National Academies Press: OpenBook
Page 56
Suggested Citation:"CONCLUSION ." National Academies of Sciences, Engineering, and Medicine. 2014. How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations. Washington, DC: The National Academies Press. doi: 10.17226/22359.

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

Rule.”603 Likewise, FEMA provides information on emergency planning for “special needs” populations and for the use of registries.604

Lastly, to the extent that HIPAA is a concern, patrons could provide health information to transit agencies and/or sign an authorization for the release of information by covered entities or business associates (or others not covered by HIPAA but concerned that HIPAA applies to them) to enable transit agencies to create a registry or database. As discussed previously in this digest, covered entities and business associates also must disclose PHI when required by law.605

XIX. INDUSTRY PRACTICES AND STANDARDS APPLICABLE TO TRANSIT AGENCIES HAVING HEALTH INFORMATION ON PATRONS

Transit agencies’ procedures and practices, which appear to be quite consistent, regarding the privacy and security of patrons’ health information are discussed throughout this digest. However, transit agencies responding to the survey also explained more generally the industry practices or standards that are applicable to transit agencies receiving and maintaining health information on their patrons. Copies of documents provided by transit agencies are included in Appendix C. Some of the transit documents assume that HIPAA applies to transit agencies. Moreover, the business associate and subcontractor agreements included in Appendix C stipulate that HIPAA applies to the agreements.

EBPC’s response stated that the best industry practices and standards are for transit staff to understand that all health information on patrons must be treated confidentially; that the use of information in electronic files must be limited to trip requirements only; and that “print files” are to be kept in a secure location.

KAT stated that the information it receives and maintains is private, that its records are secured, and that “[o]perators are instructed not to share any information to anyone outside of KAT.”

Kitsap advised that all passenger records are treated as confidential and only reviewed by staff as is necessary to provide safe transportation. “Appropriate database securities are in place to prevent access to these records by nonessential personnel or the general public.”606

MATA stated that it only receives medical information from health care providers and that the information is only used for certifying that patrons qualify for paratransit service, information that is “filed and secured.”607

Finally, as stated by other transit agencies, Whatcom advised that the best industry practices and standards dictate that confidential files must be maintained in a secure physical setting and that computer files must be password protected.

In sum, based on the research and the survey responses it appears that transit agencies have procedures and practices to safeguard patrons’ health information regardless of whether the agencies are subject to HIPAA. Moreover, some transit agencies have entered into business associate and subcontractor agreements, for example, to participate in a coordinated transportation services program, that obligate the agencies to comply with HIPAA.

CONCLUSION

Of primary concern for this digest is whether the privacy and security rules established by HIPAA apply to transit agencies having health information on their patrons. However, HIPAA does not apply to every health record keeper or to every health record. If a person’s health information is not being maintained by a covered entity or by a business associate on behalf of a covered entity, the health information most likely is not protected by HIPAA. If a covered entity or its business associate discloses PHI to anyone who is not covered by HIPAA, the information is no longer subject to HIPAA. Protected health information that is provided by a patron or pursuant to a patron’s authorization to a transit agency is no longer subject to HIPAA.

Only if a transit agency is a business associate of a covered entity or a subcontractor of a business associate is a transit agency subject to HIPAA. However, it does not appear that a transit agency meets HIPAA’s definition of a business associate. HHS clearly states that if a person or entity does not meet the criteria for a business associate then the person or entity is not subject to HIPAA. However, it also appears that transit agencies have entered into agreements that provide that PHI may be shared by covered entities with transit agencies as brokers, business associates, or subcontractors and that transit agencies thus agree to comply with HIPAA.

As noted in this digest, the law on the privacy of health information is highly fragmented. Appendix A discusses other federal laws that are applicable to the privacy of health information. Under HIPAA, covered entities and their business associates may only disclose PHI as permitted or mandated by the HIPAA regulations. However, HIPAA also authorizes a disclosure of PHI when another federal law requires a disclosure of PHI.

There are some state laws that are more restrictive than HIPAA. Even though health information may no longer be subject to HIPAA after being disclosed to a person or entity that is not subject to HIPAA, some state laws prohibit a further disclosure by a downstream recipient of an individual’s health information unless the subject of the health information authorizes or reauthorizes a disclosure.

Persons who wrongfully use or disclose health information may be subject to civil claims under provisions of state constitutions or statutes for invasions of privacy and for other claims in tort or for breach of contract. However, in many of the cases discussed in this digest the courts dismissed the claims at the summary judgment stage. The plaintiffs often were unable to show that the defendant had a duty to the plaintiff or failed to demonstrate other required elements for a claim, including a plaintiff’s failure to prove any damages resulting from a disclosure of health information.

Finally, notwithstanding some concerns, it does not appear that HIPAA presents any barrier to transit agencies that want to create a registry or database on patrons and their health requirements for use during emergency operations. Under HIPAA, covered entities or their business associates may use or disclose PHI only if a use or disclosure comes within one of the permitted or mandatory uses or disclosures under the HIPAA regulations. Thus, a person or entity not covered by HIPAA may provide health information on an individual to a transit agency unless a disclosure is precluded by a confidentiality agreement or another federal or state law. In any event, a patron may furnish health information to a transit agency or authorize a covered entity such as a health care provider to provide whatever health information is needed by a transit agency for a registry or database that would assist in meeting a patron’s transportation needs during an emergency.

Footnotes

603 Id.

604 FEMA, Comprehensive Preparedness Guide 301 (CPG-301): Interim Emergency Management Planning Guide for Special Needs Populations, Federal Emergency Management Agency (Aug. 15, 2008), hereinafter referred to as “FEMA Comprehensive Preparedness Guide,” available at http://www2.ku.edu/~rrtcpbs/resources/pdf/FEMA_CPG301.pdf.

605 See Sections VIII.B.2 and X of this digest.

606 Response of Kitsap. Kitsap provided a copy of its Notice of Privacy Practices and of its Medical Verification Release Form. New Haven Transit provided a copy of its Request for Professional Verification, Authorization to Release Confidential Information, and Physician or Other Professional Information.

607 See also Response of Riverside (stating that medical documentation is required to support a claim of disability under the ADA regulations for certification for paratransit service and that such information is “confidential[] and is treated as such in our process”); Response of Salem-Keizer (reporting that the information it receives “is functional (as far as ADA service eligibility) and eligibility data from the State of Oregon [is] covered by [a] confidentiality clause”); Response of Utah Transit (reiterating that any information received from a client is confidential and is not shared without a client’s or a client’s agent’s written consent and that records are secured in a locked room); Response of Votran (stating that “[h]ealth information is not disclosed to parties other than the necessary staff responsible for processing paratransit eligibility applications or performing functional assessments”).

TRB’s Transit Cooperative Research Program (TCRP) Legal Research Digest 46: How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations explores whether the privacy and security rules established by HIPAA apply to transit agencies that possess patrons’ health information.

The first seven sections of this digest discuss HIPAA and whether various entities are subject to HIPAA’s privacy and security provisions applicable to the protection of protected health information, as defined by HIPAA. This digest also analyzes how protected health information is defined by HIPAA and discusses HIPAA’s Privacy Rule and Security Rule as defined by the U.S. Department of Health and Human Services in its most recent final rule.

This digest summarizes other important aspects of HIPAA including whether protected health information must be produced in response to a subpoena, discovery request, or a request under a freedom of information act (FOIA) or similar law. The remainder of the digest discusses the privacy of health information under other federal and state laws. The digest also covers industry standards and best practices used by transit agencies to protect the privacy of patrons’ health information.
