or eligible student request amendment of the student’s education records?
99.21 Under what conditions does a parent or eligible student have the right to a hearing?
99.22 What minimum requirements exist for the conduct of a hearing?
99.30 Under what conditions is prior consent required to disclose information?
99.31 Under what conditions is prior consent not required to disclose information?
99.32 What recordkeeping requirements exist concerning requests and disclosures?
99.33 What limitations apply to the redisclosure of information?
99.34 What conditions apply to disclosure of information to other educational agencies or institutions?
99.35 What conditions apply to disclosure of information for federal or state program purposes?
99.36 What conditions apply to disclosure of information in health and safety emergencies?
99.37 What conditions apply to disclosing directory information?
99.38 What conditions apply to disclosure of information as permitted by state statute adopted after November 19, 1974, concerning the juvenile justice system?
99.39 What definitions apply to the nonconsensual disclosure of records by postsecondary educational institutions in connection with disciplinary proceedings concerning crimes of violence or non-forcible sex offenses?
99.60 What functions has the Secretary delegated to the office and to the Office of Administrative Law Judges?
99.61 What responsibility does an educational agency or institution have concerning conflict with state or local laws?
99.62 What information must an educational agency or institution submit to the office?
99.63 Where are complaints filed?
99.64 What is the complaint procedure?
99.65 What is the content of the notice of complaint issued by the office?
99.66 What are the responsibilities of the office in the enforcement process?
99.67 How does the Secretary enforce decisions?

7

The Federal Privacy Act of 1974

By John Falcetano1

Introduction
The Privacy Act of 1974 was created in response to the government’s creation and use of computer databases. There was concern that the use of the databases might infringe on an individual’s privacy rights. The Act requires the government to show individuals any records kept on them. In addition, the Act places restrictions on how the government can share the information with other individuals and agencies.

Application
The Privacy Act only applies to certain federal government agencies, including the Executive Branch, the military, independent regulatory agencies, and government-controlled corporations. Some examples include the Indian Health Service, the Veterans Administration and the Centers for Medicare and Medicaid Services. The Privacy Act does not cover either house of Congress. Section 7 of the Act, concerning limits on the Social Security Number, applies to federal, state, and local governments.

Protection
The Act protects citizens and aliens who have been lawfully admitted for permanent residence, but does not apply to aliens without permanent resident status. The Act does not apply to corporations.

Records
The Privacy Act defines a “record” as any item, collection or grouping of information about an individual that includes the person’s “name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.”2

System of Records
The Act often refers to a “system of records.” A system of records is a group of records under the control of a federal agency from which personal information “is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.”3 Just the “ability to retrieve” is not enough; actual retrieval by personal identifier is required. Any retrieval by a “personal identifier” that is linked or linkable to an individual requires advance public notice before the federal agency begins to collect personal information for the system of records. A System of Records Notice (SORN) must be published in the Federal Register. The SORN must outline the administrative, technical and physical safeguards for protecting the Personally Identifiable Information (PII) being collected, such as role-based access, training and audit logs.

Databases may contain personally identifiable information, but if the records are not retrieved by personal identifier, the database is not a system of records and the Act’s system-of-records provisions do not apply to it.

The Privacy Act requires an agency to give an individual access to any records it maintains about that individual. The individual should be allowed to review the record and make copies of

1 John Falcetano is Chief Audit and Compliance Officer for the University Health System of East Carolina.
2 5 U.S.C. §552a(a).
3 5 U.S.C. §552a(a).

it. The individual can request amendment of the record if the record is incomplete or in error. The agency has 10 business days to acknowledge the request in writing, and must then promptly either amend the record or tell the person why it will not make the change. The agency must provide the individual the contact information necessary if they want to take the refusal to a higher official.

The individual has the right to appeal, and the agency has thirty business days to complete a review of the refusal. The thirty-day limit can be extended for “good cause.” If the amendment is still refused, the individual can file a concise statement explaining why the individual disagrees, and the agency must include that statement with any copies of the disputed record it discloses going forward.

Public Notice Requirements
Agencies must publish the details of all their systems of records in the Federal Register. The publication must cover the intended uses of the system and allow interested persons to submit written data, views, or arguments to the agency. Any time an agency wishes to establish or significantly change a system of records, it must also notify in advance the Committee on Government Operations of the House of Representatives, the Committee on Governmental Affairs of the Senate, and the Office of Management and Budget. These bodies then evaluate the probable or potential effect of the proposal on the rights of individuals.

The Act requires prior notice at two levels. A Privacy Act Statement must be given to individuals when information is collected from them that will be saved in a system of records; much like the Notice of Privacy Practices (NoPP) under HIPAA, it describes the agency’s use and disclosure practices (its required contents are listed under Data Minimization Requirements, below). The published system of records notice must indicate the name and location of the system; the categories of individuals on whom records are maintained in the system; the categories of records maintained in the system; each routine use of the records contained in the system, including the categories of users and the purpose of such use; the policies and practices of the agency regarding storage, retrievability, access controls, retention, and disposal of the records; the title and business address of the agency official who is responsible for the system of records; the agency procedures whereby an individual can be notified at the individual’s request if the system of records contains a record pertaining to the individual; the agency procedures whereby an individual can be notified at the individual’s request how the individual can gain access to any record pertaining to the individual contained in the system of records, and how the individual can contest its contents; and the categories of sources of records in the system.

Limitations on Data Collection
The Act places limitations on data collection. Section 7 of the Privacy Act says that no federal, state, or local government agency can deny an individual any right, benefit, or privilege provided by law because the individual refuses to disclose their Social Security Number. However, this section does not apply to any disclosure that is “required by a federal statute,” or to a system of records that existed before January 1, 1975, if the number was required under a statute or regulation adopted before that date to verify identity. The government agency must tell the individual how the Social Security Number will be used, whether the disclosure is mandatory or voluntary, and what laws give the agency the authority to request the Social Security Number.

Agencies have limits on the information they may collect about individuals. Agencies must only maintain “relevant and necessary” information; collect information to the greatest extent practicable directly from the individual when the information may result in an adverse determination about the individual’s

rights, benefits or privileges under a Federal program; maintain all records used in agency determinations about an individual with “such accuracy, relevance, timeliness and completeness as is reasonably necessary to assure fairness;”4 and maintain no record describing how any individual exercises rights guaranteed by the First Amendment, unless expressly authorized by statute or by the individual, or unless pertinent to and within the scope of an authorized law enforcement activity.

Limits on Agency Data Sharing
One of the most important aspects of the Privacy Act is that it restricts the sharing of information between government agencies. Generally, the Act prohibits federal agencies from disclosing personal records about an individual; it protects records that contain any information that would identify an individual, such as the individual’s name, Social Security Number or fingerprints. Generally, the Act does not allow disclosure to any person or to another agency without the written consent of the individual. The Privacy Act also prohibits agencies from running computer matching programs on systems of records unless there is a written agreement between the agencies. There are, however, exceptions. An agency is permitted to disclose records about individuals to officers and employees of the agency that maintains the records who have a need for the record to perform their duties, and an agency is also permitted to disclose such records when disclosure is required under the Freedom of Information Act (FOIA). Some of the others include the following:

• To the Bureau of the Census for purposes of planning or carrying out a census or survey or related activity pursuant to the provisions of Title 13.

• To a recipient who has provided the agency with advance adequate written assurance that the record will be used solely as a statistical research or reporting record, and the record is to be transferred in a form that is not individually identifiable.

• To the National Archives and Records Administration as a record which has sufficient historical or other value to warrant its continued preservation by the United States Government, or for evaluation by the Archivist of the United States or the designee of the Archivist to determine whether the record has such value.

• To another agency or to an instrumentality of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity, if the activity is authorized by law and if the head of the agency or instrumentality has made a written request to the agency which maintains the record specifying the particular portion desired and the law enforcement activity for which the record is sought.

• To a person pursuant to a showing of compelling circumstances affecting the health or safety of an individual, if upon such disclosure notification is transmitted to the last known address of such individual.

• To either House of Congress, or, to the extent of matter within its jurisdiction, any committee or subcommittee thereof, any joint committee of Congress or subcommittee of any such joint committee.

• To the Comptroller General or any of the Comptroller General’s authorized representatives, in the course of the performance of the duties of the Government Accountability Office (named the General Accounting Office in the statute).

• Pursuant to the order of a court of competent jurisdiction.

4 5 U.S.C. §552a(e).

• To a consumer reporting agency in accordance with section 3711(e) of Title 31.

Data Minimization Requirements
An agency should maintain only the minimum amount of information that is relevant and necessary to accomplish its purposes. The agency must collect as much data as practicable directly from the individual if the information collected might have an adverse effect upon the individual. The agency must tell the individual what law or executive order authorized the agency to collect the information; the principal purpose of the collection; the routine uses to which the data may be put; and the effects that might result from the individual not providing the information requested.

Routine Use
“Routine Use” is defined as “the use of such record for a purpose which is compatible with the purpose for which it was collected.”5 It is important to note that a routine use does not have to be a purpose identical to the purpose for which the record was collected, only a compatible purpose. The Act simply requires that the routine uses be stated in the Federal Register. Uses and disclosures made from systems of records “outside” of the federal agency (and without individual consent) are permitted if one of the agency’s published “routine uses” applies.

Disclosure Requirements
An agency may only disclose information if it has written permission from the individual or if it can meet one of the twelve following conditions:

1. The disclosure is to an agency employee who normally maintains the record and needs it in the performance of duty;
2. The disclosure is required under the Freedom of Information Act;
3. The disclosure is for a “routine use;”
4. The disclosure is to the Census Bureau for the purposes of a census or survey;
5. The disclosure is to someone who has adequately assured the agency in advance, in writing, that the record is to be used for statistical research or reporting, and the record is transferred without individually identifying data;
6. The disclosure is to the National Archives and Records Administration as a record of historical value;
7. The disclosure is to an agency “of any governmental jurisdiction within or under the control of the United States for a civil or criminal law enforcement activity,” and the record is provided in response to a written request by the head of that agency;
8. The disclosure is made where there are “compelling circumstances” affecting someone’s health or safety, and the person whose health or safety is affected is sent a notification of the disclosure;
9. The disclosure is made to Congress, or any committee or subcommittee within Congress;
10. The disclosure is made to the Comptroller General in the course of the duties of the Government Accountability Office;
11. The disclosure is made pursuant to a court order;
12. The disclosure is made to a consumer reporting agency in accordance with 31 U.S.C. 3711(e).

5 5 U.S.C. §552a(a).

Law Enforcement
The Act has an exception for “law enforcement purposes.” This allows law enforcement to do their job, and law enforcement agencies can exempt themselves from many of the Privacy Act’s requirements. There are some specific areas of the Privacy Act from which law enforcement cannot be exempt. Law enforcement cannot disclose personally identifiable information unless it has consent or the disclosure is one of the twelve allowed disclosures under the Act listed above. The law enforcement agency also must publish the existence and character of its system of records in the Federal Register, including routine uses, data storage policies, and contact information for the official responsible for the system. Law enforcement agencies must also still abide by fair information practices, meaning that they must ensure reasonable accuracy, completeness, timeliness and relevance of records; they must make reasonable efforts to tell an individual when their records have been disclosed due to a court order or a subpoena; and they must establish appropriate rules of conduct and safeguards to protect the privacy and security of the information.

Penalties for Non-Compliance
The Act provides for both civil and criminal penalties. If an agency refuses to amend an individual’s record upon request, the individual can sue in federal district court to have the record amended. The court can award attorney’s fees and other litigation costs, to be paid by the United States.

If an agency refuses to allow an individual access to the individual’s records, the court can order the record produced and make the United States pay reasonable attorney’s fees. If an agency has violated any other section of the Act in a way that has an adverse effect on the individual, and it is determined that the violation was “intentional or willful,” the court can make the United States pay the individual the actual damages suffered as a result of the violation. The minimum individual recovery is $1,000 plus costs and reasonable attorney’s fees.

Any officer or employee of an agency who knowingly and willfully discloses individually identifiable information to anyone not entitled to receive it is guilty of a misdemeanor and may be fined a maximum of $5,000. Any agency officer or employee who willfully maintains a system of records without publishing the notice of its existence and character described above can likewise be fined a maximum of $5,000.
The same misdemeanor penalty (and $5,000 maximum fine) applies to anyone who knowingly and willfully requests or obtains an individual’s record from an agency under false pretenses.

Audit Trails
Agencies must also keep an accurate accounting of the date, nature and purpose of each disclosure of a record, and of the name and address of the person or agency to whom it was made, for at least five years after the disclosure or the life of the record, whichever is longer. Disclosures within the agency on a need-to-know basis and disclosures required under FOIA are the two kinds that need not be accounted for. Unless the disclosure was made for law enforcement purposes, the accounting of disclosures must be made available to the data subject upon request.
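As an added illustration that is not part of the handbook or of the statute’s own text, the following Python sketch models the accounting a system-of-records owner keeps: which disclosures need no accounting (intra-agency need to know and FOIA), the “five years or the life of the record, whichever is longer” retention rule, and the view a data subject may inspect, with law enforcement disclosures withheld. The class and function names are hypothetical, and the subject identifiers, recipients and dates are constructed sample data.

```python
"""Accounting of disclosures for a Privacy Act system of records.

Constructed example: keeps the per-disclosure accounting the Act requires,
applies the "five years or life of the record, whichever is longer"
retention rule, and builds the view a data subject may see.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Bases of disclosure, following the numbered list of permitted disclosures
# on this page. The statute requires no accounting for the first two.
NEED_TO_KNOW = "intra-agency need to know"   # condition 1
FOIA = "Freedom of Information Act"          # condition 2
ROUTINE_USE = "routine use"                  # condition 3
LAW_ENFORCEMENT = "law enforcement request"  # condition 7
COURT_ORDER = "court order"                  # condition 11

NO_ACCOUNTING_REQUIRED = {NEED_TO_KNOW, FOIA}
WITHHELD_FROM_SUBJECT = {LAW_ENFORCEMENT}
RETENTION_YEARS = 5


@dataclass(frozen=True)
class Disclosure:
    subject_id: str          # hypothetical internal identifier of the record subject
    disclosed_on: date
    recipient: str
    recipient_address: str
    basis: str
    nature_and_purpose: str


def plus_years(d: date, years: int) -> date:
    """Add calendar years; a Feb 29 anniversary falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class DisclosureAccounting:
    entries: List[Disclosure] = field(default_factory=list)

    def record(self, d: Disclosure) -> bool:
        """Account for a disclosure. Returns False when no accounting is required."""
        if d.basis in NO_ACCOUNTING_REQUIRED:
            return False
        self.entries.append(d)
        return True

    def subject_view(self, subject_id: str) -> List[Disclosure]:
        """What the individual may inspect: everything except law enforcement disclosures."""
        return [e for e in self.entries
                if e.subject_id == subject_id and e.basis not in WITHHELD_FROM_SUBJECT]

    @staticmethod
    def must_retain(d: Disclosure, today: date, record_disposed_on: Optional[date]) -> bool:
        """Retain while the underlying record lives, and for at least five years after disclosure."""
        if record_disposed_on is None:
            return True  # record still exists: the life of the record has not ended
        return today <= max(plus_years(d.disclosed_on, RETENTION_YEARS), record_disposed_on)

    def purge(self, today: date, disposed_on: Dict[str, Optional[date]]) -> int:
        """Drop accounting entries whose retention period has ended; returns the count removed."""
        keep = [e for e in self.entries
                if self.must_retain(e, today, disposed_on.get(e.subject_id))]
        removed = len(self.entries) - len(keep)
        self.entries = keep
        return removed


def demo() -> DisclosureAccounting:
    """Constructed sample disclosures for one record subject."""
    log = DisclosureAccounting()
    log.record(Disclosure("P-001", date(2010, 3, 1), "State Medicaid agency",
                          "PO Box 1, Capital City", ROUTINE_USE, "eligibility verification"))
    log.record(Disclosure("P-001", date(2010, 6, 15), "Federal law enforcement agency",
                          "Field office", LAW_ENFORCEMENT, "written request from agency head"))
    log.record(Disclosure("P-001", date(2010, 7, 1), "Claims examiner, same agency",
                          "Room 200", NEED_TO_KNOW, "adjudication"))  # no accounting required
    return log


if __name__ == "__main__":
    for e in demo().subject_view("P-001"):
        print(e.disclosed_on, e.recipient, e.basis)
```

The third sample disclosure is deliberately one that the statute does not require the agency to account for, and the second is accounted for but never shown to the subject; `purge` only removes an entry once both the five-year clock and the life of the underlying record have run out.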

8

Auditing and Monitoring for Privacy in Health Care

By Sheryl Vacca1

Executive Summary—Key Steps
• Agree on a common framework for the risk-based auditing and monitoring program.
• Assess privacy risks across the enterprise and then prioritize them by looking at the likelihood of occurrence and the impact for the organization.
• Develop a risk-based auditing and monitoring plan from the identified privacy risk priorities, or integrate those priorities into the current compliance plan.
• Assure that a management action plan is developed to mitigate and/or resolve risks in a timely manner.
• Assess the auditing and monitoring process for effectiveness.

Getting Started
In designing the privacy risk-based auditing and monitoring activities, it is important to work closely with the organization’s senior leadership and the board, or a committee of the board, to gain a clear understanding of auditing and monitoring expectations and of how these activities can be leveraged together to help minimize and mitigate privacy risks for the organization. These discussions should also include the organization’s compliance officer, to assure that resources are leveraged and that auditing and monitoring activities for privacy are not duplicated between the privacy plan and the organization’s overall compliance plan. There may be other functions that are not represented on the senior leadership team with whom you will want to consider discussing these activities as well.

Processes for establishing the privacy risk-based auditing and monitoring plan should include performing a risk assessment, prioritizing the risks identified and then developing the plan. If privacy is part of the overall comprehensive compliance plan, then it would be considered in the risk prioritization and ranking for the compliance plan. The overall goal of the plan is to perform periodic audits and monitors to determine compliance with applicable regulatory and legal requirements and organizational policies. An additional goal of the plan should be to provide assurance that management controls are in place for the detection and/or prevention of noncompliant behavior. Additionally, risk-based auditing and monitoring should include mechanisms to determine that management has implemented corrective action, through an ongoing performance management process, to address any privacy noncompliance.

Once the common framework for the risk-based auditing and monitoring program has been established, six key tasks must be performed:

1. Assessment and prioritization of privacy risks, conducted enterprise-wide;
2. Development of a risk-based auditing and monitoring plan;
3. Implementation of the plan;
4. Execution of a corrective action plan developed by management to mitigate and/or resolve risks;

1 Sheryl Vacca is the Senior Vice President and Chief Compliance and Audit Officer for the University of California.

5. Re-auditing/validation and/or monitoring for resolution and/or mitigation of risks;
6. Periodic assessment and evaluation of the overall process for effectiveness.

Risk Assessment
As discussed in previous chapters of this book, there are several ways in which risk assessments in these areas can be conducted. These include the use of:

• focus groups to assist in the identification of risks;
• interviews of key leadership and the board;
• surveys;
• reviews of previous audit findings and of external audits conducted in the organization, and identifying what is occurring within the industry and the local market, etc.

Once privacy risks have been identified, a prioritization process is needed to identify the likelihood of the risk occurring, the ability of management to mitigate the risk (i.e., are there controls in place for the privacy risk, regardless of the likelihood of its occurring?), and the impact of the risk on the organization.

It is important that senior leadership participate in, and agree with, the determination of the high-risk privacy priorities for the auditing and monitoring plan. This will ensure management buy-in and focus on privacy risk priorities. Also, with managers involved at the development stage of the plan, they will be educated as to the type of activities being planned and the resources needed to conduct them. Risk prioritization is a dynamic, ongoing process and should include periodic reviews during the year to ensure that the previous prioritization, when applied in real time, is still applicable to the risk.

Hence, during the plan year, if there are changes, management will understand the need for additional resources or for a change in the focus of the plan as the business environment and priorities change.

Developing the Plan
Risk assessment and prioritization are important elements in the development of your risk-based privacy auditing and monitoring plan. Considerations related to the plan should also include:

Resource Planning
• Review of other business areas in the organization which may be conducting an audit or monitoring activity in the privacy area. If found, could you leverage this resource for assistance in completing the stated activity, or utilize their activity and integrate the results into the overall plan?
• Resources available to implement the plan:
  –– Do you have the appropriate subject matter resources within your department to implement the plan? (If not, is there subject matter expertise somewhere else in the organization?)
  –– If the subject matter requires outsourcing, budget considerations and overall privacy risk priorities may need to be re-evaluated.
• Determination of the hours needed to complete the plan by considering the level of complexity of the potential scope. Considerations would include defining privacy auditing and monitoring activities and whether they are outcome- or process-oriented. Process activities

take fewer resources, less skill, and less time than outcome-oriented activities.
• Projected timeframes for completion of the proposed audits and/or monitors.
• Flexibility incorporated into the plan to address changes in privacy risk priorities and possibly unplanned privacy compliance risks/crises which may need an immediate audit or monitoring to occur.

The process of risk assessment continues through the execution of the privacy plan. Risk-based auditing and monitoring is ongoing and dynamic with the needs of the organization.

Privacy risks which could be included in auditing and monitoring activities:

• types of incidents, i.e., theft, loss, fraud and security, and the related mitigating activity to resolve the matter,
• compliance with HIPAA/HITECH requirements,
• appropriate execution of BAAs,
• fundraising and marketing and the use of patient information,
• breach notification process,
• access to information,
• unprotected ePHI or other sensitive information on mobile devices and laptops,
• enforcement of sanctions around inappropriate use,
• encryption status,
• education,
• privacy rights,
• disclosures,
• use of information in research,
• notifications, etc.

Execution of the Privacy Auditing and Monitoring Plan—Making It Happen
Each activity should have a defined framework which will provide management with an understanding of the overall expectations and approach as you execute the plan. The framework for your activities should include the following actions:

• Set the purpose and goal for the activity (audit and/or monitoring):
  –– Identify the scope from the purpose or goal, but make sure that it is objective, measurable, and concise.
  –– Identify where else activity may be occurring and collaborate on an efficient and effective approach to address the risk.
  –– Before conducting activities in privacy high-risk priority areas, it is important to consider whether legal advice may be needed in establishing the approach to the activity.
• Conduct an initial discussion with the business area for input related to privacy audit attributes, timing, and process:
  –– The concurrent vs. retrospective method of collecting data may be determined at this point. (Concurrent is “real time,” before the end point of what you are looking at has occurred. Retrospective is after the end point has occurred, i.e., form signed, disclosure made, etc.)

   – If using the concurrent method of collecting data, it is important to remember that because this is real-time information, the sample size may be difficult to obtain in a timely manner, so consideration will need to be given as to the amount of time the audit or monitor may take. Additionally, business disruption may occur with this type of methodology. However, this is one of the best ways to encourage behavior change, as it is happening in "real time."

   – If using a retrospective method of collecting data, it is important to identify a milestone to use as a rationale for how far back to go, for example, new law, new system, new business area, etc. This method is easier to use because of access to data. Sampling can be simpler with this method, due to being able to see the entire population and then being able to define the sample set.

• Finalize the approach and attributes:

–– Determine the sampling methodology largely by considering the scope (purpose and goal) of your activity. For example, the sample used in self-reporting a privacy risk area to an outside enforcement agency may be predetermined by the precedent that the enforcement agency has set in industry; to determine if education is needed in the privacy risk area, a small sample only may be needed; i.e., you may want to just "probe" an area for a sense of compliance in that area.

–– Discuss your approach and risk priority with legal to determine if attorney-client privilege should be a consideration BEFORE starting an audit in a sensitive area.

–– Consider the audience frame of reference that will receive the results of activity, and then develop an appropriate format for reporting.

• Conduct the activity.

• Identify preliminary findings and observations.

• Provide an opportunity for findings and observations to be validated by the business area.

• Finalize the report in the format approved.

• Ensure that your processes for following up with management on their corrective action are in place.

–– Trend and track data and identify themes and problem areas that need management attention.

–– Assist management in identifying ways to monitor activity to assure corrective action is occurring.

–– Have Compliance perform monitoring activity, where necessary, to keep communication and alignment of management activity in sync with privacy compliance.

• Determine the key points of activity that may be provided to leadership and/or in reporting to the board.

The overall process of developing the auditing and monitoring privacy plan should be documented. This would include a description of how the risk assessment was conducted and the methodology for prioritization of privacy risks. Work papers to support the audit findings, reports and corrective action plans should be documented and filed appropriately. Prior to the audit activity, be sure to define and document what should be considered as part of the work papers.

Remember to re-evaluate prioritization of risks with leadership throughout the plan year and adjust your plan accordingly. Evaluation of the overall effectiveness of the plan should be done annually. Questions to consider may include:



• Do I want the evaluation done independent of the privacy compliance function:

–– Is this something that needs additional credibility with stakeholders to provide information for future planning; i.e., return on investment of program, number of resources needed, etc.?

–– Is there a need for outside benchmarking that an independent party could provide better than internally?

–– Is a stakeholder challenging your viewpoint of accomplishments for the privacy compliance program, etc.?

• If there is no question that a self-review could be done, the following questions might be included in the evaluation:

–– Was the plan fully executed?

–– Were appropriate resources utilized for the plan's execution?

–– Were the activities conducted in a timely manner?

–– Did the plan "make a difference" in regard to the overall organization's strategy and business, or at least from a compliance perspective?

–– Did the plan reach the goal of detecting, deterring and/or preventing noncompliance related to privacy risks from occurring?

Annual evaluations may be conducted through self-reviews or independently by a third party not involved in the privacy compliance function, i.e., peer review conducted with other privacy compliance officers from other organizations, external consultants, etc. While self-reviews are less resource-intensive, it is recommended that an independent review be conducted periodically to assess the effectiveness of your privacy auditing and monitoring efforts. This will provide the board and senior leadership with necessary information to support improvements in the program.

In summary, effectiveness in the development and execution of the privacy risk-based auditing and monitoring plan will be determined by the integrity and characteristics of the overall auditing and monitoring process. The steps include:

1. Define scope and assumptions;

2. Develop review criteria;

3. Determine methodology;

4. Conduct audit or monitoring activity;

5. Document findings and observations;

6. Obtain management response for remediation of risk;

7. Assure management remediation resolves and/or mitigates risk;

8. Finalize report and corrective action plan;

9. Re-audit, monitor or validate that management has mitigated the risk.

Effective audit and monitoring activities will assist in the identification of weaknesses in controls, management's action to correct those weaknesses, and follow-up to ensure that timely mechanisms have been put in place to strengthen controls for mitigating the privacy risks. Additionally, privacy risks will be detected, deterred and/or prevented with effective auditing and monitoring activities.

