Poking through the Privacy Rule

As many of us have (hopefully) completed our Security Rule (“SR”) Assessments and Remediation, the Privacy Rule (“PR”) requires significantly more thought and time, especially pursuant to the significant changes that are expected to be promulgated in 2021. Consider Subpart E — Privacy of Individually Identifiable Information. There are some who have questions about the differences between Personal Health Information (“PHI”) and Personally Identifiable Health Information (“PII”).

It is an oversimplification to claim that PII does not have any health information associated with it therefore, it may not require the same safeguards and protections as PHI. Because PII enables the identification of a particular person, it is equally dangerous in the hands of the “bad guys.” Components include things like name, address, license number, or address. Of course, this information can be extremely sensitive if it was in the hands of the wrong person (e.g., Cyber Security, Credit Card Theft). HHS Guidance on PII includes:

Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.

Often the question is asked if PII should be treated in the same manner as PHI. Well, the answer is almost always yes. Consider that PII can also cause harm to individuals if it is disclosed to those who have no need for its access. All sensitive data, just like PHI, has a significant need for protection.

The Privacy Rule requires that PHI and PII are safeguarded by establishing (and implementing as needed) policies and procedures to restore any loss of data. Just like other HIPAA regulations, generally, you are not given the exact method(s) to accomplish and comply with the task at hand. Unlike the Security Rule, the PR is process and people-driven. What do I mean by that? Well, SR regulations typically have a technical means to the end. For example, The Contingency Framework includes backups, recovery, criticality lists, and other related data access methods. The PR requires more thought. For example, “How do I respond when I am asked for PHI from one of my Patients?”

Here is an instance of a Minor’s Parent who wants to access PHI for their son. Note that the question and answer come and go from person to person, and due diligence is performed to ensure that the correct authorization is utilized. Sally is at the Clinic’s office and wants to get a copy of her young son’s medical record. She asks the Receptionist for a copy and the Receptionist is unaware of the rules related to providing medical records. The receptionist asks a co-worker, and he/she does not know either. Since neither one of them are familiar with the Privacy Rule regulations related to disclosing records to the parent of a minor, they sought the guidance of the Clinic’s Compliance Department.

The Privacy Rule §164.502(G)(3)(i) Uses and disclosures of protected health information: general rules state that under the law, a parent guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor AND the covered entity must treat this person as a personal representative.

However, if the minor has the authority to act as an individual related to health care service, the minor may consent not only to the health care service, and records are maintained but also the minor can request or deny access to the personal representative. So, in this case, either there was no denial of access to the parent, or Peter was an emancipated minor. However, in either case, staff must be trained in the regulations that govern the Privacy Rule and its future changes. Requires a bit of information, no?

Directly from the most prominent HIPAA authority, I know:

“After the HITECH Act and the Omnibus Rule, all the attention went to the HIPAA Security Rule, and rightfully so. But lost in all that is that the public policy reason for security is privacy. Privacy of confidential information including patient data, intellectual property, military defense secrets etc. The changes to the HIPAA Privacy Rule are a wakeup call to the healthcare industry, get your act together or be prepared to pay a price. Over the last year OCR has already shown a willingness to impose stiff CMPs for those organizations that fail to provide PHI in a timely manner to patients.

Something (or someone) snapped in Washington and came to the realization that without patient involvement we are never going to transition healthcare from a sickness system to a wellness system. Our current approach is unsustainable and will lead to disastrous unintended consequences. Witness the COVID pandemic. We have no way of knowing how often these will occur at this scale. OK, the Spanish Flu was about a hundred years ago but that is a single data point. What about Ebola, HIV, the return of malaria, etc., etc. These never reached the same scale, but they could have.

The reason for going into a public policy discussion is that if the law changes slow, healthcare, the most insular industry in the U.S., changes even slower. It is woefully unprepared for a shift to a consumer-centric orientation. Most compliance budgets are significantly underwater dealing with the current challenges, let alone something that shifts the paradigm right under its feet.”[i]

“Finally, minors often must rely on an adult—usually a parent—to make their health care decisions, or to exercise their rights to access PHI or authorize the disclosure of PHI.”[ii] Here is just one example of the complexity and processes associated with the existing PR.

However, PR compliance efforts may be severely impacted by changes in the future regardless of the Regime. There will be new regulations, changes to regulations, slightly modified regulations, and perhaps deleted ones. Each of these changes will require that organizations re-train their workers and put new policies and procedures in place to remain compliant with the regime.

We will be working on a new Privacy Assessment for Expresso as well as other HIPAA Survival Guide content/product updates. We plan to have an informative webinar on these HIPAA PR changes as well. We hope you will join us, so stay tuned for the webinar(s) on the forthcoming state and federal Privacy Rules!

And, by the way, due to the huge demand of last month's webinar "Privacy is dead, But Privacy Legislation Is NOT" (and the technical problems we experienced) we are redoing the webinar next Thursday, June 3, 2021, at 2:00 EST. You can register by below:

Register for the Free Webinar

[i] Carlos Leyva, https://www.dhirubhai.net/feed/update/urn:li:activity:6803779821756407808/

[ii] Responding to Requests for Minors’ Protected Health Information: Guidelines for N.C. Local Health Departments, Jill Moore UNC School of Government https://sph.unc.edu/wp-content/uploads/sites/112/2014/09/nciph-chrm-minorsconsent.pdf