Information Managementfor State Health OfficialsHIPAA Privacy Rule Implementationin State Public Health AgenciesASSOCIATION OF STATE AND TERRITORIAL HEALTH OFFICIALSAssociation of State and Territorial Health Officials1275 K Street, NWSuite 800Washington, D.C. 20005-4006www.astho.orgPRIVACY AND PUBLIC HEALTH PRACTICE SERIESSuccesses, Challenges, and Future Needs35717_ASTHO_S2.qxd 9/2/05 6:42 AM Page 1© 2005 Association of State and Territorial Health Officials 1 HIPAA Privacy Rule Implementation in State Public Health AgenciesSuccesses, Challenges, and Future Needs —© 2005 Association of State and Territorial Health Officials 2 This project was made possible with funding from the Centers for Disease Control and Prevention, Health Information Privacy Office, Cooperative Agreement to Improve the Nation’s Public Health Infrastructure with State Public Health Agencies/Systems (#U50-CCU313903-06). ASTHO is grateful for this support. The Association of State and Territorial Health Officials is the national non-profit organization representing the state and territorial public health agencies of the United States, the U.S. territories, and the District of Columbia. ASTHO’s members, the chief health officials in these jurisdictions, are dedicated to formulating and influencing sound public health policy, and assuring excellence in state-based public health practice. For additional information contact: [email protected] 1275 K Street, NW, Suite 800 Washington, DC 20005 Phone: (202) 371-9090 Fax (202)371-9797 www.ASTHO.org www.StatePublicHealth.org© 2005 Association of State and Territorial Health Officials 3 Executive Summary To assist states with implementation of the Health Insurance Portability and Accountability Act (HIPAA), the Association of State and Territorial Health Officials (ASTHO) developed a brief survey to evaluate states’ experiences with the Act. The survey was distributed in August 2004 to state senior deputies, members of ASTHO’s HIPAA Task Team, and designated state staff members. This issue report presents the survey results, including how states have classified themselves under the Privacy Rule, their outstanding achievements, implementation barriers, and how those barriers have been overcome. HIPAA, the Federal Privacy Rule, and Public Health An Overview Issued under the Health Insurance Portability and Accountability Act of 1996, the federal Privacy Rule provides individuals with new protections regarding the confidentiality of their health information and establishes new protections for health care providers, health plans, and other entities to protect such information.1 On April 14, 2003, most entities were required to be in compliance with the Privacy Rule. How State Public Health Agencies Are Classified Under HIPAA The Privacy Rule classifies entities based on whether an agency includes covered or non-covered functions. These classifications are defined as either a covered entity or a hybrid entity. • Thirty-two states (64 percent) out of the 50 states surveyed classified themselves as hybrid entities. • Fourteen states (28 percent) classified themselves as covered entities. • Four states (8 percent) said they were in the “other” category. No state reported a change of status during the survey conducted by ASTHO. However, new state legislation could lead to a change in one state’s classification. Achievements States dedicated considerable effort to train employees on the Privacy Rule and its requirements. Several states highlighted web-based training efforts, monthly newsletters that raise employees’ awareness of HIPAA, and individual, face-to-face training efforts. In addition, some states modified their statutes to conform with HIPAA, although the Privacy Rule does not pre-empt state privacy laws that are more stringent or more protective. Implementation Barriers The Privacy Rule specifically allows for disclosures of protected health information to public health authorities. However, several states reported a reluctance to comply with this provision, or a general lack of understanding among entities. This lack of understanding was overcome or lessened by training the workforce and educating healthcare providers about the Privacy Rule and how it impacts public health. Many states commented that they have had limited resources to implement the Privacy Rules. Although this response was a primary answer to our question about barriers to implementation, states also commented they felt they did a good job with the funding and human resources that were available. Conclusion States highlighted their achievements in training and education, developing resources for both internal and external use, aligning state laws and regulations to HIPAA, and conducting on-site reviews. As always, there are challenges to any new regulation. The states experienced challenges and responded by providing more knowledge and resources. —© 2005 Association of State and Territorial Health Officials 4 About ASTHO The Association of State and Territorial Health Officials (ASTHO) is the national nonprofit organization representing the state and territorial public health agencies of the United States, the U.S. Territories, and the District of Columbia. ASTHO’s members, the chief health officials of these jurisdictions, are dedicated to formulating and influencing sound public health policy and to assuring excellence in state-based public health practice. Guided by its policy committees, ASTHO addresses a variety of key public health issues and publishes newsletters, survey results, resource lists, and policy papers that assist states in developing public policy and promoting public health programs at the state level. About the HIPAA Task Team Due to the complexity of the Health Insurance Portability and Accountability Act (HIPAA) rules coupled with the timeframe for implementation, ASTHO formed a group that could identify and share states’ needs for HIPAA Privacy Rule implementation. The purpose of the HIPAA Task Team (HTT) is to identify issues that impact primarily state health departments—recognizing many of these same issues will pertain to local health departments. The HTT, which has been in place for more than three years, consists of senior leaders in state health departments as well as members of the National Association of County and City Health Officials (NACCHO), ASTHO affiliate