ICPA The Patient Safety Software Experts


Issue 6 - January 2003: HIPAA COMPLIANCE – SENDING SYNDROMIC SURVEILLANCE DATA TO PUBLIC HEALTH

________________________________________________________________________________

HIPAA COMPLIANCE – SENDING SYNDROMIC SURVEILLANCE DATA TO PUBLIC HEALTH

Knowing that the final HIPAA privacy regulations take effect on April 14, 2003, many facilities have asked what issues should be considered before sending patient information such as syndromic surveillance data to public health authorities. To address this question, let’s step back and look at HIPAA.

Overview
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) served a number of purposes, including health insurance portability between employers, combating health care fraud and abuse, administrative simplification, and the privacy and security of health information.

It is the privacy provisions that are most relevant to this discussion. HIPAA section 264 directed the HHS Secretary to promulgate privacy regulations if Congress did not enact privacy legislation by August 1999 (those regulations, the Privacy Rule, are codified at 45 CFR Part 164). Congress did not act by the deadline, so the HHS Secretary proposed a health information privacy rule on November 3, 1999. (1) The final rule was issued in December 2000, the amended final rule was issued on August 9, 2002 (2), and covered entities must comply by April 14, 2003.

Now some HIPAA definitions:
“Covered entities” are:
- Health care providers who transmit health information electronically in connection with standard transactions such as claims
- Health plans
- Health care clearinghouses

“Protected health information” (PHI) is individually identifiable health information: information about an individual's health, care, or payment for care that identifies the individual, or could reasonably be used to do so, and is transmitted or maintained in any form, including verbal, paper or electronic media. (1, 4)

De-identified information is not PHI. Under the Privacy Rule's “safe harbor” method, de-identified data contains none of the listed direct identifiers, such as patient name, street address, ZIP code (only the first 3 digits may be kept, and only if the area they cover has a population greater than 20,000), or any date element more specific than the year (birth dates, admission and discharge dates, etc.). (1) The alternative, a documented determination by a qualified expert, is discussed under Data Type below.

Sharing Data with Public Health
If a covered entity needs to share PHI with anyone, it is usually required to sign a formal “Business Associate Agreement” with the receiving party. However, public health authorities are given a special exemption. HIPAA permits disclosing PHI to a public health authority whenever it is required by law, or required for public health activities. In this case, neither patient consent nor a “Business Associate Agreement” is required.

What are “public health activities”?
HIPAA defines them as “preventing or controlling disease, injury, or disability, including but not limited to, the reporting of disease, injury, vital events…, and the conduct of public health surveillance, …investigations, and… interventions.” (1)

Data Type
The ‘minimum necessary’ standard applies to public health disclosures that are permitted but not required by law: the covered entity should disclose only the PHI needed for the stated purpose, and it may rely on the public official's representation of what data is needed. (1) Disclosures that are required by law are exempt from the minimum necessary standard. A separate route is expert determination: if an appropriately qualified individual determines and documents that the risk of identifying individuals from the data is very small, the data is de-identified and is no longer PHI at all.

Limited Data Set
In addition to the rules above for sharing information with anyone, the HIPAA Final Privacy Rule also created a special mechanism, the “Limited Data Set”, for sharing information used for research, public health, or health care operations such as quality improvement. (4)

To share a “Limited Data Set”, a covered entity must enter into a “Data Use Agreement” with the recipient. This agreement may be a formal contract or a memorandum of understanding. (4) It must state the permitted uses of the data, require appropriate safeguards for it, and specify that the recipient will not attempt to re-identify the data or contact the individuals. (1)

Identifiers that must be removed from a “Limited Data Set” are: name; street address; phone and fax numbers; e-mail address; SSN; certificate and license numbers; vehicle identifiers and serial numbers; URLs and IP addresses; full-face photos and comparable images; medical record numbers, health plan beneficiary numbers and other account numbers; device identifiers and serial numbers; and biometric identifiers. (4)

Identifiers that may remain in a “Limited Data Set” are: the 5-digit ZIP code and other geographic subdivisions such as state, county, city or precinct (but not street address), and dates such as admission, discharge, service and death dates, as well as age. (4) Because these remain, a Limited Data Set is still PHI, which is why the Data Use Agreement is required.
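As an added worked example (not code from the article or from ICPA), the following Python applies the two data reductions discussed on this page, the Limited Data Set of this section and the de-identification of the earlier section, to a constructed syndromic surveillance record. The field names, the sample record and the ZIP population table are assumptions for illustration; the identifier lists follow the Privacy Rule as the article summarizes it, plus the safe harbor rules on ZIP prefixes, date elements and ages over 89 (45 CFR 164.514(b)). It assumes the recipient is a research center or vendor rather than a public health authority, since a public health authority may receive the full PHI.

```python
# Added example, not from the ICPA article. Field names, the sample record and
# the ZIP population table are constructed for illustration.
from datetime import date
from typing import Any

# The 16 direct identifiers a Limited Data Set must not contain (45 CFR 164.514(e)).
LDS_DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "phone", "fax", "email", "ssn",
    "certificate_license_number", "vehicle_id", "url", "ip_address",
    "full_face_photo", "mrn", "health_plan_id", "account_number",
    "device_id", "biometric",
})

# Safe harbor de-identification (164.514(b)(2)) additionally generalizes dates,
# ages and geography. These are the date and sub-state fields in our constructed
# record layout (an assumption; adapt to the real feed's field names).
DATE_FIELDS = frozenset({"birth_date", "admit_date", "discharge_date", "death_date"})
SUB_STATE_GEOGRAPHY = frozenset({"city", "county", "precinct"})

# Constructed population table keyed by 3-digit ZIP prefix. Safe harbor keeps the
# prefix only when the area it covers has more than 20,000 residents.
ZIP3_POPULATION = {"787": 1_500_000, "036": 12_000}

# Constructed sample record; not real patient data.
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Doe", "mrn": "000123", "ssn": "000-00-0000",
    "street_address": "1 Main St", "city": "Austin", "state": "TX", "zip": "78746",
    "birth_date": date(1910, 5, 2), "age": 92,
    "admit_date": date(2003, 1, 4), "chief_complaint": "fever, cough",
    "syndrome": "ILI",
}


def limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Drop the direct identifiers. Dates, age, 5-digit ZIP and city/state are
    kept, so the result is still PHI and needs a Data Use Agreement."""
    return {k: v for k, v in record.items() if k not in LDS_DIRECT_IDENTIFIERS}


def safe_harbor_zip(zip5: str) -> str:
    """Keep the 3-digit prefix if its area has more than 20,000 people, else '000'."""
    prefix = zip5[:3]
    return prefix if ZIP3_POPULATION.get(prefix, 0) > 20_000 else "000"


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Safe harbor de-identification: the result is no longer PHI."""
    out = limited_data_set(record)
    for field in SUB_STATE_GEOGRAPHY:
        out.pop(field, None)              # only state and the ZIP prefix may remain
    if "zip" in out:
        out["zip"] = safe_harbor_zip(out["zip"])
    age = out.get("age")
    over_89 = isinstance(age, int) and age > 89
    if over_89:
        out["age"] = "90+"                # ages over 89 are aggregated
    for field in DATE_FIELDS:
        if field not in out:
            continue
        value = out[field]
        # Only the year of a date may survive, and not even that when it would
        # reveal an age over 89 (the birth year of a 92-year-old does).
        if not isinstance(value, date) or (over_89 and field == "birth_date"):
            out[field] = None
        else:
            out[field] = value.year
    return out


if __name__ == "__main__":
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
    print("de-identified:   ", deidentify(SAMPLE_RECORD))
```

Note the asymmetry the two functions make visible: the Limited Data Set still carries the full admission date, the 5-digit ZIP and the city, which is exactly what keeps it PHI and requires the Data Use Agreement, while the safe harbor output keeps only the year, the ZIP prefix and the state. A feed going to a public health authority for surveillance needs neither reduction.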

In conclusion
HIPAA provides several mechanisms by which health care facilities may provide syndromic surveillance data to public health. The Privacy Rule does not supersede the laws, present in all 50 states, that permit sharing PHI needed for disease control and prevention with public health entities, and a disclosure to a public health authority requires neither patient authorization nor a Business Associate Agreement. If, on the other hand, the patient data will be used for research rather than “public health activities”, a “Limited Data Set” may still be sent to the data collection center, provided a Data Use Agreement is in place and the direct identifiers have been removed. Therefore, when sending syndromic surveillance data, consider whether it is requested by and delivered directly to a public health agency, or whether it is being received by a private vendor or research facility. If the data is not going directly to a public health authority, a Business Associate Agreement (for a vendor handling the data on the facility's behalf) or a Data Use Agreement covering a Limited Data Set (for research) is required.

(1) http://www.nyam.org/events/syndromicconference/presentationpdf/claire_broome.pdf
(2) http://www.hipaadvisory.com/news/NewsArchives/Stories/HHS080902.htm
(3) http://www.tdh.state.tx.us/hipaa/default.htm
(4) http://www.hhs.gov/ocr/hipaa/privrulepd.pdf



Copyright © 2008 ICPA, Inc. All rights reserved. (800) 426-8015 ext. 224 • sales@icpa.net
515 South Capital of Texas Highway, Suite 240 • Austin, Texas 78746-4305