Patient Privacy Policy 

The Privacy Act

The Privacy Act (45 CFR 5b) regulations govern the routine ways in which we maintain and control private information about our patients. We must protect the privacy of individuals to the fullest extent possible while permitting the exchange of records needed to efficiently carry out the mission of the Laboratory of Pathology (LP), consistent with the purpose for which the records are collected and maintained. This policy applies to employees, contractors, and volunteers who work with private information in LP; it may also be shared with healthcare providers and their patients to help them understand why information is collected and how it is used. The PRIVACY ACT OF 1974, 5 U.S.C. § 552a – As Amended (U.S. Department of Justice) protects personal information about individuals held by the Federal government. Covered entities that are Federal agencies or Federal contractors and that maintain records covered by the Privacy Act must comply with both the Privacy Rule's requirements and the Privacy Act.

The Privacy Rule

The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirement of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information, and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

HIPAA Administrative Simplification Statute and Rules

To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information. HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three (3) types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans).

The HHS Office for Civil Rights administers and enforces the HIPAA Privacy Rule and the Security Rule.

Personally Identifiable Information (PII) and Protected Health Information (PHI)

The HIPAA Privacy Rule provides federal protections for Protected Health Information (PHI) held by covered entities and gives patients an array of rights with respect to that information, while Titles II and III of the E-Government Act of 2002 require agencies to evaluate systems that collect Personally Identifiable Information (PII) to ensure that the privacy of this information is adequately protected. At the same time, the Privacy Rule is balanced so that it permits the disclosure of PHI needed for patient care and other important purposes.

The following are 18 HIPAA personal identifiers:

  • Name
  • Address (all geographic subdivisions smaller than a state, including street address, city, county, and zip code)
  • All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
  • Telephone numbers
  • Fax number
  • Email address
  • Social Security Number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate or license number
  • Any vehicle or other device serial number
  • Web URL
  • Internet Protocol (IP) Address
  • Finger or voice print
  • Photographic image (not limited to images of the face)
  • Any other characteristic that could uniquely identify the individual

When personally identifiable information is combined with information about an individual's physical or mental health, condition, or health care, it becomes protected health information.

Requests for Medical Records or Patient Case Material

  • The comprehensive LP policies and procedures for the release of medical records or patient material are available in: Policy for Handling Surgical Pathology Slides/Blocks for Medicolegal Requests and Returning Submitted Case Material.
  • Patient requests for medical records or pathology material (slides, blocks, tissue) must be made through the Clinical Center Medical Records Department. Provide the Authorization for the Release of Medical Information form to patients or outside providers; it will direct them to the Medical Records Department at 301-496-3331 or 888-790-2133.
  • Whenever slides or blocks are released, the pathologist who signed out the case should review the material being released. If that pathologist is not available, refer the request to the alternate pathologist covering for them or to the Section Chief. Document the release of the material according to the procedures of the appropriate section.

If the responsible Section determines that there will be a delay in responding to a request for any reason, it must inform the requesting individual and indicate when notification or access will be granted. Routine expected turnaround times are indicated below:

  • Reports only (0-2 business days)
  • Slides and/or blocks (1-5 business days)
  • Archived material (2-7 business days)

An accounting of all disclosures must be maintained for a period of five (5) years, or for the life of the record, whichever is longer. Accounting is not required for situations in which an employee of LP has a need for a patient’s record to perform his/her duties. If a patient requests an accounting of disclosures, please contact the NCI Privacy Act Coordinator to assist with this process.

Encrypted Email Procedures for Sending Patient Reports or Emails Containing PII/PHI

LP staff who send any information containing PHI (e.g. name, DOB, medical record numbers) by email to authorized recipients (e.g. the patient's clinician or clinical care providers) must encrypt the email: use NIH Secure Desktop encryption for NIH staff, and the Medical Secure Email service when sending pathology reports or PII/PHI to non-NIH recipients.

NIH-CIT offers Advanced Security based on Secure MIME (S/MIME). S/MIME allows users who need to send and receive confidential messages to digitally sign and/or encrypt them. Advanced Security uses industry-standard cryptographic methods to provide this protection.

The following safeguards must be used when communicating PII/PHI in, or attached to, an email message:

(1) Email communications containing PHI/PII regarding CC patients will be transmitted within NIH using S/MIME encryption or "Encrypt-only" permissions (e.g. the mechanism that uses PIV or PIV-derived credentials in Outlook), or via the NIH Secure Email and File Transfer Service (https://secureemail.nih.gov/bds/Login.do).

  • Unencrypted email must not be used to communicate PHI/PII.
  • If a recipient does not have encryption capabilities (e.g. their PIV certificate has expired), delete the recipient from the saved auto-fill entries in Outlook and search for their name in the NIH address book. This allows Outlook to look up that person's updated encryption key.
  • If the recipient is still not able to receive encrypted email, call the intended recipient and ask them to enter a CIT ticket to refresh their PKI certificate, OR send the message via NIH Secure Email and File Transfer (https://secureemail.nih.gov/bds/Login.do).
  • Do NOT send unencrypted email under any circumstances if it contains PHI/PII.

(2) ALL pathology reports and emails containing PII/PHI that are sent to non-NIH email addresses without access to NIH encryption MUST be sent via the NIH Secure Email & File Transfer service (https://secureemail.nih.gov/) or using the "Encrypt-only" permission in Outlook (which requires the recipient to enter their Microsoft account password to verify their account).

(3) Laboratory of Pathology staff do not typically communicate directly with patients, but rather through the patient's treating clinicians. If there is ever a need to communicate with a patient, the preferred system is the Secure Health Messaging service that is available within CRIS and via the web (https://shm.cc.nih.gov/).

  • Patients need a patient portal account (FollowMyHealth).
  • This ensures that providers are messaging patients at their preferred addresses and that the patients have signed the electronic communications consent.
  • Patients may initiate communication with any provider on their Care Providers list in CRIS (providers can use the "Add Me" function to add themselves).

General Rules Regarding Email Encryption

(a) For internal communications, emails containing ONLY the case number (e.g. SI-XX-XXXX) may be sent unencrypted if no other identifiers are included.

(b) PII will not be transmitted in the subject line of the email message.

(c) The fact that the message or an attachment to the message contains PHI/PII will be reflected in the subject line of the email message.

(d) If a document containing PHI/PII is attached to the message, the sender must verify that the correct document is attached before transmitting the email message.

(e) LP staff communicating any patient identifiers (name, DOB, medical record numbers, etc.) must encrypt their emails. If a recipient does not have encryption capabilities (e.g. their PKI certificate has expired), delete the recipient from the saved autofill entries in Outlook and search for their name in the NIH address book.

Other Privacy Information 

Digital signatures let the recipient verify that a message was not modified in transit. They also prevent forgeries by allowing users to place the equivalent of their signature on a message, so the recipient can be certain that it originated from the stated sender. Data encryption provides confidentiality by ensuring that only the intended recipients can read a message.

To use S/MIME signing and encryption, you must obtain a Public Key Infrastructure (PKI) certificate. Please contact the NIH IT Service Desk for assistance with this task; they are staffed with qualified personnel to assist you. For more information about this service, or to request a certificate, go to PKI.NIH.GOV.

For other matters pertaining to privacy information, please refer to the NIH Privacy Policy (https://www.nih.gov/web-policies-notices#) and the NIH Clinical Center MEC Policy (http://cc-internal.cc.nih.gov/policies/PDF/M09-3.pdf).

Last updated by Lumelski, Victoria (NIH/NCI) [E] on Jan 02, 2024