From the Newsletter of the Archivist and Librarians in the History of the Health Sciences
The Health Insurance Portability and Accountability Act of 1996: Its Implications for History of Medicine Collections
By Stephen E. Novak
(Readers should be aware that the author is not a lawyer; in addition, lawyers at different institutions are interpreting HIPAA in various and sometimes contradictory ways. Any procedures you establish at your library or archives regarding HIPAA must be discussed first with your institution’s lawyers.)
HIPAA, the Health Insurance Portability and Accountability Act of 1996, is – to simplify a bit – a law designed to make it easier for Americans to obtain and retain health insurance. Among other things, HIPAA created for the first time federal guidelines for the protection of “personally identifiable health information” or as it is generally called “Protected Health Information” or PHI.
As a consequence of this, a provision of the Act required the Secretary of the Department of Health & Human Services to issue regulations governing the use of “individually identifiable health information” if Congress did not enact such a privacy rule within 3 years of the passage of HIPAA. Congress did not, so HHS published the first draft of the HIPAA “Privacy Rule” in Nov. 1999; it was issued in a “final” form in Dec. 2000; however, HHS proposed further modifications to the Rule in March 2002. These were published in their final form in August of that year. Date for compliance for most institutions was April 14, 2003. The regulations allow the Secretary of HHS to amend the Privacy Rule, though not more than once every 12 months - so the Rule is not locked in its present form forever and we will need to be aware of any changes that occur over the years.
The HIPAA Privacy Rule has led to significant changes in the way patient information is dealt with in hospitals, clinics, doctors’ offices, insurance companies and laboratories. Academic medical centers, in particular, with their large patient populations, extensive research involving human subjects, and dependence on federal dollars, have devoted significant resources in tight fiscal times to prepare for the compliance date. At Columbia, we’ve hired an experienced health care lawyer to be “Associate Vice President for HIPAA Compliance” to train all University employees who normally handle patient information. Anxiety about the Rule has led to overreaction, with some hospitals refusing to give out information about patients’ conditions - or even whether they’ve been admitted! Both disclosures, by the way, are permitted under the HIPAA Privacy Rule.
HHS says it received over 63,000 public comments on the Privacy Rule while it was being formulated. It’s clear from reading the legislation that none of these comments were from archivists, librarians, manuscript curators or historians. While grappling with the Privacy Rule, it should be remembered that its underlying rationale appears to have been to protect personal health information from being improperly disclosed to insurance companies or employers. It is not a plot to bedevil archivists or to deny tenure to junior members of history departments. But because its basic orientation is the use of health care information in the world of hospitals and biomedical research, the Privacy Rule of HIPAA is not an exact fit for the types of research we deal with on a daily basis.
Nevertheless, while those of us who have patient information in our collections need to be aware of the implications of the HIPAA privacy regulations, we should not be unduly intimidated by them. We have, in fact, been dealing with these questions of access to patient information for many years. We’re sensitive to the issues of balancing the individual’s right to privacy with the need to make these records accessible for scholarly research. The difference now is that instead of policing ourselves, we must comply with specific legislation that specifies both civil and criminal penalties if our institutions are found in violation. Still, to paraphrase Mark Twain’s comments about the music of Wagner, HIPAA is “not as bad as it sounds.”
First, some definitions. What, or who, does the Privacy Rule cover? Well, mostly something called a “covered entity” which is defined as “health plans, health care clearinghouses and any health care provider (which can mean an individual, as well as an institution) who transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard.” An HHS publication is very clear about this:
“The Privacy Rule applies only to covered entities. Many organizations that use, collect, access, and disclose individually identifiable health information will not be covered entities, and thus, will not have to comply with the Privacy Rule.”
Ah, you think, I’m off the hook, I work for a University, not a health care provider. Not so fast. While the main mission of X University is education, it may be, in part, a health care provider. It may operate a hospital or, like Columbia - which does not actually own the hospital at Columbia-Presbyterian Medical Center - it may be responsible for the faculty practice plan.
If this is so, you are probably part of a “hybrid entity” defined as “a single legal entity that...performs business activities that include both covered and noncovered functions.” HHS goes on to say that the Privacy Rule generally only applies to those components of the hybrid entity that have been designated as “covered” (that is, those that have health care responsibilities), but that non-covered components of the institutions may be affected because the health care component is limited in how it can share patient information with the “non-covered” components. Columbia, for instance, considers itself a “hybrid entity.”
OK, so you’re neither a covered entity nor a hybrid one, can you happily ignore the HIPAA privacy rule? Well, maybe not. There is a third category affected by the Rule. These are defined as “business associates.” They are defined as “a person or entity who, on behalf of a covered entity, performs or assists in performance of a function or activity involving the use or disclosure of individually identifiable health information.” The HHS definition then goes on to identify some of those activities, and they are unlikely to be functions any of us here are performing - or at least I hope your fiscal situation hasn’t gotten so bad that your institution has you involved in “claims processing, utilization review, and quality assurance,” to quote the HHS definition. But just when you think you’re home free, HHS goes on to say that business associates are ALSO persons or entities performing “legal, actuarial, ... management, administrative or financial services to or for a covered entity where performing these services involves disclosure of individually identifiable health information...”
So, say your organization has no health care functions, but you’ve acquired the patient records of a hospital in your city, does that make you a business associate? - after all you’re storing them and administering them. You might be. Whether the HIPAA Privacy Rule applies retroactively to records created before it came into effect is unclear. At Columbia, our lawyers are assuming the Rule does apply retroactively and that, therefore, Archives & Special Collections functions as a business associate for those covered entities whose records we acquired in the past.
Beyond this, just before I left for Boston, I was told the University was thinking of designating the entire Library as having “covered” functions even though we have no health care responsibilities simply because Archives & Special Collections holds records with PHI. And you thought you were confused by HIPAA….
However your lawyers rule on the “retroactivity” of the Privacy Rule, it does appear certain that future acquisition of records containing PHI that were created by a covered institution will have to be regulated by a business associate agreement.
What records does the Privacy Rule apply to? It covers records containing “protected health information” better known as PHI, and defined as “individually identifiable health information, held or maintained by a covered entity or its business associates...that is transmitted or maintained in any form or medium.” Again, be aware that the Privacy Rule only applies to PHI held by a covered entity or its business associates. But also remember that a “covered entity” can be an individual physician whose PHI-laden records may be part of his or her papers that you now have.
Once you’ve determined that yes, your institution falls into one of the 3 categories regulated by the Privacy Rule, are you allowed to “disclose” PHI to researchers? Yes, research is a permitted use under the Rule and the Rule outlines when and how it is allowed.
There are several ways records containing PHI can be disclosed for research purposes. Let’s first consider access to records containing PHI of individuals who are alive or can be presumed to be alive.
The Privacy Rule allows use and disclosure of PHI of living individuals for research purposes by several methods of which I will discuss the three that will be most likely encountered in an archival setting. First, the covered entity may disclose PHI without restriction if it is de-identified. This requires the elimination of 18 elements from all the records to be used by a researcher. Some of the information to be removed is obvious: name, telephone number, social security number, etc. But also to be eliminated under the Privacy Rule are “all geographic subdivisions smaller than a state” including street or city, and date elements (except year) relating to admission and discharge, date of death and for PHI of those age 89 or over, even their birth year.
The incredible amount of labor needed to de-identify records - especially considering that much historical research involves large numbers of these records - makes this an unlikely option for most archival repositories holding PHI. Of course, if you receive records already de-identified you can be secure in the knowledge that they can be used for research purposes without any restrictions. But such denuded records will be such thin gruel for historical research that I can’t imagine why anyone would want to use them.
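As an added illustration (not from the newsletter, and not Columbia’s procedure), here is a Python sketch of the de-identification the article describes, applied to a constructed case-book entry. The field names, the extra identifier keys beyond those the article names, and the free-text patterns are assumptions; the age threshold follows the article’s wording (89 or over).

```python
import re
from datetime import date

# Elements the article names among the 18 to be removed: name, telephone,
# social security number. The other keys are assumed field names, not a
# complete list of the 18 elements.
DIRECT_IDENTIFIERS = {"name", "telephone", "ssn", "mrn", "email"}
# "All geographic subdivisions smaller than a state".
SUB_STATE_GEOGRAPHY = {"street", "city", "county", "zip"}
# Date elements that may keep only their year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Age at or above which, per the article, even the birth year must go.
AGE_CAP = 89
# Compliance date named in the article, used here as the reference date.
COMPLIANCE_DATE = date(2003, 4, 14)

# Minimal constructed patterns for identifiers that leak into free text.
_SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
_PHONE_RE = re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")


def _age_on(birth: str, as_of: date) -> int:
    """Whole years between an ISO birth date and the reference date."""
    b = date.fromisoformat(birth)
    return as_of.year - b.year - ((as_of.month, as_of.day) < (b.month, b.day))


def scrub_text(text: str) -> str:
    """Blank out SSN and phone patterns; real free text needs far more than this."""
    return _PHONE_RE.sub("[REDACTED]", _SSN_RE.sub("[REDACTED]", text))


def deidentify(record: dict, as_of: date) -> dict:
    """Return a copy of `record` with the identifiers the article lists removed."""
    age = _age_on(record["birth_date"], as_of) if "birth_date" in record else None
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SUB_STATE_GEOGRAPHY:
            continue                      # dropped entirely
        if key in DATE_FIELDS:
            if key == "birth_date" and age is not None and age >= AGE_CAP:
                continue                  # even the birth year goes
            out[key] = value[:4]          # keep the year only
        elif key == "notes":
            out[key] = scrub_text(value)
        else:
            out[key] = value
    if age is not None:                   # report age, capped at the threshold
        out["age"] = f"{AGE_CAP}+" if age >= AGE_CAP else str(age)
    return out


# Constructed sample case-book entry; every value is invented.
SAMPLE = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "city": "New York",
    "state": "NY",
    "birth_date": "1910-03-15",
    "admission_date": "2001-06-02",
    "diagnosis": "pneumonia",
    "notes": "Reached at 212-555-0100; SSN 123-45-6789 on file.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, COMPLIANCE_DATE))
```

Even this structured case is easy; the labor the article warns about is in the free-text correspondence and case notes, where pattern matching alone will miss names, addresses and dates written in prose.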
The Privacy Rule also allows individuals to authorize a covered entity to disclose or use their PHI for research purposes. This provision may not be of much help to archivists and manuscript curators, depending on how your institution reads the Rule. If you consider, as we do at Columbia, that the Privacy Rule applies retroactively to records created before the Rule went into effect, there is a fairly obvious problem. First, these authorizations were only established as part of HIPAA (they are not the same things as Informed Consent agreements), so none of our records - all created before HIPAA - will have any such authorizations.
But even if they did, we’d still have difficulties because the Rule is clear that authorizations are valid only for a specific research study, not “to nonspecific research or to future, unspecified projects.” So, even if our successors 50 years from now receive the research records of a faculty member who did his research under the HIPAA Privacy Rule in 2005 and who at that time obtained individual authorizations, any researcher wanting to reuse those records for his or her own research would have to obtain another authorization from the individuals involved. This is unlikely to happen.
A third method of allowing use of PHI is by obtaining a waiver of authorization. A waiver allows PHI to be disclosed or used in a specific research project without authorization from the individuals whose PHI is involved. It may be a “full” or “partial” waiver. Waivers must be obtained from Institutional Review Boards (IRB) or Privacy Boards, the latter a new entity created in response to the HIPAA Privacy Rule. To issue a waiver the IRB or Privacy Board determines that the use or disclosure of PHI involves no more than “minimal risk” to the privacy of individuals because:
I should note that the HHS says the waiver should satisfy the criteria I’ve just listed “in whole or in part” so it appears the researcher would not have to address all of them. This appears to give us some wiggle room for allowing research use of records in our collections containing PHI.
But this route is not without its difficulties. While some archival repositories have always required researchers desiring to use patient records to go through the IRB, my impression has been that general practice up to now has been for the archivist to directly deal with researcher requests under an access policy devised by the archives. Having IRBs or Privacy Boards decide which archival research projects are allowable may significantly reduce access to and use of our collections. Remember, IRBs and Privacy Boards deal with biomedical research. Will they be able to judge the merits of research by historians and other humanistic scholars? At this point it’s impossible to tell, but it’s certainly a matter for concern. At the very least, we must educate ourselves as to how these Boards work as well as educating the members of the Boards about the use of archival materials in historical research.
At Columbia, fortunately, our HIPAA lawyer hopes to have me join the University’s new Privacy Board as a “member for archival requests” or, if that’s not possible, make sure one of our physician-historians is appointed to the Board. Whoever it is, the Board will have someone who can explain and elucidate to the other Board members what historical research is and why it might in some cases need access to records containing PHI.
Requests for waivers of authorization for research in archival records with PHI held by Archives & Special Collections at Columbia will originate with the researcher coming to the Archives but the researcher can then complete the waiver request on-line and submit it electronically to the Privacy Board. How quickly the Board will pass on such requests is impossible to say at this point. It may depend on the volume of requests the Board receives, but in any case I suspect it will be slower than the procedure we have in place now.
Compared to research using the PHI of living individuals, the rules for research on PHI of decedents are simplicity itself. The Rule states that “to use or disclose PHI of the deceased for research, covered entities are not required to obtain Authorizations from the personal representative or next of kin, a waiver or an alteration of the Authorization or a data set agreement.” However, the covered entity must obtain from the researcher three things:
1) Oral or written representation that the use and disclosure is solely for research on the PHI of decedents
This is not very different from the access policies to patient records that many of us already have in place. The chief obstacle would seem to be documentation of the death of the individual. However, note the wording of that last clause: documentation of the death of the individual is “at the request of the covered entity.” If this is saying what I think it’s saying, it’s up to us to define “documentation of death.” This would eliminate the impossible task of having the researcher prove the death of each individual whose PHI is included in a hospital case book or a physician’s correspondence and allow us to define a date before which all individuals will be presumed dead.
And in fact, this is exactly what we at Columbia will be doing: for access to records containing PHI, “individuals will be presumed to be deceased 100 years after date of birth or date of record creation, whichever occurs first.” In practical terms this means that access to records in our possession that were created in 1902 or earlier will be permitted after applying to the Archives. For records less than 100 years old, the researcher will have to apply to the Privacy Board at Columbia for access - unless the researcher can provide proof of death of all the individuals whose records might be used in the course of research.
Unfortunately, I wasn’t able to have our form for Access to Protected Health Information approved by our lawyer before this meeting, so you should be aware that the sample I’ve distributed is still a draft. However, I don’t imagine it will be all that much different. I should note that it is closely modeled on the form in place at the archives of our sister institution, New York Weill Cornell Medical Center and I’d like to thank Jim Gehrlich, the Cornell Medical Archivist, for allowing me to use his form as a model.
One question about the Privacy Rule and records of decedents on which I have yet to get a clear answer is, does it allow us to let researchers use the names of decedents in published works? Will any historian ever again be able to write a book like Laurel Ulrich’s Midwife’s Tale? From my reading, the Privacy Rule may be, paradoxically, more lenient on this point than many of us are now, since it uses the death of the individual, not a fixed date, as the determinant for access to records. However, as of now I have not been able to get a ruling from our lawyer on whether my interpretation is correct.
Another aspect of the HIPAA Privacy Rule that should inform our thinking about access to PHI is that the enforcement mechanism will be complaint-driven. That is, someone who believes his or her privacy has been violated has to initiate a complaint with the HHS’s Office of Civil Rights. While we shouldn’t be planning our HIPAA compliance on the assumption we won’t be caught if we violate it, it does appear unlikely that HHS will audit covered entities for evidence of Privacy Rule violations. In short, we shouldn’t worry about HHS investigators swooping down on us and demanding to see our reference requests. We can be a little more relaxed about research use of PHI in our collections than might seem at first to be the case.
So what may be the effect of HIPAA Privacy Rule on archives in practical terms? It’s too early to tell how all the ramifications will play out, but my feeling is that we may be witnessing the emergence of a two-tier system of access to records containing PHI: older records where we can presume the individuals are deceased and access is regulated pretty much the way we’ve always done it; and more recent records where the presence of a substantial number of individuals who can be presumed to be living will take access decisions out of the hands of archivists and turn them over to IRBs or Privacy Boards.
There is another two-tier system that I’m concerned may emerge in the wake of HIPAA: between the major academic medical centers, which have the resources to hire experts to deal with the complications of HIPAA, have IRBs or Privacy Boards, and have a commitment to research, and smaller medical institutions or non-medical institutions that have limited or no resources to deal with these issues and are either not primarily research institutions or not research institutions with a focus on the history of medicine (historical societies and government archives, for instance). For these, the solution to the question of historical research using records containing PHI may be to ban it altogether: it’s not part of their mission, it’s too complicated, they don’t have the legal or archival staff to deal with it.
More ominous still, I worry that the implications of the Privacy Rule will encourage institutions creating records with PHI to simply destroy them as soon as possible. Patient records in particular have always been vulnerable to destruction: they take up space and money - two things medical institutions never seem to have enough of - and after they are no longer being actively used for health care or biomedical research, administrators may find in HIPAA yet another reason to trash them. Whether the transition of the patient record from the traditional manila folder to digital form will retard or speed this destruction is too early to tell.
For the same reason, collecting institutions may think twice before accepting records with PHI. On the donor side, physicians donating records may purge them of everything - even correspondence existing outside patient records - that they think are covered by the Privacy Rule. Those records with PHI now held by archival repositories are no doubt safe, but a century from now I fear the raw data needed to document the history of health care in this country may end in the 1990s.
And finally, a modest proposal. To paraphrase Twain again: everybody talks about HIPAA but nobody does anything about it. The anxiety and uncertainty this legislation has raised in the historical and archival communities is in large part because we never made our concerns known to HHS. Perhaps it’s time we did. The Secretary of HHS, as I mentioned earlier, can amend HIPAA on an annual basis. This organization, the AAHM and the Society of American Archivists could - no, should - persuade the National Coordinating Committee for the Promotion of History that this is something on which they need to lobby HHS. At the very least, we might be able to obtain clarification of some of the murkier parts of HIPAA; at best, we might be able to alter or streamline some of the more burdensome parts of the legislation.
Stephen Novak is the Head of Archives & Special Collections, Augustus C. Long Health Sciences Library, Columbia University