The Health Insurance Portability and Accountability Act ("HIPAA") privacy regulations¹ that went into effect on April 14, 2003 have raised many questions about the use of tests. Generally speaking, the questions relate to either 1) Buying and scoring of Pearson Assessments' tests; or 2) Patient access to and right to copy test materials under HIPAA. Below, we address these questions to the best of our ability at this time. Note that words printed in italics below are defined in the HIPAA regulations. If you have additional questions related to HIPAA and Pearson Assessments, please call our customer support representatives at 1-800-627-7271.
Buying and Scoring Pearson Assessments Tests
- Is Pearson Assessments a covered entity² under HIPAA?
- Is Pearson Assessments a business associate³ to customers who use Pearson Assessments' MICROTEST Q™ or Q Local™ software or scoring services? Should these customers enter into a business associate agreement with Pearson Assessments?
- What if the customer has answer sheets that include name grids and other such identifiable information? Can these still be scored by Pearson Assessments?
Buying and Scoring Pearson Assessments Tests
Is Pearson Assessments a covered entity² under HIPAA?
Is Pearson Assessments a business associate³ to customers who use Pearson Assessments' MICROTEST Q™ or Q Local™ software or scoring services? Should these customers enter into a business associate agreement with Pearson Assessments?
No. Business associates must receive, create or use individually identifiable health information⁴ for or on behalf of a covered entity. Our customers may be covered entities, but they do not disclose individually identifiable health information to us. For that reason, Pearson Assessments is not a business associate to its customers.
- Purchasing test materials or administrations from Pearson Assessments: No individually identifiable health information is disclosed by the customer to Pearson Assessments in the course of purchasing our tests or MICROTEST Q or Q Local test administrations.
- Scoring tests using MICROTEST Q or Q Local software: Because the software resides entirely on our customer’s computer system, there is no disclosure of individually identifiable health information to Pearson Assessments in the course of scoring tests using the software.
- Scoring tests using Pearson Assessments’ scoring services: Pearson Assessments does not require individually identifiable health information in order to score answer sheets sent by mail or fax. Over the past year, we have removed name grids and spaces for other identifying information from most of our forms, leaving the forms identified only by a (non-social security number) ID number that is selected by the customer. We have no way of linking the ID number with an individual. Therefore, the information contained in the answer sheets is not individually identifiable health information when it arrives at Pearson Assessments for scoring.
What if the customer has answer sheets that include name grids and other such identifiable information? Can these still be scored by Pearson Assessments?
Yes, with a little modification. The HIPAA regulations allow individually identifiable health information to be de-identified prior to disclosure by the covered entity.⁵ Because we do not need the answer sheet to be individually identifiable in order to score the test and return it to the customer, we ask you to de-identify the answer sheet before sending. In simple terms, that means that the customer will omit or use a marker to completely conceal the name and other individually identifiable information prior to sending the form. If you have questions about what information to omit or conceal, our customer support representatives will be happy to provide test-specific guidance.
Patient Access To and Right To Copy Test Information and Results Under HIPAA
As you know, most Pearson Assessments' test materials and output reports were never intended to be handed to the patient. They are sold for use only by qualified professionals. Testing material is protected by intellectual property law including copyright and trade secret law. The disclosure of test material could damage the test's integrity and usefulness in evaluation, diagnosis and treatment. Therefore, Pearson Assessments recommends that its customers do not provide access to or copies of test materials and/or reports unless disclosure is clearly required. Under the HIPAA statute⁶, covered entities are not required to provide a patient with access to and/or the right to copy any test materials or reports to the extent that doing so would result in the disclosure of trade secrets.
Your organization, as a covered entity, may have generated HIPAA disclosure guidelines for your use. In creating those guidelines, your organization may or may not have given assessments any specific attention. The following information may be helpful to both you and your organization. Please read this entire section and share it with your HIPAA compliance officer and/or legal counsel.
- If a patient makes a HIPAA request for access to or copies of test materials and/or reports, what kind of disclosure is required?
- What is Protected Health Information or PHI?
- Are covered entities required to provide access to and copies of Profile and Interpretive reports?
- What might the patient expect to be provided access to and copies of?
- May a covered entity provide a patient with summary information rather than access to or copies of test answer sheets and reports?
- Under what other circumstances may a covered entity deny access to or copies of Protected Health Information?
- Are there any other issues that customers should be aware of related to Pearson Assessments' tests and HIPAA regulations?
If a patient makes a HIPAA request for access to or copies of test materials and/or reports, what kind of disclosure is required?
Under HIPAA, covered entities are not required to provide a patient with access to and/or the right to copy any material or information that is not Protected Health Information or PHI.
What is Protected Health Information or PHI?
Under HIPAA, protected health information or PHI⁷ is individually identifiable health information that is used to make decisions about an individual and is maintained in the designated record set.
The following portions of our test materials are NOT PHI because they do not contain individually identifiable health information. Therefore, PATIENTS SHOULD BE DENIED ACCESS TO AND COPIES OF THE FOLLOWING under a HIPAA request:
- Test booklets (when answers are entered on a separate form)
- Test questions (by themselves)
- Test manuals
- Test user guides
- Wall charts
- Scoring templates
- Scoring keys
- Computer scoring programs such as MICROTEST Q or Q Local software.
- Profile and Interpretive Reports are addressed in the next question. PLEASE READ ON.
Are covered entities required to provide access to and copies of Profile and Interpretive reports?
No, there is an explicit exception in the HIPAA⁸ statute that exempts trade secrets from disclosure. Because Pearson Assessments protects MICROTEST Q software and Q Local software and the computerized output reports generated using MICROTEST Q and Q Local as trade secrets, PATIENTS SHOULD ALSO BE DENIED ACCESS TO THE FOLLOWING (Note that this denial applies to requests under HIPAA or any other data disclosure law that exempts trade secrets from disclosure):
- MICROTEST Q or Q Local Software containing patient files,
- Profile or Interpretive Reports generated using MICROTEST Q or Q Local profile reports software, and
- Profile or Interpretive Reports obtained by mailing or faxing answer sheets to Pearson Assessments mail-in scoring service.
What might the patient expect to be provided access to and copies of?
Unless there is an explicit exception in the HIPAA regulation, an individual has the right to inspect and obtain a copy of protected health information or PHI about the individual in a designated record set, for so long as the PHI is maintained in the designated record set.
If the request is not subject to denial (read further to learn about exceptions in the HIPAA regulations that permit denial of access), the patient may expect disclosure of:
- Answer sheets stored by the covered entity that are identified by the patient's ID number, and on which the patient has marked the bubbles or filled in the blanks.
- The Item Response page (only) generated by MICROTEST Q or Q Local software.
May a covered entity provide a patient with summary information rather than access to or copies of test answer sheets and reports?
Yes. The HIPAA regulations allow a covered entity to provide an individual with summary information rather than underlying file documents but only if the patient agrees in advance to receive such a summary. Note, however, an individual who earlier agrees to receive summary information does not relinquish the right to later request access to the underlying documents. Access to and copies of MICROTEST Q or Q Local Software or Profile and Interpretive Reports should be denied under such a later request.
Under what other circumstances may a covered entity deny access to or copies of Protected Health Information?
Denials can also be based on the application of professional judgment on the part of the covered entity. HIPAA regulations state that a covered entity may deny an individual access, provided that the individual is given a right to have such denials reviewed…in the following circumstances:
(i) A licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person;
(ii) The protected health information makes reference to another person (unless such other person is a health care provider) and a licensed health care professional has determined, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to such other person; or
(iii) The request for access is made by the individual's personal representative and a licensed health care professional has determined, in the exercise of professional judgment, that the provision of access to such personal representative is reasonably likely to cause substantial harm to the individual or another person.
Denials by correctional facilities, or those covered entities supporting correctional facilities, in response to requests by inmates are specifically addressed in the regulations. Covered entities providing services to inmates should be familiar with those provisions of the privacy regulations.
Access to Protected Health Information may be denied if the PHI was compiled “in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding.”⁹ Pearson Assessments believes this provision of the privacy regulation should apply as follows:
Covered entities may deny access to and the right to copy if PHI was compiled in reasonable anticipation of or for use in:
- Child custody disputes
- Commitment hearings (mental health institutions)
- Conservator/guardianship/competency hearings
- Competency to stand trial/commitment hearings
- Civil/criminal/pre-trial/pre-sentence criminal evaluations
- Getting back driver’s license after DUI
- Insanity defense
- Personal injury lawsuits/neurological evaluations
- Determine malingering, lying, acting
- Workers Compensation
- Work hardening programs
- Social Security Disability evaluations
- Personal injury evaluations
- Insanity defense
CIVIL, CRIMINAL TRIALS
- To support or impeach expert testimony
To support classification, treatment, and management decisions at intake and throughout incarceration in criminal justice and correctional settings (housing placement, security level, parole, pre-sentence investigation, probation).
- Readiness to be released
- Assess behaviors
- Security risks
- Rehabilitation potential
- Assess substance abuse, sexual predation, or mental instability (for placement in certain programs)
MARRIAGE AND FAMILY COUNSELING (in legal proceedings)
- Parental fitness
- Adoption evaluations
Are there any other issues that customers should be aware of related to Pearson Assessments' tests and HIPAA regulations?
You should check with your HIPAA compliance officer for legal advice and information specific to your covered entity. As you know, all Pearson Assessments’ tests and output reports are protected by copyright and other intellectual property rights. As the HIPAA regulations are clarified, the information in these pages is subject to change. The issue of whether copyrighted material may be disclosed under HIPAA remains an open legal question. Even though MICROTEST Q software, Q Local Software, and Profile and Interpretive reports are exempt from disclosure as trade secrets and test booklets, manuals, user guides, wall charts, scoring keys and templates are exempt from disclosure because they are not PHI, nevertheless, some patients may be entitled to inspect and/or copy portions of PHI such as their bubble answer sheet (without question text) and the Item Responses page (only) generated by MICROTEST Q or Q Local software. The covered entity's HIPAA compliance officer or legal counsel should advise you regarding changes and modifications to the regulations, and the outcome of HIPAA-related litigation. If you have additional questions specifically related to HIPAA and Pearson Assessments, please call our customer support representatives at 1-800-627-7271.
1 We have footnoted the HIPAA rule sections for your reference. Text of the HIPAA privacy rule can be found online at http://www.os.dhhs.gov/ocr/hipaa/finalreg.html.
2 See 45 CFR 160.103.
3 See 45 CFR 160.103.
4 See 45 CFR 160.103.
5 See 45 CFR 164.514 (a) and (b).
6 Social Security Act § 1172(e) (codified at 42 U.S.C. § 1320d-1(e)).
7 See 45 CFR 164.501.
8 Social Security Act § 1172(e) (codified at 42 U.S.C. § 1320d-1(e)).
9 45 C.F.R. 164.524(a)(1)(ii).