
The Impact of HIPAA on access to Medical Archives: An Archivist’s Perspective

Presentation to the American Association for the History of Medicine, May 10, 2014

Phoebe Evans Letocha
Alan Mason Chesney Medical Archives
Johns Hopkins Medical Institutions
[email protected]

Patient Related Materials = Hidden Collections

• Fewer resources devoted to processing
• Hidden to archivists as well as researchers because not in catalogs
• Lack of adequate description

HIPAA Background and Dates

• 1996 - Health Insurance Portability and Accountability Act (HIPAA) adopted by Congress

• April 14, 2003 - Privacy Rule of HIPAA goes into effect

• July 2010 - OCR proposes changes to the Privacy Rule as a result of the HITECH Act

• January 25, 2013 - OCR publishes its final rule to implement the privacy and enforcement provisions of the HITECH Act and modifies the HIPAA Privacy, Security and Enforcement rules issued under HIPAA

• March 26, 2013 - Effective date

• September 23, 2013 – Compliance date

• September 23, 2014 – Deadline for covered entities to revise existing Business Associate Agreements

Who is covered by HIPAA and the changes in HIPAA?

• Covered Entity - A health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard.

• Business Associates of Covered Entities - A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

To what extent would archival repositories be considered part of covered entities or business associates of covered entities?

HIPAA places responsibility on individual institutions to determine designation of archives and other departments as part of:
• Covered entity
• Covered function in hybrid entity
• Non-covered function in hybrid entity
• Non-covered entity
• Business Associate of a covered entity
• Sub-contractors of business associates of a covered entity

Other protections for health information

Repositories within HIPAA covered and non-covered entities must also:
• Comply with state laws applying to medical records and health information in holdings
• Comply with the Federal Common Rule for Protection of Human Subjects
• Adhere to institutional requirements for protection of health information
• Observe donor agreements for protecting health privacy
• Even if not subject to HIPAA, examine the ethical considerations related to the access and use of health information

Definition: Protected Health Information

• PHI is individually identifiable health information transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records and excluding information on those individuals who have been deceased for longer than 50 years.

Set of 18 Identifiers that must be removed to de-identify health information

• names

• geographic subdivisions smaller than a state

• all elements of dates (except year)

• telephone numbers

• facsimile numbers

• electronic mail addresses

• social security numbers

• medical record numbers

• health plan beneficiary numbers

• account numbers

• certificate/license numbers

• vehicle identifiers and serial numbers

• device identifiers and serial numbers

• web universal resource locators (URLs)

• internet protocol (IP) address numbers

• biometric identifiers

• full-face photographic images

• Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification

Change in the Definition of Decedent PHI

• Between April 14, 2003 and March 25, 2013, Protected Health Information of decedents was defined as being protected by HIPAA in perpetuity.

• Starting March 26, 2013, PHI no longer includes health information of individuals who have been deceased for over 50 years, i.e., those who died before March 26, 1963.

• New definition lifts protection for individually identifiable health information of those known to be deceased for 50+ years.

• HHS declined to designate a date from record creation after which records would be presumed to relate to individuals deceased 50+ years.

Implications of Change in Definition of PHI

Change in definition allows greater access and use of health information that is no longer covered by HIPAA

• Option for repositories to develop less restrictive access policies for users requesting access to this material

• Ability for researchers to publish and use health information that is no longer protected

• Ability for archives to digitize and disseminate health information that is no longer protected, such as images

Is the information Individually Identifiable Health Information? [Health information containing any of the 18 specified HIPAA identifiers]

• No – Legally permitted to disclose

• Yes – Did the information come from a medical record?
– No – Is the individual deceased for more than 50 years?
  • Yes – Legally permitted to disclose
  • No – HIPAA requirements to disclose
– Yes – Is the individual deceased for more than 50 years?
  • Yes – Meet Maryland law requirements to disclose
  • No – HIPAA requirements and Maryland law requirements to disclose

Policy Considerations [Should attempt to honor any limitations or refusal from a personal representative of which we are aware.] [Others?]

Draft decision tree prepared 3/12/13 by Don Bradfield, Senior Counsel, Johns Hopkins Health System. Decisions are based on Maryland Law. Other state or local law could result in a different decision process.

Archival examples: Patient Record Operative Note

• Operative Note created by Alfred Blalock, surgeon who treated this Blue Baby case.

• Patient has been deceased more than 50 years but record would be considered a medical record.

• While record is no longer protected by HIPAA, it still requires protection under state medical records statute and the redaction of personal identifiers.

• Removal of identifiers may have little impact on intellectual content

Information may still be protected by State Medical Records Statutes

HIPAA does not define the term “Medical Record”

Medical records traditionally include:
• Unit medical record, whether paper or electronic, usually held by hospital medical records office or other provider based centralized filing systems
• Other records used to make health care decisions about the individual patient

Determining if information came from a medical record

Medical Records could also include:
• Correspondence (including email) containing patient-provider or provider-provider communications regarding care or treatment of specific patients
• Research notes regarding treatment for specific patients
• Patient diagnostic images

Gray areas may include:
• Patient Logbooks
• Patient Diagnostic Indices
• Research records that include health information but were not used to make health care decisions about individuals

Determining if an individual subject of PHI has been deceased for more than 50 years

Is the death date known?

• Yes – More than 50 years ago: Not covered by HIPAA
• Yes – Less than 50 years ago: Covered by HIPAA

• No – Determine the age of the subject at the date of record creation, then determine how old the subject would have been 50 years ago:
– Less than 70 years old: Individual is likely to have been alive 50 years ago. Information about this individual is still likely protected by HIPAA.
– Between 70 to 85 years old: Individual may have been alive 50 years ago. Information about this individual may still be protected by HIPAA.
– Between 85 to 100 years old: Likelihood that the individual was alive 50 years ago decreases. Information about this individual is of decreased likelihood to be protected by HIPAA.
– Between 100 to 115 years old: Individual unlikely to have been alive 50 years ago. Information about this individual is unlikely to be protected by HIPAA.
– Over 115 years old: Individual would have been deceased 50 years ago. Information about this individual is highly unlikely to be protected by HIPAA.

Decision tree prepared by Phoebe Evans Letocha, Collections Management Archivist, Johns Hopkins Medical Institutions, 5/14/2013
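The decedent decision tree above, written out as an added Python example (not code from the presentation or from the Medical Archives). It assumes a review date, the record's creation date, the subject's age at record creation and an optional known death date as inputs; the "more than 50 years" test is treated as strict, as in the March 26, 1963 example earlier in the talk, and the check that a record created within the last 50 years is always still covered is an added edge case not drawn on the slide.

```python
from datetime import date
from typing import Optional, Tuple

# Age bands from the decision tree: age the subject would have reached 50 years
# before the review date -> HIPAA assessment. Assumption: lower edges are inclusive.
AGE_BANDS = [
    (70, "likely protected", "individual is likely to have been alive 50 years ago"),
    (85, "may be protected", "individual may have been alive 50 years ago"),
    (100, "decreased likelihood", "likelihood the individual was alive 50 years ago decreases"),
    (115, "unlikely protected", "individual unlikely to have been alive 50 years ago"),
]
OVER_115 = ("highly unlikely protected", "individual would have been deceased 50 years ago")

def fifty_years_before(d: date) -> date:
    """Same calendar day 50 years earlier (Feb 29 falls back to Feb 28)."""
    try:
        return d.replace(year=d.year - 50)
    except ValueError:
        return d.replace(year=d.year - 50, day=28)

def whole_years(earlier: date, later: date) -> int:
    """Completed years from earlier to later; negative when later comes first."""
    years = later.year - earlier.year
    if (later.month, later.day) < (earlier.month, earlier.day):
        years -= 1
    return years

def decedent_hipaa_status(review_date: date, record_date: date, age_at_record: int,
                          death_date: Optional[date] = None) -> Tuple[str, str]:
    """Walk the tree and return (status label, reason)."""
    cutoff = fifty_years_before(review_date)
    # Branch 1: death date known. "More than 50 years" is strict: on a review date
    # of March 26, 2013 only deaths before March 26, 1963 fall outside HIPAA.
    if death_date is not None:
        if death_date < cutoff:
            return "not covered", f"died {death_date}, more than 50 years before {review_date}"
        return "covered", f"died {death_date}, within 50 years of {review_date}"
    # Added edge case: a record created after the cutoff shows the subject was alive
    # after it, so the subject cannot have been deceased for 50 years.
    if record_date > cutoff:
        return "covered", f"record dated {record_date} is less than 50 years old"
    # Branch 2: death date unknown. Project the age at record creation to the cutoff.
    age_then = age_at_record + whole_years(record_date, cutoff)
    for upper, label, reason in AGE_BANDS:
        if age_then < upper:
            return label, f"would have been {age_then} in {cutoff.year}: {reason}"
    label, reason = OVER_115
    return label, f"would have been {age_then} in {cutoff.year}: {reason}"
```

The age-band outcomes are likelihood estimates, so the reason string is returned alongside the label for the access file rather than a bare yes/no.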

Policy Considerations

• What level of risk is the repository willing to accept?
• How sensitive is the information?
• How will the information be used?
• What is the risk of re-disclosure?

Risk of Non-Compliance

• Greater risk of regulatory scrutiny and fines for covered entities and their business associates

• Larger penalties and enforcement provision
• Maximum fines can be up to $50,000 per violation per day, per patient, up to a maximum of $1.5 million per year for the same violation
• Amounts can increase with multiple violations

• 4 tiers of monetary penalties based on culpability levels:
1. Reasonable diligence would not have revealed the violation
2. Violation is due to reasonable cause, not willful neglect
3. Violation is due to willful neglect that is corrected within 30 days
4. Violation is due to willful neglect that is not corrected within 30 days

Access Anxiety as a barrier to research

What is Research?

Definition of Research under the HIPAA Privacy Rule and the Federal Common Rule

• A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.

Authorizations for access under the HIPAA Privacy Rule

• Individual authorizations
– Subject of health information
– Legal representative of subject of health information

• Institutional authorizations for research
– Waivers issued by Privacy Board or IRB for research involving living individuals
– Research on decedents
– Review preparatory to research
– Data use agreement for limited data sets

• Other allowable institutional uses or disclosures
– Treatment, payment, and health care operations
– Health care emergencies, law enforcement and government oversight

Privacy Board at JHMI

• Joint institutional board of The Johns Hopkins Hospital and the Johns Hopkins University schools of Medicine, Nursing, and Public Health for access to records, data, and information held by:
– Alan Mason Chesney Medical Archives of the Johns Hopkins Medical Institutions
– Health Information Management Division of The Johns Hopkins Hospital (for access to medical records created more than 50 years ago)
– Department of Art as Applied to Medicine

• Allows research using these institutional materials when it is legally and ethically responsible to do so

• Administered by the Medical Archives
• Individuals both affiliated and not affiliated with Johns Hopkins are eligible to submit applications.

Analysis of Privacy Board applications at Johns Hopkins, April 2003 - April 2014

• 233 numbered cases
• 200 approved (86% of all cases, 96% of reviewed cases)
• 8 not approved
• 25 applications incomplete and not submitted for review (10%)
• 80 cases requested access to patient related materials (34%)
– Requests for patient materials have increased since 2011 to 48% of all cases
• Privacy board waivers have enabled the Medical Archives to provide access to unprocessed collections

Obtaining authorization to publish

Protected Health Information
• Institutions cannot authorize publication of PHI
• Only individual subjects or their personal representatives can authorize publication
• Difficulty in locating personal representatives of decedents

Change in the Privacy Rule may allow publication of some health information without the need to obtain authorization
• Information of individuals who have been deceased 50+ years
• Information from medical records may still be governed by state laws
• Redaction or de-identification may be necessary

Limitations of redaction

Patient Record / Logbook

• May diminish the research value of the document

Examples of De-identified Documents

Correspondence

• Redaction may diminish intellectual content of document

• Challenging due to free text structure

• Labor intensive and costly

Examples of De-identified Documents

Photographs

• Redaction may diminish content and aesthetic value of the image

Presenter

Phoebe Evans Letocha
Collections Management Archivist
[email protected]

Alan Mason Chesney Medical Archives of the Johns Hopkins Medical Institutions

ALHHS HIPAA resource page: www.alhhs.org