HIPAA Health Insurance Portability and Accountability Act

Lab Disclosures
March 29, 2004
UAB Health System

Education Objective
Review the HIPAA Privacy law segments most applicable to lab disclosures.
Explain the UABHS Accounting of Disclosures electronic and manual processes.
Distribute and explain a matrix of typical disclosures.
Answer questions and de-mystify HIPAA privacy regulations.
Provide resources to assist with future questions.

HIPAA Privacy
Under the HIPAA Privacy Regulations:
PHI may be used for treatment, payment, & healthcare operations (TPO).
PHI may be disclosed to other providers for treatment.
PHI may be disclosed to other covered entities for payment.
PHI may be disclosed to other covered entities that have a relationship with the patient for certain healthcare operations such as QI, credentialing and compliance.

HIPAA Privacy
Other Permitted Uses & Disclosures
PHI may be used or disclosed without authorization under the following circumstances:
– Public health agencies for purposes such as controlling or preventing disease or collecting vital statistics, i.e. notifiable or communicable diseases which must be reported to AL Dept. of Public Health, PKU Information Reporting.
– Public health or government authorities for law enforcement purposes, such as reporting on victims of abuse, neglect or domestic violence.

HIPAA Privacy
Other Permitted Uses & Disclosures
– Health oversight agencies for activities authorized by law, i.e. AQAF.
– Judicial and administrative proceedings, such as compliance with a court order or subpoena.
– Law enforcement officials seeking information for the purpose of identifying a suspect, witness, or victim of a crime.
– Coroners, medical examiners, and funeral directors to identify a deceased person or determine a cause of death.
– Organ donation.
– Workers’ compensation.

HIPAA Privacy
Other Uses & Disclosures
Facility Directories – unless the patient opts out, their name, location and general medical condition may be disclosed to those asking for the patient by name.
Individuals involved in care or payment for care – PHI may be disclosed unless the patient objects.

HIPAA Privacy
Marketing & Fundraising
Marketing
– Covered entities are prohibited from using or disclosing PHI for marketing purposes without the patient’s express authorization.
– Covered entities are prohibited from selling patient/enrollee lists to third parties.
– Providers CAN communicate with patients about treatment options or the covered entities’ own health-related products and services, and make common health care communications such as disease management, wellness programs, prescription refill reminders and appointment notifications, and recommending alternative treatments, therapies, or health-care products.

Fundraising – limited PHI may be used if the patient is told how to opt out.

HIPAA Privacy
Incidental Uses and Disclosures
Uses and disclosures that are incidental to an otherwise permitted use or disclosure may occur and are not considered a violation of the Rule, provided that the covered entity meets reasonable safeguards and minimum necessary requirements.
Examples include waiting room sign-in sheets, patient charts at bedside, physician conversations with patients in a semi-private room, and physicians conferring at nurse’s stations.

HIPAA Privacy
Research
HIPAA regulations do not replace or reproduce other federal regulations (e.g. 45 CFR 46, 21 CFR 56). All existing regulations remain in force.
Unlike some other regulations, HIPAA applies regardless of whether the research is funded by the government.

HIPAA Privacy
Research
HIPAA preempts all less stringent state laws regarding privacy of health information unless specific requirements are met.
These requirements involve state mandated reporting related to health, safety, or welfare, as well as reporting that is necessary for a health plan to conduct auditing procedures.

HIPAA Privacy
Research
Instructions for requesting an exemption - to follow the state law instead of HIPAA - are given in Subpart B (§160.201-205).

HIPAA Privacy
Research
Covered Entities are permitted to use or disclose PHI for research if the IRB has approved the research and one or more of the following conditions exist:
1. Patient Authorization
2. Decedent Research
3. Preparatory Research
4. Limited Data Set
5. IRB grants a waiver of required authorization.

Waiver of Authorization
The IRB may waive the authorization, if the reviewing board finds that:
– The use or disclosure of PHI involves no more than “minimal risk” to privacy.
– The proposed research could not practicably be conducted without the waiver or alteration; and
– The research could not practicably be conducted without access to and use of the PHI.

Research with Records of Deceased Individuals
If a research subject is deceased, PHI may be used or disclosed provided that the researcher represents:
– The use or disclosure is sought solely for research on PHI of decedents, and
– PHI for which use or disclosure is sought is necessary for research purposes.

Upon request of the covered entity, the researcher must provide documentation of the death of the individual.

Reviews Preparatory to Research
A covered entity may use or disclose PHI for reviews preparatory to research if it obtains the following representations from the researcher:
– Use and disclosure is sought solely to review PHI as necessary to prepare a research protocol or for similar purposes preparatory to research (e.g. recruitment);
– No PHI is removed from the covered entity by the researcher in the course of review; and
– The PHI for which use or access is sought is necessary for the research purpose.
– Look to institutional policy to see if IRB approval is required.

De-Identification Standard
De-identified health information is health information that does not identify an individual and for which there is no reasonable basis that the information could be used to identify an individual.
It is not considered individually identifiable information.
There is no actual knowledge that the information could be used to identify an individual.

De-Identification Standard (cont.)
The Privacy Rule does not apply to information that has been de-identified under one of two standards set forth in the Privacy Rule.
– Removal of 18 identifiers.
– Certification by a biostatistician that the method for de-identifying the PHI has a “very small risk” that the information could be used, alone or in combination with other reasonably available information, to identify an individual who is the subject of the information.

De-Identification Standard (cont.)
Information is presumed to be de-identified, if the following identifiers of the individual or of relatives, employers, or household members of the individual, have been removed:
– Names;
– All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and equivalent geocodes;
– All elements of dates (except year), including birth date, admission & discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age;
– Telephone numbers;
– Fax numbers;
– Electronic mail addresses;
– Social security number;
– Medical record numbers;
– Health plan beneficiary numbers;
– Account numbers;
– Certificate/license numbers;
– Vehicle identifiers and serial numbers, including license plate numbers;
– Device identifiers and serial numbers;
– Web Universal Resource Locator (URL);
– Internet Protocol (IP) address numbers;
– Biometric identifiers, including finger and voice prints;
– Full face photographic images and any comparable images; and
– Any other unique identifying number, characteristic, or code, except as allowed under the re-identification specifications 164.514(c).

Limited Data Sets
Similar to de-identified data sets except certain direct identifiers must be removed.
Can be used for research, public health, and health care operations.
Limited Data Sets can include identifiers such as date of birth, dates of hospital admissions and discharges, and an individual’s residence by city, county, state, and 5 digit zip codes.
Researcher may access and use the entire array of PHI without authorizations or waivers of authorizations.

Minimum Necessary Standard
When HIPAA permits use or disclosure of PHI, providers should disclose or use only the minimum necessary amount of PHI in order to do their jobs.
Exceptions:
– Treatment
– Anything for which a patient authorization is signed.
– Incidental disclosures.
– Disclosures required by law.

HIPAA Privacy
Patient Rights
Notice to Individuals of Information Practices.
Authorization.
Request Access.
Request Accounting for Uses and Disclosures.
Request Amendment and Correction (subject to approval by the covered entity).
Request Confidential / alternate communication.
Request Restriction on use of PHI (subject to approval by the covered entity).
Complaints.

What is an Accounting of Disclosures?
Information provided to the patient, upon request, about certain disclosures made by UAB/UABHS in the six years prior to the date of the request, but not prior to April 14, 2003.
– Date of disclosure
– Name, address (if known) of entity/person receiving PHI
– Brief description of PHI disclosed
– Purpose of disclosure or copy of request

Accounting of Disclosures
A covered entity must provide an accounting to the individual of any research disclosure made pursuant to an IRB.

No accounting is needed for disclosures made pursuant to an Authorization.

Accountings of Disclosures are not required for the following:
To carry out TPO,
PHI to individuals about themselves,
For facility directory purposes,
Incidental to an otherwise permitted use/disclosure,
To persons involved in the care of the patient,
National security or intelligence purposes,
Correctional institutions or other law enforcement officials,
For disclosures made prior to April 14, 2003,
Pursuant to a valid authorization,
For other such reasons as allowed under HIPAA.

Mandatory Reporting Involving Protected Health Information
The state of Alabama requires reporting on the following:
– Births
– Infants of Unknown Parentage
– Fetal Deaths/Induced Termination of Pregnancy
– Deaths
– Notifiable Diseases & Health Conditions
– Infected Health Care Workers with HIV or Hepatitis B
– Head & Spinal Cord Injuries
– Confirmed Cancer Cases (Tumor Registry)
– Child Abuse or Neglect
– Protection of Aged or Disabled Adults
– Victims of Domestic Violence

UAB Health System
Types of Disclosures
Abuse, Neglect or Exploitation
Administrative Hearing
Adverse Outcomes
ACS Consultation/Verification Review of Trauma in Hospitals
Audits
Autopsy Report
Billing Records/Reports
Birth Certificate (Vital Event)
Bureau of Health Care Information
Business Associates for Non - T.P.O.
Center for Disease Control
Civil/Criminal Investigation
Communicable Diseases
Complaint Investigation
Consultants/Contractors
Coroners/Medical Examiners
Court Order
Death Certificate (Vital Event)
Department of Justice
Department of Transportation (D.O.T.)
Drug Enforcement Agency (D.E.A.) - Narcotics Reporting
Environmental Protection Agency (E.P.A.)
Federal Bureau of Investigation (F.B.I.)
Federal Emergency Management Agencies (F.E.M.A.)
Food and Drug Administration Reporting (F.D.A.)
Funeral Homes
Government Required Disclosures, Not Otherwise Specified
Immunization Records
Inspection
Insurance Reviewers (N.C.Q.A., etc.)
Law Enforcement (Aversion of Serious Threat)
Law Enforcement (Crime on Premises)
Law Enforcement (Suspicious Death, Location of Suspect/Witness)
Law Enforcement (Victims of or Suspected Crime)
Law Enforcement (Wounds, Injuries)
Licensure/Disciplinary Action
Military Command Authorities
National Transportation Safety Board (N.T.S.B.)
National Trauma Data Bank
Neonatal Reporting to State
Occupational Safety and Health Administration (O.S.H.A.)
Organ, Eye and Tissue Donation/Procurement
Paternity Testing/Affidavits
Peer Review (A.Q.A.F./Alabama Quality Assurance Foundation)
Poison Control Center
Public Health Activities, Not Otherwise Specified
Public Health Authorities, Not Otherwise Specified
Registry: Birth Defects
Registry: Births
Registry: Burns and Trauma
Registry: Cancer/Tumor
Registry: Cardiac
Registry: Child Abuse or Neglect
Registry: Deaths
Registry: Eye Injury
Registry: Fetal Deaths
Registry: Head and Spinal Cord Injury
Registry: Hearing Screening
Registry: Infants of Unknown Parentage
Research (Preparatory, Decedent, or Requirements for Authorization Waived)
Search Warrant
Subpoena
Summons
Surveys (CAP, CLIA, FDA, JCAHO)
Underage Pregnancy
Unlawful Disclosure Discovered Post-Release
Vendors
Workers' Compensation, if not related to TPO

Office of Civil Rights web-site
“FAQ’s” or Frequently Asked Questions
Accounting of Disclosures
Research
www.hhs.gov/ocr/hipaa

OCR Privacy FAQ’s
List of FAQ’s
Note multiple pages
Click on line item for details

OCR Privacy FAQ’s
Review FAQ for information as it relates to Privacy

UABHS Accounting Tool
UAB Health System utilizes one central database for maintaining accounting of disclosures.

Manual Documentation of Accounting of Disclosures
All “AOD’s” must be manually logged since April 14, 2003, then entered into UABHS’ approved and specified software, when available.
Software field name:
1. Request date (document received date)
2. MR# Custom Code (client code)
3. Service Dates (to/from)
4. Patient’s name (first and last)
5. Soc. Sec. #; Date of Birth
6. Suspended (Y/N); and date range. Limited use of this field.
7. Disclosure Date (date info. actually released)
8. Disclosed to: Organization, Contact’s Name, Street Address, City, State, Zip
9. Type of Disclosure (see “Types” table)
10. Items (list items actually disclosed)
11. Media (method of disclosure)
12. Employee information
13. Comments field

Miscellaneous
Reminder: HIPAA Privacy requirement to maintain accounting of disclosures, from April 14, 2003.
Questions?

For HIPAA questions or to report a suspected HIPAA violation contact:
Carlos Brown, UAB Hospital
Corporate Compliance / Privacy Manager
934-2990
Sheila Moore
Institutional Review Board
934-3789
Linda Lum
Accounting of Disclosures
975-2622
llum@uabmc.edu