City of Paterson Health Department
Paterson, New Jersey, USA
July 26, 2004

In determining the City of Paterson Health Department’s (CPHD) covered entity status, CPHD staff conducted an assessment with different departments within the health agency. The CPHD Health Officer and city attorney verified the specific status of each individual department to determine whether it functioned as a business associate, a health care clearinghouse or a health care provider according to the specific provisions of HIPAA. As a health agency, CPHD is involved in public health activities as defined by New Jersey state law. However, it was determined that under the definition provided by HIPAA, CPHD functioned as a health care provider because some of its clinics used electronic billing and thus must adhere to the provisions of the Privacy Rule. Based on the activities that the Department conducts, CPHD could have been declared a hybrid entity for purposes of HIPAA. However, CPHD officials believed that the work necessary to maintain the necessary divisions within the department to comply with hybrid status (e.g., firewalls) would be too difficult. As a result, CPHD was declared a fully-covered designated health care provider. CPHD also identified its public health functions, as defined under HIPAA, separately from its provider functions.

CPHD is a recognized municipal health department under the New Jersey Department of Health and Senior Services. The Mayor of the City of Paterson and the City Council establish the operating budget for CPHD. CPHD has a working relationship with the county for certain services, but remains independent of the county. CPHD reports directly to the state for priority funding requirements.

Internal and External Uses/Disclosures

Following implementation of the HIPAA Privacy Rule, CPHD had trouble obtaining information from private physicians. As a public health authority, CPHD is entitled to individual’s health information from private providers in order to protect the health of the community. In spite of this, physicians were reluctant to provide such data to the health agency for fear of breaking federal law. Prior to the implementation of the HIPAA Privacy Rule, CPHD would simply call providers on the phone, identify themselves and request the information, which the providers would make readily available. After the implementation of HIPAA, providers were afraid of being sued or fined. They were unclear as to whom they could release data and what was the appropriate process for sending data. The confusion among physicians created a substantial challenge to CPHD and their ability to conduct their public health functions.

Privacy Safeguards

Prior to implementation of the HIPAA Privacy Rule, the vital statistics department staff would often take files with protected health information (PHI) out of the health department for work at home. In some cases, family members of the health department staff would assist in completing vital statistics documentation. Under HIPAA, this practice is no longer legal.

Business Associate Agreements

CPHD staff reviewed the HIPAA Privacy Rule to determine how each of its provisions would apply to the different functional units of the health agency. As CPHD staff went through this process, they were uncertain how to proceed regarding the various business associate agreements they had in place and who would be responsible for creating new and amended agreements.

Protected Health Information

Over the last 22 years, Paterson has had a significant lead poisoning problem, due primarily to older houses with lead-based paint. In an attempt to assess the severity of the problem and provide any necessary care to address subsequent health needs, the CPHD Health Officer recommended that CPHD nurses conduct home visits to all newborn children to monitor lead levels. To facilitate these visits, CPHD planned on using birth certificate data. However, according to New Jersey< state health officials, CPHD may not obtain birth certificate data for this purpose since it is considered confidential data, ostensibly a violation of HIPAA. As a result, CPHD was unable to commence this new program. The issue was not pursued further, however, so CPHD does not know whether the barrier to using birth certificate information in this situation is related to HIPAA privacy regulations or to other state law.

Training

CPHD staff struggled to understand the specific provisions of the HIPAA Privacy Rule. They were unsure how the Rule would impact their department and in what manner their daily tasks would be affected. The legal jargon and unfamiliar terminology contributed to the staff’s confusion.

Internal and External Uses/Disclosures

In an effort to clear-up confusion regarding the use and disclosure of data from providers to the health department, CPHD sent individualized letters to providers. These letters explained the proper procedures for data use and disclosure permissible under HIPAA as it related to the health department, and were sent to all physicians who had indicated reluctance to providing PHI following implementation of the Privacy Rule. CPHD also instituted follow-up phone calls to further educate providers on this topic.

Privacy Safeguards

The issue of health information leaving the health department was brought to the attention of the Health Officer of CPHD and the city attorney. As a result of their discussions, the practice was ended due to privacy guidelines, which prevented unauthorized persons from accessing protected health information, such as that available on vital statistics records.

Business Associate Agreements

CPHD is currently in the process of renewing contracts with their vendors. During this process, the CPHD Health Officer determines which vendors are to be considered business associates as prescribed in the Privacy Rule (e.g., contracting communities in CPHD’s jurisdiction) and establishes the contractual agreements with the vendors. All vendors that are considered business associates under HIPAA will have special clauses inserted into their new contracts. This function will be conducted through the legal department.

Protected Health Information

CPHD wrote a letter to the New Jersey Department of Health and Senior Services, stating CPHD’s duty to monitor lead levels in Paterson for which access to confidential birth certificate data was necessary. The letter requested permission from the state to use the birth certificate data.

Training

The Privacy Officer met with staff from each department and trained them on issues related to HIPAA. The Privacy Officer used job descriptions for each labor category and operations of each particular department to determine which departments needed a basic introduction to HIPAA and which departments required a more rigorous explanation and understanding of all issues related to HIPAA. For departments that were using electronic billing, it was necessary for the Privacy Officer to explain the rationale for the new changes under HIPAA. The Privacy Officer maintained a "training record," which each employee had to sign to ensure that he or she had completed the HIPAA training. These formal trainings were scheduled for specific days during the week and lasted for approximately one to two hours, depending on the number of questions asked by the staff. Training sessions for new employees are offered twice per year.

Statewide Training

The State of New Jersey conducted a statewide HIPAA training through Thomas Edison College and the Midwest Center for HIPAA Education. They developed a HIPAA Privacy Toolkit with two binders, one containing the actual Privacy Toolkit and the other with instructions for how to use the toolkit, customized for the state of New Jersey. The toolkit was created specifically for all health officers in New Jersey in order to facilitate HIPAA implementation. The Privacy Officer met with each individual department and reviewed the template for the Notice of Privacy Practices from the HIPAA Toolkit. The template was then revised to reflect the activities of each of the health agency’s departments. The toolkit also provided a valuable resource in understanding and implementing the HIPAA Privacy Rule. CPHD used the information in the toolkit to revise their manual of policies and procedures.

Midwest Center for HIPAA Education (MCHE) Working Group for HIPAA Toolkit

The Privacy Officer at CPHD was a member of the working group that helped MCHE create the HIPAA Toolkit. MCHE analyzed state laws and conducted the state law preemption analysis. Since the state of New Jersey has rather stringent privacy laws, all of the HIPAA laws were in accordance with the New Jersey state laws. Prior to the creation of this working group, all questions related to state law preemption were sent directly to the CPHD legal counsel.

Internal and External Uses/Disclosures

Even after receiving the letter, some providers remain reluctant to share information with the health agency.

Privacy Monitoring and Compliance

After meeting with the MCHE and reviewing the information in the toolkit, CPHD realized that they would need to revise their entire manual of policies and procedures, which took the health agency approximately nine months to complete.

Protected Health Information

In response to CPHD’s request for use of birth certificate data to monitor for lead poisoning, the New Jersey Health Commissioner expressed concern that the birth certificate data is confidential and that the state does not see this as an immediate health need. While CPHD, as a public health authority, has the ability to collect data to protect the health of the population, the state ruled that the monitoring function that CPHD wanted to conduct was indeed a preventive measure. Therefore, the request to allow release of the electronic birth records was denied.

Internal and External Uses/Disclosures

As a participant of the statewide HIPAA training, CPHD privacy staff received information regarding the use and disclosure of data from providers. Specifically, the HIPAA Privacy Toolkit given to training participants contains a sample letter for health officials to use to educate physicians on the proper disclosure of health care information to pubic health authorities. This form can be used to further educate providers who are unsure of the implications of providing data to the health agency. CPHD used the generic letter as the basis for its own, customized the content for its purposes, and then sent this letter to area providers to clarify any misconceptions regarding the use and disclosure of PHI.

Privacy Monitoring and Compliance

As CPHD began the process of reviewing their manual of policies and procedures, they conferred with their legal department. As each section was created, it was sent to the legal counsel to review, prior to implementation. In addition, every file cabinet with protected health information at CPHD was fitted with a special lock and key. The entire health agency also undergoes periodic inspections by the Privacy Officer.

Protected Health Information

The state health department hired a consultant to review the issue of releasing the electronic health records for surveillance purposes, but no decision has been reached. Since the state has not granted permission for CPHD to review all electronic birth records, the local health agency is unable to screen these clients. However, CPHD continues to receive data on high risk births and is able to monitor those clients for lead screening. As a result, the lead screening program is reaching a much narrower group of infants and parents than necessary.

The Board of Health Attorney for the City of Paterson

The Board of Health Attorney provided e-mail feedback to CPHD during the initial phase of HIPAA implementation.

Federal Government Glossary of Terms

The Federal Government Glossary of Terms was used by CPHD staff to clarify complicated terms and ideas related to HIPAA.

State Department of Health Hotline

The State Department of Health HIPAA group created a hotline to provide answers to questions. CPHD used this hotline to facilitate their implementation.

Conferences

CPHD staff attended numerous conferences to facilitate a better understanding of HIPAA, how to implement the Privacy Rule, and how to make sure that the health agency was fully-compliant.

Statewide Training

CPHD’s Privacy Officer was able to network with other state and local health department staff while participating in the MCHE working group, including the State Department of Health contractor, who provided CPHD with general guidance on HIPAA. The Privacy Officer was then able to take the information learned at the statewide training and disseminate this to local health officers. The other local health officers were confused and resisted ensuring that their departments were in compliance. These other officers did not want to engage in a major effort and were generally resistant to change. The CPHD Privacy Officer was able to take the information from the statewide training and show the other health officers what the state statutes were and how they related to HIPAA.