Issue Brief: Health Information Portability and Accountability Act

SAA POSITION

SAA supports all efforts to strengthen the Health Information Portability and Accountability Act (HIPAA) to:

  • Redefine “Protected Health Information” (PHI) to balance privacy and access concerns regarding access to PHI about individuals whose death dates are not known.
  • Allow access to PHI for family members doing medical genealogy research.
  • Clarify which archival repositories holding health-care-related holdings are subject to Business Associate Agreements and provide guidelines for them.
  • Revise the Privacy Rule so that previously published individually identifiable information and photographs are not considered PHI.
  • Support efforts to standardize PHI definitions and requirements in state law and regulation based on federal rules and regulations, with the goal of creating a single, nationally recognized standard regarding PHI.

SAA will:

  • Work with the Council of State Archivists to advocate for standardization of state medical record statutes that would bring them in line with federal regulations.
  • Encourage the development of standardized best practices by archivists working within Covered Entities.
  • Encourage interested SAA Sections and Roundtables to advocate for these changes in partnership with scholarly associations representing researchers.
  • Encourage interested SAA Sections and Roundtables to survey repositories documenting the health fields regarding researcher experiences in applying to Institutional Review Boards and Privacy Boards for access to protected holdings.

THE ISSUES

Several issues are in need of resolution.

At the Federal Level:

  • SAA applauds the change in the definition of Protected Health Information (in conjunction with adoption of the Final Rule in 2013) to exclude information on individuals who have been deceased for 50 years or longer. SAA notes, however, that it is not always practical to determine whether the individual(s) has been deceased for 50 years or longer.
  • Current rules continue to leave unclear access to PHI for family members conducting medical genealogy research. The change in the Rule allowed Covered Entities to disclose a decedent’s PHI to family members involved in the care of a patient, but appears to be limited to information involving the period immediately pre- and post-death.  Unresolved is the question of whether disclosures are permitted to family members for medical genealogy requests during the period from death to 50 years after death, when a personal representative would be required to authorize the disclosures.
  • Under the 2013 amendments to the Privacy Rule, archival repositories could be subject to Business Associate Agreements if they have health-care-related holdings that originated from a Covered Entity or a former member of its workforce – even if those collections were acquired before the HIPAA Privacy Rule went into effect. This means that many repositories that previously were not subject to the Privacy Rule are now or might be covered. What constitutes a “Business Associate” is not clear.
  • A question remains as to whether PHI that was published (for example, photos of patients in hospital annual reports or patient data in medical journal articles) before HIPAA went into effect is still considered PHI and restricted under the Privacy Rule.

At the State Level: State medical records statutes differ from the federal law and state records laws vary widely. States tend to place restrictions on records, whereas HIPAA protects information. The definition of the “medical record” varies from state to state, is vague in some cases, and can encompass documents outside of the unit medical record. The period of protection also varies widely. When a state law is more restrictive than HIPAA, the more restrictive rule prevails.

At the Institutional Level: The Privacy Rule is interpreted differently by different institutions. Archival repositories must follow the policies and protocols set by their parent institutions, which may or may not be Covered Entities under HIPAA.  Parent institutions take a range of approaches, and thus policies and procedures vary widely from repository to repository. This situation confuses researchers and makes it difficult for the archives community to develop standardized practices.  The recent change in the Privacy Rule continues to allow a Covered Entity to set policies that are more restrictive than HIPAA.  As is the case with state medical records laws, the more restrictive rule prevails.

To address these issues, SAA will:

1. Advocate for further changes in HIPAA at the federal level in the following areas:

  • In cases in which the date of death is unknown, the federal government should broaden the definition of PHI to exclude information 150 years after the date of record creation.  Adding this new provision would balance privacy and access concerns and address the challenge of whether archivists could provide access to records that contain health information about individuals whose death dates are not known.  In all but a very small fraction of cases, the individuals involved will have been deceased for at least 50 years.
  • The HIPAA Privacy Rule should be modified/clarified to allow access to PHI for family members conducting medical genealogy research. Family members seeking medically necessary information in the file of a deceased relative should be given access to the file, regardless of other HIPAA regulations.  SAA should work with genealogy groups on this issue.
  • HIPAA should be modified to make clear the extent to which archival repositories that are not part of Covered Entities, and that have health-care-related holdings, are subject to Business Associate Agreements. SAA supports the development of guidelines, similar to those of the Covered Entity Decision Charts (see http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf), for a repository to determine whether it is a Business Associate under HIPAA.
  • The HIPAA Privacy Rule should be modified to make it clear that individually identifiable information and photographs that have appeared in publications or other public venues are not considered PHI under the Privacy Rule.

2. Work with the Council of State Archivists (COSA) to advocate for changes in state medical record statutes to bring them in line with federal regulations to allow for standardization.

3. Encourage archivists working within HIPAA Covered Entities to develop a set of standardized “best practices” to share at the national level. Archivists working within Covered Entities should have available to them standard protocols that could be presented to the HIPAA compliance officers at their parent institutions as the nationally accepted procedures for handling PHI in archival collections.

4. Encourage interested SAA Sections and Roundtables to advocate for these changes, in partnership with interested scholarly associations representing researchers, such as the American Association for the History of Medicine, and with citizen groups such as genealogists.

5. Encourage interested SAA Sections and Roundtables to survey repositories documenting the history of the health fields regarding the experiences of researchers in applying to Institutional Review Boards and Privacy Boards for access to protected holdings.

BACKGROUND

The Health Information Portability and Accountability Act (HIPAA) was adopted by Congress in 1996.  The U.S. Department of Health and Human Services developed the proposed Privacy Rule in 2002, and it went into effect on April 14, 2003.

The HIPAA Privacy Rule is intended to protect the privacy rights of individuals, and it defines certain elements of information as Protected Health Information (PHI). Thus the rule governs access to information rather than access to records. It is the first comprehensive federal law on access to and use of health information; the first general federal medical privacy law to extend rights of privacy beyond the file unit of the medical record to individually identifiable health information in all types of file systems, documents, formats, and media; and the first federal law to extend rights of privacy beyond health information of living individuals to health information of decedents.  Although much of the Privacy Rule was needed to protect individuals’ health information in the digital age, some aspects created compliance requirements that either were overly broad or left gaps in protection.  HIPAA also defined “Covered Entities” as those institutions that are subject to HIPAA and must comply with its provisions.

Adoption of the Privacy Rule under HIPAA has had a major impact on archivists who are responsible for collections documenting the health sciences.

Interpretations of and the application of the HIPAA Privacy Rule to archival repositories vary widely based on a number of factors (the most prominent of which is whether the repository is part of a Covered Entity).  In the absence of clear guidance and consistent best practices, some repositories can and do restrict access to collections that could be made available under the terms of HIPAA and state laws governing health information and medical records.

As archivists came to understand the implications of HIPAA for their repositories, they began to advocate for changes to the rule. In 2005, Nancy McCall and Stephen Novak testified to the National Committee on Vital and Health Statistics regarding the impact of the Privacy Rule on archives at Covered Entities.[1] They pointed out that the Privacy Rule applied only to archives designated as part of HIPAA Covered Entities and did not apply to archives that are not part of Covered Entities but that also hold medical records and other related health information. They noted that HIPAA contained no provision for passage of time and questioned whether incidental health information related to long-deceased individuals required protection.

In July 2010, as a result of the HITECH Act, the Office for Civil Rights of the U.S. Department of Health and Human Services (OCR) proposed changes to the Privacy Rule that took into consideration the concerns of archivists and historians, citing the testimony of McCall and Novak.  Archivists and historians submitted comments both individually and through their professional organizations regarding the proposed changes.[2]

On January 25, 2013, OCR published in the Federal Register its final rule to implement the privacy and enforcement provisions of the HITECH Act (the “Final Rule”).[3] The Final Rule, which was effective on March 26, 2013, with a compliance date of September 23, 2013, modifies the HIPAA Privacy, Security, and Enforcement rules. Covered Entities had a deadline of September 23, 2014, to revise existing Business Associate Agreements in light of the changes in the Final Rule.

In considering these various Rules, SAA’s opinion is informed by the belief that personal privacy should be respected throughout an individual’s lifetime in appropriate ways. Documents that record private information related to the health of living individuals should be disclosed involuntarily only when disclosure accomplishes a greater public purpose.  The need for privacy rights to be extended to deceased individuals and the harm of disclosing their health information decreases over time.  It is impractical for the staff of archival repositories to “de-identify” health information in all types of documents so that it may not be used to identify an individual.  Further, for many types of studies, the removal of identifiers devalues the usefulness of the information and compromises the scope of research. It is impractical and not always advisable to seek out a personal representative for the long-deceased to authorize disclosure of individually identifiable health information. Archivists continue to advocate for a balance between reasonable access to historical documentation and necessary protections of individual privacy.

 

[1] For Nancy McCall’s testimony see: http://www.ncvhs.hhs.gov/050111p6.pdf.  For Stephen Novak’s testimony see http://www.ncvhs.hhs.gov/050111p5.htm.

[2] For the SAA comment submitted by SAA President Helen Tibbo on September 13, 2010, see http://www2.archivists.org/sites/all/files/SAA_HIPAA_091310.pdf.  On November 27, 2007, SAA had submitted a letter to individual members of the Senate’s Health, Education, Labor, and Pensions (HELP) Committee in response to introduction of S. 1814, The Health Information Privacy and Security Act of 2007, authored by Senators Kennedy and Leahy.  See http://www2.archivists.org/news/2007/saa-urges-congress-to-reconsider-hipsa-provisions.

[3] The final rule is available in full in the Federal Register at http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf.

 

ADDITIONAL REFERENCE SOURCES

Members of the Society of American Archivists Science, Technology and Health Care Roundtable (STHC) and the Archivists and Librarians in the History of the Health Sciences (ALHHS) have compiled a HIPAA resource page that includes links to the Privacy Rule and official resources from the Department of Health and Human Services, testimony by archivists on HIPAA, background articles, presentations, and other resources and tools for archivists. See http://www.alhhs.org/hipaa_sthc_alhhs.html. (Accessed July 10, 2014.)

 

Approved by the SAA Council: August 2014

1 Comment(s) to the "Issue Brief: Health Information Portability and Accountability Act"
Marko says:
Additionally, SAA will work with the Council of State Archivists, encourage best practices development, and facilitate advocacy among SAA Sections and Roundtables to align state statutes with federal regulations and improve researcher access to protected health holdings, similar to initiatives undertaken by the low carb company. SAA supports efforts to strengthen HIPAA by redefining "Protected Health Information" to balance privacy and access concerns, allowing access for medical genealogy research, clarifying archival repository guidelines, revising the Privacy Rule, and standardizing PHI definitions nationwide.