320 likes | 432 Views
Practical Application of Privacy Law to Public Health. Denise Chrysler, JD, Director, Network for Public Health Law – Mid-States Region Carrie Waggoner, JD , Privacy Specialist, Office of Legal Affairs & FOIA, Michigan Department of Community Health
E N D
Practical Application of Privacy Law to Public Health Denise Chrysler, JD, Director, Network for Public Health Law – Mid-States Region Carrie Waggoner, JD, Privacy Specialist, Office of Legal Affairs & FOIA, Michigan Department of Community Health Brenda Lawson, RN, JD, Public Health Legal Advisor, Michigan Department of Community Health
Juggling competing interests • Protecting individual privacy • Protecting business reputation • Protecting business proprietary information • Protecting the public • Informing the public Michigan Premier Conference, 10/22/2014
The Fine Print This presentation is for informational purposes only. It is not intended as a legal position or advice from the speakers or their employers. For legal advice, attendees should consult with their own counsel. Michigan Premier Conference, 10/22/2014
Data and Health Information • Basic to public health practice • Essential to public health mission • Foundation for three Public Health Core Functions • Reflected in ten Essential Health Services • Must be addressed for Public Health Accreditation • Necessary for local public health to fulfill its responsibilities Michigan Premier Conference, 10/22/2014
So much data …. Michigan Premier Conference, 10/22/2014
Disease Surveillance Emergency Preparedness Vital Records Registries • Cancer • Birth defects • Traumatic injuries • Immunizations • Health alert networks • Volunteer registries • Vulnerable people registries • Birth records • Death records • Marriage records • Infectious disease reports • Syndromic surveillance • Hospital acquired infections Clinical Services • Child & maternal health • Immunization • Dental clinics • School-based clinics • FQHCs or CHCs Michigan Premier Conference, 10/22/2014
Screening WIC • Childhood lead screening • Newborn screening for metabolic diseases • Early hearing detection & intervention • Vision & hearing screening of school children Regulatory • Restaurant inspection reports • Septic, wells, other permits • Clean indoor air act • Burning ordinances • Asbestos contractors • Lead abatement contractors • Health facilities Health Plans • Medicaid • State Children’s Health Plan • County Health Plans Michigan Premier Conference, 10/22/2014
And growing …. • Amount of data • Sources of data • Data sharing partners • Ways to transfer and exchange • Linkages with other information • Creation integrated databases • Retention, reuse, and further sharing of the information • Creation of public datasets Michigan Premier Conference, 10/22/2014
So many laws …. Michigan Premier Conference, 10/22/2014
Federal laws (examples) • Family Educational Rights & Privacy Act (FERPA) • HIPAA Privacy and Security Regulations • 42 CFR Part 2 (substance abuse) • Public Health Services Act (Title X family planning) • Social Security Act (Medicare, Medicaid, SCHIP) • VA Claims Confidentiality Statute • WIC Regulations • Critical Infrastructure Information Act Michigan Premier Conference, 10/22/2014
Michigan laws (examples) • Public health laws (e.g., reporting requirements, communicable disease investigations, HIV/AIDS, vital records, registries, confidentiality) • Health information/medical records laws • Identity theft protection laws • Laws re livestock • Freedom of information Michigan Premier Conference, 10/22/2014
Risk of liability • Lawsuits • State Civil and Criminal Penalties • Benefits & Risks • The stakes are higher . . . Electronic Data Michigan Premier Conference, 10/22/2014
Risk of liability • Alaska Dept of Health & Social Services settles HIPAA security case for $1.7 million (electronic Medicaid information) • Skagit County, WA settles HIPAA case for $215,000 (county health dept information) Michigan Premier Conference, 10/22/2014
Skagit County (population 118,000) “This case marks the first settlement with a county government and sends a strong message about the importance of HIPAA compliance to local and county governments, regardless of size,” said Susan McAndrew, deputy director of health information privacy at the HHS Office for Civil Rights (OCR). “These agencies need to adopt a meaningful compliance program to ensure the privacy and security of patients’ information.” Michigan Premier Conference, 10/22/2014
Ultimate risk: losing community trust • Residents • Partners and stakeholders • Ammunition for opponents of government’s authority to obtain information about individuals without consent Michigan Premier Conference, 10/22/2014
New challenges from the way we communicate and work: • Bring your own device • Working remotely • Smart phones, tablets, laptops • Texting • Instant messaging Health IT.gov Your Mobile Device and Health Information Privacy and Security Michigan Premier Conference, 10/22/2014
Identifying Protected Health Information • The health department you work for provides primary care services through its community health center. • The information collected and maintained about individuals include their name, address, other demographic information, social security number, medical record number, employment information, emergency contact information, medical history, and other information about the primary care services provided. Michigan Premier Conference, 10/22/2014
Identifying Protected Health Information Michigan Premier Conference, 10/22/2014
Identifying Protected Health Information • Your health department also collects information for communicable disease and other public health surveillance activities. The information collected about individuals includes much of the same type of information collected in the community health center. • Is the information collected through surveillance activities protected health information? Michigan Premier Conference, 10/22/2014
De-identifiying Protected Health Information • If PHI is properly de-identified then it is no longer protected by HIPAA • De-identification exercise Michigan Premier Conference, 10/22/2014
De-identifying Protected Health Information Michigan Premier Conference, 10/22/2014
Reportable Diseases Michigan Premier Conference, 10/22/2014
Foodborne Illness • An elderly woman presents to the Emergency Department with complaints of abdominal pain, vomiting, and diarrhea for the past two days, which is getting worse • She lives in your county and reports that her symptoms started after eating a hamburger at a local restaurant • She is treated for dehydration and various lab tests are taken • Based on the clinical picture and preliminary test results, the ER physician has reason to believe the patient has been infected with a dangerous strain of E. coli and is ruling out Hemolytic Uremic Syndrome (HUS) as a diagnosis as well • The ER reports the disease to the local health department as required • The LHO In your county has received 2 other reports of E. coli 0157:H7 infection the same day and launches an investigation • The LHO begins requesting information about confirmed AND suspected cases from various sources Michigan Premier Conference, 10/22/2014
What Would You Do? • Can the LHO request information about suspected cases when investigating reported cases: • What If??? • A physician’s office that reported a confirmed case of E. coli infection refuses to provide medical information about other patients with suspected illness until a diagnosis is confirmed, citing confidentiality and HIPAA concerns---- • What would you do? Michigan Premier Conference, 10/22/2014
Confidentiality • Administrative Rule 325.181(2) establishes the confidentiality of information reported gathered in connection with an investigation: • “Medical and epidemiological information which identifies an individual AND which is gathered in connection with an investigation is confidential and is not open to public inspection without the individual’s consent . . . unless the public inspection is necessary to protect the public health as determined by the local health officer or director.” Michigan Premier Conference, 10/22/2014
HIPAA • What about HIPAA – does it apply to information provided to LHDs by covered entities for disease prevention and control purposes? Michigan Premier Conference, 10/22/2014
HIPAA • The Privacy Rule allows a covered entity to disclose an individual’s protected health information to public health authorities without the authorization of the individual. • 45 CFR §164.512(b) Michigan Premier Conference, 10/22/2014
Request for Records • You receive a request for all records from a person who identifies herself as the daughter of an individual who recently received health care services at your health department. The records you have about this individual include information that is protected by HIPAA. • What do you need to do to determine whether you can release the requested information to the individual’s daughter? • Authorization to disclose PHI? • Power of attorney? Other legal document? Michigan Premier Conference, 10/22/2014
Request for Records • What if the individual is deceased? • An authorization form, DPOA, guardianship is no longer effective when the individual is deceased • Consult with legal counsel/privacy officer to regarding whether another exception under HIPAA applies Michigan Premier Conference, 10/22/2014
Request for Records • What if the information requested also includes information on the individual’s HIV testing, care, and treatment? • Need to analyze whether disclosure can be made under MCL § 333.5131 Michigan Premier Conference, 10/22/2014
Request for Records • Your office is served with a subpoena for the records of an individual who received clinical services from your health department. The individual is a party to the lawsuit. The subpoena is from the other party. The subpoena requests any and all records about the individual. • Can you disclose the records? • Keep minimum necessary rule in mind Michigan Premier Conference, 10/22/2014
Thank you!Questions & Comments • Denise Chrysler, JD, Director, Network for Public Health Law, Mid-States Region • Carrie Waggoner, JD, Privacy Specialist, Office of Legal Affairs & FOIA, Michigan Department of Community Health • Brenda Lawson, RN, JD, Public Health Legal Advisor, Michigan Department of Community Health Michigan Premier Conference, 10/22/2014