If you have been to a doctor’s office in the last several years, you’ve likely signed a form detailing the provider’s privacy practices, how they protect your information, and how they comply with something called HIPAA. The Healthcare Information Portability and Accountability Act (HIPAA, pronounced just like it is spelled: hip-ahh) was enacted in 1996 in response to the shift from paper medical records to electronic and keeps your Protected Health Information (PHI) safe.
How does HIPAA protect PHI and how does CIVHC work within HIPAA to release CO APCD data?
A good way to think about it is like this: PHI in the CO APCD is a treasure surrounded by a fortress (HIPAA) and guarded by a keeper (CIVHC) who makes sure no one gains access to the treasure without having a darned good reason and providing the right information. The Bridgekeeper from Monty Python and the Holy Grail comes to mind – though CIVHC is less unpredictable with its questions and there is no Gorge of Eternal Peril.
“…answer me these questions three…”
HIPAA governs how covered entities, like CIVHC, use, store, and transmit PHI. The rules surrounding PHI include ensuring that it is locked up securely, encrypted, and only given to people who absolutely need to know and in the smallest amount possible. CIVHC does not store any PHI on the computers in the office and very few analysts are able to access it via a secure data enclave maintained by our data vendors Human Services Research Institute (HSRI) in Cambridge, MA and NORC at the University of Chicago.
Under HIPAA, there are only three types of projects for which CIVHC can release PHI from the CO APCD to a data requestor. These projects must be focused on:
- Treatment, Payment, and Health Care Operations,
- Research, or
- Public Health Activities.
It is the job of CIVHC’s Data Release Review Committee (DRRC) to evaluate every request for PHI to ensure that the project fits under one of these categories. At the same time, the DRRC is checking the data application to make sure that the PHI requested is absolutely necessary to support the proposed use and limited to the absolute smallest quantity required to complete the goals of the project. This is referred to under HIPAA as the minimum necessary standard.
“What is the air-speed velocity of an unladen swallow?”
CIVHC does not treat requests to release PHI lightly. We take our responsibility to protect Protected Health Information very seriously. If there is any question regarding whether or not a request satisfies the HIPAA release criteria, the DRRC will not recommend the application for approval until such questions are fully resolved.
“What is your favorite (CIVHC) color?”