The Impact of HIPAA on Access to Medical Archives: An Archivist's Perspective
Presentation to the American Association for the History of Medicine, May 10, 2014
Phoebe Evans Letocha, Alan Mason Chesney Medical Archives, Johns Hopkins Medical Institutions
pletocha@jhmi.edu

Patient Related Materials = Hidden Collections
• Fewer resources devoted to processing
• Hidden to archivists as well as researchers because they are not in catalogs
• Lack of adequate description

HIPAA Background and Dates
• 1996 - Health Insurance Portability and Accountability Act (HIPAA) adopted by Congress
• April 14, 2003 - Privacy Rule of HIPAA goes into effect
• July 2010 - OCR proposes changes to the Privacy Rule as a result of the HITECH Act
• January 25, 2013 - OCR publishes its final rule to implement the privacy and enforcement provisions of the HITECH Act and modifies the HIPAA Privacy, Security and Enforcement Rules issued under HIPAA
• March 26, 2013 - Effective date
• September 23, 2013 - Compliance date
• September 23, 2014 - Deadline for covered entities to revise existing Business Associate Agreements

Who is covered by HIPAA and the changes in HIPAA?
• Covered Entity - A health plan, a health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard.
• Business Associates of Covered Entities - A person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.

To what extent would archival repositories be considered part of covered entities or business associates of covered entities?
HIPAA places responsibility on individual institutions to determine whether archives and other departments are designated as part of a:
• Covered entity
• Covered function in a hybrid entity
• Non-covered function in a hybrid entity
• Non-covered entity
• Business Associate of a covered entity
• Sub-contractor of a business associate of a covered entity

Other protections for health information
Repositories within HIPAA covered and non-covered entities must also:
• Comply with state laws applying to medical records and health information in their holdings
• Comply with the Federal Common Rule for the Protection of Human Subjects
• Adhere to institutional requirements for the protection of health information
• Observe donor agreements for protecting health privacy
• Even if not subject to HIPAA, examine the ethical considerations related to the access and use of health information

Definition: Protected Health Information
• PHI is individually identifiable health information transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records and excluding information on individuals who have been deceased for longer than 50 years.
Set of 18 Identifiers that must be removed to de-identify health information
• Names
• Geographic subdivisions smaller than a state
• All elements of dates (except year)
• Telephone numbers
• Facsimile numbers
• Electronic mail addresses
• Social security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Account numbers
• Certificate/license numbers
• Vehicle identifiers and serial numbers
• Device identifiers and serial numbers
• Web universal resource locators (URLs)
• Internet protocol (IP) address numbers
• Biometric identifiers
• Full-face photographic images
• Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification

Change in the Definition of Decedent PHI
• Between April 14, 2003 and March 25, 2013, Protected Health Information of decedents was defined as being protected by HIPAA in perpetuity.
• Starting March 26, 2013, PHI no longer includes health information of individuals who have been deceased for over 50 years, i.e. those who died before March 26, 1963.
• The new definition lifts protection for individually identifiable health information of those known to be deceased for 50+ years.
• HHS declined to designate a date from record creation after which records would be presumed to relate to individuals deceased 50+ years.

Implications of the Change in the Definition of PHI
The change in definition allows greater access to and use of health information that is no longer covered by HIPAA:
• Option for repositories to develop less restrictive access policies for users requesting access to this material
• Ability for researchers to publish and use health information that is no longer protected
• Ability for archives to digitize and disseminate health information that is no longer protected, such as images

Is the information Individually Identifiable Health Information? [Health information containing any of the 18 specified HIPAA identifiers]
  No: Legally permitted to disclose
  Yes: Did the information come from a medical record?
    No: Is the individual deceased for more than 50 years?
      Yes: Legally permitted to disclose
      No: HIPAA requirements to disclose
    Yes: Is the individual deceased for more than 50 years?
      No: HIPAA requirements and Maryland law requirements to disclose
      Yes: Meet Maryland law requirements to disclose
Policy Considerations
  [Should attempt to honor any limitations or refusal from a personal representative of which we are aware.]
  [Others?]
Draft decision tree prepared 3/12/13 by Don Bradfield, Senior Counsel, Johns Hopkins Health System. Decisions are based on Maryland law; other state or local law could result in a different decision process.

Archival examples: Patient Record Operative Note
• Operative Note created by Alfred Blalock, the surgeon who treated this Blue Baby case.
• Patient has been deceased more than 50 years, but the record would be considered a medical record.
• While the record is no longer protected by HIPAA, it still requires protection under the state medical records statute and the redaction of personal identifiers.
• Removal of identifiers may have little impact on intellectual content.

Information may still be protected by State Medical Records Statutes
HIPAA does not define the term "Medical Record." Medical records traditionally include:
• The unit medical record, whether paper or electronic, usually held by the hospital medical records office or other provider-based centralized filing systems
• Other records used to make health care decisions about the individual patient

Determining if information came from a medical record
Medical records could also include:
• Correspondence (including email) containing patient-provider or provider-provider communications regarding the care or treatment of specific patients
• Research notes regarding treatment of specific patients
• Patient diagnostic images
Gray areas may include:
• Patient logbooks
• Patient diagnostic indices
• Research records that include health information but were not used to make health care decisions about individuals

Determining if an individual subject of PHI has been deceased for more than 50 years
Is the death date known?
  Yes:
    Less than 50 years ago: Covered by HIPAA
    More than 50 years ago: Not covered by HIPAA
  No: Determine the age of the subject at the date of record creation, then determine how old the subject would have been 50 years ago.
    Less than 70 years old: Individual is likely to have been alive 50 years ago. Information about this individual is still likely protected by HIPAA.
    Between 70 and 85 years old: Individual may have been alive 50 years ago. Information about this individual may still be protected by HIPAA.
    Between 85 and 100 years old: Likelihood that the individual was alive 50 years ago decreases. Information about this individual is of decreased likelihood to be protected by HIPAA.
    Between 100 and 115 years old: Individual unlikely to have been alive 50 years ago. Information about this individual is unlikely to be protected by HIPAA.
    Over 115 years old: Individual would have been deceased 50 years ago. Information about this individual is highly unlikely to be protected by HIPAA.
Decision tree prepared by Phoebe Evans Letocha, Collections Management Archivist, Johns Hopkins Medical Institutions, 5/14/2013

Policy Considerations
• What level of risk is the repository willing to accept?
• How sensitive is the information?
• How will the information be used?
• What is the risk of re-disclosure?

Risk of Non-Compliance
• Greater risk of regulatory scrutiny and fines for covered entities and their business associates
• Larger penalties and enforcement provisions
• Maximum fines can be up to $50,000 per violation per day, per patient, up to a maximum of $1.5 million per year for the same violation
• Amounts can increase with multiple violations
• 4 tiers of monetary penalties based on culpability level:
  1. Reasonable diligence would not have revealed the violation
  2. Violation is due to reasonable cause, not willful neglect
  3. Violation is due to willful neglect that is corrected within 30 days
  4. Violation is due to willful neglect that is not corrected within 30 days

Access Anxiety as a barrier to research

What is Research?
Definition of research under the HIPAA Privacy Rule and the Federal Common Rule:
• A systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge.
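The two decision trees above (Bradfield's disclosure tree and the decedent-status tree), written out as an added Python example that is not code from the presentation or the Medical Archives; the reference date it counts 50 years back from, the sample dates and ages, and the result strings are constructed for illustration.

```python
from datetime import date
from typing import Optional

# Added example, not the archives' own code. It encodes the two decision
# trees from the slides with the slides' thresholds; the reference date
# (the "today" that 50 years are counted back from) is supplied by the caller.

def fifty_years_before(reference: date) -> date:
    """Same calendar day 50 years earlier; Feb 29 falls back to Feb 28."""
    try:
        return reference.replace(year=reference.year - 50)
    except ValueError:
        return reference.replace(year=reference.year - 50, day=28)

def decedent_status(reference: date, death_date: Optional[date] = None,
                    record_date: Optional[date] = None,
                    age_at_record: Optional[int] = None) -> str:
    """Letocha tree: how likely is it that the subject died 50+ years ago?"""
    cutoff = fifty_years_before(reference)
    if death_date is not None:
        # Known death date: a hard line, not a likelihood. Died before the
        # cutoff means deceased for longer than 50 years, so no longer PHI.
        return "not covered by HIPAA" if death_date < cutoff else "covered by HIPAA"
    if record_date is None or age_at_record is None:
        raise ValueError("need death_date, or record_date plus age_at_record")
    # Unknown death date: how old would the subject have been at the cutoff?
    age_at_cutoff = age_at_record + (cutoff.year - record_date.year)
    if age_at_cutoff < 70:
        return "likely still protected by HIPAA"
    if age_at_cutoff < 85:
        return "may still be protected by HIPAA"
    if age_at_cutoff < 100:
        return "decreased likelihood of HIPAA protection"
    if age_at_cutoff < 115:
        return "unlikely to be protected by HIPAA"
    return "highly unlikely to be protected by HIPAA"

def disclosure_requirements(has_identifiers: bool, from_medical_record: bool,
                            deceased_over_50_years: bool) -> set:
    """Bradfield draft tree (Maryland law): which regimes a disclosure must meet."""
    if not has_identifiers:
        return set()  # none of the 18 identifiers: legally permitted to disclose
    regimes = set()
    if not deceased_over_50_years:
        regimes.add("HIPAA")  # still PHI under the post-March 2013 definition
    if from_medical_record:
        regimes.add("Maryland medical records law")  # survives the 50-year lapse
    return regimes
```

An empty set from disclosure_requirements means the item can be disclosed without either regime, which is exactly the case the Operative Note slide does not fall into: it is past the 50-year line but still a medical record.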
Authorizations for access under the HIPAA Privacy Rule
• Individual authorizations
  – Subject of health information
  – Legal representative of the subject of health information
• Institutional authorizations for research
  – Waivers issued by a Privacy Board or IRB for research involving living individuals
  – Research on decedents
  – Review preparatory to research
  – Data use agreement for limited data sets
• Other allowable institutional uses or disclosures
  – Treatment, payment, and health care operations
  – Health care emergencies, law enforcement and government oversight

Privacy Board at JHMI
• Joint institutional board of The Johns Hopkins Hospital and the Johns Hopkins University schools of Medicine, Nursing, and Public Health for access to records, data, and information held by:
  – Alan Mason Chesney Medical Archives of the Johns Hopkins Medical Institutions
  – Health Information Management Division of The Johns Hopkins Hospital (for access to medical records created more than 50 years ago)
  – Department of Art as Applied to Medicine
• Allows research using these institutional materials when it is legally and ethically responsible to do so
• Administered by the Medical Archives
• Individuals both affiliated and not affiliated with Johns Hopkins are eligible to submit applications.

Analysis of Privacy Board applications at Johns Hopkins, April 2003 - April 2014
• 233 numbered cases
• 200 approved (86% of all cases, 96% of reviewed cases)
• 8 not approved
• 25 applications incomplete and not submitted for review (10%)
• 80 cases requested access to patient related materials (34%)
  – Requests for patient materials have increased since 2011 to 48% of all cases
• Privacy Board waivers have enabled the Medical Archives to provide access to unprocessed collections

Obtaining authorization to publish Protected Health Information
• Institutions cannot authorize publication of PHI
• Only individual subjects or their personal representatives can authorize publication
• Difficulty in locating personal representatives of decedents

Change in the Privacy Rule may allow publication of some health information without the need to obtain authorization
• Information of individuals who have been deceased 50+ years
• Information from medical records may still be governed by state laws
• Redaction or de-identification may be necessary

Limitations of redaction: Patient Record Logbook
• May diminish the research value of the document

Examples of De-identified Documents: Correspondence
• Redaction may diminish the intellectual content of the document
• Challenging due to free text structure
• Labor intensive and costly

Examples of De-identified Documents: Photographs
• Redaction may diminish the content and aesthetic value of the image

Presenter
Phoebe Evans Letocha, Collections Management Archivist
pletocha@jhmi.edu
Alan Mason Chesney Medical Archives of the Johns Hopkins Medical Institutions

ALHHS HIPAA resource page: www.alhhs.org