What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as modified by the Health Information Technology for Economic and Clinical Health Act ("HITECH Act") and its regulations (the "Privacy Rule," the "Security Rule" and the "Breach Notification Rule"), protects the privacy of an individual's health information and governs the way certain health care providers and benefit plans collect, maintain, use and disclose protected health information (PHI).
HIPAA’s Privacy and Security Rules regulate how covered entities may use and disclose PHI, regardless of its form (i.e., paper, electronic, or oral), and describe the conditions under which PHI may be used or disclosed for research purposes.
What is a “Covered Entity”?
A Covered Entity includes any health plan, health care clearinghouse and health care provider that electronically transmits any health information as part of billing. Examples include hospitals, academic medical centers, and health providers that electronically submit claims to health plans or third-party administrators of health plans. Stanford Health Care (SHC) and Stanford Children's Hospital (SCH) (collectively "the Hospitals") and portions of Stanford University are Covered Entities as health care providers. Health information collected and/or used by our medical staff and clinical research projects is PHI and subject to the Privacy and Security Rules.
Which groups at Stanford are subject to the HIPAA Privacy and Security Rules?
Stanford University is considered a "hybrid entity" under HIPAA. This means that only certain components, those that make up Stanford University's HIPAA Components (SUHC), fall within the definition of a "Covered Entity" under HIPAA and are subject to HIPAA. Since not all of Stanford University's functions meet the definition of a Covered Entity, Stanford has excluded from the Covered Entity those programs that have no need to create, use, receive or disclose PHI. For example, the School of Education and the School of Law are not included in the Stanford University HIPAA Components (SUHC). SUHC is the group of health care components of Stanford University that are its health care providers (e.g., School of Medicine, Vaden Health Center) and selected support units that, by the nature of their function, need to share PHI with the health care providers.
Schools, programs, departments and labs included in SUHC must develop special administrative procedures to comply with these policies. The members of SUHC are located at this link: https://privacy.stanford.edu/hipaa/stanford-affiliated-covered-entity.
Stanford University's HIPAA Components (SUHC) are also part of an overarching Covered Entity called a "single affiliated covered entity" under HIPAA. HIPAA allows covered entities under common ownership or control to join together to form a “single affiliated covered entity” for purposes of compliance with HIPAA. As a health care provider, Stanford has formed what is known as the Stanford Affiliated Covered Entity (SACE). The SACE includes Stanford Health Care (SHC), Stanford Children's Hospital (SCH) and the Stanford University HIPAA Components (SUHC). This association enables the sharing of PHI between the three organizations.
HIPAA also applies to benefit plans. As an employer, Stanford University sponsors and maintains various ERISA health benefit plans that are subject to HIPAA. Stanford refers to these covered plans as the Group Health Plans (GHP). These include the following:
- Educated Choices (Plan 513)
- Post-Retirement and Post-Employment (Plan 516)
- Post-Doctoral (Plan 517)
- Medical Faculty (Plan 518)
- Other plans as modified, added, and eliminated in the future
To meet the requirements of the HIPAA Privacy and Security Rules, Stanford University, Stanford Health Care (SHC), Stanford Children's Hospital (SCH) and the GHP have each adopted policies that govern the use and disclosure of PHI. Handling of PHI in research and fundraising activities is subject to special restrictions under HIPAA, and additional policies apply to these activities. Stanford University's Privacy Policies may be accessed under the "Policies" tab on our website.
What constitutes “PHI”?
PHI is any health information that also includes any one of the following 18 identifiers:
- Geographic information smaller than state
- Elements of dates (birth date, admission date, date of death, ages greater than or equal to 90 years of age)
- Telephone numbers
- Fax numbers
- Email addresses
- Social security numbers
- Medical record numbers
- Account numbers
- Certificate or license number
- Vehicle identifiers and serial numbers including license plate
- Device identifiers and serial numbers
- IP address numbers
- Biometric identifiers
- Full face photographic images and comparable images
- Health plan beneficiary numbers
- Any other unique identifying number, characteristic, or code
What are the limitations on how we can use PHI internally or disclose PHI externally?
The Privacy Rule establishes permitted uses and disclosures of PHI by Covered Entities such as Stanford. When PHI is shared within the Stanford Affiliated Covered Entity, it is being “used”. When PHI is shared outside of the Covered Entity (either with someone in a Stanford department not included in the SUHC or with someone outside of Stanford) it is being “disclosed”.
The Privacy Rule allows the use or disclosure of PHI:
- For treatment (including treatment in the course of research)
- For payment
- For health care operations (including education programs)
- With authorization by the individual
- When compelled by law
In addition, all research is subject to special requirements under the Privacy Rule which govern the handling of PHI.
Individuals have certain rights with respect to their PHI, including the right to receive an accounting of all disclosures made to people or groups outside of the Stanford Affiliated Covered Entity for purposes other than for treatment, payment, health care operations or with authorization by the individual. This means that each organization within the Stanford Affiliated Covered Entity must maintain records of disclosures outside the Covered Entity for all other purposes (including for health care operations and when compelled by law) and make these records available to individuals when requested.
How do I know if I can share PHI?
There is a three-pronged test to determine whether you can use or share PHI:
- Is the disclosure for treatment, payment or health care operations purposes?
- If not, do you have authorization from the patient?
- If not, is there another legal requirement for disclosure?
If you answer "yes" to any of the questions above, then you may share PHI both within and outside the Covered Entity. If the answer to all of the questions above is "no", do not share the PHI without contacting your Privacy Officer. Records must be kept only of those disclosures outside of the Stanford Affiliated Covered Entity that are compelled by law, as well as of any disclosures that are not permitted under the Privacy Rule.
Even if use or disclosure of PHI is permitted under the Privacy Rule, care must be taken to:
- Eliminate all of the personal identifiers which are not essential to the purpose for which the PHI is being used or disclosed.
- Use or disclose only the minimum amount of PHI necessary to satisfy the purpose of the use or disclosure.
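The identifier list above and the two "minimum necessary" steps just given can be applied mechanically before a data set leaves your hands. The following is an added example, not Stanford's code or policy: it strips the structured identifiers from a constructed record, scrubs identifiers that leak into free text, reduces dates to the year, and collapses ages of 90 or more into a single "90+" band while also dropping the birth year, which is how the Safe Harbor de-identification standard treats that age band. Field names, the regular-expression formats and the sample record are assumptions made for this example; the `keep` parameter is where the caller records which identifiers the stated purpose genuinely requires.

```python
import re
from datetime import date
# Constructed sample record (not real patient data) with free text that leaks identifiers.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "city": "Palo Alto",
    "state": "CA",
    "birth_date": "1931-04-12",
    "mrn": "MRN-0048213",
    "diagnosis": "type 2 diabetes",
    "notes": "Reached at 650-555-0142; chart MRN-0048213; pump SN X91-77.",
}

# Structured fields that hold one of the listed identifiers outright.
DIRECT_IDENTIFIERS = {"name", "city", "zip", "mrn", "email", "phone", "ssn", "account", "ip_address"}
DATE_FIELDS = {"birth_date", "admission_date", "date_of_death"}

# Identifier formats that commonly leak into free text (formats are assumptions for this example).
FREE_TEXT_PATTERNS = [
    ("phone", re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b")),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("mrn", re.compile(r"\bMRN-\d+\b")),
    ("serial", re.compile(r"\bSN\s*[A-Z0-9-]+\b")),
]

def scrub_text(text):
    """Replace each free-text identifier match with a typed placeholder."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label.upper()}]", text)
    return text

def deidentify(record, today, keep=frozenset()):
    """Copy `record` without the listed identifiers; fields in `keep` survive only
    because the caller's purpose requires them (the minimum-necessary judgement).
    Dates keep the year only; ages of 90+ collapse to "90+" and lose the birth year."""
    out = {}
    for field, value in record.items():
        if field in keep:
            out[field] = value
        elif field in DATE_FIELDS:
            out[field.replace("date", "year")] = value[:4]  # year only
        elif field not in DIRECT_IDENTIFIERS:
            out[field] = scrub_text(value) if isinstance(value, str) else value
    if "birth_date" in record and "birth_date" not in keep:
        born = date.fromisoformat(record["birth_date"])
        age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
        out["age"] = age if age < 90 else "90+"
        if age >= 90:
            out.pop("birth_year", None)
    return out
```

Running `deidentify(SAMPLE_RECORD, date.today())` leaves only the state, the diagnosis, the scrubbed note and the "90+" age band; the scrubbing is format-based, so a reviewer must still read the free text before release.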
Example 1: You are part of the School of Medicine. You want to ask a researcher outside of the School to help you analyze some data. First, check to see if you have an authorization from the patient. If you do, you may share the information once you have eliminated all identifiers from the data that are not necessary for the assistance you seek. If you do not have authorization, you should eliminate all personal identifiers from the information.
Example 2: You are part of the School of Medicine and are in the café talking about your research with a colleague from the School of Engineering lab across the hall. In the course of your conversation you want to share a picture showing the artificial limb on one of the subjects of your study. Without authorization, you may talk about the subject and show the photo so long as you do not refer to the subject by name, you cover up the subject’s face in the photo, and you eliminate all other personal identifiers listed above. Do not share any PHI about your research population without authorization and without ensuring it is the minimum necessary for the purpose of the disclosure.
Example 3: You are part of the School of Medicine. You get a request for information from the private physician of one of the subjects in your research study on heart disease. She has been diagnosed with cancer unrelated to your project. You may share PHI gathered in your research records with a private doctor to the extent necessary for the patient’s treatment.
How does HIPAA impact my activities if I am in a Stanford Covered Entity?
Inclusion in a Stanford Covered Entity ensures that PHI can be made readily available by, and shared with, SHC, SCH, the School of Medicine and the other SUHC components as needed to achieve your unit's objectives. Special procedures need to be in place for those not in the Covered Entity to receive and use PHI:
Check the individual's authorization to determine whether PHI may be disclosed and/or used in the manner proposed, especially before sharing information with someone outside of the School of Medicine or the Hospitals. Without prior authorization, every disclosure of PHI outside of the Stanford Affiliated Covered Entity must be documented in the patient records. This includes information disclosed in the course of casual conversations, information disclosed as the result of sharing data, and information disclosed when seeking assistance from a colleague outside of your lab.
Take care to protect PHI from accidental disclosure:
- Use a fax cover sheet when faxing PHI, double check the fax number to be sure it is correct, and be sure the intended recipient is available to pick up the fax when delivered.
- Keep all files containing PHI locked in file cabinets.
- Password protect all computer files containing PHI, and don’t share passwords.
- Eliminate all names and other identifiers when doing presentations including PHI.
- Don’t share subject names and other identifiers in conversations with colleagues outside of your department or lab.
- Place computer screens so they are not readily visible to people passing by.
- Don’t send PHI by e-mail if at all possible. When necessary, be sure it is encrypted.
What standards are established by the Security Rule?
The HIPAA Security Rule establishes administrative, physical and technical safeguards to secure protected health information that is (i) transmitted by electronic media or (ii) maintained in electronic media. Electronic protected health information is commonly referred to as ePHI.
The Security Rule requires that Covered Entities restrict access to ePHI to only those workforce members or business associates who require access to that data in order to perform their job functions. System access controls and procedures must be in place on all information systems that maintain ePHI to guard against unauthorized access to such data. Security mechanisms and procedures must be implemented to limit access to facilities and physical areas in which information systems that maintain or access ePHI are housed.
Computing devices must be installed, configured and located in a way that minimizes the unauthorized or incidental disclosure of ePHI. Managers and workforce members are responsible for employing appropriate safeguards to deter unauthorized access in the workplace and on their computing devices and storage media.
When ePHI is transmitted over an electronic communications network (e.g., file transfer, email), the ePHI must be secured against unauthorized access and modification. The sender must use a secure electronic messaging system (e.g., secure email) that has been approved by the Stanford Information Security Officer. If a secure system is not used to transfer the ePHI, then the ePHI must be encrypted.
System Owners are responsible for establishing appropriate auditing mechanisms and procedures to detect potential security incidents involving ePHI. Contingency plans must be developed and implemented for each information system for responding to and recovering from system outages or other emergencies that may damage or make unavailable the system or ePHI.
Stanford University has developed security policies to support these and other HIPAA Security Rule requirements.
What additional rules apply to research using PHI?
HIPAA affects an investigator's ability to collect and otherwise access PHI. The Privacy Rule requires certain procedural steps prior to releasing PHI to any investigator for use in research. This is true whether the investigator is inside or outside of the Stanford Affiliated Covered Entity. Therefore, the Privacy Rule affects the ability of one Stanford investigator to share PHI with another Stanford investigator or with investigators connected with other Covered Entities, such as NIH or another academic medical center. When PHI is to be shared for research purposes, a HIPAA authorization must be added to the research informed consent, or a waiver of the HIPAA authorization for the research use must be obtained from the IRB.