HIPAA for Cancer Educators: Are You Correctly Using PHI?
Cite this article as: Searson, S., Hicks, J., Cole, J. et al. J Canc Educ (2010) 25: 83. doi:10.1007/s13187-009-0017-x
Privacy and confidentiality policies and practices, including Health Insurance Portability and Accountability Act (HIPAA) policies, may vary from institution to institution because they are developed to be institution-specific. HIPAA privacy and security regulations represent the minimum standards, and the expectation is that institutions will develop policies and practices that are reasonable and appropriate for their institution. These privacy and information security safeguards impact the use of sensitive and protected data often used by cancer educators. Therefore, it is important for cancer educators to be familiar with the policies, rules, and guidelines their institution has developed to comply with HIPAA. However, despite institutional differences, certain principles related to the confidentiality, protection, and uses of a patient’s health information remain consistent. HIPAA provides two sets of regulations that directly impact the work of many cancer educators: privacy and information security. The HIPAA Privacy Rule includes some security requirements, and HIPAA Security Regulations were designed to ensure privacy of the patient’s protected health information (PHI). This paper focuses primarily on the privacy factors.
The Health Insurance Portability and Accountability Act (HIPAA) became law on August 21, 1996, and has many goals: to make health insurance more portable, health care more efficient and cost-effective, and the sharing of patients’ health information more confidential and secure. The HIPAA Privacy Rule, which went into effect on April 14, 2003, focuses on how organizations subject to the Privacy Rule, called HIPAA-covered entities, can use or disclose their patients’ health information, called “protected health information” [1, p1]. It establishes, at the federal level, the first comprehensive minimum standards for protecting the privacy of health information [2, p1]. The goal of the Privacy Rule is to assure that protected health information (PHI) is properly protected while providing high-quality health care and ensuring the public’s health. It attempts to strike a balance by permitting designated important uses of PHI while protecting the privacy of the people whose PHI is used [1, p1]. The HIPAA Privacy Rule includes about 180 references to the concept that HIPAA-covered entities should employ “reasonable” privacy policies, procedures, and practices. Although a bevy of activities surrounded HIPAA’s introduction and effective dates, little has been written about the implications of HIPAA’s Privacy Rule for cancer-education programs.
Because increased scrutiny is being given to privacy issues, it is important to understand how the HIPAA regulations impact cancer-education programs. Under HIPAA, an individual’s personal health information can be used for cancer-education purposes. However, certain conditions and appropriate safeguards must be in place as HIPAA mandates privacy and security safeguards regarding the use of patients’ health information by cancer-education programs provided in a HIPAA-covered entity.
Before HIPAA, the confidentiality of a patient’s health information involved a “patchwork” of federal and state laws and regulations, professional codes of ethics, standards of practice, and the policies of individual institutions. HIPAA provides a broad definition and scope regarding a patient’s health information. PHI includes all oral, written, and electronically maintained information that is created or received by a health care provider, a health plan, or a health care clearinghouse. PHI includes that information related to an individual’s past, present, or future physical or mental health condition or the past, present, or future payment for the provision of health care [5, p1:9]. In essence, PHI is not the actual medical data of an individual but rather those data elements that can be used to identify an individual when combined with medical data, such as a medical diagnosis or medical condition, of that individual.
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and equivalent geocodes
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission and discharge dates, date of death, and all ages over 89 and all elements of dates (including year) indicative of such age
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web universal resource locators (URLs)
- Internet protocol (IP) address numbers
- Biometric identifiers, including fingerprints and voiceprints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code, unless otherwise permitted by the Privacy Rule for re-identification (164.514(c)).
Many of the identifiers listed above are included as necessary measures to ensure patient privacy protections. Name, address, social security number, birth date, and account numbers are logical pieces of information to keep private and secure as these data can easily identify an individual. However, it may not be immediately evident why certain other data elements are included. Could the serial number or license plate number from an individual’s vehicle identify that individual? Why include the serial number from a pacemaker implanted into a cardiovascular patient or from surgical steel used to set a patient’s broken ankle? These data elements represent small puzzle pieces that could be investigated and added to other information to identify a patient. Using or maintaining PHI is not to be confused with using or maintaining a patient’s medical record. The data being used or stored must be reviewed in light of these 18 PHI data elements. One of the data elements listed above combined with a medical condition or diagnosis equals PHI. For example, presenting information from a database entitled “Former Patients with Lymphoma” (reference to a diagnosis) that includes the patients’ names (PHI data element) is considered PHI. Therefore, patient information in the database must be used and disclosed by cancer educators only as the HIPAA Privacy Rule permits.
An individual who is authorized to access PHI is considered a “user” of PHI. Persons who access PHI for permitted health care activities under HIPAA, such as health care delivery, clinical decision making, financial purposes, and quality assessment, are “primary users” of PHI. “Secondary users” of PHI may be involved in a variety of activities such as marketing, fundraising, public health, and education [5, p1:10]. Cancer educators are primarily identified as secondary users of PHI. However, covered entities must take specific steps to ensure that both primary and secondary users protect PHI and remain in compliance with the HIPAA regulations and their own institution-specific policies.
The first requirement that must be met by all users of PHI in a covered entity is training. Every member of the workforce of the covered entity must successfully complete the institution’s HIPAA training. The workforce includes employees, students, trainees, and volunteers. The Privacy Rule sets the foundation or floor for privacy protection. Therefore, covered entities are free to establish more stringent policies and procedures as long as the HIPAA requirements are met as the minimum [2, p3]. The training must provide general information about the HIPAA privacy and security regulations as well as how each institution specifically decides to comply with these regulations through their unique policies, procedures, and practices regarding the use of PHI. The training informs the users of their responsibilities to safeguard the privacy and security of PHI as they perform their job duties in accord with institution-specific standards.
HIPAA’s Privacy Rule states that PHI may be used and disclosed for treatment, payment, and health care operations. This means that PHI may be used and disclosed to other health care providers for treating the patient and with other covered entities for payment for the health care provided to a patient. Health care operations is defined as “any of the following activities of the covered entity to the extent that the activities are related to covered functions: …(2)…conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers.” [45 CFR 164.501] Cancer-education programs or training programs for medical students, nursing students, residents, and other health professions students are considered a part of health care operations. The HIPAA Privacy Rule allows students training in health professions and those supervising their clinical practice to have access to patients’ information under certain conditions. Students participating in clinical education experiences in a covered entity must be trained in and comply with that entity’s HIPAA policies, standards, and procedures.
An essential HIPAA principle that is central to the use or disclosure of PHI by cancer educators is the “minimum necessary standard,” which serves as a key protection criterion of the HIPAA Privacy Rule [2, p6]. When HIPAA permits use or disclosure of PHI, the minimum necessary standard requires that providers disclose or use only the minimum PHI necessary to perform their duties or for training and educational purposes. If the PHI is to be used for treatment, then clinicians and students in training can access PHI, up to and including the complete medical record [5, p6:36]. However, if the PHI is to be used outside of the clinical setting for other educational or scholarly purposes, then the use of PHI requires closer examination. Because of the minimum necessary standard, access to information does not mean that cancer educators have permission to use or share all of a patient’s PHI in every situation.
Cancer educators must understand what activities or functions are permitted by HIPAA in each of their user roles. For any given task, ask yourself: “Are you serving as a clinician providing treatment?” “Are you preparing a lecture to further your students’ knowledge of cancer?” “Are you asking students to give a case report?” A patient’s PHI can be viewed and used in a clinical setting by those who are assisting with or learning how to provide health care to patients. However, the patient’s PHI cannot automatically be included in oral or written reports to colleagues, classes, or seminars if the persons receiving the PHI are not directly involved in the health care provided to the patient.
- Anonymous data: health information that has never been labeled with patient identifiers
- Anonymized data: health information in which the identifiers are removed so there is no means to re-identify the patients
- De-identified data: health information in which all 18 identifiers have been removed, but there is a means for re-identifying patients if the need developed.
Important cancer messages can be shared for education purposes without jeopardizing the privacy and confidentiality of the patient. By de-identifying cancer patients’ information, patient-specific identifiers are not presented or discussed. Health information that does not identify a patient is not considered PHI, so such information used in an educational activity is not subject to the HIPAA Privacy Rule [5, p6:24].
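As an added illustration that is not part of the article, the following Python sketch applies the two points made above: the test that one listed identifier combined with a diagnosis equals PHI, and the de-identification step that removes the listed identifiers (dates reduced to year, ages over 89 capped). The field names, regular expressions and sample record are assumptions constructed for this example, not an exhaustive PHI detector.

```python
import re
from datetime import date
# Constructed heuristics for listed identifier categories that hide in free text; not exhaustive.
TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "url": re.compile(r"https?://\S+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
# Field names are assumptions for this example; each maps onto a listed identifier category.
DIRECT_FIELDS = {"name", "street", "city", "zip", "ssn", "mrn", "plan_id", "plate", "device_serial"}
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
def find_identifiers(record):
    """Return the identifier categories present in a record dict."""
    found = set()
    for key, value in record.items():
        if key in DIRECT_FIELDS and value:
            found.add(key)
        elif key in DATE_FIELDS and value:
            found.add("date")
        elif key == "age" and value > 89:
            found.add("age_over_89")
        elif isinstance(value, str):
            found.update(n + "_in_text" for n, p in TEXT_PATTERNS.items() if p.search(value))
    return found

def is_phi(record):
    """The article's test: one listed identifier plus a diagnosis or condition equals PHI."""
    return bool(record.get("diagnosis")) and bool(find_identifiers(record))

def de_identify(record):
    """Copy with identifiers dropped, dates reduced to year, ages over 89 capped at 90+."""
    over_89 = record.get("age", 0) > 89
    out = {}
    for key, value in record.items():
        if key in DIRECT_FIELDS or (key in DATE_FIELDS and over_89):
            continue  # for ages over 89 even the year of a date must go
        if key in DATE_FIELDS:
            key, value = key + "_year", value.year
        elif key == "age" and over_89:
            value = "90+"
        elif isinstance(value, str):
            value = re.sub("|".join(p.pattern for p in TEXT_PATTERNS.values()), "[REDACTED]", value)
        out[key] = value
    return out

SAMPLE = {  # constructed record, not real patient data
    "name": "Jane Doe", "dob": date(1952, 3, 14), "admit_date": date(2009, 11, 2), "age": 57,
    "zip": "02139", "mrn": "MRN-000123", "diagnosis": "non-Hodgkin lymphoma",
    "notes": "Follow-up scheduled; contact jane@example.com",
}
```

Passing `SAMPLE` to `is_phi` returns True because the diagnosis is paired with a name, dates, a zip code, a medical record number and an e-mail address in free text; the output of `de_identify` fails that test, which is the state a case presentation should reach before any PHI-free use.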
If, for the purpose of the educational or scholarly activity, a cancer educator needs to present specific patient information, including some of the data elements considered PHI, then the patient must authorize the use of their PHI. If a patient, who according to HIPAA is in control of his or her medical information, signs an authorization allowing his or her personal health information to be used for a case, presentation, or topic of class review, then cancer educators are permitted to use the PHI. The authorization form used must be a valid form that complies with HIPAA regulations, and it must be written in plain language. A signed HIPAA-compliant authorization allows the cancer educator to use the patient’s information as prescribed in the authorization. Under HIPAA, authorization forms should be reviewed and approved in accord with institutional policies and procedures [1, p9].
In summary, HIPAA requires all members of the workforce of a HIPAA-covered entity to successfully complete the HIPAA training designed for the covered entity. HIPAA permits cancer educators to use PHI when working with their colleagues and students in the clinical setting, although the minimum necessary standard must be followed. To use PHI outside the clinical setting, cancer educators must determine how much, if any, PHI is required for the intended purpose. The most appropriate presentation format may be anonymous or de-identified data. However, if some PHI is required for the cancer-education activity, then each patient must sign a HIPAA-compliant authorization.
Protecting and respecting the privacy of patients is the purpose of the HIPAA Privacy Rule. It is the responsibility of all users of PHI, whether primary or secondary, to protect the privacy and security of our patients and their PHI. The HIPAA regulations allow the use of PHI for cancer-educational purposes, but only in accordance with mandated privacy and security safeguards.
This article is presented to provide general information. The contents should not be considered legal advice.