Up to my HIPAA in regulations

I have spent the better part of the last week immersed in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Privacy Rule regulation that establishes the minimum Federal standards for safeguarding the privacy of individually identifiable health information.

Mostly I am preparing for a presentation at the Midwest Archives Conference in Columbus Ohio on privacy concerns in academic and medical archives but I am also researching the need for an agreed upon role of the Privacy Rule within this archives project.

Most archives/HIPAA literature has focused on archives that are part of a health science organization or educational institution. The University of Minnesota is a hybrid institution meaning that some parts of the University are regulated by the Privacy Rule (the Academic Health Center) and other parts are not (University Archives). This makes it all the more difficult in determining how best to manage materials that may or may not contain personal health information (PHI) in the archives.

Some interesting key points I have learned so far include:

• The Privacy Rule in HIPAA applies only to covered entities (institutions governed by the Privacy Rule); it does not apply to all persons or institutions that collect individually identifiable health information.

• The Privacy Rule in HIPAA pertains only to PHI created or collected by a covered entity. Personal health information created or collected by a non-covered entity does not have to comply with the Privacy Rule.

• The Privacy Rule does not “pass through” its requirements to business associates (person/entity that provides certain functions or services for a covered entity); instead, it requires, typically by contract with the covered entity, satisfactory assurances to the safeguarding of information.

• De-identified health information is not PHI and thus not protected by the Privacy Rule.

• Enforcement of the Privacy Rule is complaint driven. Covered entities will not be periodically audited or monitored.

Most of this information and more can be found through the resources provided at the HIPAA Resources Page for the Science, Technology & Health Care Roundtable of the Society of American Archivists.