Get Up To Date On Details of New De-Identification Guidance & Other HIPAA Developments By Participating In 12/12 HIPAA Update Web Workshop
Health care providers, health plans, health care clearinghouses (covered entities) and their business associates and leadership should check and update their policies and practices for the de-identification of protected health information (PHI) in light of newly-released Guidance Regarding Methods for De-identification of Protected Health Information in Accordance With the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (Guidance) released by the Department of Health & Human Services (HHS) Office of Civil Rights yesterday (November 26, 2012).
Solutions Law Press, Inc. will host a one-hour, online HIPAA Update Workshop on the Guidance and other recent regulatory and enforcement developments under HIPAA for covered entities and their business associates on Wednesday, December 12 beginning at Noon Central Time. To register, see here.
PHI collected by health care providers, health plans, their management, sponsors, and vendors often includes a wealth of information valuable for use for functions unrelated to the HIPAA-covered functions and activities that lead covered entities or their business associates to collect or keep this data. While it might be tempting to repurpose this information for business planning and marketing purposes, covered entities and their business partners or associates frequently assume that covered entities and others that they deal with must take proper steps to ensure that no PHI is used, accessed, disclosed or shared unless that action is allowed under the Privacy Rules, properly de-identified, or both.
When planning to rely upon the de-identification of PHI to engage in these activities, parties planning to rely upon HIPAA’s exception for de-identified PHI will want to consult new guidance just released by OCR about the de-identification requirements before moving forward. Existing Privacy Rules and the Guidance recognize two alternative methods that covered entities and their business associates can use to properly de-identify PHI for purposes of the HIPAA Privacy Rule.
OCR published the Guidance to help covered entities understand what qualifies as de-identification, the general process by which de-identified information is created, and the options available for performing de-identification for purposes of the HIPAA Privacy Rule. The publication of this guidance was mandated as part of amendments to HIPAA enacted by the Health Information Technology for Economic and Clinical Health (HITECH) Act included in the American Recovery and Reinvestment Act of 2009 (ARRA). Section 13424(c) of the HITECH Act requires HHS to issue guidance on how best to implement the requirements for the de-identification of health information contained in the Privacy Rule.
De-identification & Its Rationale Under Privacy Rule
The Privacy Rule was designed to protect individually identifiable health information through permitting only certain uses and disclosures of PHI provided by the Rule, or as authorized by the individual subject of the information. However, in recognition of the potential utility of health information even when it is not individually identifiable, §164.502(d) of the Privacy Rule permits a covered entity or its business associate to create information that is not individually identifiable by following the de-identification standard and implementation specifications in Privacy Rule §164.514(a)-(b). These provisions allow the entity to use and disclose information that neither identifies nor provides a reasonable basis to identify an individual provided the Covered Entity can show that the PHI has been de-identified in accordance with either the Expert Determination Method or the Safe Harbor Method of the de-identification standard of the Privacy Rule and is not re-identified. Regardless of the method used to de-identify PHI, the Privacy Rule does not restrict the use or disclosure of de-identified health information, as it is no longer considered PHI and is not re-identified.
Privacy Rule De-Identification Implementation Standards Permit Alternative Methods of De-identification
Section 164.514(a) of the HIPAA Privacy Rule provides the standard for de-identification of protected health information. Under this standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual. See Privacy Rule § 164.514.
Sections 164.514(b) and (c) of the Privacy Rule contain the implementation specifications that a covered entity must follow to meet the de-identification standard. As summarized in Figure 1, the Privacy Rule provides two methods by which health information can be designated as de-identified:
- The formal determination by a qualified expert in accordance with the Privacy Rule (Expert Determination Method); or
- The removal of specified individual identifiers as well as absence of actual knowledge by the covered entity that the remaining information could be used alone or in combination with other information to identify the individual (Safe Harbor Method).
In order for PHI to qualify as de-identified under the “Expert Determination Method,” Privacy Rule § 164.514(b)(1) requires that a person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
- Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
- Documents the methods and results of the analysis that justify such determination.
Alternatively, Privacy Rule § 164.514(b)(2) provides that PHI will qualify as de-identified under the Safe Harbor Method if:
- All of an extensive list of identifiers of the individual or of relatives, employers, or household members of the individual, are removed from the data; and
- The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
As long as the data is not re-identified, the Guidance indicates that a covered entity may prove fulfillment of the de-identification standard of Privacy Rule §164.514(a) by showing satisfaction of all applicable requirements of either method. Under the Privacy Rule, de-identified health information created following these methods is no longer protected by the Privacy Rule because it does not fall within the definition of PHI. Of course, de-identification leads to information loss which may limit the usefulness of the resulting health information in certain circumstances. Consequently, covered entities may wish to select de-identification strategies that minimize such loss.
Both alternatives for de-identification under the Privacy Rule require that covered entities and their business associates decide whether and how to keep the option for re-identification of PHI slated for de-identification and where applicable, appropriately manage the re-identification opportunity and data to avoid violation of the Privacy Rule.
According to the Privacy Rule, if a covered entity or business associate successfully undertook an effort to identify the subject of de-identified information it maintained, the health information now related to a specific individual would again be protected by the Privacy Rule, as it would meet the definition of PHI. Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified is also considered a disclosure of PHI. In this regard, Privacy Rule §164.514(c) specifies that if the covered entity assigns a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, the means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; it can’t use elements of the protected PHI as the re-identification key, must safeguard the key, and can’t use or disclose the key or other re-identification tool for any other purpose.
Preparing For, Guiding & Documenting The De-identification Process For Defensibility
The Guidance stresses that the importance of documentation for which values in health data correspond to PHI, as well as the systems that manage PHI and its risk of identification or re-identification in the de-identification process, cannot be overstated.
The Guidance helps guide covered entities and their business associates through the steps and analysis of using the Expert Determination versus Safe Harbor Method. A review of this Guidance makes clear that the design and administration of the de-identification process under either method requires careful and well-documented planning, analysis and implementation to fulfill and to keep the documentation that a covered entity or business associate might need to defend its decision to treat and use PHI as de-identified under the Privacy Rule against a potential audit or enforcement inquiry. The Guidance also seeks to further illuminate the requirements for effective de-identification through a series of questions and answers, supplemented by work flow and other charts, examples and other illustrations and tips on the proper use of each alternative Method and managing risks and the process associated with that Method. A Glossary of Terms also is shared. The discussion in the Guidance makes clear that covered entities and their business associates using either Method to de-identify PHI should be prepared to make a number of judgments about which Method to use, whether and how to make arrangements for re-identification, and how to properly manage the process to meet the requirements of the implementation standard and manage re-identification or other risks.
Register For 12/12 HIPAA Update Web Workshop To Catch Up On De-Identification Guidance & Other HIPAA & Texas HIPAA Regulatory & Enforcement Developments
Training and compliance mandates applicable to covered entities and their business associates under the newly strengthened Texas HIPAA law and HIPAA’s Privacy and Breach Notification Rules make it more important than ever that covered entities and their business associates get the timely training and other assistance needed to properly comply with requirements for the protection of PHI under the new Guidance and other HIPAA and Texas HIPAA mandates.
To aid in this process, Solutions Law Press, Inc. will host a 2012 HIPAA Update Web Workshop covering the new Guidance on de-identification and other regulatory and enforcement developments under HIPAA and the newly amended Texas HIPAA law on December 12, 2012 from 1:00 P.M. - 2:00 P.M. Eastern | Noon - 1:00 P.M. Central | 11:00 A.M. - Noon Mountain | 10:00 A.M. - 11:00 A.M. Pacific Time.
Expanded health care privacy mandates of the Texas Medical Records Privacy Act that take effect September 1, 2012 and HIPAA regulations require covered entities and their business associates to conduct training and take other steps to protect the privacy and security of PHI.
Complete HIPAA Training While You Catch Up On The Latest On HIPAA & Texas Medical Records Privacy Rules & Get Helpful Compliance And Risk Management Tips!
Health care providers, health plans, and health care clearinghouses face new imperatives to strengthen their HIPAA and other procedures for handling protected health information and other sensitive information to manage expanding risks and responsibilities arising from evolving rules, expanding enforcement and oversight, and rising penalties and other liabilities.
Expanded health care privacy mandates of the Texas Medical Records Privacy Act that take effect September 1, 2012 and HIPAA regulations require covered entities and their business associates to conduct training and take other steps to protect the privacy and security of personal health information (PHI) and certain other information.
The $4.3 million HIPAA Civil Monetary Penalty and growing list of $1 million plus resolution payments announced by the Office of Civil Rights, coupled with its commitment to investigate all large breaches reported under the HITECH Act Breach Notification Rule and other stepped up enforcement and newly initiated audit activities, send a clear signal that HIPAA-covered entities and their business associates face significant exposures for failing to appropriately manage their HIPAA and other responsibilities when handling protected health information. Meanwhile, Texas House Bill 300 has raised maximum state civil penalties for unlawful disclosures of Protected Health Information under the Texas Medical Records Privacy Act from $5,000 to $1.5 million per year. Meanwhile, HITECH Act amendments to HIPAA require covered entities to provide notification of certain breaches while Texas House Bill 300 adds its own specific requirements to provide notice of certain breaches of computerized data containing sensitive personal information.
With Texas House Bill 300 expanding covered entities’ responsibilities and liabilities and OCR issuing new regulations and other guidance to implement amendments to the HIPAA Privacy & Security Standards and implement and enforce the HITECH Act Breach Notification Rule, health care providers, health plans and insurers, their brokers, third-party administrators, and other covered entities, as well as their business associates and employer and union clients must review and tighten their policies, practices, business associate and other contracts, and enforcement to manage HIPAA and other compliance and manage risks arising from the access, collection, use, protection and disclosure of PHI to meet expanding mandates and to guard against growing liability exposures under HIPAA and other federal and state laws.
Solutions Law Press, Inc. invites you to catch up on the latest on these and other key HIPAA requirements and enforcement and learn tips for managing risks and liabilities by participating in the “HIPAA Update Workshop” on Wednesday, December 12, 2012 via WebEx for a registration fee of $125.00.
Pre-approved for various types of continuing and professional education credit, the December 12, 2012 HIPAA Update Workshop will brief participants on the De-Identification Guidance as well as the latest on other regulatory and enforcement guidance under the HIPAA Privacy, Security and Breach Notification rules and guidance and share compliance and risk management lessons emerging from recent OCR enforcement and audit activities and other selected federal and state litigation and enforcement actions impacting the handling of protected health information. Among other things, the workshop will cover:
- The De-Identification Guidance just released by OCR on November 26, 2012;
- The latest HIPAA Privacy, Security & Breach Notification Guidance, Audits & Enforcement
- Highlights Texas House Bill’s Amendments To Texas Medical Records Privacy Law That Took Effect September 1, 2012
- Post HITECH Act Heightened Liability Risks: Audits, Civil Penalties, Criminal Penalties & State Lawsuits
- Expansion of HIPAA Responsibilities & Liabilities To Business Associates & What Covered Entities & Business Associates Should Do In Response
- HIPAA Data Breach Notification Requirements
- Practical Challenges & Strategies For Managing These Responsibilities
- Tips For Coordinating HIPAA & Other Federal & State Medical Privacy, Financial Information, Identity Theft & Data Security Compliance and Risk Management
- Practical Strategies For Monitoring & Responding To New Requirements & Changing Rules
- Participant Questions
About The Speaker
The workshop will be conducted by attorney Cynthia Marcotte Stamer. A Fellow in the American College of Employee Benefits Counsel, recognized in International Who’s Who, North Texas Health Care Compliance Professionals Association Vice-President and Board Certified in Labor & Employment Law, attorney Cynthia Marcotte Stamer has 25 years’ experience advising and representing private and public health care providers, employers, employer and union plan sponsors, employee benefit plans, associations, their fiduciaries, administrators, and vendors, group health, Medicare and Medicaid Advantage, and other insurers, governmental leaders and others on privacy and data security, health care, health and other employee benefit, employment, insurance and related matters. A well-known and prolific author and popular speaker, Ms. Stamer has worked extensively with health care providers, health plans and other payers, health and insurance IT and data systems, and others on HIPAA and other privacy and data security concerns. She served as the scrivener for the ABA JCEB Agency Meetings with the Office of Civil Rights on HIPAA Privacy for the past two years. She presently serves as Co-Chair of the ABA RPTE Section Welfare Plan Committee, Vice Chair of the ABA TIPS Employee Benefit Committee, an ABA Joint Committee on Employee Benefits Representative, an Editorial Advisory Board Member of the Institute of Human Resources (IHR/HR.com) and Employee Benefit News, and various other publications. A primary drafter of the Bolivian Social Security privatization law with extensive domestic and international regulatory and public policy experience, Ms. Stamer also has worked extensively domestically and internationally on public policy and regulatory advocacy on HIPAA and other privacy and data security risks and requirements as well as a broad range of other health, employee benefits, human resources, insurance, tax, compliance and other matters and representing clients in dealings with OCR and other HHS agencies, as well as the Departments of Labor, Treasury, Federal Trade Commission, HUD and Justice, Congress and state legislatures, and various state attorneys general, insurance, labor, worker’s compensation, medical licensure and disciplinary and other agencies and regulators. A prolific author and popular speaker, Ms. Stamer regularly authors materials and conducts workshops and professional, management and other training on HIPAA and other privacy, health care, employee benefits, human resources, insurance and related topics for the ABA, Aspen Publishers, the Bureau of National Affairs (BNA), SHRM, World At Work, Government Institutes, Inc., the Society of Professional Benefits Administrators and many other organizations. Her insights on privacy and other matters are quoted in Modern Healthcare, HealthLeaders, Benefits, Caring for the Elderly, The Wall Street Journal and many other publications. She also regularly serves on the faculty and planning committees of a multitude of symposium and other educational programs. For more details about Ms. Stamer’s services, experience, presentations, publications, and other credentials or to ask about arranging counseling, training or presentations or other services by Ms. Stamer, see www.CynthiaStamer.com.
The Registration Fee is $125.00 per person. Registration Fee Discounts are available for groups of three or more. Pre-payment is required via website registration through PayPal. No checks or cash accepted. Persons not registered at least 48 hours in advance will only participate subject to system and space availability.
Continuing Education Credit
The HIPAA Update Workshop is approved to be offered for general certification credit by the State Bar of Texas, Texas Department of Insurance, HRCI and WorldAtWork education credit for the time period offered, subject to fulfillment of all applicable accrediting agency requirements and completion of required procedures. Note that the applicable credentialing agency retains the final authority to determine whether an individual qualifies to receive requested continuing education credit. Neither Solutions Law Press, Inc., the speaker nor any of their related parties guarantees the approval of credit for any individual or has any liability for any denial of credit. Special fees or other conditions may apply. CANCELLATION & REFUND POLICY: In order to receive credit, cancellation (either fax or mail) must be received at least 48 hours in advance of the meeting and is subject to a $10.00 refund processing fee. Refunds will be made within 60 days of receipt of written cancellation notice.
About Solutions Law Press, Inc.™
Solutions Law Press, Inc.™ provides business and management information, tools and solutions, training and education, services and support to help organizations and their leaders promote effective management of legal and operational performance, regulatory compliance and risk management, data and information protection and risk management and other key management objectives. Solutions Law Press, Inc.™ also conducts and assists businesses and associations to design, present and conduct customized programs and training targeted to their specific audiences and needs. For additional information about upcoming programs, or to explore becoming a presenting sponsor for an upcoming event, e-mail your request to info@Solutionslawpress.com. These programs, publications and other resources are provided only for general informational and educational purposes. Neither the distribution or presentation of these programs and materials to any party nor any statement or information provided in or in connection with this communication, the program or associated materials is intended to or shall be construed as establishing an attorney-client relationship, to constitute legal advice or provide any assurance or expectation from Solutions Law Press, Inc., the presenter or any related parties. If you or someone else you know would like to receive future Alerts or other information about developments, publications or programs or other updates, send your request to firstname.lastname@example.org. If you would prefer not to receive communications from Solutions Law Press, Inc. send an e-mail with “Solutions Law Press Unsubscribe” in the Subject to email@example.com. CIRCULAR 230 NOTICE: The following disclaimer is included to comply with and in response to U.S. Treasury Department Circular 230 Regulations. ANY STATEMENTS CONTAINED HEREIN ARE NOT INTENDED OR WRITTEN BY THE WRITER TO BE USED, AND NOTHING CONTAINED HEREIN CAN BE USED BY YOU OR ANY OTHER PERSON, FOR THE PURPOSE OF (1) AVOIDING PENALTIES THAT MAY BE IMPOSED UNDER FEDERAL TAX LAW, OR (2) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY TAX-RELATED TRANSACTION OR MATTER ADDRESSED HEREIN. If you are an individual with a disability who requires accommodation to participate, please let us know at the time of your registration so that we may consider your request.
©2012 Solutions Law Press, Inc. All Rights Reserved.