Family Educational Rights and Privacy Act (FERPA)
One of the first federal laws to provide specific, statutory protection for patient privacy
Family Educational Rights and Privacy Act (FERPA)
Protects individual privacy from misuse of federal records
Family Educational Rights and Privacy Act (FERPA)
Allows persons to access their records
Family Educational Rights and Privacy Act (FERPA)
Allows federal agencies to collect, maintain, use, or disseminate any educational record containing personal information
FERPA established
The Privacy Protection Study Commission
The Privacy Protection Study Commission
Allows individuals to find out what information is collected, correct inaccurate information, and control disclosure of their information
Private Health Information (PHI)
Individually identifiable health information subject to regulatory protections of the Privacy Rule
Private Health Information (PHI)
e.g., names, addresses, birthdates, SSN, phone numbers
Health Insurance Portability and Accountability Act (HIPAA)
Signed into law in 1996
Health Insurance Portability and Accountability Act (HIPAA)
Governs how PHI is used, who may use it, and the purpose for using it
Health Insurance Portability and Accountability Act (HIPAA)
Allows a covered entity to use or disclose PHI for various public health activities and purposes
Through HIPAA, the U.S. Department of Health and Human Services established
HIPAA Privacy Rule
HIPAA Privacy Rule
Protects all individually identifiable health information held or transmitted by a covered entity or its business associate
HIPAA Privacy Rule
Establishes national standards and allows the flow of health information
HIPAA Privacy Rule
Requires safeguards for PHI
HIPAA Privacy Rule
Sets limits and conditions on uses and disclosures made without an individual's authorization
HIPAA Privacy Rule
Gives patients the right to look at and obtain a copy of their health records
HIPAA Privacy Rule
PHI shall not be disclosed by covered entities without written, informed consent
HIPAA Privacy Rule
Applies to all PHI regardless of form
Health Information
Any information pertaining to the health or condition of an individual
Individually identifiable health information
Information that pertains to the provision of health care or demographic information
Covered entity
A healthcare plan, clearinghouse, or healthcare provider
Business Associate (BA)
A person or organization, not part of a covered entity's workforce, that performs functions involving PHI
Business Associate (BA)
e.g., outside consultants, outside law firm, outside transcription service, "vendor" cancer registry staff
BA Agreement
Written agreement that identifies tasks for BA that involve PHI
BA Agreement
A hospital using non-employee vendors
HIPAA Security Rule
Establishes national standards to protect individual ePHI that is created, used, or maintained by a covered entity
HIPAA Security Rule
Specifies safeguards that covered entities and their business associates must implement
HIPAA Security Rule
Safeguards through administrative, physical, and technical measures
HIPAA Security Rule
Applies to electronic PHI
Encryption
Means of scrambling information that can only be unencrypted through an appropriate key or secure receiving app
Aggregate data
Data that do not contain any elements of PHI
Health Information Technology for Economic and Clinical Health (HITECH) Act
Promotes widespread adoption and interoperability of health information technology
HITECH Final Rule
Makes BAs directly liable for compliance with certain aspects of HIPAA Rules
HITECH Final Rule
Increases limitations of use of PHI for fundraising and marketing
HITECH Final Rule
Gives authority to the Office of Civil Rights (OCR) to increase enforcement of HIPAA privacy violations
Breach
An impermissible use or disclosure under the Privacy Rule compromising the security or privacy of PHI