290 likes | 394 Views
Developing the HIPAA-Aware EAD Finding Aid. The Concept of HIPAA Awareness Nancy McCall Michael Miers Phoebe Evans Letocha Kate Ugarte Marjorie W. Kehoe Johns Hopkins Medical Institutions.
E N D
Developing the HIPAA-Aware EAD Finding Aid The Concept of HIPAA Awareness Nancy McCall Michael Miers Phoebe Evans Letocha Kate Ugarte Marjorie W. Kehoe Johns Hopkins Medical Institutions NHPRC Electronic Records Symposium
What is HIPAA?Health Insurance Portability and Accountability Act, 1996http://www.hhs.gov/ocr/hipaa/finalreg.html First federal law on access and use of health information First federal law to extend rights of privacy beyond file unit of medical record to individually identifiable health information in all types of file systems, documents, formats, and media First federal law to extend rights of privacy beyond health information of living individuals to health information of decedents NHPRC Electronic Records Symposium
HIPAA Privacy Rulehttp://www.hhs.gov/ocr/hipaa/finalreg.html • Privacy Rule regulates access to and use of individually identifiable health information in any format and medium • Applies to individually identifiable health information of living individuals and decedents in perpetuity NHPRC Electronic Records Symposium
Research Agenda of the Johns Hopkins Team Topic Implications of HIPAA Privacy Rule (PR) for development of privacy aware finding aid Purpose Study PR compliance requirements for research and publication ObjectiveDevelop HIPAA compliant guidelines for archival reference and research Final Goal Integrate set of PR compliance standards into development of CDA/EAD finding aid NHPRC Electronic Records Symposium
Research Agenda of the Johns Hopkins Team Methodologies • “Learning-by-doing” • Consultation with • Officials at Health and Human Services and Office of Civil Rights • Experts in health law, privacy, IT security • Archivists and historians (SAA and AAHM membership) • Search of literature NHPRC Electronic Records Symposium
Research Agenda of the Johns Hopkins Team Major findings • Privacy Rule provides viable and accountable controls for access and use of health information • Controls allow multiple modes of access for research • Controls for access protect individual privacy • Controls allow publication of de-identified health information • Controls for publication of identifiable health information require authorization of subjects or legal representatives of subjects • Controls for research adaptable to CDA/EAD finding aid • Controls for publication of de-identified health information adaptable to CDA/EAD finding aid NHPRC Electronic Records Symposium
HIPAA Applies to Entities in both Public and Private Sectors Health care providers Health systems, hospitals, clinics, group practices, individual providers Health care clearinghouses Billing services, community health information systems Health plans Group, individual health insurance, Medicare, Medicaid NHPRC Electronic Records Symposium
HIPAA Designation of Archives at Covered Entities HIPAA Hybrid entity Covered entity Covered function Archives HIPAA Covered entity Covered function Archives HIPAA Hybrid entity Non-covered entity Non-covered function Archives NHPRC Electronic Records Symposium
Designation of Archival/Manuscript Repositories at Covered Entities • Confusion over designation • HIPAA applies only toinstitutional divisions designated as covered functions of covered entities • Individual institutions are responsible for designating own covered entities and covered functions • Criteria for designation is based on whether division/department holds andtransmits identifiable health information • Lack of consistent interpretation of criteria for designation • Main source of confusion at institutional/repository levels over criteria for protecting decedent and electronic health information • Lack of awareness • Privacy Rule criteria for decedent and electronic health information • Changing concepts of individual privacy in Information Age NHPRC Electronic Records Symposium
Health Privacy at Risk! Repositories Unregulated by HIPAA have Limited Controls for Access and Use of Health Information • Repositories Opted Out of HIPAA Hybrid Entities • Repositories not subject to HIPAA • Wide range of public/private repositories NHPRC Electronic Records Symposium
Unregulated Repositories Most unregulated repositories have limited controls on access and use of decedent health information • Policies largely based on long-held legal principle that rights to privacy cease upon death Some unregulated repositories are beginning to add HIPAA-like policies for access and use of decedent health information • Growing awareness that decedent health information may be linked to the health status of living individuals NHPRC Electronic Records Symposium
Profession Must Come to Terms with Information Age Benefits Powerful new tools for converting archival documents into digital formats so that they may be made easily and widely accessible for research and publication Risks Wider accessibility via internet by a large body of new users introduces new sets of risks to privacy and intellectual property NHPRC Electronic Records Symposium
Forces Emerging for Greater Protection of Individual Privacy in Information Resources Growing awareness Advances in technology bring new risks to personal privacy Ethics, laws, and policy must be revised to address new risks Legislation HIPAA GLBA FERPA Options for Self-Regulation Tim Berners-Lee and CSAIL PORTIA Project TAMI NHPRC Electronic Records Symposium
Privacy Rule Controls for Protection of Privacy in Research Access to de-identified health information Set of 18 identifiers stripped from body of health information • names • geographic subdivisions smaller than a state • all elements of dates (except year) • telephone numbers • facsimile numbers • electronic mail addresses • social security numbers • medical record numbers • health plan beneficiary numbers • account numbers • certificate/license numbers • vehicle identifiers and serial numbers • device identifiers and serial numbers • web universal resource locators (URLs) • internet protocol (IP) address numbers • biometric identifiers • full-face photographic images • Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification NHPRC Electronic Records Symposium
Privacy Rule Controls for Protection of Privacy in Research Authorized access to identifiable health information • Authorization by subject of health information • Authorization by legal representative of subject of health information • Waiver of authorization from institutional Privacy Board • Other allowed uses or disclosures • Limited data set • Research on decedents • Treatment, payment, and health care operations • Health care emergencies NHPRC Electronic Records Symposium
Examples of De-identified Documents NHPRC Electronic Records Symposium
Examples of De-identified Documents NHPRC Electronic Records Symposium
Examples of De-identified Documents NHPRC Electronic Records Symposium
Examples of De-identified Documents NHPRC Electronic Records Symposium
Examples of De-identified Documents NHPRC Electronic Records Symposium
Examples of De-identified Documents NHPRC Electronic Records Symposium
Examples of De-identified Documents NHPRC Electronic Records Symposium
CDA/EAD Finding Aid to Serve as Main Portal for Access to Health Information Privacy Rule controls to embed in architecture of Finding Aid • Protocols for de-identifying health information • Protocols for authorizing access to identifiable health information • Links to forms for initiating interactive adjudication processes • Protocols for administering authorized access to identifiable health information NHPRC Electronic Records Symposium
HIPAA Privacy Rule Serves as Model for Archival Access Policies Repositories not regulated by HIPAA Self-regulate in the “spirit” of HIPAA Regulated and unregulated repositories Join together to develop model of “best practices” for protection of individually identifiable health information in archival access and use NHPRC Electronic Records Symposium
HIPAA-Aware EAD Finding AidPrototype to Stimulate Development of “Best Practices” Models • Preserves intellectual integrity of information • Imposes legal/ethical safeguards on individually identifiable health information • Introduces modes of accountability in access and use of individually identifiable health information • Promotes new opportunities across a wide array of disciplines for research, analysis, and publication of health information NHPRC Electronic Records Symposium
Promoting HIPAA Awareness to Archivists and Archival Patrons Guiding Principle: do no harm to subjects of health information • Controls for access serve as protectors of personal privacy • Controls for authorizing access to identifiable health information are fair and reasonable • Controls provide framework for administering access and use of health information • Controls allow broad access for research NHPRC Electronic Records Symposium
HIPAA to Finding Aid HIPAA Privacy Rule Covered Entity Privacy Board Covered Function Archives Processing Finding Aid NHPRC Electronic Records Symposium
References to HIPAA Legislation 1996 Health Insurance Portability and Accountability Act Public Law 104-191, Health Insurance Portability and Accountability Act (HIPAA) of 1996, 104th Congress – 21 August 1996 http://www.gpoaccess.gov/plaws/search.html Administrative Simplification of HIPAA http://aspe.hhs.gov/admnsimp/pl104191.htm 2001 Privacy Rule of HIPAA - National Standards to Protect the Privacy of Personal Health Information. http://www.hhs.gov/ocr/hipaa/finalreg.html Definitions of covered entity 45CFR – Public Welfare Subtitle A – Department of Health and Human Services Subpart A – General Provisions – 45CFR 160.102, 160.103 http://www.access.gpo.gov/nara/cfr/waisidx_01/45cfr160_01.html Eighteen Identifiers 45CFR – Public Welfare Subtitle A – Department of Health and Human Services Subpart 164 – Security and Privacy – 45CFR 164.514 (b) http://www.access.gpo.gov/nara/cfr/waisidx_01/45cfr164_01.html Privacy Board Role 45CFR – Public Welfare Subtitle A – Department of Health and Human Services Subpart 164 – Security and Privacy – 45CFR 164.512 (i)(B) http://www.access.gpo.gov/nara/cfr/waisidx_01/45cfr164_01.html Definition of research 45CFR – Public Welfare Subtitle A – Department of Health and Human Services Subpart 164 – Security and Privacy - 164.501 - “Research” http://www.access.gpo.gov/nara/cfr/waisidx_01/45cfr164_01.html 2003 Security Rule of HIPAA 21 April 2005 – Deadline for compliance http://www.cms.hhs.gov/SecurityStandard/ 2006 HIPAA Enforcement Rule - http://www.hhs.gov/ocr/hipaa/enforcerule06.htm NHPRC Electronic Records Symposium
References Barth, Adam, Datta, Anupam, Mitchell, John C., & Helen Nissenbaum. Privacy and Contextual Integrity: Framework and Applications. http://www.adambarth.org/papers/barth-datta-mitchell-nissenbaum-2006.pdf#search=%22H.%20Nissenbaum%2C%20Privacy%20and%20Contextual%20Integrity%22 Berners-Lee, Tim. The MIT Computer Science and Artificial Intelligence Laboratory (CSAIL). http://www.csail.mit.edu/index.php http://www.w3.org/people/Berners-Lee/research.html Decentralized Information Group. TAMI (Transparent Accountable Datamining Initiative) http://dig.csail.mit.edu/TAMI/ Nissenbaum, Helen. “Privacy and Contextual Integrity”. Washington Law Review. Volume 79:119, 2004. ---. “Protecting Privacy in an Information Age: The Problem of Privacy in Public”. Law and Philosophy. Volume 17, Numbers 5-6 / November, 1998 NYU PORTIA - http://www.nyu.edu/projects/valuesindesign/nyuportia.html PORTIA – Privacy, Obligations, and Rights in Technologies of Information Assessment. http://crypto.stanford.edu/portia/ Stanford Computer Forum. PORTIA: Managing Sensitive Information in a Wired World. http://forum.stanford.edu/research/project.php?id=55 Workshop on Privacy and Accountability, 28-29 June 2006, Massachusetts Institute of Technology, MIT Stata Center (Building 32), 32 Vassar St., Cambridge, MA USA. Held in Classroom 144. Co-sponsored by PORTIA and TAMI projects NHPRC Electronic Records Symposium