The Culture of Healthcare
Privacy, Confidentiality, and Security
Lecture c
This material (Comp2_Unit9c) was developed by Oregon Health and Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number
IU24OC000015.
Privacy, Confidentiality, and Security: Learning Objectives
• Define and discern the differences between privacy, confidentiality, and security (Lecture a)
• Discuss the major methods for protecting privacy and confidentiality, including through the use of information technology (Lecture b)
• Describe and apply privacy, confidentiality, and security under the tenets of HIPAA Privacy Rule (Lecture c)
• Describe and apply privacy, confidentiality, and security under the tenets of the HIPAA Security Rule (Lecture d)
Health IT Workforce Curriculum Version 3.0/Spring 2012
HIPAA Privacy and Security
• General history of law, identifier standards, and transaction standards already described
• Privacy Rule – http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/
• Security Rule – http://www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
• Both “enhanced” with ARRA/HITECH legislation in 2009 (Federal Register, 2009; http://www.hhs.gov/ocr/privacy/)
  – Many summaries available (ID Experts, 2009; BridgeFront, 2009; Leyva, 2011)
  – Rules finalized and to go into effect in 2012
HIPAA Privacy Rule
• Applies to “covered entities” (CEs) – any entity that bills electronically
  – Healthcare providers
    • Clinicians, hospitals, clinics, etc.
  – Health plans
    • HMOs, insurance companies, etc.
  – Healthcare clearinghouses
    • Billing services
• Patient must authorize any disclosure, with the exception of “treatment, payment, or operations” (TPO), i.e., does not preclude healthcare providers from sharing data for patient care, a not-uncommon misunderstanding (Houser, 2007)
Physician Oaths of Privacy are Not New
• Oath of Hippocrates, 5th century BC (AAPS, nd.)
  – “All that may come to my knowledge in the exercise of my profession or outside of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and never reveal.”
• Declaration of Geneva, 20th century (AAPS, nd.)
  – “I will respect the secrets which are confided in me, even after the patient has died.”
What is Covered?
• Protected Health Information (PHI)
  – Collected from patient and created by covered entity (CE)
  – Individually identifiable
  – Electronically transmitted – in reality, all information
• Extends to covered entities or business associates
• De-identified information is not covered
• Pre-emption
  – HIPAA trumps state law if state law is less protective of privacy and security, but state laws that go beyond the HIPAA protections are not nullified by HIPAA and must be followed
Identifiers Contained in Protected Health Information (PHI)
• Name
• Address (street address, city, county, zip code)
• Names of relatives
• Names of employers
• E-mail address
• Fax number
• Telephone number
• Birth date
• Finger or voice prints
• Photographic images
• Social security number
• Internet protocol (IP) address
• Any vehicle or device serial number
• Medical record number
• Health plan beneficiary number
• Account number
• Certificate/license number
• Web URL
• Any other unique identifying number, characteristic, or code
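As an added example (not part of the lecture materials), a small Python de-identification pass that drops the structured fields corresponding to the identifier categories on this slide and scrubs the formatted ones that commonly leak into free-text notes; the field names, regular expressions and the sample record are assumptions and constructed data, not anything the lecture specifies.

```python
import re

# Structured field names mapped to the slide's identifier categories; the names
# are an assumption about the record layout, not something the lecture specifies.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "city", "county", "zip", "relatives", "employer", "email",
    "fax", "phone", "birth_date", "ssn", "ip_address", "url", "device_serial",
    "vehicle_vin", "mrn", "beneficiary_number", "account_number",
    "license_number", "photo", "fingerprint", "voiceprint",
}

# Formatted identifiers that commonly leak into free-text notes.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}

def scrub_free_text(text: str) -> tuple[str, list[str]]:
    """Replace identifier-like substrings with [REDACTED-<kind>]; list the kinds found."""
    found = []
    for kind, pattern in FREE_TEXT_PATTERNS.items():
        if pattern.search(text):
            found.append(kind)
            text = pattern.sub(f"[REDACTED-{kind}]", text)
    return text, found

def deidentify(record: dict) -> tuple[dict, list[str]]:
    """Drop direct-identifier fields and scrub string values; return (clean, audit)."""
    clean, report = {}, []
    for key, value in record.items():
        if key.lower() in DIRECT_IDENTIFIER_FIELDS:
            report.append(f"dropped field: {key}")
            continue  # a direct identifier is never copied through
        if isinstance(value, str):
            value, kinds = scrub_free_text(value)
            report.extend(f"scrubbed {k} in {key}" for k in kinds)
        clean[key] = value
    return clean, report

# Constructed sample record with fictitious data, not a real patient.
SAMPLE_RECORD = {
    "mrn": "MRN-000123", "name": "Jane Example", "birth_date": "01/02/1970",
    "diagnosis": "Type 2 diabetes",
    "note": "Pt reached at 503-555-0199, email jane@example.org; follow-up 03/15/2012.",
}
```

Calling `deidentify(SAMPLE_RECORD)` keeps only the diagnosis and the scrubbed note and returns an audit list of what was removed. Pattern matching only catches formatted identifiers; names, employers and relatives mentioned in free text need a dictionary or NLP pass, so treat this as a first filter rather than evidence that a dataset is de-identified.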
Key Privacy Compliance Areas
• Notice of privacy practices
• Authorization
• Business associates
• Allowable disclosures
• Marketing
• Physician and staff training
• Penalties
Notice of Privacy Practices
• Patient has right to
  – Adequate notice of privacy practices
  – Uses and disclosures of PHI
  – Description of individual rights
  – Covered entities’ legal duties
• One problem is readability of NPP forms comparable to medical journal articles and beyond 80% of US adults (Breese, 2005)
• Physicians’ requirements for obtaining NPP consent include
  – “Good faith effort” to obtain acknowledgement during first provision of in-person service
  – Failure to obtain is not penalized (per Bush administration revision)
Other Aspects of Privacy Practices
• Must be written in plain language
• Practices/organizations must state they preserve the right to change Notice of Privacy Practices
• There must be a complaint process
• Practices/organizations must designate a privacy official in the office
• See OHSU examples of Notice of Privacy Practices (NPP)
  – http://www.ohsu.edu/xd/about/services/integrity/ips/npp.cfm/
Authorizations
• Providers must obtain an authorization before using PHI for purposes other than TPO
• They may not condition treatment on an individual’s authorization
• CEs must make “reasonable safeguards” to limit the use or disclosure of PHI to the minimum amount necessary
  – Non-treatment disclosure governed by “Minimum Necessary” standard (HHS OCR, 2003)
Authorizations Must Include
• Names of authorized persons making use or disclosure
• Description of information
• Expiration date or event
• Patient’s right to revoke and instructions on how to do so
• Purpose of use or disclosure
• Signature and date
Business Associates
• Agents, contractors, or others doing work on behalf of a CE and using or disclosing PHI, such as
  – Billing companies
  – Vendors (with access to PHI)
• In original HIPAA, CEs had to obtain “satisfactory assurances” of privacy protections from Business Associates (BAs), but in HITECH enhancements, BAs are now directly accountable to HHS for compliance
  – Each BA must sign agreement with CE
  – BAs subject to breach notification rules
  – BAs include health information exchanges, PHR vendors who work with CEs, etc.
Allowable Non-TPO Disclosures
• Research
  – Overview: HHS, 2004
  – Authorization by patient is generally required
  – Authorization waiver can be provided by an Institutional Review Board (IRB) or Privacy Board approval
    • Must involve “no more than a minimal risk”
    • Research could not be practically conducted without waiver and without access to PHI
• Public Health
  – Can be disclosed to public health agencies for public health activities
  – Also allowed for child abuse reporting, exposure to communicable diseases, and workforce surveillance
• Other
  – Law enforcement
  – Decedents
  – Cadaveric tissue donation
Marketing
• Defined as “a communication about a product/service that encourages recipients of the communication to purchase/use the product/service”
• Using PHI for marketing requires authorization from the individual
• Is not marketing for providers if treatment is
  – Therapy recommendation
  – Appointment notification
  – Prescription refills
Physician and Staff Training
• Practices/organizations must
  – Designate a Privacy Officer
  – Develop policies and procedures
  – Provide privacy training to workforce
  – Develop a system of sanctions for employees who violate the privacy law
Penalties
• Enforced by HHS Office for Civil Rights (OCR, http://www.hhs.gov/ocr/privacy/)
• Penalties higher for “willful neglect,” i.e., offender knew about violation or was recklessly indifferent
• Original HIPAA criticized for modest penalties and minimal prosecutions
• HITECH increased severity of penalties
  – Tiered penalty structure ranging from $25,000 to $1.5M per year, with $100 to $50,000 per violation (for each record)
Does HIPAA Privacy Rule Protect Privacy?
• Reviews by NCVHS (Lumpkin, 2004) and GAO (2004) found adherence less problematic than anticipated
• Major concerns relate to difficulty in performing clinical research
  – Finding and accessing patients for research more difficult (Armstrong, 2005)
  – Two-thirds of researchers surveyed reported more difficulty in work while only one-quarter believed privacy enhanced (Ness, 2007)
  – Reports from AAHC (2008) and IOM (2009) argue for revision to make research easier
• Also concerns with implications for public health (Kamoie, 2004)
• Another view calls for less emphasis on consent and more on a framework that makes for easier sharing of TPO (with some modifications of “O”) with more rigorous restrictions on other uses, such as marketing (McGraw, 2009; McGraw et al., 2009)
Other Modifications in HITECH
• Breach notification – when 500 or more patients, must be reported to local media and HHS OCR
  – http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
• Restrictions on disclosures
  – Information about services paid for out of pocket must be withheld from payers upon request
  – TPO disclosures must be tracked and records maintained for three years
  – CEs with EHRs must provide or transmit PHI in electronic format as directed by patient
• Patients can opt out of fundraising appeals
Privacy, Confidentiality, and Security: Summary – Lecture c
• HIPAA Privacy Rule restricts disclosure of information not authorized by a patient; has been enhanced in HITECH Act
• Patient authorization is not required for treatment, payment, or operations (TPO)
• HIPAA Privacy Rule defines covered entities that must adhere and defines business associates of those entities that also must adhere
Privacy, Confidentiality, and Security: References – Lecture c
• Anonymous. (2007b). Security 101 for Covered Entities. Baltimore, MD: Centers for Medicare and Medicaid Services. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/security101.pdf
• Anonymous. (2009a). 2009 HIMSS Analytics Report: Evaluating HITECH’s Impact on Healthcare Privacy and Security. Chicago, IL: HIMSS Analytics. Retrieved from http://haprod.himssanalytics.org/docs/ID_Experts_111509.pdf
• Anonymous. (2009b). Impact of the American Recovery & Reinvestment Act of 2009 on HIPAA Privacy & Security. Beaverton, OR: Bridgefront. Retrieved from http://www.hipaarx.net/downloads/ARRA_HIPAA_White_Paper.pdf
• Armstrong, D., Kline-Rogers, E., Jani, S., Goldman, E., Fang, J., Mukherjee, D., . . . Eagle, K. (2005). Potential impact of the HIPAA privacy rule on data collection in a registry of patients with acute coronary syndrome. Archives of Internal Medicine, 165, 1125-1129.
• Association of American Physicians and Surgeons, Inc. (nd.). Oath of Hippocrates; Declaration of Geneva of the WMA. Retrieved Jan 2012 from http://www.aapsonline.org/ethics/oaths.htm
• Breese, P., & Burman, W. (2005). Readability of notice of privacy forms used by major health care institutions. Journal of the American Medical Association, 293, 1593-1594.
• Houser, S., Houser, H., & Shewchuk, R. (2007). Assessing the effects of the HIPAA privacy rule on release of patient information by healthcare facilities. Perspectives in Health Information Management, 23(4), 1. Retrieved from http://www.pubmedcentral.nih.gov/articlerender.fcgi?pubmedid=18066351
• Kamoie, B., & Hodge, J. (2004). HIPAA's implications for public health policy and practice: guidance from the CDC. Public Health Reports, 119, 216-219.
• Leyva, C., & Leyva, D. (2011). HIPAA Survival Guide for Providers: Privacy & Security Rules, Third Edition. Largo, FL: HITECH Survival Guide.
Privacy, Confidentiality, and Security: References – Lecture c (continued)
• McGraw, D. (2009). Rethinking the Role of Consent in Protecting Health Information Privacy. Washington, DC: Center for Democracy & Technology. Retrieved from http://www.cdt.org/healthprivacy/20090126Consent.pdf
• McGraw, D., Dempsey, J., Harris, L., & Goldman, J. (2009). Privacy as an enabler, not an impediment: building trust into health information exchange. Health Affairs, 28, 416-427.
• Nass, S., Levit, L., & Gostin, L. (Eds.). (2009). Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research. Washington, DC: National Academies Press.
• Ness, R. (2007). Influence of the HIPAA Privacy Rule on health research. Journal of the American Medical Association, 298, 2164-2170.