Privacy, Confidentiality, and Security Lecture 2_slides
1.
2. The Culture of Health Care
Privacy, Confidentiality, and Security
Lecture c
This material (Comp 2 Unit 9) was developed by Oregon Health & Science University, funded by the Department
of Health and Human Services, Office of the National Coordinator for Health Information Technology under
Award Number IU24OC000015. This material was updated in 2016 by Bellevue College under Award
Number 90WT0002.
This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International
License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/.
3. Privacy, Confidentiality, and Security
Learning Objectives
⢠Define and discern the differences between privacy,
confidentiality, and security (Lecture a).
⢠Discuss methods for using information technology to
protect privacy and confidentiality (Lecture b).
⢠Describe and apply privacy, confidentiality, and
security under the tenets of HIPAA Privacy and
Security rules (Lectures c and d).
⢠Discuss the intersection of a patientâs right to privacy
with the need to share and exchange patient
information (Lecture d).
3
4. HIPAA Privacy and Security
⢠2006 HIPAA Rule
â Privacy Rule:
http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary
â Security Rule: www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
⢠2008 Genetic Information Nondiscrimination Act (GINA)
â Genetic information is protected under the HIPAA Privacy Rule
â Prohibits most health plans from using/disclosing genetic information for
underwriting purposes
â www.eeoc.gov/laws/statutes/gina.cfm
⢠2009 ARRA/HITECH legislation enhanced both rules
â http://www.hhs.gov/ocr/privacy
⢠2013 HIPAA Rule updated
â Strengthens privacy protections, new rights for individuals to their health
information, strengthens the governmentâs ability to enforce the law
â www.hhs.gov/about/news/2013/01/17/new-rule-protects-patient-privacy-secures-
health-information.html
4
5. HIPAA Privacy and Security
Continued
â Original rule summaries available (ID Experts,
2014; BridgeFront, 2009; Leyva, 2011)
â HHS resources such as HIPAA & Health IT
â Various HIPAA tool kits
â NIHâs research entities guides
â Employee training resources
â HIPAA certificates and training courses
â HHSâs consumer resources for the public
5
6. HIPAA Privacy Rule
⢠Applies to âcovered entitiesâ (CEs)âany entity that bills
electronically
â Health care providers
o Clinicians, hospitals, clinics, etc.
â Health plans
o HMOs, insurance companies, etc.
â Healthcare clearinghouses
o Billing services
â Business associates
⢠Patient must authorize any disclosure, with the exception of
âtreatment, payment, or operationsâ (TPO); does not preclude
health care providers from sharing data for patient care, a common
misunderstanding (Houser, Houser, & Shewchuk, 2007)
6
7. Physician Oaths of Privacy
Are Not New
⢠Oath of Hippocrates, fifth century BC
â âAll that may come to my knowledge in the
exercise of my profession or outside of my
profession or in daily commerce with men,
which ought not to be spread abroad, I will
keep secret and never reveal.â
⢠Declaration of Geneva, 20th century
â âI will respect the secrets which are confided
in me, even after the patient has died.â
AAPS, n.d.
8. What Is Covered?
⢠Protected health information (PHI)
â Collected from patient and created by covered entity
â Individually identifiable
â Electronically transmittedâin reality, all information
⢠Extends to covered entities and business associates
⢠De-identified information is not covered
⢠Pre-emption
â HIPAA trumps state law if state law is less protective of privacy
and security, but state laws that go beyond the HIPAA
protections are not nullified by HIPAA and must be followed
8
9. Identifiers Contained in Protected
Health Information (PHI)
⢠Name
⢠Address (street address, city,
county, ZIP code)
⢠Names of relatives
⢠Names of employers
⢠E-mail address
⢠Fax number
⢠Telephone number
⢠Birth date
⢠Finger or voice prints
⢠Photographic images
⢠Social Security number
⢠Internet protocol (IP) address
⢠Any vehicle or device serial
number
⢠Medical record number
⢠Health plan beneficiary number
⢠Account number
⢠Certificate/license number
⢠Web URL
⢠Any other unique identifying
number, characteristic, or code
9
10. Key Privacy Compliance Areas
⢠Notice of privacy practices
⢠Authorization
⢠Business associates and subcontractors
⢠Allowable disclosures
⢠Marketing
⢠Physician and staff training
⢠Penalties
10
11. Notice of Privacy Practices
⢠Patient has right to
â Adequate notice of privacy practices
â Uses and disclosures of PHI
â Description of individual rights
â Covered entitiesâ legal duties
⢠One problem is readability of Notice of Privacy Practices (NPP)
forms comparable to medical journal articles and beyond 80% of
U.S. adults (Breese & Burman, 2005)
⢠Physiciansâ requirements for obtaining NPP consent include
â âGood faith effortâ to obtain acknowledgment during first provision of in-
person service
â Failure to obtain is not penalized (per Bush administration revision)
⢠Many publicly available industry resources
11
12. Other Aspects of Privacy Practices
⢠Must be written in plain language
⢠Practices/organizations must state they preserve
the right to change NPP
⢠There must be a complaint process
⢠Practices/organizations must designate a
privacy official in the office
⢠See Oregon Health & Science Universityâs
examples of NPP:
http://www.ohsu.edu/xd/about/services/integrity/i
ps/npp.cfm
12
13. Authorizations
⢠Providers must obtain authorization before
using PHI for purposes other than TPO
⢠They may not condition treatment on an
individualâs authorization
⢠Covered entities must make âreasonable
safeguardsâ to limit the use or disclosure
of PHI to the minimum amount necessary
â Non-treatment disclosure governed by
âMinimum Necessaryâ standard (HHS, 2003)
13
14. Authorizations Must Include
⢠Names of authorized persons making use
of disclosure
⢠Description of information
⢠Expiration of date of event
⢠Patientâs right to revoke and instructions
on how to do so
⢠Purpose of use or disclosure
⢠Signature and date
14
15. Business Associates
⢠Business associate (BA)
â Does work on behalf of a covered entity using
or disclosing PHI
o Anyone who comes in contact with and uses PHI
â Must sign agreement with covered entity
â Is directly accountable to HHS for compliance
and subject to breach notification rules
â Includes all subcontractors to business
associates
15
16. Allowable Non-TPO Disclosures
⢠Research
â Overview: HHS, 2004
â Authorization by patient is
generally required
â Authorization waiver can
be provided by an
institutional review board
(IRB) or privacy board
approval
o Must involve âno more
than a minimal riskâ
o Research could not be
practically conducted
without waiver and without
access to PHI
⢠Public Health
â Can be disclosed to public
health agencies for public
health activities
â Also allowed for child
abuse reporting, exposure
to communicable diseases,
and workforce surveillance
⢠Other
â Law enforcement
â Decedents
â Cadaveric tissue donation
16
17. Marketing
⢠Defined as âa communication about a
product/service that encourages recipients of the
communication to purchase/use the
product/serviceâ
⢠Using PHI for marketing requires authorization
from the individual
⢠Is not marketing for providers if treatment is
â Therapy recommendation
â Appointment notification
â Prescription refill reminder
17
18. Physician and Staff Training
⢠Practices/organizations must
â Designate a privacy Officer
â Develop policies and procedures
â Provide privacy training to workforce
â Develop a system of sanctions for employees
who violate privacy laws
18
19. Penalties
⢠Enforced by HHS Office for Civil Rights
http://www.hhs.gov/ocr/index.html
⢠Penalties higher for âwillful neglectâ (i.e.,
offender knew about violation or was recklessly
indifferent)
⢠Original HIPAA criticized for modest penalties
and minimal prosecutions
⢠HITECH increased severity of penalties:
â Tiered penalty structure ranging from $25,000 to $1.5
million per year, with $100 to $50,000 per violation
(for each record)
19
20. Does HIPAA Privacy Rule
Protect Privacy?
⢠Reviews by GAO (2004) and NCVHS (Kanaan, 2007) found
adherence less problematic than anticipated
⢠Major concerns relate to difficulty in performing clinical research
â Finding and accessing patients for research more difficult (Armstrong et
al., 2005)
â Two-thirds of researchers surveyed reported more difficulty in work; only
one-quarter believed privacy enhanced (Ness, 2007)
â Reports from AAHC (Steinberg, & Rubin, 2009) and Institute of
Medicine (2009) argue for revision to make research easier
⢠Also concerns with implications for public health (Kamoie & Hodge,
2004)
⢠Another view calls for less emphasis on consent and more on a
framework that makes for easier sharing of TPO (with some
modifications of âOâ) with more rigorous restrictions on other uses,
such as marketing (McGraw, 2009; McGraw et al., 2009)
20
21. Other Modifications in HITECH
⢠Breach notification: When 500 or more patients affected,
breach must be reported to local media and OCR
â www.hhs.gov/hipaa/for-professionals/breach-
notification/index.html
â Restrictions on disclosures
â Information about services paid for out of pocket must be
withheld from payers upon request
â TPO disclosures must be tracked and records maintained for
three years
â Covered entities with EHRs must provide or transmit PHI in
electronic format as directed by patient
⢠Patients can opt out of fundraising appeals
21
22. Privacy, Confidentiality, and Security
Summary â Lecture c
⢠HIPAA Privacy Rule restricts disclosure of
information not authorized by a patient
⢠Privacy Rule is enhanced in HITECH Act
⢠Patient authorization is not required for
treatment, payment, or operations (TPO)
⢠HIPAA Privacy Rule defines covered
entities that must adhere and defines
business associates of those entities that
also must adhere
22
23. Privacy, Confidentiality, and Security
References â Lecture c
References
AAPS (Association of American Physicians and Surgeons). (n.d.). Physician oaths. Retrieved from
http://www.aapsonline.org/ethics/oaths.htm
AHIMA (American Health Information Management Association). (2016). AHIMA introduces new online
HIPAA privacy and security course. Retrieved from
http://www.ahima.org/education/onlineed/Programs/hipaa
Armstrong, D., Kline-Rogers, E., Jani, S. M., et al. (2005). Potential impact of the HIPAA privacy rule
on data collection in a registry of patients with acute coronary syndrome. Archives of Internal
Medicine, 165, 1125â1129.
Breese, P., & Burman, W. (2005). Readability of notice of privacy forms used by major health care
institutions. JAMA, 293, 1593â1594.
BridgeFront. (2009). Impact of the American Recovery & Reinvestment Act of 2009 on HIPAA privacy
& security. Retrieved from http://www.hipaarx.net/downloads/ARRA_HIPAA_White_Paper.pdf
Centers for Medicare and Medicaid Services (CMS). (2007). Security 101 for covered entities.
Baltimore, MD: CMS. Retrieved from
http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/security101.pdf
GAO (Government Accounting Office). (2004). Health information: First-year experiences under the
federal privacy rule. Retrieved from http://www.gao.gov/new.items/d04965.pdf
HealthIT.gov. (2016). HIPAA and health IT. Retrieved from https://www.healthit.gov/policy-researchers-
implementers/hipaa-and-health-it
23
24. Privacy, Confidentiality, and Security
References â Lecture c Continued
HealthIT.gov. (2016). Health IT privacy and security resources. Retrieved from
https://www.healthit.gov/providers-professionals/ehr-privacy-security/resources
HHS (Department of Health and Human Services). (n.d.) Covered Entities and Business associates.
Retrieved from http://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
HHS. (n.d.). Helping entities implement privacy and security protections. Retrieved from
http://www.hhs.gov/hipaa/for-professionals/training/index.html
HHS. (n.d.). HIPAA for individuals. Retrieved from http://www.hhs.gov/hipaa/for-individuals/index.html
HHS. (2003). Minimum necessary requirement. Retrieved from http://www.hhs.gov/hipaa/for-
professionals/privacy/guidance/minimum-necessary-requirement/index.html
HHS. (n.d.). Notice of privacy practices for protected health information. Retrieved from
http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-
health-information/index.html
HHS. (2013). New rule protects patient privacy, secures health information. HHS Press Office.
Retrieved from http://www.hhs.gov/about/news/2013/01/17/new-rule-protects-patient-privacy-
secures-health-information.html
HIMSS (Health Information and Management Systems Society). (2016). HIMSS privacy and security
toolkit. Retrieved from http://www.himss.org/library/healthcare-privacy-security/toolkit
HIMSS. (2009). 2009 HIMSS analytics report: Evaluating HITECHâs impact on healthcare privacy and
security. Chicago, IL: HIMSS Analytics. Retrieved from
http://app.himssanalytics.org/docs/ID_Experts_111509.pdf
24
25. Privacy, Confidentiality, and Security
References â Lecture c Continued 2
Hirsch, R., and Deixler, H. (2013). Final HIPAA Omnibus Rule brings sweeping changes to health care
privacy law: HIPAA privacy and security obligations extended to business associates and
subcontractors. Privacy & Security Law Report, 12 PVLR 168. Retrieved from
http://www.trideapartners.com/blog/wp-content/uploads/2013/09/HIPAAFinal-Rule.pdf
Houser, S., Houser, H., & Shewchuk, R. (2007). Assessing the effects of the HIPAA privacy rule on
release of patient information by healthcare facilities. Perspectives in Health Information
Management, 23(4), 1.
ID Experts. (2014). The HIPAA Final Omnibus Rule. Portland, OR: ID Experts. Retrieved from
http://lpa.idexpertscorp.com/acton/attachment/6200/f-002d/1/-/-/-/-/file.pdf
IOM (Institute of Medicine). (2009). Beyond the HIPAA Privacy Rule: Enhancing privacy, improving
health through research. Report Brief. Retrieved from http://www.nationalacademies.org/hmd/
~/media/Files/Report%20Files/2009/Beyond-the-HIPAA-Privacy-Rule-Enhancing-Privacy-
Improving-Health-Through-Research/HIPAA%20report%20brief%20FINAL.ashx
Kamoie, B., & Hodge, J. (2004). HIPAA's implications for public health policy and practice: guidance
from the CDC. Public Health Reports, 119, 216â219.
Kanaan, S. (2007). NCVHS Report 2005â2006. Retrieved from
http://www.cdc.gov/nchs/data/ncvhs/ncvhs05-06.pdf
Leyva, C., & Leyva, D. (2011). HIPAA survival guide for providers: Privacy & security rules, 3rd ed.
Largo, FL: HITECH Survival Guide.
25
26. Privacy, Confidentiality, and Security
References â Lecture c Continued 3
McGraw, D. (2009). Rethinking the role of consent in protecting health information privacy.
Washington, DC: Center for Democracy & Technology. Retrieved from
http://www.cdt.org/healthprivacy/20090126Consent.pdf
McGraw, D., Dempsey, J., Harris, L., & Goldman, J. (2009). Privacy as an enabler, not an impediment:
Building trust into health information exchange. Health Affairs, 28, 416â427.
Nass, S., Levit, L., & Gostin, L. (Eds.). (2009). Beyond the HIPAA privacy rule: Enhancing privacy,
improving health through research. Washington, DC: National Academies Press.
National Institutes of Health (2007). HIPAA privacy rule. Retrieved from
https://privacyruleandresearch.nih.gov
Ness, R. (2007). Influence of the HIPAA privacy rule on health research. JAMA, 298, 2164â2170.
Oregon Health and Science University. OHSU notice of privacy practices. Retrieved from
http://www.ohsu.edu/xd/about/services/integrity/ips/npp.cfm
Steinberg, M., & Rubin, E. (2009). The HIPAA Privacy Rule: Lacks patient benefit, impedes research
growth. Association of Academic Health Centers (AAHC). Retrieved from
http://http://www.aahcdc.org/Portals/41/Series/Issue-
Briefs/HIPAA_Privacy_Rule_Impedes_Research_Growth.pdf?ver=2017-02-17-141347-363
Terry, N. (2014). Health privacy is difficult but not impossible in a post-HIPAA data-driven world.
Chest, 146(3), 835â840.
26
27. The Culture of Health Care
Privacy, Confidentiality, and Security
Lecture c
This material was developed by Oregon Health &
Science University, funded by the Department of
Health and Human Services, Office of the National
Coordinator for Health Information Technology
under Award Number IU24OC000015. This
material was updated in 2016 by Bellevue College
under Award Number 90WT0002.
27
Hinweis der Redaktion
No audio. Recording preparation.
Welcome to The Culture of Health Care: Privacy, Confidentiality, and Security. This is Lecture c.
The component, The Culture of Health Care, addresses job expectations in health care settings. It discusses how care is organized within a practice setting, privacy laws, and professional and ethical issues encountered in the workplace.
The objectives for Privacy, Confidentiality, and Security are to:
Define and discern the differences between privacy, confidentiality, and security
Discuss methods for using information technology to protect privacy and confidentiality
Describe and apply privacy, confidentiality, and security under the tenets of the HIPAA Privacy and Security rules
Discuss the intersection of a patientâs right to privacy with the need to share and exchange patient information
This lecture discusses the Health Insurance Portability and Accountability Act (HIPAA) [hip-uh] Privacy Rule, which was signed into effect in 2006.
In 2008, the Genetic Information Nondiscrimination Act specifically addressed genetic information under the HIPAA Privacy Rule, prohibiting health plans from using or disclosing genetic information for underwriting purposes. The 2009 Health Information Technology for Economic and Clinical Health Act, or HITECH [high-tech] legislation, provided updates to the rules. Since the 2009 rule publication and HITECH, additional updates have been made through the federal rule-making process regarding the meaningful use program stages. In 2013, the HIPAA rule that focused on increasing the publicâs privacy protections and rights regarding their health information was updated and strengthened the governmentâs ability to enforce the law regardless of where the information is held, whether by a health plan, a health care provider, or one of their business associates.
There are also ongoing attempts to ensure that federal and state privacy laws are in agreement with each other. Aligning these laws is a significant work effort, since all state laws are not the same. The benefit of this effort results in not only protection of personal health information but also support in addressing the various issues involved in interstate commerce.
There are many summaries available on the HIPAA rules, several of which are listed on this slide.
The paper by ID Experts presents a relatively concise overview of the HIPAA omnibus law. BridgeFront focuses on some of the legal implications, and the Leyva [lay-vat] summary is focused more on the clinical side of the original law.
The Health IT government website has many publicly available resources, such as âHIPAA and Health IT,â which contain information regarding the Privacy Rule and ways it facilitates electronic data exchange. This site also has a Security Information Series, which has resources designed for HIPAA-covered entities, including guidelines for implementation. The Health Information and Management Systems Society (HIMSS) has the Privacy and Security Toolkit, which contains an analysis of the HIPAA law as well as tools and resources for understanding and implementing various elements of the law. This toolkit, like many other industry resources, provides HIPAA information on how the rule applies to specific areas, such as mobile devices, health information exchange organizations, public health, and cloud computing. Many industry resources focus on a specific health care professional, such as physicians, nurses, business associates, and human resources, for example. The National Institutes of Health (NIH) provides information on the HIPAA Privacy Rule specifically for the research community. Many organizations, such as the American Health Information Management Association (AHIMA), offer online HIPAA privacy and security courses with some offering certification. The Department of Health and Human Services (HHS) offers publicly available materials, called âHelping Entities Implement Privacy and Security Protections,â to support providers with HIPAA employee training. In addition, HHS offers âHIPAA for Individuals,â which provides information and resources for U.S. citizens to assist them in understanding their rights under HIPAA.
Those who work in a health care setting in the United States are probably familiar with the HIPAA Privacy Rule. Patients receiving care in the United States also are exposed to the HIPAA Privacy Rule. The HIPAA Privacy Rule applies to covered entities, which are essentially any entities that electronically bill or are involved in the billing process for patient care services. One category of covered entities is health care providers, such as clinicians, hospitals, and clinics. Another category is health plans, such as health maintenance organizations (HMOs), insurance companies, and others, including business associates. This rule also applies to health care clearinghouses that deal with sensitive health information usually concerning billing services.
A key point about HIPAA that leads to a lot of misconceptions is that the HIPAA Privacy Rule doesnât require patient authorization to disclose information for treatment, payments, or operations, sometimes called TPO [tee-pee-oh]. Probably the biggest misconception is that when a patient is transferred from one institution to another, the referring institution would be in violation of the HIPAA Privacy Rule by sending the patientâs information to the second institution. Not true! When a patient is transferred, itâs within the legal rights of everyone involved in the patientâs health care to disclose information to each other for the care of the patient.
The Notice of Privacy Practices is essentially an oath of privacy. An interesting Web page devoted to oaths of privacy in health care notes that physicians have been taking privacy seriously for quite some time. The Hippocratic Oath, or the Oath of Hippocrates, developed in the fifth century BC, requires the physician to state, âAll that may come to my knowledge in the exercise of my profession or outside of my profession or in daily commerce with men, which ought not to be spread abroad I will keep secret and never reveal.â Likewise, the Declaration of Geneva, usually considered to be the modern-day replacement of the Hippocratic Oath, states, âI will respect the secrets which are confided in me even after the patient has died.â
What is covered by the HIPAA privacy regulations? The privacy regulations cover protected health information, or PHI [P-H-I]. This is information that is collected from the patient and created by a covered entity, such as a health care provider, clearinghouse, or health plan. Itâs individually identifiable and electronically transmitted information. HIPAA regulations extend to covered entities and business associates of the covered entities.
For example, if a business works with a health care institution for whom the HIPAA regulations apply, then those regulations apply to that business as well. De-identified information is not covered; issues with so-called de-identified information were discussed in a previous lecture.
There are various levels of pre-emption: HIPAA trumps state law if state law is less protective of privacy and security, but state laws that go beyond the HIPAA protections are not nullified by HIPAA and must be followed.
What types of identifiers fall under PHI? The HIPAA definition of PHI is broad and comprehensive. The regulations define nineteen different types of patient data that can be PHI. Obviously, this includes information such as name and address, but it also includes ZIP code, employerâs e-mail address and telephone numbers, photographic images, Social Security number, medical record number, and any web URLs associated with the patient. Finally, any other unique identifying number, characteristic, or code is also considered PHI.
What are the key compliance areas for the HIPAA Privacy Rule?
Health care organizations must post and inform patients of their Notice of Privacy Practices.
HIPAA address issues related to authorization of the use of PHI.
There are rules that apply to business associates and subcontractors.
There are allowable disclosures, rules around marketing, and rules around physician and staff training.
Finally, there are penalties for noncompliance with the privacy rules.
These areas are discussed in the slides that follow.
One of the cornerstones of the HIPAA Privacy Rule is the Notice of Privacy Practices, or NPP [N-P-P]. People who have obtained health care in the United States in the last decade or so will have come across an NPP and probably had to sign it. The NPP states what the patient rights are. Under the HIPAA Privacy Rule, the patient has the right to know the privacy practices of a covered entity, such as a physician practice or hospital. The notice should contain the uses and disclosures of personal health information, including those that extend beyond TPO. The NPP should also describe individual rights as well as the legal duties of the covered entities. Part of the problem with these documents is that their readability is comparable to what is seen in medical journal articles. In other words, they are highly technical and are probably beyond the readability of eighty percent of the U.S. adult population.
The 2013 HIPAA update strengthened the patientâs rights with increased protection and control of personal health information. There are many publicly available industry resources to assist in compliance with NPP requirements, including resources and tools available on the HHS website âNotice of Privacy Practices for Protected Health Information.â
Some other aspects of privacy practices are that they must be written in plain language, although later slides will show that this is somewhat of an issue. Practices and organizations have to state that they reserve the right to change the NPP. There must be some sort of complaint process by which a patient can challenge whether the privacy practices have been inappropriate. Every practice organization must designate a privacy official, essentially a chief privacy officer. In smaller practices, this role may be filled by the office manager or perhaps one of the physicians in the practice. Listed on this slide is the link to the Oregon Health & Science Universityâs NPP, which has been translated into numerous languages. There are many publicly available resources that provide NPP template forms and tools.
The HIPAA Privacy Rule requires that an authorization be obtained for the use of PHI for purposes other than for TPO. The covered entity is not allowed to condition treatments of the patient on whether or not an individual gives authorization for use of PHI beyond TPO. When covered entities release PHI, reasonable safeguards must be in place to limit the use to the minimum necessary standard, as defined by the statute from the HHS Office for Civil Rights.
Authorizations must include the following:
The names of authorized persons making use of or disclosing the information
The description of the information
An expiration date so the authorization does not last into perpetuity
Instructions on the patientâs right to revoke the authorization and how to do so
A statement of the specific purpose of use or disclosure, and
A signature and date by the patient
Additional information may be required for designated restricted or sensitive health information, as described by federal and state law, such as with behavioral health and mental health information and records, developmental disability patient health information, and records on alcohol or other substance abuse patient health information or records.
HIPAA defines business associates and sets rules for their interactions with covered entities. These have been strengthened or updated since the original rule. A âbusiness associateâ is [quote] âa person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or in providing services to, a covered entity.â [end quote] Business associates are directly accountable to HHS for compliance and are subject to breach notification rules. Covered entities must have signed agreements with all of their business associates.
Examples of a providerâs business associates include billing companies, vendors, software vendors, personal health record vendors, health information exchange organizations, e-prescribing gateways, and other persons or entities that provide data transmission services with respect to PHI to a covered entity and that require access on a routine basis to such PHI. Also included is any subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate, such as those involved in claims processing and administration, data analysis, utilization review, quality assurance, patient safety activities, and benefits management.
In the original HIPAA legislation, covered entities were only required to obtain what was called satisfactory assurances of privacy protections from business associates. Business associates are now required to meet the same rules that covered entities must meet. For example, each business associate must sign an agreement with the covered entity, stating that it will adhere to all of the HIPAA privacy rules. When business associates undergo a breach of information, the associated subcontractors are also subject to the same HIPAA breach notification rules that may include investigation and remediation.
What are some of the allowable disclosures outside of TPO? One area is research. HHS has a publication that describes what is and isnât allowed under the HIPAA Privacy Rule. In general, authorization by the patient is required, and the NPP usually contains a clause that allows information to be used for research purposes. However, some waivers can be granted without the patientâs explicit approval by either an institutional review board, also known as an IRB [I-R-B], or a privacy board. The Privacy Rule states that when this authorization waiver is used, there must be no more than a minimal risk of disclosure of information and that the research could not be practically conducted without the waiver and without access to personal health information.
Some public health disclosures are allowed so that information gathered by public health agencies can be released. Information in specific areas such as child abuse, exposure to communicable diseases, and workforce surveillance can also be disclosed. Some other areas where disclosure is permitted include information related to law enforcement, issues related to decedentsâ [dih-seed-ents] and cadaveric [ka-duh-vehr-ihk] tissue donation.
Using health information for marketing, defined in HIPAA as a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, requires authorization of the individual.
Activities such as a health care provider recommending a treatment to a patient or encouraging a patient to keep an appointment or to refill a prescription have been defined as outside the scope of marketing for providers. So when a provider recommends a treatment, itâs not considered to be marketing; likewise, notifying patients about appointments and prescription refills is not marketing.
Another aspect of the HIPAA privacy regulations is physician and staff training, which has been a substantial expense to health care organizations. The regulation states that practices and organizations must designate a privacy officer, develop policies and procedures, provide privacy training to the workforce, and develop a system of sanctions for employees who violate the privacy law. Thereâs sometimes frustration when individuals have to complete HIPAA training at each and every organization they are associated with. For example, a researcher would have to complete similar HIPAA training at all of the institutions that he or she collaborates with, resulting in a lot of repetition.
Obviously, the HIPAA Privacy Rule must have teeth. In fact, the original HIPAA Privacy Rule was criticized for the relatively modest penalties and minimal prosecutions that took place when the rule was launched.
HIPAA has a tiered penalty structure that is administered in line with the nature and circumstances of the violation. This ranges from a violation in which the individual did not know (and by exercising reasonable diligence would not have known) that HIPAA was violated all the way to the extreme circumstance in which a HIPAA violation resulted from willful neglect and with no correction implemented. The assessed penalty relates to the level of culpability characterizing the violation, which can range from twenty-five-thousand dollars up to a maximum penalty of one-point-five million dollars. If multiple HIPAA violations occur, penalties could surpass one-point-five million dollars.
The OCR enforces the privacy standards, while the Centers for Medicare & Medicaid Services (CMS) enforces both the transaction and code set standards and the security standards of the HIPAA regulation.
One question thatâs often asked is whether the HIPAA Privacy Rule truly protects privacy. There has been a lot of work on different aspects of the HIPAA Privacy Rule: how well it works, how it can be strengthened, and so forth. Reviews in 2000, after the privacy rule was launched, by the Government Accountability Office, and in 2007 by the National Committee on Vital and Health Statistics (NCVHS), found that adherence was actually less problematic than many had anticipated.
The HIPAA Privacy Rule has now become part of health care delivery. One area where there have been many concerns is in the impact of HIPAA on clinical research. Some studies have documented, for example, that finding and accessing patients to participate in research has become more difficult. Researchers report more difficulty in doing their work, and at the same time, they report that they donât believe privacy is being substantially enhanced. This concern has led some organizations, in particular, the Association of Academic Health Centers and the Institute of Medicine, to argue for revisions to the HIPAA Privacy Rule to make research easier.
There also have been some assessments of the HIPAA Privacy Rule with regard to public health. In general, public health authorities are relatively satisfied with HIPAA and donât find it too onerous [on-er-uhs]. One approach that has been advocated is for less emphasis on patient consent and more emphasis on a framework that makes it easier to share appropriate TPO, with some modifications of how operations is defined, coupled with more rigorous restrictions on other uses, particularly marketing.
There are other modifications to the HIPAA Privacy Rule under the HITECH legislation. One area concerns breach notification. Obviously, patients must be informed, but when the breach exceeds five hundred patients, the OCR as well as the local media or local press, must be notified. In fact, the OCR maintains a web page that lists all breaches of more than five hundred patients, which can be accessed through the URL on this slide. There are also some modifications that allow patients to put more restrictions on disclosures. For example, when patients pay for medical care out-of-pocket instead of through their insurance, they can stipulate that information not be sent to payers. There are also stricter rules for appropriate disclosures of TPO. These disclosures must be tracked and records maintained for three years. In addition, covered entities that have electronic health records have to either provide or, if the patient requests, transmit PHI in electronic format as the patient directs. Finally, one other clause allows patients to opt out of fundraising appeals.
This concludes Lecture c of Privacy, Confidentiality, and Security. In summary, the HIPAA Privacy Rule restricts disclosure of information not authorized by a patient. It has been enhanced by the HITECH Act. Itâs important to remember that patient authorization for disclosure is not required for treatment, payment, or operations. Finally, the HIPAA Privacy Rule defines covered entities and business associates of those entities that also must adhere to the privacy regulations.