HIPAA 101 Privacy - NCHICA (slide transcript)
1
HIPAA 101
Privacy Part 2
August 13, 2018
Lawrence H. Muhlbaier, PhD
2
Basic Elements of a Privacy Program
• Controls
• Evaluate
• Monitor
  • Enforce
  • Consistent
  • Corrective Action
• Areas of Risk
• Policies
• Sanctions
  • Effective
  • Communicated
  • Enforced
(Program cycle diagram labels: Policies, Training, Audit, Sanctions)
3
Administrative Requirements
Policies and Procedures
Notice of Privacy Practices
Safeguards and Mitigation
Workforce Training & Employee Sanctions
Personnel Designations - Privacy Official
Person responsible for Policies, Procedures and Receiving Complaints
Complaint Process
No retaliation
4
Policies & Procedures
Authorization to release medical information
» Consider state requirements
Accounting for disclosures
Complaint Process
Patient Requests
Notice of Privacy Practices
No retaliation
5
Policies & Procedures (cont'd)
Marketing & Sale of PHI
Fundraising
Research
Sanctions
Safeguards & Mitigation
Training
Uses & Disclosures
Required Minimum Record Retention
This is not intended to be an all inclusive list
6
Notice of Privacy Practices
The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information.
Health plans and covered health care providers are required to develop and distribute a notice that provides a clear explanation of these rights and practices.
7
Notice of Privacy Practices
Notice content – Including effective date
See 45 CFR 164.520(b)
Post and make available on website
Provide to individuals on request
Document that Notice was provided
Note – no signed Acknowledgement
8
Notice of Privacy Practices
Patients have the right to:
Request restrictions on release of their PHI
Receive confidential communications
Inspect & copy medical records
Request Electronic Copy
Request amendment to medical records
Make a complaint
Receive an accounting of any non-TPO (treatment, payment, health care operations) disclosures
Obtain a paper copy of the Notice of Privacy Practices on request
9
Facility Directory
Must give the individual the opportunity to restrict or prohibit use or disclosure of name, location, general condition and religious affiliation
Opt Out required, Opt In allowed
Procedures to manage
10
Safeguards and Mitigation
• What safeguards are in place to prevent the unauthorized use and/or disclosure of medical information
• Implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI
• Mitigate, to the extent practicable, any known harmful effect of a use or disclosure of PHI made in violation of policies and procedures
11
Workforce Training
Who needs to be trained?
• Employees
• Clinicians
• Students
• Volunteers
What is the training content?
• Training by role - MD vs. support staff vs. housekeeper?
How frequently will training be provided?
• Annual is optimal
Who will maintain documentation of training?
12
Designate a Privacy Official
• Job description
• Roles & responsibilities
• Reporting structure
• Identify individual to respond to complaints, inquiries, etc.
• Inform Workforce
13
Complaint Process
Who receives complaints?
What is the definition of a complaint?
Who investigates complaints?
Where is documentation of the complaint maintained?
Who communicates with the patient, family member or other complainant?
14
Sanctions for Violators
Workforce members who violate policies regarding privacy / security of confidential /protected health information or ePHI are subject to sanctions.
Actions taken may include:
• Department/Program is responsible for fines, penalties, notification costs, etc.
• Counseling & additional training
• Suspension
• Termination
• Violation of City, State and Federal laws may carry additional consequences of prosecution under the law
• Knowing, malicious intent can increase penalties: fines, jail!
15
Record Retention Requirements
Maintain program information for 6 years after last in effect:
Policies and Procedures
Training Provided / Privacy Official
Complaints to Covered Entity
Notice of Privacy Practices / Acknowledgement (signature not required)
Authorizations
Business Associate Agreements
IRB / Privacy Board Waivers
Designated Record Set(s)
Disclosures for accounting to individual
16
SUMMARY
Inform people of how their information is used
Require NO disclosures except to the individual and to HHS for investigation or enforcement
Require written authorization for use and disclosure for other purposes
Allow disclosure for national priorities
Allow health information to be used and shared for treatment and payment of health care
Require health plans and providers to maintain administrative & physical safeguards
Hold accountable entities that violate privacy
17
Avoiding Penalties
Comprehensive Written Program
Policies and Procedures
Workforce Education
Periodic Evaluation
Prompt Corrective Action Plans
18
Hot Topics and Potential Risk Areas
Security Breaches
Security Incident Response
Physical Security
Disaster Recovery and Business Continuity Planning
Increased Enforcement
Privacy & Security Training
Cyber Security Incidents
Disposal of Device Security
Mobile Healthcare
Use of Social Media
Cloud Computing
Meeting Meaningful Use Requirements
Business Associates, Vendors, Contractors
19
Breach Notification
• In-depth discussion this afternoon
Applies to all electronic "unsecured Protected Health Information" ("encryption required")
Requires immediate notification to the Federal Government if more than 500 individuals are affected
Annual notification if fewer than 500 individuals are affected
Breaches affecting more than 500 individuals are listed on a public website
Requires individual notification to patients / remediation
May require notification to a major media outlet
20
Breach Notification
In depth discussion this afternoon
Applies to all electronic "unsecured PHI"
Breaches >500 listed on public web site
Requires individual notification/remediation
May require notification to major media outlet
21
Major Recent Enforcement Actions
Unauthorized Filming for “NY Med” Results in $2.2 Million Settlement with New York Presbyterian Hospital
$750,000 settlement highlights the need for HIPAA business associate agreements (Raleigh, NC)
Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules - February 1, 2018
Most enforcement actions cite inadequate Policies & Procedures
http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements
22
Trends for Privacy & Information Security
• More policing, more penalties, OCR-style
• Increase in healthcare data breaches
• A wider use of mobile devices in healthcare
• Greater patient awareness
• Increased use of business associates (BAs)
• HITECH regs make BAs responsible for data protections
• Data breaches are costing healthcare organizations more than ever (In 2018 >$400/person)
• Taking protected health information (PHI) to the cloud
23
Future Rules
Access Accounting rule
Disclosure Accounting for TPO
24
Patient Privacy
At some point in our lives we will all be a patient.
Treat all information as though it were your own.
25
Resources
OCR: http://www.hhs.gov/hipaa/index.html
Regulations text: http://www.hhs.gov/sites/default/files/hipaa-simplification-201303.pdf
NCHICA (membership recommended): http://nchica.org/resources/hipaahitech/
Privacy Rule & Research Guidance: https://privacyruleandresearch.nih.gov/
26
Questions?
27
Contact
Lawrence H. ("Doc") Muhlbaier, PhD
Office of Audit, Risk and Compliance
Duke University
919-630-2509 (mobile)
28
Additional Slides on Research follow
29
Research and HIPAA
30
Research and HIPAA
The Privacy Rule protects the privacy of Protected Health Information (PHI) by establishing conditions for its use and disclosure.
Includes record research that uses existing PHI, e.g., databases and repositories; and research that includes treatment of research participants such as clinical trials.
Covered entities may use and/or disclose PHI for research with an individual authorization, or without individual authorization under limited circumstances
31
Common Rule Vs. Privacy Rule
The Common Rule is a federal policy regarding Human Subjects Protection.
The main elements of the Common Rule include:
Requirements for assuring compliance by research institutions
Requirements for researchers’ obtaining and documenting informed consent to participate in the research based on the risk and benefits
Requirements for Institutional Review Board (IRB) membership, function, operations, review of research, and record keeping.
The Privacy Rule for HIPAA establishes privacy standards to protect a person’s health information
Limits the use and disclosure of health information
Gives patients the right to access their medical information, request amendments and restrict disclosures to the minimum intended purpose.
Established new requirements for access to records by researchers
Authorization generally required to use or disclose PHI (except TPO)
Waiver allowed for minimal risk
32
Key Terms for Researchers
• Covered Entity
• Business Associate Agreement
• Use – Sharing within the Organization
• Disclosure – Sharing outside the organization
• Data Use Agreement / Limited Data Set
• De-identified – without 18 identifiers
• Waiver / Authorization
33
Authorization for Research Purposes
• Permission to use or disclose PHI for research purposes
• Alternative to authorization is waiver or alteration - must meet criteria
• Research participant authorization is required to use and/or disclose PHI for research
  • May be combined with informed consent to participation in research
  • Must include expiration date - May be "none" or may continue until "end of research study"
34
Research Waiver or Alteration of Authorization
Requires a written assurance to the IRB or Privacy Board that PHI will not be re-used or disclosed except:
• As required by law,
• For authorized oversight of the research, or
• For other research that has been reviewed and approved by the IRB / Privacy Board with specific approval regarding access to this PHI
Consider - How will this information be protected?
Waiver requires minimal risk. Data protection is part of minimizing risk.
35
Decedent Data
Common Rule: definition of "human subjects" does not include "decedents"
Privacy Rule: Protection extends to identifiable information of decedents who have been dead <50 years
Must obtain "Notice" from researcher:
Representation that use or disclosure of PHI is necessary for research purposes and will only be used for research purposes
Documentation of the death of the individual, upon covered entity's request
(Note: no 'approval' required)
36
Limited Data Set with Data Use Agreement
Only use or disclose limited data set / indirect identifiers
For Public Health, Research, Healthcare Operations
Most Privacy Rule requirements do not apply
No authorization or waiver required
No need to track disclosures
Recipient must agree to a "data use agreement"
Agreement between the covered entity and recipient of data
Generally describes the permitted uses and disclosures of the information received and prohibits re-identifying or using this information to contact individuals.
Notify CE if loss/unauthorized use (breach analysis)
37
Research Privacy Considerations
• The Common Rule remains the rule for research issues.
• The Privacy Rule was not written with research in mind, so the fit is not perfect.
• When the Common Rule and the Privacy Rule do not agree – the correct path is whatever offers the higher privacy protection.