Public Health Grand Rounds
HIPAA Privacy Rule:
Enhancing or Harming the Public's Health?
March 28, 2003

Program Notes

HIPAA Privacy Rule

• Restricts access to Protected Health Information (PHI)
• PHI is information containing personal identifiers
• Information becomes protected when stored or transmitted in any form

HIPAA Covered Entities

• Health plans
• Health care clearinghouses
• Health care providers

HIPAA Hybrid Entity

• Build firewall between covered and non-covered functions
• On covered side of firewall, agency required to comply with Privacy Rule
• On the non-covered side of the firewall, agency not required to comply with Privacy Rule applicable to covered entity.

HIPAA Privacy Rule
Permits disclosures of PHI to Public health authorities for public health purposes

Public Health Authority
Federal, tribal, state, or local public agency, or person or entity acting under a grant of authority from such public agency that is responsible for public health matters.

Privacy Rule on Research

• Generally requires authorization prior to use and disclosure of PHI
• Institutional Review Board or Privacy Board may grant a waiver of authorization
• Researcher may obtain limited data set without authorization

Key Lessons for HIPAA Privacy Rule

1. Applies only to covered entities
2. Health authorities should utilize hybrid entity status
3. Not an obstacle to exchange of PHI for public health purposes

Key Questions about HIPAA Privacy Rule

1. Who is covered under the Rule?
2. Who decides whether activities are covered functions?
3. What information is protected?
4. What does the Rule require you to do?
5. Does the Rule pre-empt your state or local privacy laws?