Q.
Are hospitals required to comply with the HIPAA Privacy Rule?
A. Health care providers who transmit certain financial and administrative
health information electronically must comply with the Rule as of April
14, 2003. For example, if your hospital submits claims
electronically, it would be required to comply with the Rule.
Q.
Does the Privacy Rule allow my hospital to participate in this survey?
A. Yes. The Privacy Rule permits your hospital to make disclosures of
protected health information without patient authorization for public
health purposes and for research that has been approved by an
Institutional Review Board (IRB). This survey meets both of those
criteria. Click here to see the IRB approval letter for NHAMCS.
Q.
What is protected health information?
A. Protected health information includes all medical records and
other individually identifiable information used or disclosed by an entity
subject to the Privacy Rule. This would include directly
identifiable information such as patient names and other information such
as social security numbers that could be used to identify an individual.
Q.
What does my hospital have to do to participate and comply with the Privacy
Rule?
A. There are several things that would assure that your hospital is
in compliance with the Rule when participating in the survey. First,
the privacy notice that your hospital provides to your patients must
indicate that patient information may be disclosed for research or public
health purposes. Many of the model notices that have been
developed and made available by professional associations provide for
this.
Also, we have provided and made available on our website the material that your
hospital may need to verify, under the requirements of the Privacy Rule,
that it is allowed to disclose to CDC/NCHS the information requested as
part of this survey. This includes the authority under which NCHS is
collecting this information and that the information being collected is
the minimum necessary.
Finally, your hospital may need to keep track of disclosures made for this survey.
If we perform the abstraction, we will give you a document that contains
the information that you need to keep track of the disclosures. If
your staff does the abstracting of data from patient records and your
hospital accepts the data use agreement that we provide, it is not
required to account for the disclosures.
Q.
What is the data use agreement?
A. It is an agreement that describes how we may use the information
that your hospital provides to us. It was developed based on the
provision of the Privacy Rule that specified that if certain data elements
that are not directly identifiable (referred to as a limited data set)
were disclosed for research or public health purposes, these disclosures
could be made if the facility providing the data agreed to the elements of
the data use agreement. An advantage of this approach is that, since
we do not actually access identifiable information, your hospital is not
required to account for these disclosures.
Q.
Is there any other information that we need to assess to assure that our
hospital’s disclosure is authorized under the Privacy Rule?
A. No. The letter that your hospital received requesting that your
hospital participate in this survey is from the Director of the National
Center for Health Statistics, which is part of CDC. The Privacy Rule
specifies that your hospital is allowed to disclose information requested
for public health purposes to public health agencies such as CDC without
patient authorization. The Rule also states that for research
projects you may rely on documentation that we have provided indicating
that an Institutional Review Board (IRB) has approved a waiver to allow
for disclosure without patient authorization of the information we are
requesting in this survey.
Q.
What demonstrates that you are a public health authority?
A. The survey is sponsored by the CDC/National Center for Health
Statistics. CDC is a public health authority whose mission is
to protect the health of the public. The letter that we sent asking
your facility to participate was sent on official CDC/NCHS letterhead and
described our authority to conduct this survey. That letter also
made clear that the U.S. Census Bureau is acting as our data collection
agent. Finally, the Census Bureau representative has an official
identification badge.
Q.
Why do we have to account for these disclosures?
A. Under the Privacy Rule, patients have a right to an accounting of
disclosures that have been made of their identifiable information for
various purposes, including disclosures for public health and research
purposes. We will provide you with the information your hospital
needs to account for the disclosures made as part of this survey. If
hospital staff do the abstracting of data from patient records, and your
hospital accepts the data use agreement that we provide, your hospital is
not required to account for the disclosures.
Q.
Do we need to worry about whether this is the minimum necessary
information for the purposes of the project?
A. No. The Privacy Rule specifies that in providing
information to public agencies, such as CDC, you may rely on our
representation that the request constitutes the minimum necessary
information required. This issue is also considered as part of the
Institutional Review Board (IRB) approval process, and the Privacy Rule
specifies that you may rely on the documentation of IRB approval that the
information requested is the minimum necessary for the research purpose.
Q. Do we have to have an Institutional Review Board (IRB) review this
research project?
A. No. For research projects, only one IRB must review the
project and CDC’s IRB (which has the authority to review such projects
under the Regulations for the Protection of Human Subjects) has done so.
We have the IRB approval letter that indicates that a waiver has been
approved by an IRB for this survey, and contains the documentation that is
required by the Privacy Rule. If you desire, your hospital’s IRB
may review the project as well.
Q.
What if we want our Institutional Review Board (IRB) to review this
project?
A. Your IRB could verify that the IRB approval letter we have
provided adheres to the requirements of the Privacy Rule, and NHCS could
send you a copy of the materials submitted to the IRB.
Q.
Is a business associate contract required for my hospital to disclose protected
health information to NCHS for the survey?
A. No. A business associate contract is needed only when a
person or entity is conducting a function or activity to help a provider
carry out its health care function. NCHS is not a business associate
of the provider. A business associate agreement is not required.
Q.
Where can we find the requirements of the Privacy Rule?
A. The entire text of the Privacy Rule can be found at http://www.hhs.gov/ocr/hipaa/finalreg.html.
The following parts of the rule were referred to above:
Disclosures without patient authorization – 45 CFR 164.512
Disclosures for public health activities – 45 CFR 164.512(b)
Disclosures for research purposes – 45 CFR 164.512(i)
Limited data set and data use agreement – 45 CFR 164.514(e)