A covered entity (e.g. LSUHSC-NO and its faculty, staff and students) may not use or disclose protected health information (PHI) about a patient without that patient's written authorization unless the use or disclosure falls under one of the exceptions.
Exceptions to HIPAA that apply to public health activities include but are not necessarily limited to:
In many instances, the School of Public Health functions as a public health authority of the state. The HIPAA regulations define a public health authority as an agency or authority that is responsible for public health matters as part of its official mandate of:
State laws governing the collection of health information by public health authorities pre-empt HIPAA requirements. However, it is important to note that state laws and the requirements of funding sources frequently include privacy protections very similar to HIPAA.
In addition to being a public health authority, LSUHSC-NO may be required to report information to other public health authorities. Examples of other public health authorities include but are not limited to:
Many states have laws requiring disclosures of protected health information. For example, information about a student's immunization status must be disclosed to the school in which they are enrolling. The PHI that may be disclosed is limited to what is required by the statute.
Other public health activities are considered essential and as such a patient's authorization is not required. These include:
When disclosing PHI for public health purposes, LSUHSC-NO is required to reasonably limit the information disclosed to the minimum necessary to accomplish the public health purpose. LSUHSC-NO may reasonably rely on a minimum necessary determination made by a public health authority requesting PHI. LSUHSC-NO may develop specific procedures that address the types and amounts of PHI disclosed for routine and recurring public health disclosures.
LSUHSC-NO is not required to make a minimum necessary determination if the public health disclosures are made pursuant to an individual’s authorization or for a disclosure that is required by other law.
An accounting is generally required for disclosures made without authorization, including public health purposes.
The required accounting for disclosures may be accomplished in different ways. Typically, LSUHSC-NO must provide the individual with an accounting of each disclosure by date, the PHI disclosed, the identity of the recipient of the PHI, and the purpose of the disclosure. However, where LSUHSC-NO has, during the accounting period, made multiple disclosures to the same recipient for the same purpose, the Privacy Rule provides for a simplified means of accounting. In such cases, LSUHSC-NO need only identify the recipient of such repetitive disclosures, the purpose of the disclosure, and describe the PHI routinely disclosed. The date of each disclosure need not be tracked. Rather, the accounting may include the date of the first and last such disclosure during the accounting period, and a description of the frequency or periodicity of such disclosures. For example, the vast amount of data exchanged between LSUHSC-NO and public health authorities is made through ongoing, regular reporting or inspection requirements. A covered health-care provider may routinely report all cases of measles it diagnoses to the local public health authority. An accounting of such disclosures to a requesting individual would need to identify the local public health authority receiving the PHI, the PHI disclosed, the purpose of the disclosure (required for communicable disease surveillance), the periodicity (weekly), and the first and last dates of such disclosures during the accounting period (May 1, 2003 to June 1, 2003). Thus, LSUHSC-NO would not need to annotate each patient's medical record whenever a routine public health disclosure was made.

Some public health activities fall under the definition of research.
Some public health activities that are initially public health practice may subsequently evolve into a research activity (e.g., an investigation to determine the cause of an outbreak that incorporates a research study evaluating the efficacy of a new drug to treat the illness). When that is the case, the disclosures may be made initially under the public health provisions of the Privacy Rule. But when the activity becomes an ongoing research activity, the entity should consider application of the relevant research disclosures provisions to continue to obtain information for this purpose. Moreover, there may be cases where the activity is both research and public health practice (e.g., an ongoing survey to monitor health conditions in the population, data from which can also be analyzed for research purposes). In those cases, disclosures may be made either under the research provisions or the public health provisions, as appropriate --- LSUHSC-NO need not comply with both sets of requirements.
When in doubt as to whether the public health activity undertaken is research, the LSUHSC-NO IRB must make a determination of whether the activity is human subjects research under the Common Rule and therefore falls under the research provisions of the Privacy Rule.
The following activities are not considered research:
Public health involves dealing with different types of data. HIPAA divides these different types of data into three groups:
Data can be de-identified either by removing all direct and indirect identifiers (safe harbor method) or by demonstrating statistically that it is highly improbable that an individual patient could be identified using the data in combination with publicly available information (statistical method).
Once the PHI is de-identified, the information is no longer subject to the HIPAA Privacy Rule and may be disclosed freely.
HIPAA provides that LSUHSC-NO may determine that health information is not individually identifiable if:
A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable, applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is the subject of the information; and that person documents the methods and results of the analysis that justify such determination.
The Office of Civil Rights of the U.S. Department of Health and Human Services has a guidance document that provides additional information on de-identification.
If you feel you need to utilize this option, you must contact the LSUHSC-NO Privacy Officer BEFORE any disclosure of information occurs.
LSUHSC-NO may assign a code or other means of record identification to allow de-identified information to be re-identified, as long as the code is not derived from, or related to, the removed identifiers. In order for such data to meet the criteria for de-identification LSUHSC-NO must keep the code confidential to prevent unauthorized disclosure of PHI. If the data is re-identified, the information once again becomes subject to all the requirements of the HIPAA Privacy Rule.
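The following is an added illustration of the re-identification code requirement just described; it is not code from LSUHSC-NO or CM 53. The records, the field names, and the list of direct identifiers are constructed for the demo and do not reflect the full safe harbor list. It contrasts a code derived from a removed identifier (a hash of the SSN, which anyone holding that SSN can recompute) with a random code whose only link to the patient is a separately held, confidential key table.

```python
import hashlib
import secrets

# Constructed sample records; not real patients.
RECORDS = [
    {"mrn": "MRN-0001", "name": "A. Example", "ssn": "123-45-6789", "dx": "measles"},
    {"mrn": "MRN-0002", "name": "B. Example", "ssn": "987-65-4321", "dx": "measles"},
]

# Assumed direct identifiers for this demo only (the real safe harbor list is longer).
DIRECT_IDENTIFIERS = {"mrn", "name", "ssn"}


def derived_code(record):
    """Does NOT meet the 'not derived from the removed identifiers' rule:
    the code is a deterministic function of the SSN, so it is reproducible
    by anyone who knows the SSN and the hashing recipe."""
    return hashlib.sha256(record["ssn"].encode()).hexdigest()[:16]


class ReidentificationKey:
    """Confidential table mapping a random code back to the identifiers.
    The code itself carries no information about the patient; only this
    table, which LSUHSC-NO must keep confidential, links the two."""

    def __init__(self):
        self._table = {}

    def assign(self, record):
        code = secrets.token_hex(8)  # random, unrelated to any identifier
        self._table[code] = {k: record[k] for k in DIRECT_IDENTIFIERS}
        return code

    def reidentify(self, code):
        # Using this table re-identifies the data, which brings it back
        # under the full Privacy Rule.
        return self._table.get(code)


def deidentify(records, key):
    """Strip direct identifiers and replace them with a random code."""
    out = []
    for r in records:
        kept = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        out.append({"code": key.assign(r), **kept})
    return out
```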
LSUHSC-NO’s HIPAA Policies and Procedures on De-identification of PHI are contained in Chancellor’s Memorandum (CM) 53 and may be found at:
LSUHSC-NO may disclose PHI in a limited data set (LDS) to a researcher who has entered into an appropriate “data use agreement”. The LDS must have all direct identifiers removed; it may still include information that could “indirectly” identify the subject using statistical methods.
LSUHSC-NO must condition the disclosure of the LDS on the execution of a “data use agreement.” The data use agreement must establish:
LSUHSC-NO’s HIPAA Policies and Procedures on Limited Data Sets and Data Use Agreements are contained in Chancellor’s Memorandum (CM) 53 and may be found at:
There are instances where public health activities require data that includes identifiers. For example, the CDC may request information regarding patients with a particular infection. When handling identified health information, it is important to take all reasonable steps to ensure the privacy and security of the information. Even if the information is not subject to HIPAA regulations, there may be state laws or other privacy and/or security requirements, and such information is still considered Protected or Restricted Information under PM-36.
Dr. Capaldi is designing a research study. While he has eliminated all other identifiers, he needs to retain both the month and the year of the date of birth of the subjects in the study. Does that automatically mean his data can't be considered to be de-identified?
Under Louisiana law, LSUHSC-NO operates the Louisiana Tumor Registry (LTR), a public health authority which is not subject to HIPAA. Does this mean that the LTR does not have to protect the privacy of the patient information the LTR has in its possession?
If you have any questions, please contact the Office of Compliance Programs by: