HIPAA and CIIS
What is the Health Insurance Portability and Accountability Act (HIPAA)?
Passed by Congress in 1996, HIPAA does the following:
- Provides the ability to transfer and continue health insurance coverage when a person loses or changes their job;
- Reduces health care fraud and abuse;
- Mandates industry-wide standards for health care information on electronic billing and other processes; and
- Requires the protection and confidential handling of protected health information (HIPAA Privacy Rule).
The HIPAA Privacy Rule
The HIPAA Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) establishes national standards to protect individuals’ personal health information. A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. There are no restrictions on the use or disclosure of de-identified health information. The Privacy Rule applies to what are known as “covered entities”, specifically health plans, health care clearinghouses, and health care providers who conduct certain health care transactions electronically.
How does the HIPAA Privacy Rule apply to the Department and CIIS?
We are a “public health authority” as defined by HIPAA. A public health authority is an agency or authority of the U.S. government, a state, a territory, a political subdivision of a state or territory, or Indian tribe that is responsible for public health matters as part of its official mandate. Under 45 CFR § 164.512(b), covered entities may disclose protected health information to public health authorities authorized by law to collect or receive such information for preventing or controlling disease, injury, or disability, such as the reporting of diseases, and the conduct of public health surveillance, public health investigations, and public health interventions. This includes the reporting of immunization information through CIIS, without patient authorization, to us. In accord with our privacy policies, such as limiting access to the minimum amount necessary, we protect the privacy and confidentiality of this immunization information.
How does the HIPAA Privacy Rule apply to providers who report data to CIIS?
Providers who report immunization information to CIIS are covered entities under HIPAA and subject to its requirements. HIPAA allows healthcare providers to disclose immunization information, including patient identifiers, to CIIS without patient authorization. Providers must make reasonable efforts to limit the use or disclosure of personal health information to the minimum amount necessary to accomplish their purpose (45 CFR. 164.502 (b)(1)). The agreements signed between CIIS participating providers and us, along with the CIIS Privacy and Confidentiality Policy, limit both the use and disclosure of the immunization information in CIIS to those authorized by the Colorado Immunization Registry Act.
Privacy: Patients Right to Opt Out
Per CRS § 25-4-2403 (7), all persons have the statutory right to exclude their information from CIIS at any time. Participating sites that have a signed CIIS Letter of Agreement with us are required to notify individuals, parents, and legal guardians of their right to opt out of the system. It is the responsibility of the individual, parent, or legal guardian to submit their opt-out request to us for processing. NOTE: CIIS works on a search function; system users have to search for and find an individual in CIIS prior to viewing or updating the individual’s record. The following demographic information is kept in CIIS for opt-out individuals: First Name, Last Name, Date of Birth, Gender, City, County and Zip Code. This information is retained to prevent CIIS users from inadvertently adding opt-out individuals back into CIIS, either through direct data entry or electronic reporting to CIIS. This is the only way to guarantee the continued privacy of persons who opt out.