Developing the HIPAA-Aware EAD Finding Aid


Transcript of Developing the HIPAA-Aware EAD Finding Aid

Page 1: Developing the HIPAA-Aware EAD Finding Aid

6 October 2006 NHPRC Electronic Records Symposium

The Concept of HIPAA Awareness

Nancy McCall, Michael Miers, Phoebe Evans Letocha, Kate Ugarte, Marjorie W. Kehoe

Johns Hopkins Medical Institutions

Page 2: What is HIPAA?

Health Insurance Portability and Accountability Act, 1996
http://www.hhs.gov/ocr/hipaa/finalreg.html

First federal law on access and use of health information

First federal law to extend rights of privacy beyond file unit of medical record to individually identifiable health information in all types of file systems, documents, formats, and media

First federal law to extend rights of privacy beyond health information of living individuals to health information of decedents

Page 3: HIPAA Privacy Rule

http://www.hhs.gov/ocr/hipaa/finalreg.html

• Privacy Rule regulates access to and use of individually identifiable health information in any format and medium

• Applies to individually identifiable health information of living individuals and decedents in perpetuity (as the Rule stood in 2006; the 2013 Omnibus Rule later limited protection to 50 years after death)

Page 4: Research Agenda of the Johns Hopkins Team

Topic: Implications of the HIPAA Privacy Rule (PR) for development of a privacy-aware finding aid

Purpose: Study PR compliance requirements for research and publication

Objective: Develop HIPAA-compliant guidelines for archival reference and research

Final Goal: Integrate a set of PR compliance standards into development of the CDA/EAD finding aid

Page 5: Research Agenda of the Johns Hopkins Team

Methodologies

• “Learning-by-doing”

• Consultation with
  – Officials at Health and Human Services and the Office for Civil Rights
  – Experts in health law, privacy, IT security
  – Archivists and historians (SAA and AAHM membership)

• Search of literature

Page 6: Research Agenda of the Johns Hopkins Team

Major findings

• Privacy Rule provides viable and accountable controls for access and use of health information
  – Controls allow multiple modes of access for research
  – Controls for access protect individual privacy
  – Controls allow publication of de-identified health information

• Controls for publication of identifiable health information require authorization of subjects or legal representatives of subjects

• Controls for research adaptable to CDA/EAD finding aid

• Controls for publication of de-identified health information adaptable to CDA/EAD finding aid

Page 7: HIPAA Applies to Entities in both Public and Private Sectors

Health care providers: health systems, hospitals, clinics, group practices, individual providers

Health care clearinghouses: billing services, community health information systems

Health plans: group and individual health insurance, Medicare, Medicaid

Page 8: HIPAA Designation of Archives at Covered Entities

Three placements of an archives shown on the slide's diagram:

• HIPAA → Hybrid entity → Covered entity → Covered function → Archives

• HIPAA → Covered entity → Covered function → Archives

• HIPAA → Hybrid entity → Non-covered entity → Non-covered function → Archives

Page 9: Designation of Archival/Manuscript Repositories at Covered Entities

• Confusion over designation
  – HIPAA applies only to institutional divisions designated as covered functions of covered entities
  – Individual institutions are responsible for designating their own covered entities and covered functions
  – Criteria for designation are based on whether a division/department holds and transmits identifiable health information

• Lack of consistent interpretation of criteria for designation
  – Main source of confusion at institutional/repository levels over criteria for protecting decedent and electronic health information

• Lack of awareness
  – Privacy Rule criteria for decedent and electronic health information
  – Changing concepts of individual privacy in the Information Age

Page 10: Health Privacy at Risk!

Repositories unregulated by HIPAA have limited controls for access and use of health information

• Repositories opted out of HIPAA hybrid entities

• Repositories not subject to HIPAA
  – Wide range of public/private repositories

Page 11: Unregulated Repositories

Most unregulated repositories have limited controls on access and use of decedent health information

• Policies largely based on long-held legal principle that rights to privacy cease upon death

Some unregulated repositories are beginning to add HIPAA-like policies for access and use of decedent health information

• Growing awareness that decedent health information may be linked to the health status of living individuals

Page 12: Profession Must Come to Terms with Information Age

Benefits: powerful new tools for converting archival documents into digital formats so that they may be made easily and widely accessible for research and publication

Risks: wider accessibility via the internet by a large body of new users introduces new sets of risks to privacy and intellectual property

Page 13: Forces Emerging for Greater Protection of Individual Privacy in Information Resources

Growing awareness: advances in technology bring new risks to personal privacy; ethics, laws, and policy must be revised to address new risks

Legislation: HIPAA, GLBA (Gramm-Leach-Bliley Act), FERPA (Family Educational Rights and Privacy Act)

Options for self-regulation: Tim Berners-Lee and CSAIL, PORTIA Project, TAMI

Page 14: Privacy Rule Controls for Protection of Privacy in Research

Access to de-identified health information: set of 18 identifiers stripped from the body of health information (the Safe Harbor method, 45 CFR 164.514(b)(2))

1. names
2. geographic subdivisions smaller than a state
3. all elements of dates (except year)
4. telephone numbers
5. facsimile numbers
6. electronic mail addresses
7. social security numbers
8. medical record numbers
9. health plan beneficiary numbers
10. account numbers
11. certificate/license numbers
12. vehicle identifiers and serial numbers
13. device identifiers and serial numbers
14. web universal resource locators (URLs)
15. internet protocol (IP) address numbers
16. biometric identifiers
17. full-face photographic images
18. any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification
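The Safe Harbor list above is the concrete test a repository has to apply before a document is published through a finding aid. What follows is an added example in Python, not code from the Johns Hopkins project or from the slides: it scans a constructed patient note for the identifier categories that have a recognisable textual shape, lists the categories that still need an archivist's eye, and produces a labelled redaction that can be re-scanned. The regular expressions, the sample record and the function names are this example's own assumptions; one extra category (ages over 89, from 45 CFR 164.514(b)(2)(i)(C)) is included because it sits in the same paragraph of the rule as the date restriction even though it is not on the slide.

```python
"""Safe Harbor identifier scan over text bound for a public finding aid.

Added example, not the Johns Hopkins project's code. Pattern-matches the
identifier categories from 45 CFR 164.514(b)(2)(i) that have a recognisable
textual shape and reports the rest for human review. The regexes are this
example's assumptions about how such values usually look in typed records:
they are a pre-publication check, not a de-identification determination.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

MONTH = (r"(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|June?|July?"
         r"|Aug(?:ust)?|Sep(?:t(?:ember)?)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)")

# (category, regex). Order matters for redact(): URLs before e-mail addresses
# and phone numbers before bare digit runs, so the longer match is removed first.
PATTERNS: list[tuple[str, re.Pattern[str]]] = [
    ("web URLs", re.compile(r"https?://\S+", re.I)),
    ("electronic mail addresses", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("social security numbers", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("telephone/facsimile numbers",
     re.compile(r"(?<![\w-])(?:\+?1[\s.-]?)?(?:\(\d{3}\)|\d{3})[\s.-]?\d{3}[\s.-]?\d{4}\b")),
    ("IP address numbers", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("medical record numbers", re.compile(r"\bMRN[:#\s]*\d{4,}\b", re.I)),
    # Safe Harbor keeps the year only: month/day forms and full ISO dates must go.
    ("dates more specific than year",
     re.compile(r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}"        # 04/17/1932, 4-17-32
                r"|\d{4}-\d{2}-\d{2}"                        # 1932-04-17
                r"|" + MONTH + r"\.?\s+\d{1,2},?\s+\d{4})\b",  # March 3, 1961
                re.I)),
    # Not on the slide's list but in 164.514(b)(2)(i)(C): ages over 89 must be
    # aggregated into a "90 or older" category.
    ("ages over 89", re.compile(r"\bage(?:d|\s+at\s+death|\s+of)?[:\s]+(?:9\d|1\d\d)\b", re.I)),
]

# Categories with no reliable textual shape: name lists, gazetteers, NER or an
# archivist's reading are needed, so the scanner only reports them.
MANUAL_REVIEW = (
    "names", "geographic subdivisions smaller than a state",
    "health plan beneficiary numbers", "account numbers",
    "certificate/license numbers", "vehicle identifiers and serial numbers",
    "device identifiers and serial numbers", "biometric identifiers",
    "full-face photographic images",
    "any other unique identifying number, characteristic, or code",
)


@dataclass(frozen=True)
class Finding:
    category: str
    value: str
    offset: int


def scan(text: str) -> list[Finding]:
    """Every pattern hit, in document order."""
    hits = [Finding(cat, m.group(0), m.start())
            for cat, rx in PATTERNS for m in rx.finditer(text)]
    return sorted(hits, key=lambda f: f.offset)


def summarize(text: str) -> dict[str, int]:
    """Hit count per category, for a quick pre-publication report."""
    return dict(Counter(f.category for f in scan(text)))


def is_safe_harbor_clean(text: str) -> bool:
    """True when no pattern-checkable identifier remains (MANUAL_REVIEW still applies)."""
    return not scan(text)


def redact(text: str) -> str:
    """Replace each hit with its category label so the result can be re-scanned
    and the redaction reviewed in context."""
    for cat, rx in PATTERNS:
        text = rx.sub("[" + cat.upper() + "]", text)
    return text


# Constructed sample record; every value is fictitious.
SAMPLE = (
    "Patient chart (constructed sample, not a real record).\n"
    "Name: Jane Doe   MRN: 00123456   DOB: 04/17/1932   Admitted: March 3, 1961\n"
    "Phone: (410) 555-0123   Email: jdoe@example.org   SSN: 123-45-6789\n"
    "Photo consent form at http://archive.example.org/forms/consent.html\n"
    "Workstation 10.0.0.5 uploaded the chart. Age at death: 94, year of death 1998.\n"
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.offset:4d}  {f.category:32s}  {f.value}")
    print("\nStill to review by hand:", "; ".join(MANUAL_REVIEW))
    print("\nRedacted:\n" + redact(SAMPLE))
```

Running the block prints each hit with its offset, the categories left for manual review, and the redacted note. Two limits matter in practice: a clean pass here is a necessary condition, not a de-identification determination, because names, places, photographs and free-text clues are not pattern-checkable; and a finding aid that links through to the original documents re-exposes everything the summary removed.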

Page 15: Privacy Rule Controls for Protection of Privacy in Research

Authorized access to identifiable health information

• Authorization by subject of health information

• Authorization by legal representative of subject of health information

• Waiver of authorization from institutional Privacy Board

• Other allowed uses or disclosures
  – Limited data set
  – Research on decedents
  – Treatment, payment, and health care operations
  – Health care emergencies

Pages 16-22: Examples of De-identified Documents (seven image slides; the transcript carries no text for them)

Page 23: CDA/EAD Finding Aid to Serve as Main Portal for Access to Health Information

Privacy Rule controls to embed in the architecture of the Finding Aid

• Protocols for de-identifying health information

• Protocols for authorizing access to identifiable health information
  – Links to forms for initiating interactive adjudication processes

• Protocols for administering authorized access to identifiable health information

Page 24: HIPAA Privacy Rule Serves as Model for Archival Access Policies

Repositories not regulated by HIPAA: self-regulate in the “spirit” of HIPAA

Regulated and unregulated repositories: join together to develop a model of “best practices” for protection of individually identifiable health information in archival access and use

Page 25: HIPAA-Aware EAD Finding Aid: Prototype to Stimulate Development of “Best Practices” Models

• Preserves intellectual integrity of information

• Imposes legal/ethical safeguards on individually identifiable health information

• Introduces modes of accountability in access and use of individually identifiable health information

• Promotes new opportunities across a wide array of disciplines for research, analysis, and publication of health information

Page 26: Promoting HIPAA Awareness to Archivists and Archival Patrons

Guiding Principle: do no harm to subjects of health information

• Controls for access serve as protectors of personal privacy

• Controls for authorizing access to identifiable health information are fair and reasonable

• Controls provide framework for administering access and use of health information

• Controls allow broad access for research

Page 27: HIPAA to Finding Aid

Mapping shown on the slide's diagram, from regulation to archival instrument:

HIPAA → Privacy Rule
Covered Entity → Privacy Board
Covered Function → Archives
Processing → Finding Aid

Page 28: References to HIPAA Legislation

1996 Health Insurance Portability and Accountability Act: Public Law 104-191, Health Insurance Portability and Accountability Act (HIPAA) of 1996, 104th Congress, 21 August 1996. http://www.gpoaccess.gov/plaws/search.html

Administrative Simplification of HIPAA: http://aspe.hhs.gov/admnsimp/pl104191.htm

2001 Privacy Rule of HIPAA: National Standards to Protect the Privacy of Personal Health Information. http://www.hhs.gov/ocr/hipaa/finalreg.html

Definitions of covered entity: 45 CFR (Public Welfare), Subtitle A (Department of Health and Human Services), Part 160, Subpart A (General Provisions), 45 CFR 160.102 and 160.103. http://www.access.gpo.gov/nara/cfr/waisidx_01/45cfr160_01.html

Eighteen identifiers: 45 CFR, Subtitle A, Part 164 (Security and Privacy), 45 CFR 164.514(b). http://www.access.gpo.gov/nara/cfr/waisidx_01/45cfr164_01.html

Privacy Board role: 45 CFR 164.512(i) (waiver of authorization approved by an IRB or Privacy Board). http://www.access.gpo.gov/nara/cfr/waisidx_01/45cfr164_01.html

Definition of research: 45 CFR 164.501, “Research”. http://www.access.gpo.gov/nara/cfr/waisidx_01/45cfr164_01.html

2003 Security Rule of HIPAA: 21 April 2005 deadline for compliance. http://www.cms.hhs.gov/SecurityStandard/

2006 HIPAA Enforcement Rule: http://www.hhs.gov/ocr/hipaa/enforcerule06.htm

Page 29: References

Barth, Adam, Anupam Datta, John C. Mitchell, and Helen Nissenbaum. “Privacy and Contextual Integrity: Framework and Applications.” http://www.adambarth.org/papers/barth-datta-mitchell-nissenbaum-2006.pdf

Berners-Lee, Tim. The MIT Computer Science and Artificial Intelligence Laboratory (CSAIL). http://www.csail.mit.edu/index.php and http://www.w3.org/people/Berners-Lee/research.html

Decentralized Information Group. TAMI (Transparent Accountable Datamining Initiative). http://dig.csail.mit.edu/TAMI/

Nissenbaum, Helen. “Privacy and Contextual Integrity.” Washington Law Review 79:119, 2004.

Nissenbaum, Helen. “Protecting Privacy in an Information Age: The Problem of Privacy in Public.” Law and Philosophy 17(5-6), November 1998.

NYU PORTIA. http://www.nyu.edu/projects/valuesindesign/nyuportia.html

PORTIA: Privacy, Obligations, and Rights in Technologies of Information Assessment. http://crypto.stanford.edu/portia/

Stanford Computer Forum. PORTIA: Managing Sensitive Information in a Wired World. http://forum.stanford.edu/research/project.php?id=55

Workshop on Privacy and Accountability, 28-29 June 2006, MIT Stata Center (Building 32), 32 Vassar St., Cambridge, MA, USA, Classroom 144. Co-sponsored by the PORTIA and TAMI projects.