11. Legal Framework

The overarching legal framework for the CHHS Data De-identification Guidelines is the California Information Practices Act (IPA), California Civil Code 1798 et seq., which was enacted in 1977 and applies to all state government entities. The IPA sets requirements for the collection, maintenance, and dissemination of any information that identifies or describes an individual. The IPA and other California statutes limit the disclosure of personal information, consistent with the California constitutional right to privacy. However, state agencies are generally permitted (and sometimes required, under the California Public Records Act and other laws) to disclose data that have been de-identified. Summarized or aggregated data may still be identifiable; the DDG provides guidelines for assessing whether data have been de-identified.

While most state agencies are covered by the IPA, some are also covered by or impacted by HIPAA. Unlike the IPA, which applies to all personal information, HIPAA only applies to certain health or healthcare-related information. HIPAA requirements apply in combination with IPA requirements.

Personal Information

“Personal Information” is defined by California Civil Code section 1798.3(a) as “any information that is maintained by an agency that identifies or describes an individual, including, but not limited to,

  • his or her name,
  • social security number,
  • physical description,
  • home address,
  • home telephone number,
  • education,
  • financial matters, and
  • medical or employment history.

It includes statements made by, or attributed to, the individual.”

Under Section 1798.24 of the IPA, “An agency shall not disclose any personal information in a manner that would link the information disclosed to the individual to whom it pertains,” unless the disclosure falls within one of the exceptions enumerated in Section 1798.24.

Senate Bill 13 updated the IPA, effective January 1, 2006, to require Committee for the Protection of Human Subjects (CPHS) review and approval before personal information (linkable to any individual) that is held by any state agency or department can be released for research purposes. CPHS does not delegate reviews for compliance with the IPA to other institutional review boards. (http://www.oshpd.ca.gov/Boards/CPHS/)

California Laws

California Laws Governing the Collection and Release of Confidential, Personal, or Sensitive Information (please note that this is not an exhaustive list)

General State Collected Information and Data

  • Civil Code 1798.24, 1798.24a, 1798.24b (all personal information including health data)
  • Government Code 11015.5 (electronically collected personal information)

General Medical Data

  • Civil Code 56.10 – 56.11
  • Civil Code 56.13
  • Civil Code 56.29
  • Health & Safety Code 128730
  • Health & Safety Code 128735
  • Health & Safety Code 128736
  • Health & Safety Code 128737
  • Health & Safety Code 128745
  • Health & Safety Code 128766

Birth Defects

  • Health & Safety Code 103850

Blood Lead Analysis

  • Health & Safety Code 124130

Cancer

  • Health & Safety Code 104315
  • Health & Safety Code 103875
  • Health & Safety Code 103885

Child Health Information

  • Health & Safety Code 130140.1

Child Health Screening

  • Health & Safety Code 124110
  • Health & Safety Code 124991

Cholinesterase Testing

  • Health & Safety Code 105206

Developmentally Disabled

  • Health & Safety Code 416.18
  • Health & Safety Code 416.8
  • Welfare & Institutions Code 4514, 4514.3, 4514.5
  • Welfare & Institutions Code 4517 (aggregation and publication of data)
  • Welfare & Institutions Code 4744
  • Welfare & Institutions Code 4659.22

Environmental Health Hazards

  • Health & Safety Code 59016

General Public Health Records

  • Health & Safety Code 121035
  • Health & Safety Code 100330

Genetic Information

  • Health & Safety Code 124975
  • Health & Safety Code 124980
  • Health & Safety Code 125105 (prenatal test)
  • Civ. Code 56.17

HIV/AIDS

  • Health & Safety Code 121022
  • Health & Safety Code 121023
  • Health & Safety Code 121025
  • Health & Safety Code 121075
  • Health & Safety Code 121085
  • Health & Safety Code 121110
  • Health & Safety Code 121125
  • Health & Safety Code 121010
  • Health & Safety Code 120820
  • Health & Safety Code 120980
  • Health & Safety Code 121280
  • Health & Safety Code 120962
  • Health & Safety Code 120975
  • Health & Safety Code 121080
  • Health & Safety Code 121090
  • Health & Safety Code 121095
  • Health & Safety Code 121120
  • Rev. & T. Code 19548.2

Immunizations

  • Health & Safety Code 120440

Independent Medical Review

  • Health & Safety Code 1374.33

Involuntary Mental Health (LPS covered records)

  • Welfare & Institutions Code 5328 through 5328.9
  • Welfare & Institutions Code 5329 (aggregation and publication of data)
  • Welfare & Institutions Code 5540
  • Welfare & Institutions Code 5610
  • Welfare & Institutions Code 4135
  • Education Code 56863

Medi-Cal Data

  • Welfare & Institutions Code 14100.2
  • Welfare & Institutions Code 14015.8
  • Welfare & Institutions Code 14101.5

Parkinson’s Disease Registry

  • Health & Safety Code 103865

Payment and Billing Info

  • Health & Safety Code 440.40 (applies only to GACHs)

Prenatal Tests

  • Health & Safety Code 120705
  • Health & Safety Code 125105

Public Assistance

  • Welfare & Institutions Code 10850 (Confidential Information)

Public Social Services

  • Welfare & Institutions Code 10850

Substance Abuse Treatment Data

  • Health & Safety Code 11845.5
  • Health & Safety Code 11812

Vital Records

  • Health & Safety Code 102430
  • Health & Safety Code 102425
  • Health & Safety Code 102426
  • Health & Safety Code 102455
  • Health & Safety Code 102460
  • Health & Safety Code 102465
  • Health & Safety Code 102475
  • Health & Safety Code 103025

Federal Laws Governing Public Data Release

{% hint style="warning" %} Please note that this is not an exhaustive list {% endhint %}

  • HIPAA - Section 164.514 of the HIPAA Privacy Rule (45 CFR)
  • 42 CFR Part 2
  • Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99)
  • Freedom of Information Act (FOIA) (5 U.S.C. § 552)

Data De-identification

While the IPA does not prescribe specific de-identification methods or criteria, the concept of statistical de-identification means the same thing, and the standard of protection for identifiable data is the same, for IPA-covered PI as for HIPAA-covered PHI.

The California Office of Health Information Integrity (CalOHII) is authorized by state statute to coordinate and monitor HIPAA compliance by all California State entities within the executive branch of government that are covered or impacted by HIPAA. The 2014 assessment, revised in July 2015, identified the programs and departments in CalHHS that are considered covered entities under HIPAA as a Health Care Provider, Health Care Plan, Health Care Clearinghouse, Hybrid Entity, or Business Associate. Detail is provided in Appendix B. One difference between the California IPA and HIPAA is HIPAA’s documentation requirement for data de-identified using the Expert Determination method. Each of the following departments will need to identify which programs within the department are impacted by HIPAA as part of its department-specific DDG.

  • Department of Aging
  • Department of Developmental Services
  • Department of Health Care Services
  • Department of Managed Health Care
  • Department of Public Health
  • Department of Social Services
  • Department of State Hospitals
  • Health and Human Services Agency
  • Office of Systems Integration

For programs and departments that are covered by HIPAA, de-identification must meet the HIPAA standard. The DDG serves as a tool to make and document an expert determination consistent with the HIPAA standard. The following comes from federal guidance for HIPAA that provides more detail regarding Safe Harbor and Expert Determination under the HIPAA standard.

The HIPAA Standard¹ for de-identification of protected health information (PHI)² states “Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.” If the data are de-identified, and it is not reasonably likely that the data could be re-identified, the Privacy Rule no longer restricts the use or disclosure of the de-identified data.

The following is quoted from the “Guidance Regarding Methods for De-identification of Protected Health Information in Accordance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule”, published November 2012 by the U.S. Department of Health & Human Services, Office for Civil Rights: (https://www.hhs.gov/hipaa/for-professionals/special-topics/de-identification/index.html#standard)

{% hint style="warning" %} Formatting of text may be different than the original document. {% endhint %}

The HIPAA De-identification Standard

Section 164.514(a) of the HIPAA Privacy Rule provides the standard for de-identification of protected health information. Under this standard, health information is not individually identifiable if it does not identify an individual and if the covered entity has no reasonable basis to believe it can be used to identify an individual.

§ 164.514 Other requirements relating to uses and disclosures of protected health information.
(a) Standard: de-identification of protected health information. Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.

Sections 164.514(b) and (c) of the Privacy Rule contain the implementation specifications that a covered entity must follow to meet the de-identification standard. As summarized in Figure 1, the Privacy Rule provides two methods by which health information can be designated as de-identified.

Figure 1. Two methods to achieve de-identification in accordance with the HIPAA Privacy Rule.

The first is the “Expert Determination” method:

(b) Implementation specifications: requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if:
(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
(ii) Documents the methods and results of the analysis that justify such determination; or

The second is the “Safe Harbor” method:

(2)(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:

(A) Names

(B) All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000

(C) All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older

(D) Telephone numbers

(E) Fax numbers

(F) Email addresses

(G) Social security numbers

(H) Medical record numbers

(I) Health plan beneficiary numbers

(J) Account numbers

(K) Certificate/license numbers

(L) Vehicle identifiers and serial numbers, including license plate numbers

(M) Device identifiers and serial numbers

(N) Web Universal Resource Locators (URLs)

(O) Internet Protocol (IP) addresses

(P) Biometric identifiers, including finger and voice prints

(Q) Full-face photographs and any comparable images

(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section [Paragraph (c) is presented below in the section “Re-identification”]; and

(ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

Satisfying either method would demonstrate that a covered entity has met the standard in §164.514(a) above. De-identified health information created following these methods is no longer protected by the Privacy Rule because it does not fall within the definition of PHI. Of course, de-identification leads to information loss which may limit the usefulness of the resulting health information in certain circumstances. As described in the forthcoming sections, covered entities may wish to select de-identification strategies that minimize such loss.

Re-identification

The implementation specifications further provide direction with respect to re-identification, specifically the assignment of a unique code to the set of de-identified health information to permit re-identification by the covered entity.

If a covered entity or business associate successfully undertook an effort to identify the subject of de-identified information it maintained, the health information now related to a specific individual would again be protected by the Privacy Rule, as it would meet the definition of PHI. Disclosure of a code or other means of record identification designed to enable coded or otherwise de-identified information to be re-identified is also considered a disclosure of PHI.

(c) Implementation specifications: re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:
(1) Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
(2) Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.
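The Safe Harbor rules quoted above (items (A) through (R) of §164.514(b)(2)) and the re-identification-code conditions of §164.514(c) are concrete enough to be applied mechanically to a record. The following Python is an added illustration and is not part of the CHHS DDG or the HHS guidance. It assumes a flat dictionary record with the field names shown, uses a constructed sample record, and uses a constructed ZIP3 population table in place of the Census Bureau figures the rule actually requires; the contrast at the end shows why a code derived from an identifier (here an unkeyed SHA-256 of the SSN) does not satisfy §164.514(c)(1), while a random code held in a separate mapping does.

```python
"""Added example (not part of the CHHS DDG or the HHS guidance): applying the
Safe Harbor identifier rules of 45 CFR 164.514(b)(2) to one record, and issuing
a re-identification code that follows 164.514(c). Field names, the sample
record and the ZIP3 population figures are constructed for illustration."""

import datetime as dt
import hashlib
import re
import secrets

# Constructed sample data (assumption): population of the area formed by all ZIP
# codes sharing three initial digits. A real implementation must use current
# Census Bureau figures. 20,000 is the threshold in 164.514(b)(2)(i)(B).
ZIP3_POPULATION = {"900": 3_500_000, "893": 12_000}
POP_THRESHOLD = 20_000

# Allow-list of fields that survive unchanged. Safe Harbor item (R) covers "any
# other unique identifying number, characteristic, or code", so an allow-list
# fails closed: an unexpected column is dropped rather than leaked.
KEEP_FIELDS = ("sex", "diagnosis_code")
DATE_FIELDS = ("admission_date", "discharge_date")
AS_OF = dt.date(2024, 6, 1)  # reference date for computing age (assumption)


def safe_harbor_zip(zip_code: str, populations: dict = ZIP3_POPULATION) -> str:
    """Item (B): keep only the first three ZIP digits, and only when the ZIP3
    area holds more than 20,000 people; otherwise emit '000'. A ZIP3 missing
    from the table is treated as small (fail closed)."""
    zip3 = re.sub(r"\D", "", zip_code)[:3]
    if len(zip3) != 3:
        return "000"
    return zip3 if populations.get(zip3, 0) > POP_THRESHOLD else "000"


def age_on(birth: dt.date, as_of: dt.date) -> int:
    """Completed years of age on the as_of date."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def safe_harbor_record(record: dict, as_of: dt.date,
                       populations: dict = ZIP3_POPULATION) -> dict:
    """Return a new dict with the Safe Harbor identifier classes removed or
    generalized. Direct identifiers (A and D through R) are dropped because they
    are not in KEEP_FIELDS; dates (C) keep only the year; ZIP (B) is generalized."""
    age = age_on(record["birth_date"], as_of)
    out = {
        # Item (C): ages over 89 collapse into a single '90+' category, and the
        # birth year, which would reveal such an age, is removed for them too.
        "age": "90+" if age > 89 else str(age),
        "birth_year": None if age > 89 else record["birth_date"].year,
        "zip3": safe_harbor_zip(record["zip"], populations),
    }
    for field in DATE_FIELDS:
        if record.get(field) is not None:
            out[field.replace("_date", "_year")] = record[field].year
    for field in KEEP_FIELDS:
        if field in record:
            out[field] = record[field]
    return out


class ReidentificationVault:
    """164.514(c): the covered entity may keep a code that lets it re-identify
    the record, provided the code is not derived from the individual's data
    (c)(1) and the mapping is never disclosed (c)(2). The code is random and
    the mapping lives only here, never in the released data set."""

    def __init__(self) -> None:
        self._code_to_identity = {}

    def assign(self, identity_key: str) -> str:
        code = secrets.token_hex(16)  # 128 random bits, unrelated to the person
        self._code_to_identity[code] = identity_key
        return code

    def reidentify(self, code: str):
        return self._code_to_identity.get(code)


def code_derived_from_ssn(ssn: str) -> str:
    """What NOT to do: an unkeyed hash of the SSN is 'derived from' information
    about the individual and can be recomputed by anyone holding a list of
    SSNs, so it does not meet 164.514(c)(1)."""
    return hashlib.sha256(ssn.encode()).hexdigest()


# Constructed sample record (assumption); it is not real data.
SAMPLE_RECORD = {
    "name": "Jane Doe", "ssn": "123-45-6789", "mrn": "MRN-0001",
    "street": "1 Main St", "city": "Los Angeles", "zip": "90012",
    "phone": "213-555-0100", "email": "jane@example.com",
    "birth_date": dt.date(1930, 3, 15),
    "admission_date": dt.date(2024, 1, 10), "discharge_date": dt.date(2024, 1, 14),
    "sex": "F", "diagnosis_code": "E11.9",
}

if __name__ == "__main__":
    vault = ReidentificationVault()
    released = safe_harbor_record(SAMPLE_RECORD, as_of=AS_OF)
    released["record_code"] = vault.assign(SAMPLE_RECORD["mrn"])
    print(released)
```

Two things the code cannot do for you: the "actual knowledge" condition in §164.514(b)(2)(ii) is a judgement about the recipient and the other data they hold, not a transformation, and the released field set (here `sex` and `diagnosis_code`) still has to be reviewed for rare values that make a record unique, which is the question the DDG's own guidelines address.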

Footnotes

  1. The Standard is found in the HIPAA Privacy Rule, 45 CFR section 164.514(a)

  2. “PHI” is defined as information which relates to the individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual, or for which there is a reasonable basis to believe can be used to identify the individual. (45 CFR section 160.103)