6 October 2006 NHPRC Electronic Records Symposium
Developing the HIPAA-Aware EAD Finding Aid
The Concept of HIPAA Awareness
Nancy McCall
Michael Miers
Phoebe Evans Letocha
Kate Ugarte
Marjorie W. Kehoe
Johns Hopkins Medical Institutions
What is HIPAA?
Health Insurance Portability and Accountability Act, 1996
http://www.hhs.gov/ocr/hipaa/finalreg.html
First federal law on access and use of health information
First federal law to extend rights of privacy beyond file unit of medical record to individually identifiable health information in all types of file systems, documents, formats, and media
First federal law to extend rights of privacy beyond health information of living individuals to health information of decedents
HIPAA Privacy Rule
http://www.hhs.gov/ocr/hipaa/finalreg.html
• Privacy Rule regulates access to and use of individually identifiable health information in any format and medium
• Applies to individually identifiable health information of living individuals and decedents in perpetuity
Research Agenda of the Johns Hopkins Team
Topic: Implications of HIPAA Privacy Rule (PR) for development of privacy aware finding aid
Purpose: Study PR compliance requirements for research and publication
Objective: Develop HIPAA compliant guidelines for archival reference and research
Final Goal: Integrate set of PR compliance standards into development of CDA/EAD finding aid
Research Agenda of the Johns Hopkins Team
Methodologies
• “Learning-by-doing”
• Consultation with
  – Officials at Health and Human Services and Office of Civil Rights
  – Experts in health law, privacy, IT security
  – Archivists and historians (SAA and AAHM membership)
• Search of literature
Research Agenda of the Johns Hopkins Team
Major findings
• Privacy Rule provides viable and accountable controls for access and use of health information
  – Controls allow multiple modes of access for research
  – Controls for access protect individual privacy
  – Controls allow publication of de-identified health information
• Controls for publication of identifiable health information require authorization of subjects or legal representatives of subjects
• Controls for research adaptable to CDA/EAD finding aid
• Controls for publication of de-identified health information adaptable to CDA/EAD finding aid
HIPAA Applies to Entities in both Public and Private Sectors
Health care providers: Health systems, hospitals, clinics, group practices, individual providers
Health care clearinghouses: Billing services, community health information systems
Health plans: Group, individual health insurance, Medicare, Medicaid
HIPAA Designation of Archives at Covered Entities
Diagram: three designation paths for an archives unit
HIPAA → Hybrid entity → Covered entity → Covered function → Archives
HIPAA → Covered entity → Covered function → Archives
HIPAA → Hybrid entity → Non-covered entity → Non-covered function → Archives
Designation of Archival/Manuscript Repositories at Covered Entities
• Confusion over designation
  – HIPAA applies only to institutional divisions designated as covered functions of covered entities
  – Individual institutions are responsible for designating their own covered entities and covered functions
  – Criteria for designation are based on whether a division/department holds and transmits identifiable health information
• Lack of consistent interpretation of criteria for designation
  – Main source of confusion at institutional/repository levels over criteria for protecting decedent and electronic health information
• Lack of awareness
  – Privacy Rule criteria for decedent and electronic health information
  – Changing concepts of individual privacy in the Information Age
Health Privacy at Risk!
Repositories Unregulated by HIPAA have Limited Controls for Access and Use of Health Information
• Repositories Opted Out of HIPAA Hybrid Entities
• Repositories not subject to HIPAA
  – Wide range of public/private repositories
Unregulated Repositories
Most unregulated repositories have limited controls on access and use of decedent health information
• Policies largely based on long-held legal principle that rights to privacy cease upon death
Some unregulated repositories are beginning to add HIPAA-like policies for access and use of decedent health information
• Growing awareness that decedent health information may be linked to the health status of living individuals
Profession Must Come to Terms with Information Age
Benefits
Powerful new tools for converting archival documents into digital formats so that they may be made easily and widely accessible for research and publication
Risks
Wider accessibility via the internet by a large body of new users introduces new sets of risks to privacy and intellectual property
Forces Emerging for Greater Protection of Individual Privacy in Information Resources
Growing awareness
Advances in technology bring new risks to personal privacy
Ethics, laws, and policy must be revised to address new risks
Legislation: HIPAA, GLBA, FERPA
Options for Self-Regulation: Tim Berners-Lee and CSAIL, PORTIA Project, TAMI
Privacy Rule Controls for Protection of Privacy in Research
Access to de-identified health information
Set of 18 identifiers stripped from body of health information
• names
• geographic subdivisions smaller than a state
• all elements of dates (except year)
• telephone numbers
• facsimile numbers
• electronic mail addresses
• social security numbers
• medical record numbers
• health plan beneficiary numbers
• account numbers
• certificate/license numbers
• vehicle identifiers and serial numbers
• device identifiers and serial numbers
• web universal resource locators (URLs)
• internet protocol (IP) address numbers
• biometric identifiers
• full-face photographic images
• any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification
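Added example (not from the presentation or the Johns Hopkins team): a Python pass that applies the shape-based part of this identifier list to a constructed sample note, collapses dates to the year as the rule allows, redacts a supplied list of names and places, and then re-checks the result for anything left behind. The patterns, the sample note and the term list are assumptions constructed here; names, places, biometrics and photographs have no fixed textual shape, so a pattern pass alone never satisfies the full list and the archivist's term list (or a review step) still does that part.

```python
import re

# Identifiers from the list that have a recognisable textual shape. These are
# hypothetical patterns tuned to the constructed sample; real scrubbers need
# broader ones (fax, account, beneficiary and device numbers vary by institution).
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url":   re.compile(r"https?://\S+"),
    "ip":    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}-\d{4}\b"),
    "mrn":   re.compile(r"\bMRN[:#]?\s*\d+\b", re.I),
}
# Dates: every element except the year is an identifier, so mm/dd/yyyy -> yyyy.
DATE = re.compile(r"\b\d{1,2}/\d{1,2}/(\d{4})\b")


def deidentify(text: str, terms: list[str]) -> tuple[str, dict[str, int]]:
    """Strip shape-based identifiers, reduce dates to year, and redact the
    names/places supplied in `terms`. Returns the cleaned text and hit counts."""
    counts: dict[str, int] = {}
    out = text
    for label, pat in PATTERNS.items():
        out, n = pat.subn(f"[{label.upper()}]", out)
        if n:
            counts[label] = n
    out, n = DATE.subn(r"\1", out)
    if n:
        counts["date"] = n
    for term in terms:
        out, n = re.subn(re.escape(term), "[REDACTED]", out)
        counts["term"] = counts.get("term", 0) + n
    return out, counts


def residual_identifiers(text: str) -> list[str]:
    """Post-check: which shape-based identifiers still appear after scrubbing."""
    return [label for label, pat in PATTERNS.items() if pat.search(text)]


# Constructed sample note (not a real record) and the archivist's term list.
SAMPLE = ("Patient Jane Doe, MRN 0048213, seen 03/14/1952 at the Baltimore clinic. "
          "Contact: (410) 555-0137, jane.doe@example.org, SSN 123-45-6789. "
          "Portal login from 192.0.2.44 via http://portal.example.org/visit/0048213")
TERMS = ["Jane Doe", "Baltimore"]

if __name__ == "__main__":
    cleaned, hits = deidentify(SAMPLE, TERMS)
    print(cleaned)
    print(hits, "residual:", residual_identifiers(cleaned))
```

The residual check is the useful part for a repository: a note that still matches any pattern after scrubbing should not leave the processing queue.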
Privacy Rule Controls for Protection of Privacy in Research
Authorized access to identifiable health information
• Authorization by subject of health information
• Authorization by legal representative of subject of health information
• Waiver of authorization from institutional Privacy Board
• Other allowed uses or disclosures
  – Limited data set
  – Research on decedents
  – Treatment, payment, and health care operations
  – Health care emergencies
Examples of De-identified Documents (seven slides; their content is not captured in the transcript)
CDA/EAD Finding Aid to Serve as Main Portal for Access to Health Information
Privacy Rule controls to embed in architecture of Finding Aid
• Protocols for de-identifying health information
• Protocols for authorizing access to identifiable health information
  – Links to forms for initiating interactive adjudication processes
• Protocols for administering authorized access to identifiable health information
HIPAA Privacy Rule Serves as Model for Archival Access Policies
Repositories not regulated by HIPAA: self-regulate in the “spirit” of HIPAA
Regulated and unregulated repositories: join together to develop a model of “best practices” for protection of individually identifiable health information in archival access and use
HIPAA-Aware EAD Finding Aid
Prototype to Stimulate Development of “Best Practices” Models
• Preserves intellectual integrity of information
• Imposes legal/ethical safeguards on individually identifiable health information
• Introduces modes of accountability in access and use of individually identifiable health information
• Promotes new opportunities across a wide array of disciplines for research, analysis, and publication of health information
Promoting HIPAA Awareness to Archivists and Archival Patrons
Guiding Principle: do no harm to subjects of health information
• Controls for access serve as protectors of personal privacy
• Controls for authorizing access to identifiable health information are fair and reasonable
• Controls provide framework for administering access and use of health information
• Controls allow broad access for research
HIPAA to Finding Aid (diagram: HIPAA term – archival counterpart)
HIPAA – Privacy Rule
Covered Entity – Privacy Board
Covered Function – Archives
Processing – Finding Aid
References to HIPAA Legislation
1996 Health Insurance Portability and Accountability Act: Public Law 104-191, Health Insurance Portability and Accountability Act (HIPAA) of 1996, 104th Congress – 21 August 1996. http://www.gpoaccess.gov/plaws/search.html
Administrative Simplification of HIPAA: http://aspe.hhs.gov/admnsimp/pl104191.htm
2001 Privacy Rule of HIPAA – National Standards to Protect the Privacy of Personal Health Information. http://www.hhs.gov/ocr/hipaa/finalreg.html
Definitions of covered entity: 45CFR – Public Welfare, Subtitle A – Department of Health and Human Services, Subpart A – General Provisions – 45CFR 160.102, 160.103. http://www.access.gpo.gov/nara/cfr/waisidx_01/45cfr160_01.html
Eighteen Identifiers: 45CFR – Public Welfare, Subtitle A – Department of Health and Human Services, Subpart 164 – Security and Privacy – 45CFR 164.514 (b). http://www.access.gpo.gov/nara/cfr/waisidx_01/45cfr164_01.html
Privacy Board Role: 45CFR – Public Welfare, Subtitle A – Department of Health and Human Services, Subpart 164 – Security and Privacy – 45CFR 164.512 (i)(B). http://www.access.gpo.gov/nara/cfr/waisidx_01/45cfr164_01.html
Definition of research: 45CFR – Public Welfare, Subtitle A – Department of Health and Human Services, Subpart 164 – Security and Privacy – 164.501 – “Research”. http://www.access.gpo.gov/nara/cfr/waisidx_01/45cfr164_01.html
2003 Security Rule of HIPAA: 21 April 2005 – Deadline for compliance. http://www.cms.hhs.gov/SecurityStandard/
2006 HIPAA Enforcement Rule: http://www.hhs.gov/ocr/hipaa/enforcerule06.htm
References
Barth, Adam, Datta, Anupam, Mitchell, John C., & Helen Nissenbaum. Privacy and Contextual Integrity: Framework and Applications. http://www.adambarth.org/papers/barth-datta-mitchell-nissenbaum-2006.pdf#search=%22H.%20Nissenbaum%2C%20Privacy%20and%20Contextual%20Integrity%22
Berners-Lee, Tim. The MIT Computer Science and Artificial Intelligence Laboratory (CSAIL). http://www.csail.mit.edu/index.php ; http://www.w3.org/people/Berners-Lee/research.html
Decentralized Information Group. TAMI (Transparent Accountable Datamining Initiative). http://dig.csail.mit.edu/TAMI/
Nissenbaum, Helen. “Privacy and Contextual Integrity”. Washington Law Review. Volume 79:119, 2004.
---. “Protecting Privacy in an Information Age: The Problem of Privacy in Public”. Law and Philosophy. Volume 17, Numbers 5-6 / November, 1998
NYU PORTIA. http://www.nyu.edu/projects/valuesindesign/nyuportia.html
PORTIA – Privacy, Obligations, and Rights in Technologies of Information Assessment. http://crypto.stanford.edu/portia/
Stanford Computer Forum. PORTIA: Managing Sensitive Information in a Wired World. http://forum.stanford.edu/research/project.php?id=55
Workshop on Privacy and Accountability, 28-29 June 2006, Massachusetts Institute of Technology, MIT Stata Center (Building 32), 32 Vassar St., Cambridge, MA USA. Held in Classroom 144. Co-sponsored by PORTIA and TAMI projects