Changes to Privacy Regulations under ARRA
May 4, 2009
Melissa Goldstein, J.D.
The George Washington University School of Public Health and Health Services
HIPAA Privacy Rule in a Nutshell
• A covered entity cannot use or disclose protected health information unless it is permitted or required by the Rule
• And then, generally, only the minimum necessary information may be used or disclosed
• Rule sets a federal floor
• More protective state statutes are permitted
American Recovery & Reinvestment Act of 2009 (ARRA)
• Title XIII – Health Information Technology (HITECH)
• $19 billion over 10 years
• Establishes HIT infrastructure at HHS (Advisory committees on policy and standards)
• Significant changes to healthcare privacy and security environment
• Does not change all of HIPAA but should be addressed by entities handling health care information
• Most provisions require further regulatory clarification
Overview of Investment
• $2 billion in grants
  – $300M for subnational and regional exchange efforts
  – $20M for NIST for health care information enterprise integration
• Incentives through Medicare & Medicaid for healthcare professionals, hospitals and other providers
Changes to HIPAA
• Enhanced Individual Control
  – Right of electronic access
  – Can direct record to another entity or individual (PHR)
  – Right to restrict disclosures to health plans for payment and operations
• Application to business associates (entities that act on behalf of “covered entities”)
  – HIPAA security rules
  – HIPAA privacy rules
  – Provisions in ARRA
Changes to HIPAA
• Business Associate contracts
  – Required for health information exchanges, RHIOs, and other entities that transmit protected health information (PHI) to a covered entity
  – Required for vendors that contract with a covered entity to offer a personal health record (PHR)
• Breach notification requirement
  – Definition of breach
  – Safe harbor for “protected” data
Changes to HIPAA
• Accounting for disclosure requirements for entities using electronic health records
  – Requirement applies after standard and regulations are developed
  – Phased in over time
  – Covers only 3 years
Changes to HIPAA
• Marketing
  – Limited right to use information for marketing if the communication is paid for by an outside entity
  – Exceptions for treatment and communications about current drugs and biologics
• Fundraising
  – Opt-out required
Changes to HIPAA
• Prohibition on sale of health records or protected health information
• Exceptions
  – Public health
  – Research
  – Treatment of an individual
  – Sale of a facility/business
  – Payments to business associates
  – Copies to individuals
Changes to HIPAA
• Secretary guidance on minimum necessary
  – Use of limited data set where possible in interim
  – Discloser determines minimum necessary
• Minimum necessary still does not apply to treatment or de-identified information
• Study on implementation of the de-identification requirements
Enhanced Enforcement of HIPAA
• Tiered increase in civil penalties
• Secretary required to do periodic audits
• State Attorney General civil enforcement
Entities not covered by HIPAA
• Study of privacy protections
  – HHS & FTC report to Congress on privacy and security recommendations for PHRs
• Temporary breach notification provisions
  – FTC enforced
Implementation
• Refining terms “certified EHR” and “meaningful use”
• Strategic plan for rollout
• Implementation of privacy and security provisions