The Health Insurance Portability and Accountability Act (HIPPA)
Privacy Act Notice
The Privacy Act of 1974 requires that when we ask you for information we tell you our legal right to ask for the information, why we are asking you for it, and how it will be used. We must also tell you what could happen if we do not receive it and whether your response is voluntary, required to obtain a benefit, or mandatory. Our legal right to ask for the information is section 408 of the Employee Retirement Income Security Act (ERISA), 29 U.S.C. § 1108, which authorizes the Department to grant conditional exemptions from the prohibited transaction provisions of ERISA. The exemption that this relates to provides relief to responsible plan fiduciaries whose service provider failed to disclose to them certain required fee information. One of the conditions of the exemption requires that notice be provided to the Department and outlines the information to be included in the notice. We are asking you for information because the Fee Disclosure Failure Notice is one way you can provide this notice to the Department. If you do not provide the notice to the Department, you will not have met one of the conditions of the exemption and will not get the relief from the prohibited transaction. We do not sell the information we collect. The information that you provide will be used by the Department's Office of Enforcement to carry out the Department's responsibilities under ERISA and may be shared with other government agencies for their compliance purposes.
We use contractors to perform various website and database functions. When we do, we make sure that the agreement language with the contractor ensures the security, confidentiality and integrity of any personal information.
We may disclose to you and others the information you give us if authorized or required by Federal law, such as the Privacy Act. Also, if you provide false or fraudulent information, you may be subject to criminal prosecution. See section 1027, Title 18, U.S. Code (False statements and concealment of facts in relation to documents required by ERISA) and section 1001, Title 18, U.S. Code (Fraud and False Statements-Statements or entries generally). Other penalties may also apply.
We use contractors to perform various website and database functions. When we do, we make sure that the agreement language with the contractor ensures the security, confidentiality and integrity of any personal information.
We may disclose to you and others the information you give us if authorized or required by Federal law, such as the Privacy Act. Also, if you provide false or fraudulent information, you may be subject to criminal prosecution. See section 1027, Title 18, U.S. Code (False statements and concealment of facts in relation to documents required by ERISA) and section 1001, Title 18, U.S. Code (Fraud and False Statements-Statements or entries generally). Other penalties may also apply.
Protected Health Information
HIPAA ‘Protected Health Information': What Does PHI Include?HIPAA.com has received from its readers requests for information on topics related to HIPAA Administrative Simplification Privacy and Security Rules and to updates to those rules reflected in the HITECH Act provisions of the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009. Of particular interest to readers is: what exactly is protected health information(PHI)?
To get to protected health information, you have to examine two definitions that were in Section 1171 of Part C of Subtitle F of Public Law 104-191 (August 21, 1996): Health Insurance Portability and Accountability Act of 1996: Administrative Simplification. These statutory definitions are of health information and individually identifiable health information.
“Health information means any information, whether oral or recorded in any form or medium, that–
(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”
“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.”
Protected health information is defined in 45 CFR 160.103, where ‘CFR’ means ‘Code of Federal Regulations’, and, as defined, is referenced in Section 13400 of Subtitle D (‘Privacy’) of the HITECH Act.
“Protected health information means individually identifiable health information [defined above]:
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable health information in:
(i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
(iii) Employment records held by a covered entity in its role as employer.”
The HIPAA Privacy Rule covers protected health information in any medium while the HIPAA Security Rule covers electronic protected health information.
With those definitions in place, the question becomes: what elements comprise protected health information such that if they were removed, items (i) and (ii) of (2) in the definition ofindividually identifiable health information would not obtain. The answer is in the de-identification standard and its two implementation specifications of the HIPAA Privacy Rule [45 CFR 164.514]:
“(a) Standard: de-identification of protected health information. Health information [defined above] that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.
(b) Implementation specifications: requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination; or
(2)
(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:
(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Censue:
(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date,, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and
(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
(c) Implementation specifications: re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:
(1) Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
(2) Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.”
With HHS’s release of the Interim Final Rule, ‘Breach Notification for Unsecured Protected Health Information,’ published in the Federal Register on Monday, August 24, 2009, note the following: “If information is de-identified in accordance with 45 CFR 164.514(b) [the first implementation specification, defined above], it is not protected health information, and thus, any inadvertent or unauthorized use or disclosure of such information will not be considered a breach for purposes of this subpart.” [74 Federal Register 42743]
To get to protected health information, you have to examine two definitions that were in Section 1171 of Part C of Subtitle F of Public Law 104-191 (August 21, 1996): Health Insurance Portability and Accountability Act of 1996: Administrative Simplification. These statutory definitions are of health information and individually identifiable health information.
“Health information means any information, whether oral or recorded in any form or medium, that–
(A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and
(B) relates to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.”
“Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and:
(1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
(i) That identifies the individual; or
(ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual.”
Protected health information is defined in 45 CFR 160.103, where ‘CFR’ means ‘Code of Federal Regulations’, and, as defined, is referenced in Section 13400 of Subtitle D (‘Privacy’) of the HITECH Act.
“Protected health information means individually identifiable health information [defined above]:
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable health information in:
(i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
(iii) Employment records held by a covered entity in its role as employer.”
The HIPAA Privacy Rule covers protected health information in any medium while the HIPAA Security Rule covers electronic protected health information.
With those definitions in place, the question becomes: what elements comprise protected health information such that if they were removed, items (i) and (ii) of (2) in the definition ofindividually identifiable health information would not obtain. The answer is in the de-identification standard and its two implementation specifications of the HIPAA Privacy Rule [45 CFR 164.514]:
“(a) Standard: de-identification of protected health information. Health information [defined above] that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.
(b) Implementation specifications: requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination; or
(2)
(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:
(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Censue:
(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date,, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and
(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.
(c) Implementation specifications: re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:
(1) Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
(2) Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.”
With HHS’s release of the Interim Final Rule, ‘Breach Notification for Unsecured Protected Health Information,’ published in the Federal Register on Monday, August 24, 2009, note the following: “If information is de-identified in accordance with 45 CFR 164.514(b) [the first implementation specification, defined above], it is not protected health information, and thus, any inadvertent or unauthorized use or disclosure of such information will not be considered a breach for purposes of this subpart.” [74 Federal Register 42743]
HIPAA and Same-sex Marriage: Understanding Spouse, Family Member, and Marriage in the Privacy Rule
Download a PDF copy
The HIPAA Privacy Rule contains several provisions that recognize the integral role that family members, such as spouses, often play in a patient’s health care. For example, the Privacy Rule allows covered entities to share information about the patient’s care with family members in various circumstances. In addition, the Privacy Rule provides protections against the use of genetic information about an individual, which includes certain information about family members of the individual, for underwriting purposes. This guidance addresses the effect of the 2013 Supreme Court decision regarding the Defense of Marriage Act (DOMA) on these provisions.
In United States v. Windsor, the Supreme Court held section 3 of DOMA to be unconstitutional. Section 3 of DOMA had provided that federal law would recognize only opposite-sex marriages. In light of the Windsor ruling, covered entities (and business associates, as applicable) must consider the following regarding lawfully married same-sex spouses and same-sex marriage.
At 45 CFR 160.103, the Privacy Rule includes the terms spouse and marriage in the definition of family member. Consistent with the Windsor decision, the term spouseincludes individuals who are in a legally valid same-sex marriage sanctioned by a state, territory, or foreign jurisdiction (as long as, as to marriages performed in a foreign jurisdiction, a U.S. jurisdiction would also recognize the marriage). The term marriageincludes both same-sex and opposite-sex marriages, and family member includes dependents of those marriages. All of these terms apply to individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.
The HIPAA Privacy Rule contains several provisions that recognize the integral role that family members, such as spouses, often play in a patient’s health care. For example, the Privacy Rule allows covered entities to share information about the patient’s care with family members in various circumstances. In addition, the Privacy Rule provides protections against the use of genetic information about an individual, which includes certain information about family members of the individual, for underwriting purposes. This guidance addresses the effect of the 2013 Supreme Court decision regarding the Defense of Marriage Act (DOMA) on these provisions.
In United States v. Windsor, the Supreme Court held section 3 of DOMA to be unconstitutional. Section 3 of DOMA had provided that federal law would recognize only opposite-sex marriages. In light of the Windsor ruling, covered entities (and business associates, as applicable) must consider the following regarding lawfully married same-sex spouses and same-sex marriage.
At 45 CFR 160.103, the Privacy Rule includes the terms spouse and marriage in the definition of family member. Consistent with the Windsor decision, the term spouseincludes individuals who are in a legally valid same-sex marriage sanctioned by a state, territory, or foreign jurisdiction (as long as, as to marriages performed in a foreign jurisdiction, a U.S. jurisdiction would also recognize the marriage). The term marriageincludes both same-sex and opposite-sex marriages, and family member includes dependents of those marriages. All of these terms apply to individuals who are legally married, whether or not they live or receive services in a jurisdiction that recognizes their marriage.
- The definition of a family member is relevant to the application of §164.510(b)Standard: Uses and disclosures for involvement in the individual’s care and notification purposes. Under certain circumstances, covered entities are permitted to share an individual’s protected health information with a family member of the individual. Legally married same-sex spouses, regardless of where they live, are family members for the purposes of applying this provision.
- The definition of a family member is also relevant to the application of §164.502(a)(5)(i), Use and disclosure of genetic information for underwriting purposes. This provision prohibits health plans, other than issuers of long-term care policies, from using or disclosing genetic information for underwriting purposes. For example, such plans may not use information regarding the genetic tests of a family member of the individual, or the manifestation of a disease or disorder in a family member of the individual, in making underwriting decisions about the individual. This includes the genetic tests of a same-sex spouse of the individual, or the manifestation of a disease or disorder in the same-sex spouse of the individual.
