
The Culture of Healthcare

Privacy, Confidentiality, and Security

Lecture c

This material (Comp2_Unit9c) was developed by Oregon Health and Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015.


Privacy, Confidentiality, and Security

Learning Objectives

• Define and discern the differences between privacy, confidentiality, and security (Lecture a)

• Discuss the major methods for protecting privacy and confidentiality, including through the use of information technology (Lecture b)

• Describe and apply privacy, confidentiality, and security under the tenets of HIPAA Privacy Rule (Lecture c)

• Describe and apply privacy, confidentiality, and security under the tenets of the HIPAA Security Rule (Lecture d)

Health IT Workforce Curriculum Version 3.0/Spring 2012

The Culture of Healthcare Privacy, Confidentiality, and Security

Lecture c


HIPAA Privacy and Security

• General history of law, identifier standards, and transaction standards already described

• Privacy Rule
  – http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/

• Security Rule
  – http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html

• Both “enhanced” with ARRA/HITECH legislation in 2009 (Federal Register, 2009; http://www.hhs.gov/ocr/privacy/)
  – Many summaries available (ID Experts, 2009; BridgeFront, 2009; Leyva, 2011)
  – Rules finalized and to go into effect in 2012


HIPAA Privacy Rule

• Applies to “covered entities” (CEs) – any entity that bills electronically
  – Healthcare providers
    • Clinicians, hospitals, clinics, etc.
  – Health plans
    • HMOs, insurance companies, etc.
  – Healthcare clearinghouses
    • Billing services

• Patient must authorize any disclosure, with the exception of “treatment, payment, or operations” (TPO); i.e., the rule does not preclude healthcare providers from sharing data for patient care, a not-uncommon misunderstanding (Houser, 2007)


Physician Oaths of Privacy are Not New

• Oath of Hippocrates, 5th century BC (AAPS, nd.)
  – “All that may come to my knowledge in the exercise of my profession or outside of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and never reveal.”

• Declaration of Geneva, 20th century (AAPS, nd.)
  – “I will respect the secrets which are confided in me, even after the patient has died.”


What is Covered?

• Protected Health Information (PHI)
  – Collected from patient and created by covered entity (CE)
  – Individually identifiable
  – Electronically transmitted – in reality, all information

• Extends to covered entities or business associates

• De-identified information is not covered

• Pre-emption
  – HIPAA trumps state law if state law is less protective of privacy and security, but state laws that go beyond the HIPAA protections are not nullified by HIPAA and must be followed


Identifiers Contained in Protected Health Information (PHI)

• Name
• Address (street address, city, county, zip code)
• Names of relatives
• Names of employers
• E-mail address
• Fax number
• Telephone number
• Birth date
• Finger or voice prints
• Photographic images
• Social security number
• Internet protocol (IP) address
• Any vehicle or device serial number
• Medical record number
• Health plan beneficiary number
• Account number
• Certificate/license number
• Web URL
• Any other unique identifying number, characteristic, or code


Key Privacy Compliance Areas

• Notice of privacy practices
• Authorization
• Business associates
• Allowable disclosures
• Marketing
• Physician and staff training
• Penalties


Notice of Privacy Practices

• Patient has right to
  – Adequate notice of privacy practices
  – Uses and disclosures of PHI
  – Description of individual rights
  – Covered entities’ legal duties

• One problem is the readability of NPP forms, which is comparable to medical journal articles and beyond the reading level of 80% of US adults (Breese, 2005)

• Physicians’ requirements for obtaining NPP consent include
  – “Good faith effort” to obtain acknowledgement during first provision of in-person service
  – Failure to obtain is not penalized (per Bush administration revision)


Other Aspects of Privacy Practices

• Must be written in plain language
• Practices/organizations must state they preserve the right to change Notice of Privacy Practices
• There must be a complaint process
• Practices/organizations must designate a privacy official in the office
• See OHSU examples of Notice of Privacy Practices (NPP)
  – http://www.ohsu.edu/xd/about/services/integrity/ips/npp.cfm/


Authorizations

• Providers must obtain an authorization before using PHI for purposes other than TPO

• They may not condition treatment on an individual’s authorization

• CEs must make “reasonable safeguards” to limit the use or disclosure of PHI to the minimum amount necessary
  – Non-treatment disclosure governed by “Minimum Necessary” standard (HHS OCR, 2003)


Authorizations Must Include

• Names of authorized persons making use or disclosure
• Description of information
• Expiration date or event
• Patient’s right to revoke and instructions on how to do so
• Purpose of use or disclosure
• Signature and date


Business Associates

• Agents, contractors, or others doing work on behalf of a CE and using or disclosing PHI, such as
  – Billing companies
  – Vendors (with access to PHI)

• In original HIPAA, the CE had to obtain “satisfactory assurances” of privacy protections for Business Associates (BAs), but under the HITECH enhancements, BAs are now directly accountable to HHS for compliance
  – Each BA must sign agreement with CE
  – BAs subject to breach notification rules
  – BAs include health information exchanges, PHR vendors who work with CEs, etc.


Allowable Non-TPO Disclosures

• Research
  – Overview: HHS, 2004
  – Authorization by patient is generally required
  – Authorization waiver can be provided by an Institutional Review Board (IRB) or Privacy Board approval
    • Must involve “no more than a minimal risk”
    • Research could not be practically conducted without waiver and without access to PHI

• Public Health
  – Can be disclosed to public health agencies for public health activities
  – Also allowed for child abuse reporting, exposure to communicable diseases, and workforce surveillance

• Other
  – Law enforcement
  – Decedents
  – Cadaveric tissue donation


Marketing

• Defined as “a communication about a product/service that encourages recipients of the communication to purchase/use the product/service”

• Using PHI for marketing requires authorization from the individual

• Is not marketing for providers if the communication is part of treatment, such as
  – Therapy recommendation
  – Appointment notification
  – Prescription refills


Physician and Staff Training

• Practices/organizations must
  – Designate a Privacy Officer
  – Develop policies and procedures
  – Provide privacy training to workforce
  – Develop a system of sanctions for employees who violate the privacy law


Penalties

• Enforced by HHS Office for Civil Rights (OCR, http://www.hhs.gov/ocr/privacy/)

• Penalties higher for “willful neglect,” i.e., offender knew about violation or was recklessly indifferent

• Original HIPAA criticized for modest penalties and minimal prosecutions

• HITECH increased severity of penalties
  – Tiered penalty structure ranging from $25,000 to $1.5M per year, with $100 to $50,000 per violation (for each record)


Does HIPAA Privacy Rule Protect Privacy?

• Reviews by NCVHS (Lumpkin, 2004) and GAO (2004) found adherence less problematic than anticipated

• Major concerns relate to difficulty in performing clinical research
  – Finding and accessing patients for research more difficult (Armstrong, 2005)
  – Two-thirds of researchers surveyed reported more difficulty in work while only one-quarter believed privacy enhanced (Ness, 2007)
  – Reports from AAHC (2008) and IOM (2009) argue for revision to make research easier

• Also concerns with implications for public health (Kamoie, 2004)

• Another view calls for less emphasis on consent and more on a framework that makes for easier sharing of TPO (with some modifications of “O”) with more rigorous restrictions on other uses, such as marketing (McGraw, 2009; McGraw, 2009)


Other Modifications in HITECH

• Breach notification – when 500 or more patients are affected, must be reported to local media and HHS OCR
  – http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
  – Restrictions on disclosures
  – Information about services paid for out of pocket must be withheld from payers upon request
  – TPO disclosures must be tracked and records maintained for three years
  – CEs with EHRs must provide or transmit PHI in electronic format as directed by patient

• Patients can opt out of fundraising appeals


Privacy, Confidentiality, and Security

Summary – Lecture c

• HIPAA Privacy Rule restricts disclosure of information not authorized by a patient; has been enhanced in HITECH Act

• Patient authorization is not required for treatment, payment, or operations (TPO)

• HIPAA Privacy Rule defines covered entities that must adhere and defines business associates of those entities that also must adhere


Privacy, Confidentiality, and Security

References – Lecture c

• Anonymous. (2007b). Security 101 for Covered Entities. Baltimore, MD: Centers for Medicare and Medicaid Services. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/security101.pdf

• Anonymous. (2009a). 2009 HIMSS Analytics Report: Evaluating HITECH’s Impact on Healthcare Privacy and Security. Chicago, IL: HIMSS Analytics. Retrieved from http://haprod.himssanalytics.org/docs/ID_Experts_111509.pdf

• Anonymous. (2009b). Impact of the American Recovery & Reinvestment Act of 2009 on HIPAA Privacy & Security. Beaverton, OR: Bridgefront. Retrieved from http://www.hipaarx.net/downloads/ARRA_HIPAA_White_Paper.pdf

• Armstrong, D., Kline-Rogers, E., Jani, S., Goldman, E., Fang, J., Mukherjee, D., . . . Eagle, K. (2005). Potential impact of the HIPAA privacy rule on data collection in a registry of patients with acute coronary syndrome. Archives of Internal Medicine, 165, 1125-1129.

• Association of American Physicians and Surgeons, Inc. (nd.). Oath of Hippocrates; Declaration of Geneva of the WMA. Retrieved Jan 2012 from http://www.aapsonline.org/ethics/oaths.htm

• Breese, P., & Burman, W. (2005). Readability of notice of privacy forms used by major health care institutions. Journal of the American Medical Association, 293, 1593-1594.

• Houser, S., Houser, H., & Shewchuk, R. (2007). Assessing the effects of the HIPAA privacy rule on release of patient information by healthcare facilities. Perspectives in Health Information Management, 23(4), 1. Retrieved from http://www.pubmedcentral.nih.gov/articlerender.fcgi?pubmedid=18066351

• Kamoie, B., & Hodge, J. (2004). HIPAA's implications for public health policy and practice: guidance from the CDC. Public Health Reports, 119, 216-219.

• Leyva, C., & Leyva, D. (2011). HIPAA Survival Guide for Providers: Privacy & Security Rules, Third Edition. Largo, FL: HITECH Survival Guide.


Privacy, Confidentiality, and Security

References – Lecture c (continued)

• McGraw, D. (2009). Rethinking the Role of Consent in Protecting Health Information Privacy. Washington, DC: Center for Democracy & Technology. Retrieved from http://www.cdt.org/healthprivacy/20090126Consent.pdf

• McGraw, D., Dempsey, J., Harris, L., & Goldman, J. (2009). Privacy as an enabler, not an impediment: building trust into health information exchange. Health Affairs, 28, 416-427.

• Nass, S., Levit, L., & Gostin, L. (Eds.). (2009). Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: National Academies Press.

• Ness, R. (2007). Influence of the HIPAA Privacy Rule on health research. Journal of the American Medical Association, 298, 2164-2170.
