Archive for November, 2008

More than a Green Light: The Heightened Protection of Individually Identifiable Health Information

Take note: the health and medical data you may receive from your clients, employees, and/or customers is subject to a special level of protection from your use if it in any way identifies the person. Besides the obvious categories of information such as names or contact information, protected information includes birthdays, medical record numbers, and any full-face photographs or comparable images from which a person’s identity could be established (a list of the 18 individual identifiers according to HIPAA 1996 follows the end of this entry).

So what if you have some great pictures you would like to use in a presentation or study? The Department of Health and Human Services established guidelines that must be followed to get the person’s valid and legal authorization.

Simply having the person sign a generic authorization form or “release” (often called a “model release” for photos) will not do. Because medical information is seen as highly private, the Federal Regulations demand that you take specific steps in order to provide the person with the highest level of understanding of what exactly you are asking for. A valid authorization under the Code of Federal Regulations, section 164.508, has core elements which are required for all authorizations regarding the use of health care information. These core elements, without any of which an authorization is invalid, are:

  1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
  2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
  3. The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
  4. A description of each purpose of the requested use or disclosure.
  5. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure.
  6. Signature of the individual and date.
  7. A statement of the individual’s right to revoke the authorization in writing, and the exceptions to the right to revoke and a description of how the individual may revoke the authorization.
  8. A statement of the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization.

45 C.F.R. § 164.508(c)(1-2). In addition, the authorization must be written in plain language, and a copy of the authorization must be given to the individual. 45 C.F.R. § 164.508(c)(3-4).

These requirements are not to be taken lightly, as they provide protection to the individual by providing notice of what they are allowing you to do with their personal information. For example, for the description of the purpose of the requested use, the comments to the Rule provide that no mere generalization will suffice; instead, you must detail specifically what you want and what you plan to do with it:

[a]uthorizations requested by covered entities for their own uses and disclosures of protected health information must also identify each purpose for which the information is to be used or disclosed. The required statement of purpose(s) must provide individuals with the facts they need to make an informed decision whether to allow release of the information. We prohibit the use of broad or blanket authorizations requesting the use or disclosure of protected health information for a wide range of unspecified purposes. Both the information that is to be used or disclosed and the specific purpose(s) for such uses or disclosures must be stated in the authorization.

65 Fed. Reg. 82,518 (December 28, 2000). It is only when armed with this specific information that the individual will be able to make a true decision on whether to allow you greater rights in that information. This personal interest is at the foundation of the HHS Privacy Rule, and cannot be tossed aside lightly.

So be wary when writing an authorization form in order to gain the rights to use personal information. Even if you personally gathered all of the data, you must be able and willing to follow each of the steps listed above. If you don’t, you are inviting liability in the form of an invasion of privacy claim.

List of 18 Individual Identifiers according to HIPAA 1996:

  1. Names;
  2. All geographical subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
  4. Phone numbers;
  5. Fax numbers;
  6. Electronic mail addresses;
  7. Social Security numbers;
  8. Medical record numbers;
  9. Health plan beneficiary numbers;
  10. Account numbers;
  11. Certificate/license numbers;
  12. Vehicle identifiers and serial numbers, including license plate numbers;
  13. Device identifiers and serial numbers;
  14. Web Universal Resource Locators (URLs);
  15. Internet Protocol (IP) address numbers;
  16. Biometric identifiers, including finger and voice prints;
  17. Full face photographic images and any comparable images; and
  18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data).

For more information, please contact Timothy Buckley III, Esq. at (404) 633-9230.
