The HIPAA Privacy Rule

The Health Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) went into effect in April 2003. This rule protects the privacy and security of individual health data and establishes accountability and penalties for failing to apply the rule to protect health information privacy. The HIPAA Privacy Rule may affect the ability of CDR programs to obtain and use health data when individuals are not clear on HIPAA exemptions and permissible disclosures.

What is the HIPAA Privacy Rule?
The Health Privacy Rule of HIPAA was enacted into law to accomplish two major goals:

  1. To ensure health insurance coverage after leaving an employer.
  2. To improve the efficiency and effectiveness of health care-related electronic transactions.

Congress recognized that improvements in electronic transactions, with a shift away from paper records, had the potential to erode the privacy of personal medical information. They mandated the adoption of federal privacy protections for the acquisition, use and exchange of patient information.

The Department of Health and Human Services (DHHS) developed the Standards for Privacy of Individually Identifiable Health Information, better known as the HIPAA Privacy Rule. These are the first national standards to protect personal health information.

The Privacy Rule regulates how certain groups or persons, known in the rule as Covered Entities and their Business Associates, can use and disclose individually identifiable health information, known as Protected Health Information (PHI). The Privacy Rule:

  • Gives patients more control over their own health information. Sets boundaries on the use and release of health records.
  • Establishes safeguards that most health care providers must achieve to protect health information.
  • Allows civil and criminal penalties to be imposed on covered entities that violate the rule.
  • Allows for disclosure of PHI for public health, safety and law enforcement purposes.
  • Enables patients to make informed choices and to know how, when and to whom their PHI is used.
  • Limits the release of PHI to the minimum necessary for the purposes of the disclosure.


What are Covered Entities?
DHHS has authority to enforce the Privacy Rule only against Covered Entities and their Business Associates. There are extensive definitions for these terms in section 160.103 of the Privacy Rule, but a few examples will help you understand who might be members of each category.

Covered Entities include only:

  • Health Plans: An individual or group plan that provides or pays for the cost of medical care that includes the diagnosis, cure, mitigation, treatment or prevention of disease. Health plans include private and governmental organizations. Medicaid and Medicare are specifically named as health plans in the Privacy Rule, but most other health insurers will also be covered entities. For example, Blue Cross/ Blue Shield and Delta Dental are two large organizations that provide health plan coverage throughout large portions of the United States.
  • Health Care Clearinghouses: A public or private entity, including billing services, re-pricing companies or health information systems that processes non-standard data from another entity into standard transactions or data elements or vice versa. One common example would be a billing service company hired by a small physician’s office to conduct electronic billing on behalf of the physician.
  • Health Care Providers: Providers of health care services, and any other person or organization that furnishes, bills or is paid for health care, that transmit health information in electronic form in connection with certain transactions. Health care providers would be physicians, dentists, nurses and other health care professionals. However, they are only covered entities if they use one or more of the electronic transactions being standardized by HIPAA. Examples of those transactions might include submitting claims and receiving payment electronically, checking a patient’s eligibility for health plan coverage or requesting a referral authorization from a patient’s health plan. The larger a health care organization is, the more likely it is to be using electronic transactions. Organizations like hospitals, large clinics, local public health departments and community mental health service programs are all likely to be covered entities.
  • Business Associates: Non-employee business associates whose relationships with covered entities require the sharing of protected health information. These may include accountants, billing companies, lawyers and other contractors. It is the responsibility of a covered entity to obtain written assurance that its business associates comply with the duties of the Privacy Rule.


What is Protected Health Information?
For most practical purposes, PHI is any kind of health information that can be associated with a specific person, that is transmitted by or maintained in electronic media or in any other form or medium, and that relates to the:

  • Past, present or future physical or mental health or condition of an individual.
  • Provision of health care to an individual.
  • Payment for provision of health care to an individual.

You may be surprised to learn that the HIPAA Privacy Rule protects the privacy rights of deceased persons because in many other laws that is not the case. The representatives of deceased persons are those recognized under applicable laws as the executors, administrators or other persons with authority to act on behalf of the deceased individuals or of their estates. In most cases, this means that the default personal representative for purposes of a CDR case would be a parent or other legal guardian of the deceased child.

Another important principle embodied in the Privacy Rule is that those who do need access to PHI should only have access to the kinds and amounts of information that they actually need.

The Minimum Necessary Standard is found in section 164.502(b)(1) and requires that a covered entity make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. If requested, responsibility will likely fall on the CDR program to justify why certain kinds of data are needed and to ensure that only the minimum PHI needed for effective reviews is requested from a covered entity.

De-identified Health Information requires no individual privacy protection and is not covered by the Privacy Rule, provided it has been stripped of at least 18 identifiers, including zip codes and street addresses.


Requirements of Covered Entities in the Privacy Rule
Covered entities must:

  • Notify individuals regarding their privacy rights and how their PHI is used or disclosed.
  • Adopt and implement internal privacy policies and procedures.
  • Designate one or more employees who understand these policies and procedures.
  • Identify employees responsible for implementing the policies.
  • Establish requirements for dealing with business associates.
  • Have in place administrative, technical and physical safeguards to protect PHI.

Most CDR programs will not, by definition, be covered entities. But most CDR programs will want to access and use PHI related to children and their families and will need to obtain this information from a covered entity. Many covered entities are now much more reluctant to share PHI with CDR programs because they fear violating the Privacy Rule and becoming subject to criminal and civil penalties, and so they are responding to the Privacy Rule by clamping down on the flow of information to other organizations.

HIPAA may seem daunting and appear to present an impossible barrier to your team’s access to good case information. The burden will likely fall on your CDR program to identify if and how covered entities (usually hospitals, health care providers and EMS) can disclose PHI to your CDR team and to ensure that if you yourselves are covered entities or business associates, you abide by the rules. You will most likely have to educate a health provider that giving you case information for CDR is not prohibited by HIPAA.

There are strategies that you can use to work with HIPAA, rather than having HIPAA work against you. The following sections describe these. Make sure that you consult your agencies’ legal counsel to ensure that your strategies are in compliance with the law.


Strategies to Obtain Protected Health Information
Congress recognized that individual privacy rights need to be balanced with essential public needs, such as public health, law enforcement and the protection of public safety. The Privacy Rule was not intended to impede access to care, prevent people from receiving appropriate treatment, discourage quality improvement initiatives in health care or prevent our ability to protect people in harm’s way. It was simply meant to ensure that uses and disclosures of health information are justifiable and appropriate and respect patients’ rights to privacy.

The Privacy Rule describes how PHI can be shared for specific purposes without patient consent and what the responsibilities of covered entities are when sharing PHI for these purposes. A covered entity must be able, however, to point to a specific paragraph within the Privacy Rule that explicitly permits or requires a use or disclosure of PHI without first informing the patient and getting a signed authorization from the patient for each such use or disclosure.

Most of these exceptions are listed in section 164.512 of the Privacy Rule. Understanding these exceptions, both in terms of what they do and do not permit, is essential to developing a clear idea of how CDR will be affected in different states, communicating with concerned Covered Entities and ensuring CDR can continue effective reviews.

Your CDR program should assess the context within which it exists, which varies by state, then focus on learning how the Privacy Rule accommodates the chosen strategy. In some cases, you may find that more than one approach could apply. Remember that only one of the exceptions needs to apply in order to make a particular use or disclosure of PHI legal under the Privacy Rule. So if at least one applies, CDR work can usually move forward. You should evaluate the options with an eye toward the fact that some exceptions are more restrictive than others and select the approach that best suits your situation.


The following provides three strategies that may help you obtain the case information you need for quality reviews, within the context of the new HIPAA rules.

Example One: Child Death Review as a Public Health Activity
The public health exception provides an excellent basis for the continuation of CDR activities if your CDR program operates within your public health agency, because PHI may be provided to a public health authority. The following quote from the preamble to the Privacy Rule is a DHHS response to a public comment received on the draft of the Rule:

“Comment: One commenter remarked that our proposal may impede fetal/infant mortality and child death reviews. DHHS Response: The final rule permits a covered entity to disclose protected health information to a public health authority authorized by law to conduct public health activities, including the collection of data relevant to death or disease, in accordance with section 164.512(b). Such activities may also meet the definition of “health care operations.” We therefore do not believe this rule impedes these activities.”

Can your CDR team use the public health exception? First, you should ensure that your CDR program is under your public health authority. HIPAA defines a Public Health Authority as “an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory or an Indian tribe or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.”

Second, you should ensure that your CDR is a public health activity. HIPAA states that “A covered entity may disclose protected health information for public health activities and purposes described in this paragraph to: a public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death and the conduct of public health surveillance, public health investigations and public health interventions; or, at the direction of a public health authority, to an official of a foreign government agency that is acting in collaboration with a public health authority; or a public health authority or other appropriate government authority authorized by law to receive reports of child abuse or neglect…”.

Using the public health activities exception requires demonstrating that CDR teams have statutory authority over this important public health issue. Some states have enacted statutes that explicitly establish CDR teams as a formal governmentally appointed task force or work group, through public health. Thus, by citing that legislation, you could meet the criteria for being a public health authority.

The second important criterion for invoking the public health activities exception is that the purpose for which the data are being disclosed must be a public health activity. You may show this, for example, if your CDR team’s goal is to improve the understanding of how and why children die, to demonstrate the need for and to influence policies and programs to improve child health, safety and protection and to prevent other child deaths.

This clearly indicates that CDR is designed to achieve a public health goal of preventing child deaths. Therefore, with this statement of purpose (or something similar from your own state), you could make a compelling argument that CDR meets the second criterion from the Privacy Rule’s public health activities exception. This means that team members who are also covered entities may be able to disclose protected health information to the CDR team for use in the review without obtaining authorization from the deceased child’s parents.


Example Two: Child Death Review of Child Abuse and Neglect as a Public Health Activity
Because a significant portion of CDR cases are the result of abuse and neglect, this second example illustrates how to use a public health approach in these circumstances under HIPAA.

In the preamble to the Privacy Rule, DHHS adopted the stance that child abuse and neglect are public health matters, which means that the second criterion in the public health activities exception is automatically met for certain types of CDR cases. Thus, the public health activities exception allows covered entities to disclose PHI in order to report child deaths related to abuse and neglect to a government agency with authority over child abuse and neglect, as permitted by section 164.512(b)(1)(ii), quoted above in Example One. Note that your CDR team would still need to be part of a governmental agency, but the authorizing legislation can either grant specific authority over child abuse and neglect cases or meet the broader definition of a public health authority. Either one will suffice to permit invoking this exception. Thus, if the CDR team is part of such an agency, it can obtain the information it needs by showing covered entities its authorizing legislation and citing this specific paragraph from the Privacy Rule to defuse any concerns that HIPAA prevents such disclosures.


Example Three: Child Death Review as a Law Enforcement Activity
Now suppose that for some reason the CDR team is not part of a government agency with specific authority over either child abuse and neglect or public health. Perhaps it is a function performed by more traditional law enforcement officials. In this example, we assume that the CDR team is either composed of, or works closely with, law enforcement officials. As defined in section 164.501, a law enforcement official means an officer or employee of any agency or authority of the United States, a State, a territory, a political subdivision of a State or territory or an Indian tribe, who is empowered by law to:

  • Investigate or conduct an official inquiry into a potential violation of law; or
  • Prosecute or otherwise conduct a criminal, civil or administrative proceeding arising from an alleged violation of law.

A covered entity that suspects a child death was caused by criminal conduct could disclose PHI to a law enforcement official to alert the official of the suspicious death. Such a disclosure would be permitted by section 164.512(f)(4) and would not require authorization from the deceased child’s parents. The covered entity could also respond to direct inquiries from the law enforcement officials by disclosing additional information about the victim as permitted by 164.512(f)(3)(ii). The official would first need to offer assurances that the information is necessary to determine if a crime has occurred, that immediate enforcement activity would be adversely affected by not getting authorization from a personal representative and that the disclosure is in the best interests of the victim (presumably, investigation and prosecution of a crime would meet this criterion). However, a covered entity must limit disclosures of PHI about the suspected perpetrator of the crime to the types of information listed in paragraph 164.512(f)(2)(i) and can only make these disclosures if the law enforcement official first requests such information for the purpose of identifying or locating a suspect, fugitive, material witness or missing person.

Finally, paragraph 164.512(f)(1)(ii) permits a covered entity to disclose information requested via a court order, a subpoena or administrative request issued according to a process authorized by law. In these instances, the disclosure must be limited to what is both specifically requested and relevant to a legitimate law enforcement inquiry and can only be made if de-identified information could not reasonably be used instead.

Overall, a CDR team composed of law enforcement officials would need to know when the PHI it needs can be obtained by making a direct request of a covered entity and when it would need to rely on a more formal process involving court orders and similar elements of due process.


Conclusion: HIPAA Allows for Child Death Review
CDR team members should consult with their legal counsel regarding HIPAA. Although there are other Privacy Rule compliance issues that CDR team members may need to address (such as maintaining disclosure history records about what was disclosed to the CDR team), several options exist for teams conducting CDR without violating the Privacy Rule. Whether the CDR team is itself composed of covered entities or simply relies on obtaining information from covered entities, we believe that CDR activities can and should continue but that state-level laws will affect which strategy is most applicable to each program.


Materials were adapted from: Centers for Disease Control and Prevention. HIPAA Privacy Rule and Public Health: Guidance from CDC and the U.S. Department of Health and Human Services. MMWR Supplement. May 2, 2003, Vol. 52; and The Fetal and Infant Mortality Review Process: The HIPAA Privacy Regulations, the National Fetal Infant Mortality Review Program, April 2003. Steven Pierce, Privacy Officer for the National Center for Child Death Review, assisted in authoring this material.