
Navy PAD Symposium

Samuel P. Jenkins, CHE

TMA Privacy Officer

HEALTH AFFAIRS / TRICARE Management Activity

This document contains proprietary information and will be handled within Government regulations. It is intended solely for the use and information of the Military Health System.


Training Objectives

• At the completion of this brief you should be able to:

– Understand the relationship between HIPAA Privacy/Security and JCAHO

– Explain the Requirement for the Notice of Privacy Practices

– Understand the Security Concerns with Electronic Health Records

– Provide an Overview of Allowable Disclosures

– Implement Privacy/Security Requirements in Your Area of Responsibility

– Understand the Challenges


HIPAA

• The Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191 was designed to:

– Improve portability and continuity of health insurance coverage

– Improve access to long term care services and coverage

– Simplify the administration of health care


COMPLIANCE

• The TRICARE Management Activity (TMA) Privacy Office published HIPAA Privacy policies in the Department of Defense (DoD) documents titled “Health Information Privacy Regulation” and “Security of Individually Identifiable Health Information”, under the authority of the Assistant Secretary of Defense for Health Affairs (ASD/HA), who exercises oversight to ensure compliance with the HIPAA Privacy and Security Rules in DoD health care programs

• The TMA Privacy Office is now moving from the HIPAA planning and implementation phase to the compliance phase:

– Privacy Rule: April 2003

– Security Rule: April 2005


JCAHO - Patient Rights

RI Standards 2.10, 2.20, 2.50, 2.120, 2.130 and 2.180

• Respects the rights of patients, including:

– Information about their rights

– Confidentiality, privacy, and security needs

– Obtaining consent for non-healthcare related recording or filming

– Resolution of complaints

– During involvement in research, investigation and clinical trials

Source: Joint Commission on Healthcare Accreditation Brief from April 2006 HIPAA Summit


Notice of Privacy Practices

• Explains:

– MHS duty to protect health information

– How the MHS may use and disclose PHI

– Patients’ rights

– Patient complaint procedures

– Contact information


Acknowledging the Notice


JCAHO - Management of Information (1 of 2)

IM Standards 1.10, 2.10, 2.20, 2.30, 3.10, 4.10, 6.10, 6.50 and 6.60

• Maintain information privacy, security, confidentiality, integrity, availability and continuity

• Plan and design IM processes and systems that:

– Meet internal and external information needs

– Support decision making

Source: Joint Commission on Healthcare Accreditation Brief from April 2006 HIPAA Summit


JCAHO - Management of Information (2 of 2)

• Manage clinical/service and non-clinical data and information, including:

– Capturing, reporting, processing, storing, retrieving, disseminating, and displaying

• Ensure medical records are:

– Complete and accurate

– Available on every patient assessed, cared for, treated or served

– Available when needed

Source: Joint Commission on Healthcare Accreditation Brief from April 2006 HIPAA Summit


Electronic Health Records

• PADs must increase awareness of HIPAA Security requirements, and increase collaboration with HIPAA Security / IT Security personnel

• The main EHR currently is AHLTA, which already implements much of the HIPAA Security Rule

• EHR/AHLTA introduces additional security considerations; CHDR is a module of AHLTA that permits electronic health information sharing between DoD and VA


Permitted Uses and Disclosures of PHI (1 of 2)

• Permitted Uses and Disclosures

– For the permitted uses and disclosures listed below, a patient’s opportunity to agree or object is not required

1. As required by law

2. Avert serious threats to health or safety

3. Specialized government functions

4. Judicial and administrative proceedings

5. Medical facility patient directories

6. Cadaver organ, eye or tissue donation purposes

7. Victims of abuse, neglect or domestic violence

8. Inmates in correctional institutions or in custody

9. Workers’ compensation

10. Research purposes

11. Public health activities

12. Health oversight activities

13. About decedents

14. Law enforcement purposes

Permitted Uses and Disclosures of PHI (2 of 2)

• Disclosures should all be made from established points of disclosure within a facility

• The PAD is often the best office to serve as the point of disclosure

• All uses and disclosures of information are limited by the ‘need-to-know’ standard, except for uses and disclosures for treatment

• Only the amount of information reasonably necessary to achieve the purpose of the release is permitted

What is the PHIMT?

• The PHIMT is a web-based application that assists in complying with the HIPAA Privacy Disclosure Accounting Requirement

• It allows users to track disclosures, document requests for amendments and authorizations, document complaints and restrictions to Protected Health Information (PHI)

– Commercial Off-The-Shelf (COTS) Product customized for TMA

– Deployed in October 2003 with a series of training supporting the deployment to the MTFs


Why Does the PHIMT Exist? (1 of 2)

• The HIPAA Privacy Rule requires a covered entity to maintain a history of when and to whom disclosures of PHI are made for purposes other than treatment, payment and healthcare operations (TPO)

• Individuals have the right to receive an accounting of disclosures of PHI made by the covered entity

• MHS must be able to provide an accounting of those disclosures to an individual upon request

– Not required to account for disclosures that occurred prior to the April 14, 2003 compliance date


Why Does the PHIMT Exist? (2 of 2)

• To comply with this requirement, TMA provides an electronic disclosure-tracking tool

– Centrally managed application that is accessed via the Internet

– Database is stored within TMA’s Network Operations Center located in Falls Church, VA

– Stores information about all disclosures, authorizations, and restrictions that are made for a particular patient


JCAHO - Environment of Care & Patient Safety

EC Standards 2.10 and 9.10

• Address auditory and visual privacy

• Identify and manage security risks

• Monitor conditions in the environment

Medication Reconciliation 8b

• Communicate patient’s medications when referred or transferred to another service, practitioner, or level of care within or outside the organization

Source: Joint Commission on Healthcare Accreditation Brief from April 2006 HIPAA Summit

Public Concerns about Privacy … Breaches of Confidentiality

• June 2006 – Nurse prosecuted for disclosing patient information for personal gain, violating HIPAA

• May 2006 – A laptop containing information on 26.5 million beneficiaries is stolen from the home of a VA Employee

• April 2006 – HA/TMA Network is hacked, information on both government employees and beneficiaries is compromised


Public Concerns about Privacy … Breaches of Confidentiality

• Bank of America loses credit card account data of 1.2 million federal employees, including 60 U.S. senators

– Several senators have introduced privacy legislation in the wake of this and other breaches

• ChoicePoint settles data security breach charges; to pay $10 million in civil penalties, $5 million for consumer redress

– At least 800 cases of identity theft arose from the company’s data breach

Public Concerns about Privacy … Breaches of Confidentiality

• ‘Human error’ exposes patients’ Social Security numbers in N.C.

– More than 600 Blue Cross members in the state were affected by the breach

• Contractor sent names and Social Security numbers of current and former employees, vendors and contractors to his home computer in violation of company policies

– That file contained the names and Social Security numbers of 27,000 former and current internal and contract employees

This Is Happening to You

• “Hacker Steals Air Force Officers’ Personal Information”, by Jonathan Krim, Washington Post Staff Writer, Tuesday, August 23, 2005; Page D01

• Social Security numbers, birth dates and other private data on roughly 33,000 Air Force officers -- about half the branch's officer corps -- were stolen from a military computer database, the service informed its personnel…


Due Diligence: How Do You Know You Are Safe?

• What are you doing to prevent a compromise from happening?

• Are you aware of the issues your HIPAA Privacy and Security Officers are facing?

• Is there enough time, resource, personnel, and money to get the job done?

• What are your policies and procedures related to the protection of data and Protected Health Information (PHI)?

• Have you mapped the flow of data in your MTF/Clinic/Organization?

• Have you expanded your HIPAA and other Privacy and Security training to include related responsibilities?


What Can You Do?

• Policies and Procedures

– Existence

– Enforcement

– Standardization

– Accountability

• Training Statistics

– Percentage complete

– Delinquency

– Time to complete course/exam

• Accounting of Disclosures

– Use of centralized tool (PHIMT)

– Multiple disclosure procedure

– Documentation

JCAHO - Leadership

LD Standards 1.30 and 3.15

• Comply with applicable licensure requirements, laws, rules and regulations

• Develop and implement plans to identify and mitigate impediments to efficient patient flow

Source: Joint Commission on Healthcare Accreditation Brief from April 2006 HIPAA Summit

Leadership

• Be a proactive leader

• Take ownership of the program

• Develop “Best Practices”

• Become the expert

• Innovation is the key

• Get involved and stay involved

• Communicate

• Become a HIPAA advocate for the beneficiaries and your staff

Biggest Challenge

• Need to assess everyday practices such as:

– Who has the need to know?

– What information is discussed during Morning Reports?

– How do your medical records move within and outside of your facility?

– Where is PHI being released?

– What vulnerabilities exist?

– What current practices within your facility are truly necessary or are just traditional?

– Are you at risk?

TMA Privacy Office Website: www.tricare.osd.mil/tmaprivacy

Our Commitment

The TRICARE Management Activity (TMA) Privacy Office is committed to ensuring the privacy and security of patient information at every level as we deliver the best medical care possible to those we serve.

TRICARE Management Activity

Resources

• DoD 6025.18-R, “DoD Health Information Privacy Regulation”, January 2003

• DoD 8580.x-R, Draft “DoD Health Information Security Regulation”

• www.tricare.osd.mil/tmaprivacy/hipaa.cfm

– [email protected] for subject matter questions

– [email protected] for tool related questions

• http://www.tricare.osd.mil/tmaprivacy/Mailing-List.cfm to subscribe to the TMA Privacy Office E-News

• HIPAA Privacy and Security Service Representatives

Questions?

HEALTH AFFAIRS / TRICARE Management Activity