The PRISM Privacy Tool: A User’s Guide

PHDSC Home Page: http://www.phdsc.org/

PRISM Web Page: http://www.phdsc.org/prism/introduction.htm

Upload: fay-stafford

Post on 13-Jan-2016


What is PRISM?

A framework for understanding the basic legal privacy requirements for the use and disclosure of health information

Created to help public sector health programs understand and apply state and federal privacy laws to their activities

What is PRISM? (cont’d)

An electronic, web-based tool

Set up as web tables to easily access and focus information relevant to a specific situation

Multiple tables created to inform all the common public sector health functions


Purpose of PRISM

Identifies and defines the baseline conditions and requirements that a government or other health entity must follow when using and disclosing specific types of health information

Organizes key privacy requirements related to uses and disclosures to provide direction to improve privacy policies, procedures, and compliance


What Information is in PRISM?

Uses the HIPAA privacy rule to set the basic framework

Incorporates other federal privacy laws, such as 42 CFR pt. 2 and FERPA, where relevant

References common provisions in state law

Focuses on DISCLOSURES of health information done by public programs

What Information is in PRISM? (cont’d)

Includes other laws or requirements that may have an impact

Provides additional information on how the requirement may be interpreted or applied in public programs


Why was PRISM developed?

Address a gap in federal HIPAA privacy guidance

HIPAA requirements do not always map to public sector health program activities


Why was PRISM developed? (cont’d)

Public sector health programs often combine multiple activities and functions, so rule application can be confusing

Useful for most payer and provider entities, whether public or private

Who developed PRISM?

Developed through the Public Health Data Standards Consortium (PHDSC)

Funded by the National Center for Health Statistics (NCHS)

Development oversight provided by the Consortium’s Privacy, Security, and Data Sharing Committee (PSDSC)

Who developed PRISM? (Cont’d)

Content developed by Consortium members:

Walter Suarez, MD, PHDSC President

Vicki Hohner, Co-Chair PSDS Committee

Legal Reviewer:

Joy Pritts, JD, Senior Policy Analyst and HIPAA Privacy expert, Georgetown University

How is PRISM structured?

Three separate tables for common public sector health-related functions:

Public Health Authority

Provider

Payer

Focus is on disclosures of specific types of identifiable health information

How is PRISM structured? (cont’d)

Tables organized by:

Disclosure Purpose: Treatment, Payment, Operations; Required by law (public health, health oversight); Judicial/administrative proceedings, law enforcement

How is PRISM structured? (cont’d)

Tables organized by:

Disclosure Purpose

Type of Information: HIV, immunizations, medical records

Separate section for minors

Separate table addressing who (as the individual) can control uses and disclosures and under what conditions

What information is in the PRISM tables?

Tables divided into cells that contain information about specific disclosures

HIPAA citation

Type of disclosure (required vs. permitted)

Information related to the disclosure (conditions, special requirements)

What information is in the PRISM tables (cont’d)?

HIPAA requirements of the disclosure:

Whether consent/authorization is required

Whether minimum necessary applies

If an accounting of disclosure is required

Additional general state law issues/requirements that may apply

Where can I find PRISM?

PHDSC Home Page: http://www.phdsc.org/

PRISM Web Page: http://www.phdsc.org/prism/introduction.htm

Introduction to PRISM

Click on “Proceed to PRISM Privacy Tool” at bottom of this web page

Understanding and Using PRISM

Proceed down the page and click on “Government Entity Acting As….”

Government Entity Acting As…

Proceed down the page and click on one of the Type of Disclosure tables


How do I use PRISM? (Cont’d)

Click on a specific functional table to access the actual table

This takes you to the grid of disclosure purposes for that table by specific data type

How do I use PRISM? (Cont’d)

Click on a folder icon to access the content for a specific disclosure/data type

This screen provides you with disclosure guidelines specific to this type of disclosure

Example #1

My program functions as a provider

I want to disclose information on children’s immunizations for public health purposes

1. First click to access the Public Health Healthcare Provider table


Example #1 (Cont’d)

2. Then go to table 4, Disclosures Required by Law; for Public Health; etc., which covers disclosures for public health purposes

Example #1 (Cont’d)

3. Look along the top for the Public health purpose column, then for Unemancipated minors information down the side, and click to open

Example #1 (Cont’d)

4. Using the information in the cell:

If an entity is performing public health activities as a provider, that disclosure is allowed without consent or authorization under HIPAA

State laws define and control legal issues related to minors, but public health activities are normally not affected by these laws

Example #2

My program functions as a provider AND a public health authority

I need to disclose HIV/AIDS information for treatment purposes

1. First click to access the Provider table


Example #2 (Cont’d)

2. Then go to table 2, Disclosures for Treatment, Payment, and Health Care Operations, which contains specific information for TPO purposes

Example #2 (Cont’d)

3. Look for the Treatment disclosures column, and the STD/AIDS row, and click on the cell to open

Example #2 (Cont’d)

4. Then click on the Public Health Authority table, go to table 2, Disclosures for Treatment, Payment, and Health Care Operations, which contains specific information for TPO purposes

Example #2 (Cont’d)

5. Look for the Treatment disclosures column, and the STD/AIDS row, and click on the cell to open

Example #2 (Cont’d)

6. Using the information in both cells:

If an entity is performing treatment activities as a provider, that disclosure is allowed without consent or authorization under HIPAA

However, HIV information is often subject to stricter state protections, so state laws may require consent or authorization for some or all treatment activities

If an entity is performing treatment activities as a public health authority, then that disclosure is not subject to the HIPAA requirements

However, those treatment activities must be clearly identifiable as public health activities defined by law to qualify


PRISM Privacy Definitions and Resources


How can I provide feedback on PRISM?

Feedback/Comment form: http://www.phdsc.org/about/feedback.asp?cf=pr

Your comments are critical to future revisions and enhancements to this tool


Other Consortium Products and Activities

Products:

Websites

Local health privacy case studies

Activities:

Participate in state and national privacy and security projects (HISPC)

Participate in national privacy and security standards harmonization (HITSP)


For more information

About the Consortium and other Consortium products: http://www.phdsc.org

Invite participation in Consortium activities

Help produce more useful tools and information

Consider joining the Consortium to further these and other efforts

Contact Information

Walter G. Suarez, MD
President and CEO
Institute for HIPAA/HIT Education and Research
Email: [email protected]: 703-519-1828

Vicki Hohner, MBA
Senior Consultant
Fox Systems, Inc.
Email: [email protected]: 360-970-6856