Office of Compliance Programs

Revised: July 1, 2017

Public Health and HIPAA

• This presentation will address the HIPAA Privacy regulations as they effect the activities of the School of Public Health.
• It is imperative to comply with the HIPAA Privacy Rule in all aspects in order to ensure the public's trust and cooperation in School of Public Health activities.

HIPAA in a Nutshell

A covered entity (e.g. LSUHSC-NO and its faculty, staff and students) may not use or disclose protected health information (PHI) about a patient without that patient's written authorization unless the use or disclosure falls under one of the exceptions.

HIPAA Exceptions That Apply To Public Health

Exceptions to HIPAA that apply to public health activities include but are not necessarily limited to:

• Public Health Authority
• Disclosures to a Public Health Authority
• Disclosures Required by Law
• Other Public Health Activities

Public Health Authority

In many instances, the School of Public functions as a public health authority of the state. The HIPAA regulations define a public health authority as an agency or authority that is responsible for public health matters as part of its official mandate of:

• The United States,
• A State,
• A territory,
• A political subdivision of a State or territory,
• An Indian tribe,
• A person or entity acting under a grant of authority from or contract with such public agency including:
  • The employees or agents of such public agency or its contractors ; or
  • Persons or entities to whom it has granted authority, that is responsible for public health matters, as part of its official mandate.

State laws governing the collection of health information by public health authorities pre-empt HIPAA requirements. However, it is important to note that state laws and the requirements of funding sources frequently include privacy protections very similar to HIPAA.

Disclosures to a Public Health Authority

In addition to being a public health authority, LSUHSC-NO may be required to report information to other public health authorities. Examples of other public health authorities include but are not limited to:

• Federal
• Food and Drug Administration (FDA)
• The Centers for Disease Control and Prevention
• Occupational Safety and Health Administration (OSHA)
• State and Local
• Louisiana Department of Health
• New Orleans Health Department
• Parish Health Departments
  

Disclosures Required By Law

Many states have laws requiring disclosures of protected health information. For example, information about a student's immunization status must be disclosed to the school in which they are enrolling. The PHI that may be disclosed is limited to what is required by the statute.

Other Public Health Activities

Other public health activities are considered essential and as such a patient's authorization is not required. These include:

• Child abuse or neglect. LSUHSC-NO may disclose protected health information to report known or suspected child abuse or neglect, if the report is made to a public health authority or other appropriate government authority that is authorized by law to receive such reports.
• Quality, safety or effectiveness of a product or activity regulated by the FDA. LSUHSC-NO may disclose protected health information to a person subject to FDA jurisdiction, for public health purposes related to the quality, safety or effectiveness of an FDA-regulated product or activity for which that person has responsibility. Examples of purposes or activities for which such disclosures may be made include, but are not limited to:
  • Collecting or reporting adverse events (including similar reports regarding food and dietary supplements), product defects or problems (including problems regarding use or labeling), or biological product deviations;
  • Tracking FDA-regulated products;
  • Enabling product recalls, repairs, replacement or lookback (which includes locating and notifying individuals who received recalled or withdrawn products or products that are the subject of lookback); and
  • Conducting post-marketing surveillance.
• Persons at risk of contracting or spreading a disease. LSUHSC-NO may disclose protected health information to a person who is at risk of contracting or spreading a disease or condition if other law authorizes LSUHSC-NO to notify such individuals as necessary to carry out public health interventions or investigations.
• Workplace medical surveillance. A covered health care provider who provides a health care service to an individual at the request of the individual’s employer, or provides the service in the capacity of a member of the employer’s workforce, may disclose the individual’s protected health information to the employer for the purposes of workplace medical surveillance or the evaluation of work-related illness and injuries to the extent the employer needs that information to comply with federal or state workplace safety requirements. The information disclosed must be limited to the provider’s findings regarding such medical surveillance or work-related illness or injury. The covered health care provider must provide the individual with written notice that the information will be disclosed to his or her employer (or the notice may be posted at the worksite if that is where the service is provided).

Minimum Necessary

When disclosing PHI for public health purposes, LSUHSC-NO is required to reasonably limit the information disclosed to the minimum necessary to accomplish the public health purpose. LSUHSC-NO may reasonably rely on a minimum necessary determination made by a public health authority in requesting PHI. LSUHSC-NO may develop for specific procedures that address the types and amounts of PHI disclosed for routine and recurring public health disclosures.

LSUHSC-NO is not required to make a minimum necessary determination if the public health disclosures are made pursuant to an individual’s authorization or for a disclosure that is required by other law.

Accounting for Public Health Disclosures

An accounting is generally required for disclosures made without authorization, including public health purposes.

The required accounting for disclosures may be accomplished in different ways. Typically, LSUHSC-NO must provide the individual with an accounting of each disclosure by date, the PHI disclosed, the identity of the recipient of the PHI, and the purpose of the disclosure. However, where LSUHSC-NO has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy Rule provides for a simplified means of accounting. In such cases, the LSUHSC-NO need only identify the recipient of such repetitive disclosures, the purpose of the disclosure, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period, and a description of the frequency or periodicity of such disclosures. For example, the vast amount of data exchanged between LSUHSC-NO and public health authorities is made through ongoing, regular reporting or inspection requirements. A covered health-care provider may routinely report all cases of measles it diagnoses to the local public health authority. An accounting of such disclosures to a requesting individual would need to identify the local public health authority receiving the PHI, the PHI disclosed, the purpose of the disclosure (required for communicable disease surveillance), the periodicity (weekly), and the first and last dates of such disclosures during the accounting period (May 1, 2003 to June 1, 2003). Thus, LSUHSC-NO would not need to annotate each patient's medical record whenever a routine public health disclosure was made.

Other Public Health Issues That Are Not HIPAA Exceptions

Research

Some public health activities fall under the definition of research.

Some public health activities that are initially public health practice may subsequently evolve into a research activity (e.g., an investigation to determine the cause of an outbreak that incorporates a research study evaluating the efficacy of a new drug to treat the illness). When that is the case, the disclosures may be made initially under the public health provisions of the Privacy Rule. But when the activity becomes an ongoing research activity, the entity should consider application of the relevant research disclosures provisions to continue to obtain information for this purpose. Moreover, there may be cases where the activity is both research and public health practice (e.g., an ongoing survey to monitor health conditions in the population, data from which can also be analyzed for research purposes). In those cases, disclosures may be made either under the research provisions or the public health provisions, as appropriate --- LSUHSC-NO need not comply with both sets of requirements.

When in doubt as to whether the public health activity undertaken is research, the LSUHSC-NO IRB must make a determination of whether the activity is human subjects research under the Common Rule and therefore fall under the research provisions of the Privacy Rule.

The following activities are not considered research:

• Quality assessment and improvement activities, including outcomes evaluation, and development of clinical guidelines or protocols, fall under the category of health care operations provided the primary aim is not obtaining generalizable knowledge.
• Activities that aim primarily for generalizable knowledge of population health can fall into the category of public health activity.

Types of Data in Public Health

Public health involves dealing with different types of data. HIPAA divides these different types of data into three groups:

• De-identified data
• Limited Data Sets
• Data Sets with Direct Identifiers

De-identified Data

Data can be de-identified by removing all direct and indirect identifiers (safe harbor method) or demonstrate statistically that it is highly improbable to identify an individual patient using the data in combination with publicly available information (statistical method).

Once the PHI is de-identified, the information is no longer subject to the HIPAA Privacy Rule and may be disclosed freely.

Direct Identifiers

• Names
• Postal address information, other than town or city, State, and zip code
• Telephone numbers
• Fax numbers
• Electronic mail addresses
• Social Security numbers
• Medical records numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web Universal Resource Locators (URLs)
• Internet Protocol (IP) address numbers
• Biometric identifiers, including finger and voice prints
• Full face photographic images and any comparable images
• Any other unique identifying number, characteristic, or code.

Indirect Identifiers

• All geographic subdivisions smaller than a state including street address, city, county, precinct, zip code, and their equivalent, except for the initial three digits of zip code, if according to the current publicly available data from the Bureau of Census;
• the geographical unit formed by combining all zip codes with the same initial three digits contains more than 20,000 people; and
• the initial three digits of a zip code for all such geographical units containing 20,000 or fewer people is changed to 000.
• All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89 and all elements of dates (including year) indicative of age, except that such ages and elements may be aggregated into a single category of age 90 or older.

Expert Determination Option

HIPAA provides that LSUHSC-NO may determine that health information is not individually identifiable if:

A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information; and that person documents the methods and results of the analysis that justify such determination.

The Office of Civil Rights of the U.S. Department of Health and Human Services has a guidance document that provides additional information on de-identification.

If you feel you need to utilize this option, you must contact the LSUHSC-NO Privacy Officer BEFORE any disclosure of information occurs.

Re-identification of Data

LSUHSC-NO may assign a code or other means of record identification to allow de-identified information to be re-identified, as long as the code is not derived from, or related to, the removed identifiers. In order for such data to meet the criteria for de-identification LSUHSC-NO must keep the code confidential to prevent unauthorized disclosure of PHI. If the data is re-identified, the information once again becomes subject to all the requirements of the HIPAA Privacy Rule.

LSUHSC-NO’s HIPAA Policies and Procedures on De-identification of PHI are contained in Chancellor’s Memorandum (CM) 53 and may be found at:

• Policy O: De-identification of Protected Health Information
• Policy O Attachment A: Request for De-identified Information
• Policy S Attachment D: Principal Investigator’s Request De-identification form for Approved Exempt Research

Limited Data Sets

LSUHSC-NO may disclose PHI in a limited data set (LDS) to a researcher who has entered into an appropriate “data use agreement”. The LDS must have all direct identifiers removed; they may still include information that could “indirectly” identify the subject using statistical methods.

Data Use Agreement

LSUHSC-NO must condition the disclosure of the LDS on the execution of a “data use agreement.” The data use agreement must establish:

• The permitted uses and disclosures of such information by the recipient, consistent with the purposes of research;
• Limit who can use or receive the data;
• Require the recipient to agree not to re-identify the data or contact the individuals.

LSUHSC-NO’s HIPAA Policies and Procedures on Limited Data Sets and Data Use Agreements are contained in Chancellor’s Memorandum (CM) 53 and may be found at:

• Policy N: Limited Data Set
• Policy N Attachment A: Limited Data Set Request and Data Use Agreement

Data Sets with Direct Identifiers

There are instances where public health activities require data that includes identifiers. For example, the CDC may request information regarding patients with a particular infection. When handling identified health information, it is important to take all reasonable steps to ensure the privacy and security of the information. Even if the information is not subject to HIPAA regulations, there may be state laws or other privacy and/or security requirements and such information is still considered Protected or Restricted Information under PM-36.

Scenario 1

Dr. Capaldi is designing a research study. While he has eliminated all other identifiers, he needs to retain the both the month and the year of the date of birth of the subjects in the study. Does that automatically mean his data can't be considered to be de-identified?

Hover your mouse over or tap your finger on the box below to see the right answer. (Tap on any picture to make the answer disappear.)

Scenario 2

Under Louisiana law, LSUHSC-NO operates the Louisiana Tumor Registry (LTR), a public health authority which is not subject to HIPAA. Does this mean that the LTR does not have to protect the privacy of the patient information the LTR has in its possession?

Hover your mouse over or tap your finger on the box below to see the right answer. (Tap on any picture to make the answer disappear.)

Getting Help

If you have any questions, please contact the Office of Compliance Programs by:

• Email: nocompliance@lsuhsc.edu
• Phone: 504-568-5135
• In Person: RCB, suite 807
• Website