
Privacy and Social/Behavioral Determinants Data


Presentation Transcript


  1. Privacy and Social/Behavioral Determinants Data

    Deven McGraw JD, MPH
  2. Overarching Considerations
     - Can health care providers collect, use and disclose this information – and if so, under what conditions/protections? (legal)
     - Should health care providers collect, use and disclose this information – and if so, under what conditions/protections? (ethical)
     - Goals should be: (1) trusted data sharing ecosystem, and (2) ideally no surprises for patients (what would the reasonable person expect)
  3. Compliance with Law
     - HIPAA will govern health care providers using Certified EHR Technology – sets requirements for identifiable health information.
     - State laws also may apply – white paper will focus on HIPAA.
     - Other laws may govern what personally identifiable information may be collected, used or shared by a government agency with a health care provider.
  4. HIPAA
     - Does not place limits on the collection of identifiable health information by health care providers; instead, regulations govern how they use and disclose identifiable health information.
     - Presentation focuses on HIPAA – but is not an exhaustive review of all of HIPAA’s provisions.
  5. Are SDH data “health information”?
     - Broadly defined: Health information “relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual;” or payment for care.
     - Health care “means care, services or supplies related to the health of an individual.”
     - Includes, “but is not limited to,” “preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care, counseling service, assessment or procedure [w/r/t] the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body…”
     - If being collected in CEHRT, harder to argue it’s not.
  6. HIPAA Permitted uses/disclosures of Identifiable Health Information
     - Unambiguous: With the prior authorization (written, specific) of the individual. Opt-in.
     - HIPAA provides for a number of categories of uses and disclosures permitted without the need to first obtain patient authorization – but less clear that these categories would encompass uses and disclosures of at least certain types of SDH information.
  7. TPO (Treatment, Payment, Operations)
     - Treatment is “the provision, coordination or management of health care and related services by one or more health care providers,” including coordinating or managing health care with a third party.
  8. Operations
     - Includes “population-based activities relating to improving health or reducing health care costs…case management and care coordination…contacting [providers] and patients with information about treatment alternatives…and related functions that do not include treatment.”
  9. Expressly permitted disclosures (1)
     - Expressly required by law.
     - To public health authorities “authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability.”
     - To public health or other authorities “authorized by law to receive reports of child abuse or neglect.”
     - To report abuse, neglect or domestic violence to an entity authorized by law to receive such reports.
     - To certain entities/individuals for workplace safety matters.
     - To avert a serious and imminent threat to health or safety.
  10. Definition of “Public Health Authority”
      - Public health authority is an agency or authority of the [U.S.], a state or territory (or a political subdivision thereof), or an Indian tribe, “or a person or entity acting under grant of authority from or under contract with such public agency…that is responsible for public health matters as part of its official mandate.”
  11. Does this definition cover other SDH-related government agencies?
      - Broad HIPAA definitions of health and health care suggest there might be room for this interpretation.
      - But other parts of HIPAA cover the sharing of health information for “government benefit” programs.
      - Note that definition of public health authority allows for others to act on behalf of those authorities.
  12. Expressly Permitted Disclosures (2)
      - Health oversight activities
      - Providers may disclose identifiable health information to a health oversight agency for health oversight activities authorized by law, including appropriate oversight of government benefit programs for which health information is relevant to beneficiary eligibility.
      - Note this is for “oversight” – presumption is that applications for benefits will include an express authorization from patient to share any relevant information.
      - Further note: government health plans may share information with other government public benefit programs if such sharing is expressly authorized by statute or regulation or if necessary to coordinate the programs or improve their administration and management.
  13. Bottom Line(s)
      - HIPAA may permit use and sharing of SDH data without prior written authorization of patient in some circumstances.
      - Note that HIPAA allows providers to seek consent for such uses and disclosures; because authorization is not required, could also use “opt-out.”
      - Prior written authorization provides clear authority under HIPAA.
  14. Other considerations
      - Minimum necessary – applies to uses and disclosures except those for treatment.
      - Don’t surprise the patient by collecting, using or sharing potentially sensitive data about her without her at least being aware of it.
      - And don’t bury information about such data collection, uses and disclosures in the standard HIPAA Notice of Privacy Practices.
  15. Other considerations (cont)
      - Don’t collect data that isn’t going to be used.
      - Respect the potential sensitivity of the data.
      - Limit exposure to those with a need to know (role-based access controls, audits).
      - Take precautions to avoid insensitivity (treating patients differently due to SDH data).
      - Note that the ability of CEHRT to segment sensitive data today does not exist in most widely used CEHRT.
  16. Be aware of the
      - Potential for law enforcement access – less protection than offered by original data source?
      - Rights of minors
      - Re-disclosure prohibitions on data covered by 42 CFR Part 2 (governing federally funded substance abuse treatment programs)