Empfohlen
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (19)
Ăhnlich wie Privacy, Confidentiality, and Security Lecture 2_slides
Ăhnlich wie Privacy, Confidentiality, and Security Lecture 2_slides (20)
Mehr von ZakCooper1
Mehr von ZakCooper1 (16)
KĂźrzlich hochgeladen
KĂźrzlich hochgeladen (20)
Privacy, Confidentiality, and Security Lecture 2_slides
- 2. The Culture of Health Care Privacy, Confidentiality, and Security Lecture c This material (Comp 2 Unit 9) was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015. This material was updated in 2016 by Bellevue College under Award Number 90WT0002. This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/.
- 3. Privacy, Confidentiality, and Security Learning Objectives ⢠Define and discern the differences between privacy, confidentiality, and security (Lecture a). ⢠Discuss methods for using information technology to protect privacy and confidentiality (Lecture b). ⢠Describe and apply privacy, confidentiality, and security under the tenets of HIPAA Privacy and Security rules (Lectures c and d). ⢠Discuss the intersection of a patientâs right to privacy with the need to share and exchange patient information (Lecture d). 3
- 4. HIPAA Privacy and Security ⢠2006 HIPAA Rule â Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary â Security Rule: www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html ⢠2008 Genetic Information Nondiscrimination Act (GINA) â Genetic information is protected under the HIPAA Privacy Rule â Prohibits most health plans from using/disclosing genetic information for underwriting purposes â www.eeoc.gov/laws/statutes/gina.cfm ⢠2009 ARRA/HITECH legislation enhanced both rules â http://www.hhs.gov/ocr/privacy ⢠2013 HIPAA Rule updated â Strengthens privacy protections, new rights for individuals to their health information, strengthens the governmentâs ability to enforce the law â www.hhs.gov/about/news/2013/01/17/new-rule-protects-patient-privacy-secures- health-information.html 4
- 5. HIPAA Privacy and Security Continued â Original rule summaries available (ID Experts, 2014; BridgeFront, 2009; Leyva, 2011) â HHS resources such as HIPAA & Health IT â Various HIPAA tool kits â NIHâs research entities guides â Employee training resources â HIPAA certificates and training courses â HHSâs consumer resources for the public 5
- 6. HIPAA Privacy Rule ⢠Applies to âcovered entitiesâ (CEs)âany entity that bills electronically â Health care providers o Clinicians, hospitals, clinics, etc. â Health plans o HMOs, insurance companies, etc. â Healthcare clearinghouses o Billing services â Business associates ⢠Patient must authorize any disclosure, with the exception of âtreatment, payment, or operationsâ (TPO); does not preclude health care providers from sharing data for patient care, a common misunderstanding (Houser, Houser, & Shewchuk, 2007) 6
- 7. Physician Oaths of Privacy Are Not New ⢠Oath of Hippocrates, fifth century BC â âAll that may come to my knowledge in the exercise of my profession or outside of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and never reveal.â ⢠Declaration of Geneva, 20th century â âI will respect the secrets which are confided in me, even after the patient has died.â AAPS, n.d.
- 8. What Is Covered? ⢠Protected health information (PHI) â Collected from patient and created by covered entity â Individually identifiable â Electronically transmittedâin reality, all information ⢠Extends to covered entities and business associates ⢠De-identified information is not covered ⢠Pre-emption â HIPAA trumps state law if state law is less protective of privacy and security, but state laws that go beyond the HIPAA protections are not nullified by HIPAA and must be followed 8
- 9. Identifiers Contained in Protected Health Information (PHI) ⢠Name ⢠Address (street address, city, county, ZIP code) ⢠Names of relatives ⢠Names of employers ⢠E-mail address ⢠Fax number ⢠Telephone number ⢠Birth date ⢠Finger or voice prints ⢠Photographic images ⢠Social Security number ⢠Internet protocol (IP) address ⢠Any vehicle or device serial number ⢠Medical record number ⢠Health plan beneficiary number ⢠Account number ⢠Certificate/license number ⢠Web URL ⢠Any other unique identifying number, characteristic, or code 9
- 10. Key Privacy Compliance Areas ⢠Notice of privacy practices ⢠Authorization ⢠Business associates and subcontractors ⢠Allowable disclosures ⢠Marketing ⢠Physician and staff training ⢠Penalties 10
- 11. Notice of Privacy Practices ⢠Patient has right to â Adequate notice of privacy practices â Uses and disclosures of PHI â Description of individual rights â Covered entitiesâ legal duties ⢠One problem is readability of Notice of Privacy Practices (NPP) forms comparable to medical journal articles and beyond 80% of U.S. adults (Breese & Burman, 2005) ⢠Physiciansâ requirements for obtaining NPP consent include â âGood faith effortâ to obtain acknowledgment during first provision of in- person service â Failure to obtain is not penalized (per Bush administration revision) ⢠Many publicly available industry resources 11
- 12. Other Aspects of Privacy Practices ⢠Must be written in plain language ⢠Practices/organizations must state they preserve the right to change NPP ⢠There must be a complaint process ⢠Practices/organizations must designate a privacy official in the office ⢠See Oregon Health & Science Universityâs examples of NPP: http://www.ohsu.edu/xd/about/services/integrity/i ps/npp.cfm 12
- 13. Authorizations ⢠Providers must obtain authorization before using PHI for purposes other than TPO ⢠They may not condition treatment on an individualâs authorization ⢠Covered entities must make âreasonable safeguardsâ to limit the use or disclosure of PHI to the minimum amount necessary â Non-treatment disclosure governed by âMinimum Necessaryâ standard (HHS, 2003) 13
- 14. Authorizations Must Include ⢠Names of authorized persons making use of disclosure ⢠Description of information ⢠Expiration of date of event ⢠Patientâs right to revoke and instructions on how to do so ⢠Purpose of use or disclosure ⢠Signature and date 14
- 15. Business Associates ⢠Business associate (BA) â Does work on behalf of a covered entity using or disclosing PHI o Anyone who comes in contact with and uses PHI â Must sign agreement with covered entity â Is directly accountable to HHS for compliance and subject to breach notification rules â Includes all subcontractors to business associates 15
- 16. Allowable Non-TPO Disclosures ⢠Research â Overview: HHS, 2004 â Authorization by patient is generally required â Authorization waiver can be provided by an institutional review board (IRB) or privacy board approval o Must involve âno more than a minimal riskâ o Research could not be practically conducted without waiver and without access to PHI ⢠Public Health â Can be disclosed to public health agencies for public health activities â Also allowed for child abuse reporting, exposure to communicable diseases, and workforce surveillance ⢠Other â Law enforcement â Decedents â Cadaveric tissue donation 16
- 17. Marketing ⢠Defined as âa communication about a product/service that encourages recipients of the communication to purchase/use the product/serviceâ ⢠Using PHI for marketing requires authorization from the individual ⢠Is not marketing for providers if treatment is â Therapy recommendation â Appointment notification â Prescription refill reminder 17
- 18. Physician and Staff Training ⢠Practices/organizations must â Designate a privacy Officer â Develop policies and procedures â Provide privacy training to workforce â Develop a system of sanctions for employees who violate privacy laws 18
- 19. Penalties ⢠Enforced by HHS Office for Civil Rights http://www.hhs.gov/ocr/index.html ⢠Penalties higher for âwillful neglectâ (i.e., offender knew about violation or was recklessly indifferent) ⢠Original HIPAA criticized for modest penalties and minimal prosecutions ⢠HITECH increased severity of penalties: â Tiered penalty structure ranging from $25,000 to $1.5 million per year, with $100 to $50,000 per violation (for each record) 19
- 20. Does HIPAA Privacy Rule Protect Privacy? ⢠Reviews by GAO (2004) and NCVHS (Kanaan, 2007) found adherence less problematic than anticipated ⢠Major concerns relate to difficulty in performing clinical research â Finding and accessing patients for research more difficult (Armstrong et al., 2005) â Two-thirds of researchers surveyed reported more difficulty in work; only one-quarter believed privacy enhanced (Ness, 2007) â Reports from AAHC (Steinberg, & Rubin, 2009) and Institute of Medicine (2009) argue for revision to make research easier ⢠Also concerns with implications for public health (Kamoie & Hodge, 2004) ⢠Another view calls for less emphasis on consent and more on a framework that makes for easier sharing of TPO (with some modifications of âOâ) with more rigorous restrictions on other uses, such as marketing (McGraw, 2009; McGraw et al., 2009) 20
- 21. Other Modifications in HITECH ⢠Breach notification: When 500 or more patients affected, breach must be reported to local media and OCR â www.hhs.gov/hipaa/for-professionals/breach- notification/index.html â Restrictions on disclosures â Information about services paid for out of pocket must be withheld from payers upon request â TPO disclosures must be tracked and records maintained for three years â Covered entities with EHRs must provide or transmit PHI in electronic format as directed by patient ⢠Patients can opt out of fundraising appeals 21
- 22. Privacy, Confidentiality, and Security Summary â Lecture c ⢠HIPAA Privacy Rule restricts disclosure of information not authorized by a patient ⢠Privacy Rule is enhanced in HITECH Act ⢠Patient authorization is not required for treatment, payment, or operations (TPO) ⢠HIPAA Privacy Rule defines covered entities that must adhere and defines business associates of those entities that also must adhere 22
- 23. Privacy, Confidentiality, and Security References â Lecture c References AAPS (Association of American Physicians and Surgeons). (n.d.). Physician oaths. Retrieved from http://www.aapsonline.org/ethics/oaths.htm AHIMA (American Health Information Management Association). (2016). AHIMA introduces new online HIPAA privacy and security course. Retrieved from http://www.ahima.org/education/onlineed/Programs/hipaa Armstrong, D., Kline-Rogers, E., Jani, S. M., et al. (2005). Potential impact of the HIPAA privacy rule on data collection in a registry of patients with acute coronary syndrome. Archives of Internal Medicine, 165, 1125â1129. Breese, P., & Burman, W. (2005). Readability of notice of privacy forms used by major health care institutions. JAMA, 293, 1593â1594. BridgeFront. (2009). Impact of the American Recovery & Reinvestment Act of 2009 on HIPAA privacy & security. Retrieved from http://www.hipaarx.net/downloads/ARRA_HIPAA_White_Paper.pdf Centers for Medicare and Medicaid Services (CMS). (2007). Security 101 for covered entities. Baltimore, MD: CMS. Retrieved from http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/security101.pdf GAO (Government Accounting Office). (2004). Health information: First-year experiences under the federal privacy rule. Retrieved from http://www.gao.gov/new.items/d04965.pdf HealthIT.gov. (2016). HIPAA and health IT. Retrieved from https://www.healthit.gov/policy-researchers- implementers/hipaa-and-health-it 23
- 24. Privacy, Confidentiality, and Security References â Lecture c Continued HealthIT.gov. (2016). Health IT privacy and security resources. Retrieved from https://www.healthit.gov/providers-professionals/ehr-privacy-security/resources HHS (Department of Health and Human Services). (n.d.) Covered Entities and Business associates. Retrieved from http://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html HHS. (n.d.). Helping entities implement privacy and security protections. Retrieved from http://www.hhs.gov/hipaa/for-professionals/training/index.html HHS. (n.d.). HIPAA for individuals. Retrieved from http://www.hhs.gov/hipaa/for-individuals/index.html HHS. (2003). Minimum necessary requirement. Retrieved from http://www.hhs.gov/hipaa/for- professionals/privacy/guidance/minimum-necessary-requirement/index.html HHS. (n.d.). Notice of privacy practices for protected health information. Retrieved from http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected- health-information/index.html HHS. (2013). New rule protects patient privacy, secures health information. HHS Press Office. Retrieved from http://www.hhs.gov/about/news/2013/01/17/new-rule-protects-patient-privacy- secures-health-information.html HIMSS (Health Information and Management Systems Society). (2016). HIMSS privacy and security toolkit. Retrieved from http://www.himss.org/library/healthcare-privacy-security/toolkit HIMSS. (2009). 2009 HIMSS analytics report: Evaluating HITECHâs impact on healthcare privacy and security. Chicago, IL: HIMSS Analytics. Retrieved from http://app.himssanalytics.org/docs/ID_Experts_111509.pdf 24
- 25. Privacy, Confidentiality, and Security References â Lecture c Continued 2 Hirsch, R., and Deixler, H. (2013). Final HIPAA Omnibus Rule brings sweeping changes to health care privacy law: HIPAA privacy and security obligations extended to business associates and subcontractors. Privacy & Security Law Report, 12 PVLR 168. Retrieved from http://www.trideapartners.com/blog/wp-content/uploads/2013/09/HIPAAFinal-Rule.pdf Houser, S., Houser, H., & Shewchuk, R. (2007). Assessing the effects of the HIPAA privacy rule on release of patient information by healthcare facilities. Perspectives in Health Information Management, 23(4), 1. ID Experts. (2014). The HIPAA Final Omnibus Rule. Portland, OR: ID Experts. Retrieved from http://lpa.idexpertscorp.com/acton/attachment/6200/f-002d/1/-/-/-/-/file.pdf IOM (Institute of Medicine). (2009). Beyond the HIPAA Privacy Rule: Enhancing privacy, improving health through research. Report Brief. Retrieved from http://www.nationalacademies.org/hmd/ ~/media/Files/Report%20Files/2009/Beyond-the-HIPAA-Privacy-Rule-Enhancing-Privacy- Improving-Health-Through-Research/HIPAA%20report%20brief%20FINAL.ashx Kamoie, B., & Hodge, J. (2004). HIPAA's implications for public health policy and practice: guidance from the CDC. Public Health Reports, 119, 216â219. Kanaan, S. (2007). NCVHS Report 2005â2006. Retrieved from http://www.cdc.gov/nchs/data/ncvhs/ncvhs05-06.pdf Leyva, C., & Leyva, D. (2011). HIPAA survival guide for providers: Privacy & security rules, 3rd ed. Largo, FL: HITECH Survival Guide. 25
- 26. Privacy, Confidentiality, and Security References â Lecture c Continued 3 McGraw, D. (2009). Rethinking the role of consent in protecting health information privacy. Washington, DC: Center for Democracy & Technology. Retrieved from http://www.cdt.org/healthprivacy/20090126Consent.pdf McGraw, D., Dempsey, J., Harris, L., & Goldman, J. (2009). Privacy as an enabler, not an impediment: Building trust into health information exchange. Health Affairs, 28, 416â427. Nass, S., Levit, L., & Gostin, L. (Eds.). (2009). Beyond the HIPAA privacy rule: Enhancing privacy, improving health through research. Washington, DC: National Academies Press. National Institutes of Health (2007). HIPAA privacy rule. Retrieved from https://privacyruleandresearch.nih.gov Ness, R. (2007). Influence of the HIPAA privacy rule on health research. JAMA, 298, 2164â2170. Oregon Health and Science University. OHSU notice of privacy practices. Retrieved from http://www.ohsu.edu/xd/about/services/integrity/ips/npp.cfm Steinberg, M., & Rubin, E. (2009). The HIPAA Privacy Rule: Lacks patient benefit, impedes research growth. Association of Academic Health Centers (AAHC). Retrieved from http://http://www.aahcdc.org/Portals/41/Series/Issue- Briefs/HIPAA_Privacy_Rule_Impedes_Research_Growth.pdf?ver=2017-02-17-141347-363 Terry, N. (2014). Health privacy is difficult but not impossible in a post-HIPAA data-driven world. Chest, 146(3), 835â840. 26
- 27. The Culture of Health Care Privacy, Confidentiality, and Security Lecture c This material was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015. This material was updated in 2016 by Bellevue College under Award Number 90WT0002. 27
Hinweis der Redaktion
- No audio. Recording preparation.
- Welcome to The Culture of Health Care: Privacy, Confidentiality, and Security. This is Lecture c. The component, The Culture of Health Care, addresses job expectations in health care settings. It discusses how care is organized within a practice setting, privacy laws, and professional and ethical issues encountered in the workplace.
- The objectives for Privacy, Confidentiality, and Security are to: Define and discern the differences between privacy, confidentiality, and security Discuss methods for using information technology to protect privacy and confidentiality Describe and apply privacy, confidentiality, and security under the tenets of the HIPAA Privacy and Security rules Discuss the intersection of a patientâs right to privacy with the need to share and exchange patient information
- This lecture discusses the Health Insurance Portability and Accountability Act (HIPAA) [hip-uh] Privacy Rule, which was signed into effect in 2006. In 2008, the Genetic Information Nondiscrimination Act specifically addressed genetic information under the HIPAA Privacy Rule, prohibiting health plans from using or disclosing genetic information for underwriting purposes. The 2009 Health Information Technology for Economic and Clinical Health Act, or HITECH [high-tech] legislation, provided updates to the rules. Since the 2009 rule publication and HITECH, additional updates have been made through the federal rule-making process regarding the meaningful use program stages. In 2013, the HIPAA rule that focused on increasing the publicâs privacy protections and rights regarding their health information was updated and strengthened the governmentâs ability to enforce the law regardless of where the information is held, whether by a health plan, a health care provider, or one of their business associates. There are also ongoing attempts to ensure that federal and state privacy laws are in agreement with each other. Aligning these laws is a significant work effort, since all state laws are not the same. The benefit of this effort results in not only protection of personal health information but also support in addressing the various issues involved in interstate commerce.
- There are many summaries available on the HIPAA rules, several of which are listed on this slide. The paper by ID Experts presents a relatively concise overview of the HIPAA omnibus law. BridgeFront focuses on some of the legal implications, and the Leyva [lay-vat] summary is focused more on the clinical side of the original law. The Health IT government website has many publicly available resources, such as âHIPAA and Health IT,â which contain information regarding the Privacy Rule and ways it facilitates electronic data exchange. This site also has a Security Information Series, which has resources designed for HIPAA-covered entities, including guidelines for implementation. The Health Information and Management Systems Society (HIMSS) has the Privacy and Security Toolkit, which contains an analysis of the HIPAA law as well as tools and resources for understanding and implementing various elements of the law. This toolkit, like many other industry resources, provides HIPAA information on how the rule applies to specific areas, such as mobile devices, health information exchange organizations, public health, and cloud computing. Many industry resources focus on a specific health care professional, such as physicians, nurses, business associates, and human resources, for example. The National Institutes of Health (NIH) provides information on the HIPAA Privacy Rule specifically for the research community. Many organizations, such as the American Health Information Management Association (AHIMA), offer online HIPAA privacy and security courses with some offering certification. The Department of Health and Human Services (HHS) offers publicly available materials, called âHelping Entities Implement Privacy and Security Protections,â to support providers with HIPAA employee training. In addition, HHS offers âHIPAA for Individuals,â which provides information and resources for U.S. citizens to assist them in understanding their rights under HIPAA.
- Those who work in a health care setting in the United States are probably familiar with the HIPAA Privacy Rule. Patients receiving care in the United States also are exposed to the HIPAA Privacy Rule. The HIPAA Privacy Rule applies to covered entities, which are essentially any entities that electronically bill or are involved in the billing process for patient care services. One category of covered entities is health care providers, such as clinicians, hospitals, and clinics. Another category is health plans, such as health maintenance organizations (HMOs), insurance companies, and others, including business associates. This rule also applies to health care clearinghouses that deal with sensitive health information usually concerning billing services. A key point about HIPAA that leads to a lot of misconceptions is that the HIPAA Privacy Rule doesnât require patient authorization to disclose information for treatment, payments, or operations, sometimes called TPO [tee-pee-oh]. Probably the biggest misconception is that when a patient is transferred from one institution to another, the referring institution would be in violation of the HIPAA Privacy Rule by sending the patientâs information to the second institution. Not true! When a patient is transferred, itâs within the legal rights of everyone involved in the patientâs health care to disclose information to each other for the care of the patient.
- The Notice of Privacy Practices is essentially an oath of privacy. An interesting Web page devoted to oaths of privacy in health care notes that physicians have been taking privacy seriously for quite some time. The Hippocratic Oath, or the Oath of Hippocrates, developed in the fifth century BC, requires the physician to state, âAll that may come to my knowledge in the exercise of my profession or outside of my profession or in daily commerce with men, which ought not to be spread abroad I will keep secret and never reveal.â Likewise, the Declaration of Geneva, usually considered to be the modern-day replacement of the Hippocratic Oath, states, âI will respect the secrets which are confided in me even after the patient has died.â
- What is covered by the HIPAA privacy regulations? The privacy regulations cover protected health information, or PHI [P-H-I]. This is information that is collected from the patient and created by a covered entity, such as a health care provider, clearinghouse, or health plan. Itâs individually identifiable and electronically transmitted information. HIPAA regulations extend to covered entities and business associates of the covered entities. For example, if a business works with a health care institution for whom the HIPAA regulations apply, then those regulations apply to that business as well. De-identified information is not covered; issues with so-called de-identified information were discussed in a previous lecture. There are various levels of pre-emption: HIPAA trumps state law if state law is less protective of privacy and security, but state laws that go beyond the HIPAA protections are not nullified by HIPAA and must be followed.
- What types of identifiers fall under PHI? The HIPAA definition of PHI is broad and comprehensive. The regulations define nineteen different types of patient data that can be PHI. Obviously, this includes information such as name and address, but it also includes ZIP code, employerâs e-mail address and telephone numbers, photographic images, Social Security number, medical record number, and any web URLs associated with the patient. Finally, any other unique identifying number, characteristic, or code is also considered PHI.
- What are the key compliance areas for the HIPAA Privacy Rule? Health care organizations must post and inform patients of their Notice of Privacy Practices. HIPAA address issues related to authorization of the use of PHI. There are rules that apply to business associates and subcontractors. There are allowable disclosures, rules around marketing, and rules around physician and staff training. Finally, there are penalties for noncompliance with the privacy rules. These areas are discussed in the slides that follow.
- One of the cornerstones of the HIPAA Privacy Rule is the Notice of Privacy Practices, or NPP [N-P-P]. People who have obtained health care in the United States in the last decade or so will have come across an NPP and probably had to sign it. The NPP states what the patient rights are. Under the HIPAA Privacy Rule, the patient has the right to know the privacy practices of a covered entity, such as a physician practice or hospital. The notice should contain the uses and disclosures of personal health information, including those that extend beyond TPO. The NPP should also describe individual rights as well as the legal duties of the covered entities. Part of the problem with these documents is that their readability is comparable to what is seen in medical journal articles. In other words, they are highly technical and are probably beyond the readability of eighty percent of the U.S. adult population. The 2013 HIPAA update strengthened the patientâs rights with increased protection and control of personal health information. There are many publicly available industry resources to assist in compliance with NPP requirements, including resources and tools available on the HHS website âNotice of Privacy Practices for Protected Health Information.â
- Some other aspects of privacy practices are that they must be written in plain language, although later slides will show that this is somewhat of an issue. Practices and organizations have to state that they reserve the right to change the NPP. There must be some sort of complaint process by which a patient can challenge whether the privacy practices have been inappropriate. Every practice organization must designate a privacy official, essentially a chief privacy officer. In smaller practices, this role may be filled by the office manager or perhaps one of the physicians in the practice. Listed on this slide is the link to the Oregon Health & Science Universityâs NPP, which has been translated into numerous languages. There are many publicly available resources that provide NPP template forms and tools.
- The HIPAA Privacy Rule requires that an authorization be obtained for the use of PHI for purposes other than for TPO. The covered entity is not allowed to condition treatments of the patient on whether or not an individual gives authorization for use of PHI beyond TPO. When covered entities release PHI, reasonable safeguards must be in place to limit the use to the minimum necessary standard, as defined by the statute from the HHS Office for Civil Rights.
- Authorizations must include the following: The names of authorized persons making use of or disclosing the information The description of the information An expiration date so the authorization does not last into perpetuity Instructions on the patientâs right to revoke the authorization and how to do so A statement of the specific purpose of use or disclosure, and A signature and date by the patient Additional information may be required for designated restricted or sensitive health information, as described by federal and state law, such as with behavioral health and mental health information and records, developmental disability patient health information, and records on alcohol or other substance abuse patient health information or records.
- HIPAA defines business associates and sets rules for their interactions with covered entities. These have been strengthened or updated since the original rule. A âbusiness associateâ is [quote] âa person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or in providing services to, a covered entity.â [end quote] Business associates are directly accountable to HHS for compliance and are subject to breach notification rules. Covered entities must have signed agreements with all of their business associates. Examples of a providerâs business associates include billing companies, vendors, software vendors, personal health record vendors, health information exchange organizations, e-prescribing gateways, and other persons or entities that provide data transmission services with respect to PHI to a covered entity and that require access on a routine basis to such PHI. Also included is any subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate, such as those involved in claims processing and administration, data analysis, utilization review, quality assurance, patient safety activities, and benefits management. In the original HIPAA legislation, covered entities were only required to obtain what was called satisfactory assurances of privacy protections from business associates. Business associates are now required to meet the same rules that covered entities must meet. For example, each business associate must sign an agreement with the covered entity, stating that it will adhere to all of the HIPAA privacy rules. When business associates undergo a breach of information, the associated subcontractors are also subject to the same HIPAA breach notification rules that may include investigation and remediation.
- What are some of the allowable disclosures outside of TPO? One area is research. HHS has a publication that describes what is and isnât allowed under the HIPAA Privacy Rule. In general, authorization by the patient is required, and the NPP usually contains a clause that allows information to be used for research purposes. However, some waivers can be granted without the patientâs explicit approval by either an institutional review board, also known as an IRB [I-R-B], or a privacy board. The Privacy Rule states that when this authorization waiver is used, there must be no more than a minimal risk of disclosure of information and that the research could not be practically conducted without the waiver and without access to personal health information. Some public health disclosures are allowed so that information gathered by public health agencies can be released. Information in specific areas such as child abuse, exposure to communicable diseases, and workforce surveillance can also be disclosed. Some other areas where disclosure is permitted include information related to law enforcement, issues related to decedentsâ [dih-seed-ents] and cadaveric [ka-duh-vehr-ihk] tissue donation.
- Using health information for marketing, defined in HIPAA as a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, requires authorization of the individual. Activities such as a health care provider recommending a treatment to a patient or encouraging a patient to keep an appointment or to refill a prescription have been defined as outside the scope of marketing for providers. So when a provider recommends a treatment, itâs not considered to be marketing; likewise, notifying patients about appointments and prescription refills is not marketing.
- Another aspect of the HIPAA privacy regulations is physician and staff training, which has been a substantial expense to health care organizations. The regulation states that practices and organizations must designate a privacy officer, develop policies and procedures, provide privacy training to the workforce, and develop a system of sanctions for employees who violate the privacy law. Thereâs sometimes frustration when individuals have to complete HIPAA training at each and every organization they are associated with. For example, a researcher would have to complete similar HIPAA training at all of the institutions that he or she collaborates with, resulting in a lot of repetition.
- Obviously, the HIPAA Privacy Rule must have teeth. In fact, the original HIPAA Privacy Rule was criticized for the relatively modest penalties and minimal prosecutions that took place when the rule was launched. HIPAA has a tiered penalty structure that is administered in line with the nature and circumstances of the violation. This ranges from a violation in which the individual did not know (and by exercising reasonable diligence would not have known) that HIPAA was violated all the way to the extreme circumstance in which a HIPAA violation resulted from willful neglect and with no correction implemented. The assessed penalty relates to the level of culpability characterizing the violation, which can range from twenty-five-thousand dollars up to a maximum penalty of one-point-five million dollars. If multiple HIPAA violations occur, penalties could surpass one-point-five million dollars. The OCR enforces the privacy standards, while the Centers for Medicare & Medicaid Services (CMS) enforces both the transaction and code set standards and the security standards of the HIPAA regulation.
- One question thatâs often asked is whether the HIPAA Privacy Rule truly protects privacy. There has been a lot of work on different aspects of the HIPAA Privacy Rule: how well it works, how it can be strengthened, and so forth. Reviews in 2000, after the privacy rule was launched, by the Government Accountability Office, and in 2007 by the National Committee on Vital and Health Statistics (NCVHS), found that adherence was actually less problematic than many had anticipated. The HIPAA Privacy Rule has now become part of health care delivery. One area where there have been many concerns is in the impact of HIPAA on clinical research. Some studies have documented, for example, that finding and accessing patients to participate in research has become more difficult. Researchers report more difficulty in doing their work, and at the same time, they report that they donât believe privacy is being substantially enhanced. This concern has led some organizations, in particular, the Association of Academic Health Centers and the Institute of Medicine, to argue for revisions to the HIPAA Privacy Rule to make research easier. There also have been some assessments of the HIPAA Privacy Rule with regard to public health. In general, public health authorities are relatively satisfied with HIPAA and donât find it too onerous [on-er-uhs]. One approach that has been advocated is for less emphasis on patient consent and more emphasis on a framework that makes it easier to share appropriate TPO, with some modifications of how operations is defined, coupled with more rigorous restrictions on other uses, particularly marketing.
- There are other modifications to the HIPAA Privacy Rule under the HITECH legislation. One area concerns breach notification. Obviously, patients must be informed, but when the breach exceeds five hundred patients, the OCR as well as the local media or local press, must be notified. In fact, the OCR maintains a web page that lists all breaches of more than five hundred patients, which can be accessed through the URL on this slide. There are also some modifications that allow patients to put more restrictions on disclosures. For example, when patients pay for medical care out-of-pocket instead of through their insurance, they can stipulate that information not be sent to payers. There are also stricter rules for appropriate disclosures of TPO. These disclosures must be tracked and records maintained for three years. In addition, covered entities that have electronic health records have to either provide or, if the patient requests, transmit PHI in electronic format as the patient directs. Finally, one other clause allows patients to opt out of fundraising appeals.
- This concludes Lecture c of Privacy, Confidentiality, and Security. In summary, the HIPAA Privacy Rule restricts disclosure of information not authorized by a patient. It has been enhanced by the HITECH Act. Itâs important to remember that patient authorization for disclosure is not required for treatment, payment, or operations. Finally, the HIPAA Privacy Rule defines covered entities and business associates of those entities that also must adhere to the privacy regulations.
- No audio.
- No audio.
- No audio.
- No audio.
- No audio.