Protected Health Information in University Archives Hiding Information or Providing Access in Archives (HIPAA) Erik Moore, Project Archivist University of Minnesota


Post on 14-Dec-2015


Protected Health Information in University Archives

Hiding Information or Providing Access in Archives (HIPAA)

Erik Moore, Project Archivist, University of Minnesota


Project Background

Academic Health Center History Project (Univ. of MN)
– What is the history of the AHC?
– What is needed to tell it?

Goals
– To identify, collect, and make available the institutional and historical documentation of the AHC
– Ensure that this documentation is preserved
– Follow professional standards and local, state, & federal policies


What is the Privacy Rule?

Is short for the regulation “Standards for Privacy of Individually Identifiable Health Information” [45 CFR 160 & 164], the companion piece to the Health Insurance Portability & Accountability Act (HIPAA) of 1996

The purpose of the Privacy Rule is to establish minimum standards for safeguarding the privacy of individually identifiable health information or PHI (Protected Health Information)

Meant to protect privacy of people during the course of care or when seeking access to insurance


What is the Privacy Rule?

Establishes 18 elements that are considered identifiable pieces of information including name, address, most dates, SSN, URLs, IP addresses, biometrics & full face photos, and all other unique identifiers

Applies to all instances of PHI in any format or context regardless of when it was created including “incidental exposures.”


Quick Definitions

A Covered Entity is a health plan, health care clearinghouse, or a health care provider who transmits health information in electronic form in connection with a covered transaction. They can be institutions, organizations, or persons. The Privacy Rule applies to all covered entities.

A Hybrid Entity is a single institution that performs functions that are both covered and non-covered under the Privacy Rule and can separate the health care components from non health care components within the entity. The Privacy Rule only applies to the covered components or areas for which they have oversight.

A Business Associate is a separate entity contracted to provide some of the functions of a covered entity including the handling of PHI.


Key Points Regarding HIPAA

The Privacy Rule in HIPAA applies only to covered entities; it does not apply to all persons or institutions that collect individually identifiable health information.
– Federal agencies are exempt such as NIH’s Library of Medicine.

Other non covered institutions may also be exempt.

The Privacy Rule in HIPAA pertains only to PHI created or collected by a covered entity. Personal health information created or collected by a non-covered entity does not have to comply with the Privacy Rule.
– Letters written by doctors to patients are covered. Letters written by patients to health professionals are not.


Key Points Regarding HIPAA

The Privacy Rule does not "pass through" its requirements to business associates; instead, it requires, typically by contract, satisfactory assurances to the safeguarding of information.
– A business associate contracted to handle a function of a covered entity (e.g. records management) is subject to the contract, not the Privacy Rule.
– A covered entity is not responsible for any violations a business associate may incur.
– The contract cannot allow the business associate to use or disclose PHI for its own purposes.


Key Points Regarding HIPAA

De-identified health information is not PHI and thus not protected by the Privacy Rule.
– Providing access to a document without any of the 18 PHI elements is not a violation of the Privacy Rule.

Enforcement of the Privacy Rule is complaint driven. Covered entities will not be periodically audited or monitored.
– There is a level of risk management involved in allowing access to collections that contain or could potentially contain PHI. However, a “don’t ask, don’t tell” policy is not a legitimate professional response.


The University of Minnesota

The University of Minnesota is designated as a hybrid entity and has designated the health care components of the University that are covered by the Privacy Rule.

The Academic Health Center (AHC) is a covered entity component of the University of Minnesota.

The University Archives, a unit of the University Libraries, is a non-covered entity component of the University of Minnesota and is not subject to the Privacy Rule.


The University of Minnesota

If the University Archives is not a covered entity, what is the level of access?
– The Archives are subject to University wide policy for protecting privacy which is more stringent than HIPAA
– University policy does not differentiate between covered and non covered components
– Policy mirrors the Privacy Rule by releasing health information for research if a waiver is obtained, IRB approval is granted, information is de-identified, or if it is part of a limited data set
– Limited models for operation of university archives with PHI

Non covered archives should look toward covered & exempt archives as guide
– The Alan Mason Chesney Medical Archives at Johns Hopkins
– Archives & Special Collections at Columbia University Medical Center
– NIH’s National Library of Medicine


HIPAA and Archival Work: Traditional Approaches

Restrict access to only covered entity personnel/IRB approved research
– Material that comes from a covered entity would only be available to that covered entity and its associates. Additional access may be provided via application through the Institutional Review Board or Privacy Board.

Item level processing until the collection is either cleared or flagged as containing PHI
– Labor intensive process that would be reserved for high priority collections.

Review/redacting of materials at the time of research request
– Labor intensive process that would involve staff reviewing collections on an as needed basis. Potential for error.


HIPAA and Archival Work: Alternative Approaches

The Business Associate Model
– If archives are Business Associates, would we be limited in providing access to only the covered entity? Can a Business Associate model exist within a hybrid entity? No clear answer from HHS.

Providing Access with Provisions
– Burden is on the researcher to comply with the Privacy Rule. Use provisions ask researchers not to record or publish incidental PHI found within archival materials. Doing so would result in loss of research privileges and/or a report to the journal or professional society.


HIPAA and Archival Work: Alternative Approaches

Online Access and EAD Finding Aids
– The HIPAA Compliant Finding Aid (NHPRC Electronic Records Fellowship, N. McCall & C. Arnott Smith) brings together two XML standards EAD & CDA (Clinical Document Architecture) in electronic health records
– Comparison with historic medical records and current electronic templates are consistent

“More Product, Less Process” Method
– If our own benchmarks (and those of our granting agencies) are on a trend away from item level work, how will we know if collections contain PHI?
– MPLP and the Privacy Rule are both risk management methods – look to formulate a bridge between the two


Archivists & HIPAA

Boundaries of use under the Privacy Rule will be determined by our own actions. Like copyright, if we do not exercise the rights provided we will see them recede rather than expand.
– Items marked with a © may actually be public domain
– Question everything labeled as having a protected status
– Users are increasingly liable for copyright

Stephen Novak reminds us that we do have a voice in how these materials are handled within our own archives.
– Secretary of HHS can amend HIPAA each year
– Stephen Novak & Nancy McCall’s testimony to the National Committee on Vital & Health Statistics
– Establish limits for the passage of time and incidental exposures


Archivists & HIPAA

In absence of guidelines, look for precedents
– The Privacy Rule [45 CFR 164.501] defines research as “a systematic investigation, including research development, testing, and evaluation, designed to develop or contribute to generalizable knowledge”
– In regards to IRBs and oral history, HHS does not equate human subject research with historical research stating:

While historians reach for meaning that goes beyond the specific subject of their inquiry, unlike researchers in the biomedical and behavioral sciences they do not reach for generalizable principles of historical or social development, nor do they seek underlying principles or laws of nature ... Historians explain a particular past; they do not create general explanations about all that has happened in the past, nor do they predict the future.

– Is the answer to the way we manage the collections in the definition of research?


References & Resources

Catherine Arnott Smith & Nancy McCall, “Developing the HIPAA-Aware Finding Aid” NHPRC Electronic Records Research Fellowship Program 2005-2006. Accessed 13 March 2007. http://www.library.vcu.edu/tml/speccoll/mccall-poster.pdf.

Lesley Brunet, “Documenting Cancer Medicine and Science at The University of Texas M.D. Anderson Cancer Center” Archival Elements (2006). Accessed 3 April 2007. http://www.archivists.org/saagroups/sthc/aelements2006.html.

Timothy Ericson & Jodi Koste, “Letter from SAA to HHS Secretary Tommy Thompson Regarding HIPAA” The Watermark 27 (Winter 2003-04). Accessed 7 February 2007. http://www.library.ucla.edu/libraries/biomed/alhhs/lettertommythompson.html.

Nancy McCall, “The Impact of the HIPAA Privacy Rule on the Ability to Access and Utilize Archives” Testimony of Nancy McCall. Panel 3--Decedent Health Information, Subcommittee on Privacy and Confidentiality, National Committee on Vital and Health Statistics. Accessed 13 March 2007. http://www.ncvhs.hhs.gov/050111p6.pdf.


Stephen E. Novak, “The Health Insurance Portability and Accountability Act of 1996: Its Implications for History of Medicine Collections” The Watermark 26 (Summer 2003). Accessed 30 March 2007. http://www.library.ucla.edu/libraries/biomed/alhhs/articlehealthinsuranceportability.html.

_____, Testimony of Stephen Novak. Panel 3--Decedent Health Information, Subcommittee on Privacy and Confidentiality, National Committee on Vital and Health Statistics. Accessed 13 March 2007. http://www.ncvhs.hhs.gov/050111p5.htm.

Oral History Association, “Institutional Review Boards and Human Subjects Research.” Accessed on 3 April 2007. http://omega.dickinson.edu/organizations/oha/mem_li.html.

US Department of Health & Human Services, Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule. Accessed 30 March 2007. http://privacyruleandresearch.nih.gov/pdf/HIPAA_Booklet_4-14-2003.pdf.


US Department of Health & Human Services, National Institutes of Health, National Library of Medicine, “Access to Health Information of Individuals.” Accessed 30 March 2007. http://www.nlm.nih.gov/hmd/manuscripts/phi.pdf.

US Department of Health & Human Services, Office for Civil Rights, “Standards for Privacy of Individually Identifiable Health Information.” Accessed 30 March 2007. http://www.hhs.gov/ocr/hipaa/finalmaster.html.

University of Minnesota, “Academic/Administrative Policy 2.10.1.: Administration & Oversight for Protection of Individual Health Information (HIPAA).” Accessed 30 March 2007. http://www.fpd.finop.umn.edu/groups/ppd/documents/policy/hippaindinfopol.cfm.

See also the Science, Technology & Health Care Roundtable (STHC) and the Archivists and Librarians in the History of the Health Sciences (ALHHS) “HIPAA Resource Page.” Accessed 7 February 2007. http://www.library.vcu.edu/tml/speccoll/hipaa.html.