How the Health Insurance Portability and Accountability Act (HIPAA) and Other Privacy Laws Affect Public Transportation Operations (2014)

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

13 other hand, Metro Transit in Madison, Wisconsin, which maintains that it is not subject to HIPAA, stated that some departments of its municipal government have been designated hybrid entities. VII. HIPAA’S DEFINITION OF PROTECTED HEALTH INFORMATION PHI means individually identifiable health in- formation transmitted by electronic media; main- tained in electronic media; or transmitted or “maintained in any other form or medium (em- phasis added).”91 PHI does not include individu- ally identifiable health information in employ- ment records held by a covered entity in its role as an employer or in education records covered by the Family Educational Rights and Privacy Act,92 as well as otherwise set forth in the regulations.93 Although transit agencies may receive health in- formation directly from patrons or from covered entities when authorized by the subjects of the health information, transit agencies are not the type of entity that must create health information for it to be subject to HIPAA. However, assuming that transportation services come within HIPAA’s definition of a business associate, an assumption that appears to be doubtful given the specific, lim- iting language in HIPAA’s definition, a transit agency as a business associate could create, re- ceive, maintain, or transmit PHI on behalf of a covered entity.94 The definitions of three terms in the HIPAA regulations give effect to what kind of information is subject to HIPAA: health information, indi- vidually identifiable health information, and PHI. First, the term “health information” applies to any information regardless of whether it is “oral or recorded in any form or medium;”95 thus, HIPAA’s Privacy Rule is not limited to electronic records.96 transit trips it provides are “actually Medicaid eligible trips.” 91 45 C.F.R. §§ 160.103(1)(i)-(iii) (2013) (subsection (1) of the definition of PHI). 92 Pub. L. No. 93-380 § 513, 88 Stat. 484 (1974), codi- fied at 20 U.S.C. § 1232g (2013). 93 45 C.F.R. § 160.103 (2013) (subsection (2) of the definition of PHI). 94 See Section IX.D of this digest. 95 45 C.F.R. § 160.103 (2013) (defining health infor- mation). 96 South Carolina Medical Ass’n v. Thompson, 327 F.3d 346 (4th Cir. 2003); Association of American Phy- sicians & Surgeons, Inc. v. U.S. Dep’t of Health and Human Services, 224 F. Supp. 2d 1115 (S.D. Tex. 2002). Second, health information as defined by HIPAA is not health information that is created or received by just anyone, such as a transit agency. Health information subject to HIPAA in- cludes “information, including genetic informa- tion, whether oral or recorded in any form or me- dium, that…[i]s created or received by a health care provider, health plan, public health author- ity, employer, life insurer, school or university, or health care clearinghouse…(emphasis added).”97 Third, health information is not just any kind of medical information. The health information must come within one of three categories or types of health information: it must relate “to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or fu- ture payment for the provision of health care to an individual.”98 Even if a transit agency meets one or more of the last three criteria (i.e., the health information “relates to”), a transit agency does not come within the HIPAA definition of health information, which must have been “cre- ated or received by a health care provider, health plan, public health authority, employer, life in- surer, school or university, or health care clear- inghouse… (emphasis added).”99 A transit agency does not create health information nor is it one of the named entities that must receive the health information for it to become PHI subject to HIPAA. As HHS’s commentary to its 2013 final rule states, there are many businesses and other entities that receive PHI that are not subject to HIPAA.100 A subset of health information under HIPAA is individually identifiable health information (IIHI). IIHI includes information that is “demo- graphic information collected from an individ- ual.”101 IIHI either must identify an individual or provide a “reasonable basis” for believing that the information could be used to identify an individ- PHI stored, whether intentionally or not, in photocopi- ers, facsimile, and other devices is subject to the Secu- rity Rule. 78 Fed. Reg. 5576. See discussion in Section VIII.C of this digest. 97 45 C.F.R. § 160.103 (2013) (subsection (1) of the definition of health information). 98 Id. 99 45 C.F.R. § 160.103 (2013). 100 78 Fed. Reg. 5591. 101 45 C.F.R. § 160.103 (2013) (definition of individu- ally identifiable health information).