The Impact Of The HIPAA Privacy Rule From
The State Public Health Department Perspective

Testimony To The National Committee on Vital and Health Statistics
Subcommittee on Privacy and Confidentiality

November 19, 2003, Silver Spring, Maryland

Dave Orren, Minnesota Department of Health

Introduction. Mr. Chair and members of the Subcommittee, my name is Dave Orren. I am the Data Practices Coordinator for the Minnesota Department of Health (MDH). Thank you very much for the opportunity to discuss the impact of the HIPAA privacy rule on public health practice. We have had several years of anticipation leading up to the HIPAA privacy rule and now seven months of experience working with the HIPAA privacy rule. There is certainly enough to discuss.

Congressional mandate - no HIPAA impact on public health. First, it should be noted that Congress mandated that HIPAA not limit public health. Section 1178(b) of the Health Insurance Portability and Accountability Act of 1996 explicitly carves out protection for state public health laws. This provision states: “... nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth or death, public health surveillance, or public health investigation or intervention.”

Not a covered entity, but still affected by HIPAA. MDH is not a covered entity under HIPAA. The huge majority of our programs are clearly public health and clearly not covered by HIPAA. We had to do a more careful analysis of three of our programs to determine that they were not covered by HIPAA. However, even though MDH is not covered by HIPAA, there is a significant, although indirect, effect of the HIPAA privacy rule on MDH’s public health practice.

Minnesota patient privacy laws. In Minnesota, we have had strong patient privacy and patient rights laws for many years. Patients will not notice much of a difference in their health care other than all the privacy notices they have been receiving. One big plus because of HIPAA is the attention to privacy. This has lead to additional privacy training and better awareness for providers and plans.

In general. In general and for the most part, MDH still gets much of the data we need, but there have been bumps in the road and there are problems to resolve.

Disclosure tracking can create a disincentive. HIPAA’s biggest impact on MDH’s public health practice, in my opinion, is due to the HIPAA requirements to track disclosures. The extra work and resources needed to track disclosures create a disincentive for providers and plans to voluntarily report public health data to MDH.

• Some providers and plans have interpreted the disclosure tracking requirements to mean that they must annotate each patient record whenever a routine public health disclosure is made. Tracking disclosures this way would be very burdensome.
• The requirement to track disclosures potentially has a big impact on voluntary immunization registries. We have had some providers ask patients to sign authorizations as a way to avoid disclosure tracking. I can see how this would reduce the amount of information getting into an immunization registry, but I cannot see how this would protect privacy any better.
• We are working on a couple of public health studies where plans have asked MDH to use a limited data set/data use agreement as a way to avoid disclosure tracking. I do not see how a limited data set/data use agreement would protect privacy any better than the privacy practices and privacy laws currently in place. However, I do see how this can reduce the amount of data MDH has to analyze while increasing the burden of getting the data.
• The requirement to track disclosures, if interpreted to mean annotating each patient record, could seriously limit provider and plan participation in voluntary hospital discharge data bases and health care billing data bases that some states use or are attempting to create.

Educational materials for providers and plans. MDH has developed a number of brochures and memos to help providers and plans understand that they can continue to provide public health data to MDH, as they have done before HIPAA. Two samples of these are included with my written testimony. Both discuss the fact that HIPAA allows reporting of PHI to public health. Both also give our interpretation that HIPAA allows for a simplified means to track multiple disclosures for the same purpose.

Minnesota’s Notice of Patient Rights. MDH is required by Minnesota Statutes to prepare a notice of patient rights that tells patients of the disclosures that can be made without written consent and the rights of patients to access and obtain copies of their own health records. The one-page, Cliff’s Notes version (which is posted at providers’ offices) and the nine-page, complete version (which is posted on our web site) are included with my testimony. The second document will give the subcommittee some idea of the long list of possible disclosures that providers and plans may have to track. Patients might very well be as well informed of the non-authorized disclosures of their PHI by a listing of the statutes that mandate or permit the disclosures as they would be by an annotation of their records for each disclosure. Such an approach would significantly reduce the burden and, therefore, the disincentive for providers to disclose public health data to public health agencies.

Mandating public health data reporting. MDH has issued commissioner’s orders and adopted rules in order to make certain public health data submissions mandatory instead of discretionary.

FERPA. MDH staff working with the sharing of immunization data have asked me to raise this issue with the Subcommittee. The attention to HIPAA has also shined a spotlight on the federal Family Educational Rights and Privacy Act (FERPA). I know that FERPA is not today’s topic, but perhaps you could note this problem related to public health practice and FERPA. Most states have mandatory student immunization laws, along with requirements for schools to monitor student compliance with these laws. An efficient way to monitor student compliance with these laws is the use of immunization registries. Immunization data flows mostly into the schools. FERPA does not restrict this. However, the schools have a significant amount of data that could go back to the registries (from shots given at school clinics or from student compliance documentation sent to the schools). FERPA requires written parental consent for this. Perhaps FERPA could contain provisions similar to HIPAA that allow disclosure to public health where it is mandated or permitted by law.

Bumps in the road. Some of the bumps in the road that MDH has encountered and that I expect will diminish and disappear over time include:

• Requests to sign business associate agreements.
• Convincing providers and plans that HIPAA allows them to still give MDH data.
• It has taken extra time and effort to get data from providers and plans for public health studies. An MDH epidemiologist told me that it took him and his staff an extra 400 hours to respond to hospitals’ requests to address and clarify issues so they could better evaluate that a public health study was meeting HIPAA requirements.
• It has taken me extra time to work through HIPAA issues in a contract with a hospital-based lab to perform some newborn screening services for us.

NAHDO. We endorse the comments today of the National Association of Health Data Organizations (NAHDO).

Recommendation. We encourage the subcommittee to endorse the use of an interpretation of HIPAA that allows for the simplified means to track multiple disclosures.

Bottom line. For years, public health has had access to sensitive health data for the purpose of protecting public health. For years, public health has done an excellent job of protecting privacy. This is very likely the reason Congress has mandated that nothing in the Act should be construed to limit public health.

Thank you. Thank you very much for the opportunity to discuss this with you.