Privacy, Confidentiality, and Security Lecture 2_slides

Editor's Notes

• #2: No audio. Recording preparation.
• #3: Welcome to The Culture of Health Care: Privacy, Confidentiality, and Security. This is Lecture c. The component, The Culture of Health Care, addresses job expectations in health care settings. It discusses how care is organized within a practice setting, privacy laws, and professional and ethical issues encountered in the workplace.
• #4: The objectives for Privacy, Confidentiality, and Security are to: Define and discern the differences between privacy, confidentiality, and security Discuss methods for using information technology to protect privacy and confidentiality Describe and apply privacy, confidentiality, and security under the tenets of the HIPAA Privacy and Security rules Discuss the intersection of a patient’s right to privacy with the need to share and exchange patient information
• #5: This lecture discusses the Health Insurance Portability and Accountability Act (HIPAA) [hip-uh] Privacy Rule, which was signed into effect in 2006. In 2008, the Genetic Information Nondiscrimination Act specifically addressed genetic information under the HIPAA Privacy Rule, prohibiting health plans from using or disclosing genetic information for underwriting purposes. The 2009 Health Information Technology for Economic and Clinical Health Act, or HITECH [high-tech] legislation, provided updates to the rules. Since the 2009 rule publication and HITECH, additional updates have been made through the federal rule-making process regarding the meaningful use program stages. In 2013, the HIPAA rule that focused on increasing the public’s privacy protections and rights regarding their health information was updated and strengthened the government’s ability to enforce the law regardless of where the information is held, whether by a health plan, a health care provider, or one of their business associates. There are also ongoing attempts to ensure that federal and state privacy laws are in agreement with each other. Aligning these laws is a significant work effort, since all state laws are not the same. The benefit of this effort results in not only protection of personal health information but also support in addressing the various issues involved in interstate commerce.
• #6: There are many summaries available on the HIPAA rules, several of which are listed on this slide. The paper by ID Experts presents a relatively concise overview of the HIPAA omnibus law. BridgeFront focuses on some of the legal implications, and the Leyva [lay-vat] summary is focused more on the clinical side of the original law. The Health IT government website has many publicly available resources, such as “HIPAA and Health IT,” which contain information regarding the Privacy Rule and ways it facilitates electronic data exchange. This site also has a Security Information Series, which has resources designed for HIPAA-covered entities, including guidelines for implementation. The Health Information and Management Systems Society (HIMSS) has the Privacy and Security Toolkit, which contains an analysis of the HIPAA law as well as tools and resources for understanding and implementing various elements of the law. This toolkit, like many other industry resources, provides HIPAA information on how the rule applies to specific areas, such as mobile devices, health information exchange organizations, public health, and cloud computing. Many industry resources focus on a specific health care professional, such as physicians, nurses, business associates, and human resources, for example. The National Institutes of Health (NIH) provides information on the HIPAA Privacy Rule specifically for the research community. Many organizations, such as the American Health Information Management Association (AHIMA), offer online HIPAA privacy and security courses with some offering certification. The Department of Health and Human Services (HHS) offers publicly available materials, called “Helping Entities Implement Privacy and Security Protections,” to support providers with HIPAA employee training. In addition, HHS offers “HIPAA for Individuals,” which provides information and resources for U.S. citizens to assist them in understanding their rights under HIPAA.
• #7: Those who work in a health care setting in the United States are probably familiar with the HIPAA Privacy Rule. Patients receiving care in the United States also are exposed to the HIPAA Privacy Rule. The HIPAA Privacy Rule applies to covered entities, which are essentially any entities that electronically bill or are involved in the billing process for patient care services. One category of covered entities is health care providers, such as clinicians, hospitals, and clinics. Another category is health plans, such as health maintenance organizations (HMOs), insurance companies, and others, including business associates. This rule also applies to health care clearinghouses that deal with sensitive health information usually concerning billing services. A key point about HIPAA that leads to a lot of misconceptions is that the HIPAA Privacy Rule doesn’t require patient authorization to disclose information for treatment, payments, or operations, sometimes called TPO [tee-pee-oh]. Probably the biggest misconception is that when a patient is transferred from one institution to another, the referring institution would be in violation of the HIPAA Privacy Rule by sending the patient’s information to the second institution. Not true! When a patient is transferred, it’s within the legal rights of everyone involved in the patient’s health care to disclose information to each other for the care of the patient.
• #8: The Notice of Privacy Practices is essentially an oath of privacy. An interesting Web page devoted to oaths of privacy in health care notes that physicians have been taking privacy seriously for quite some time. The Hippocratic Oath, or the Oath of Hippocrates, developed in the fifth century BC, requires the physician to state, “All that may come to my knowledge in the exercise of my profession or outside of my profession or in daily commerce with men, which ought not to be spread abroad I will keep secret and never reveal.” Likewise, the Declaration of Geneva, usually considered to be the modern-day replacement of the Hippocratic Oath, states, “I will respect the secrets which are confided in me even after the patient has died.”
• #9: What is covered by the HIPAA privacy regulations? The privacy regulations cover protected health information, or PHI [P-H-I]. This is information that is collected from the patient and created by a covered entity, such as a health care provider, clearinghouse, or health plan. It’s individually identifiable and electronically transmitted information. HIPAA regulations extend to covered entities and business associates of the covered entities. For example, if a business works with a health care institution for whom the HIPAA regulations apply, then those regulations apply to that business as well. De-identified information is not covered; issues with so-called de-identified information were discussed in a previous lecture. There are various levels of pre-emption: HIPAA trumps state law if state law is less protective of privacy and security, but state laws that go beyond the HIPAA protections are not nullified by HIPAA and must be followed.
• #10: What types of identifiers fall under PHI? The HIPAA definition of PHI is broad and comprehensive. The regulations define nineteen different types of patient data that can be PHI. Obviously, this includes information such as name and address, but it also includes ZIP code, employer’s e-mail address and telephone numbers, photographic images, Social Security number, medical record number, and any web URLs associated with the patient. Finally, any other unique identifying number, characteristic, or code is also considered PHI.
• #11: What are the key compliance areas for the HIPAA Privacy Rule? Health care organizations must post and inform patients of their Notice of Privacy Practices. HIPAA address issues related to authorization of the use of PHI. There are rules that apply to business associates and subcontractors. There are allowable disclosures, rules around marketing, and rules around physician and staff training. Finally, there are penalties for noncompliance with the privacy rules. These areas are discussed in the slides that follow.
• #12: One of the cornerstones of the HIPAA Privacy Rule is the Notice of Privacy Practices, or NPP [N-P-P]. People who have obtained health care in the United States in the last decade or so will have come across an NPP and probably had to sign it. The NPP states what the patient rights are. Under the HIPAA Privacy Rule, the patient has the right to know the privacy practices of a covered entity, such as a physician practice or hospital. The notice should contain the uses and disclosures of personal health information, including those that extend beyond TPO. The NPP should also describe individual rights as well as the legal duties of the covered entities. Part of the problem with these documents is that their readability is comparable to what is seen in medical journal articles. In other words, they are highly technical and are probably beyond the readability of eighty percent of the U.S. adult population. The 2013 HIPAA update strengthened the patient’s rights with increased protection and control of personal health information. There are many publicly available industry resources to assist in compliance with NPP requirements, including resources and tools available on the HHS website “Notice of Privacy Practices for Protected Health Information.”
• #13: Some other aspects of privacy practices are that they must be written in plain language, although later slides will show that this is somewhat of an issue. Practices and organizations have to state that they reserve the right to change the NPP. There must be some sort of complaint process by which a patient can challenge whether the privacy practices have been inappropriate. Every practice organization must designate a privacy official, essentially a chief privacy officer. In smaller practices, this role may be filled by the office manager or perhaps one of the physicians in the practice. Listed on this slide is the link to the Oregon Health & Science University’s NPP, which has been translated into numerous languages. There are many publicly available resources that provide NPP template forms and tools.
• #14: The HIPAA Privacy Rule requires that an authorization be obtained for the use of PHI for purposes other than for TPO. The covered entity is not allowed to condition treatments of the patient on whether or not an individual gives authorization for use of PHI beyond TPO. When covered entities release PHI, reasonable safeguards must be in place to limit the use to the minimum necessary standard, as defined by the statute from the HHS Office for Civil Rights.
• #15: Authorizations must include the following: The names of authorized persons making use of or disclosing the information The description of the information An expiration date so the authorization does not last into perpetuity Instructions on the patient’s right to revoke the authorization and how to do so A statement of the specific purpose of use or disclosure, and A signature and date by the patient Additional information may be required for designated restricted or sensitive health information, as described by federal and state law, such as with behavioral health and mental health information and records, developmental disability patient health information, and records on alcohol or other substance abuse patient health information or records.
• #16: HIPAA defines business associates and sets rules for their interactions with covered entities. These have been strengthened or updated since the original rule. A “business associate” is [quote] “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or in providing services to, a covered entity.” [end quote] Business associates are directly accountable to HHS for compliance and are subject to breach notification rules. Covered entities must have signed agreements with all of their business associates. Examples of a provider’s business associates include billing companies, vendors, software vendors, personal health record vendors, health information exchange organizations, e-prescribing gateways, and other persons or entities that provide data transmission services with respect to PHI to a covered entity and that require access on a routine basis to such PHI. Also included is any subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate, such as those involved in claims processing and administration, data analysis, utilization review, quality assurance, patient safety activities, and benefits management. In the original HIPAA legislation, covered entities were only required to obtain what was called satisfactory assurances of privacy protections from business associates. Business associates are now required to meet the same rules that covered entities must meet. For example, each business associate must sign an agreement with the covered entity, stating that it will adhere to all of the HIPAA privacy rules. When business associates undergo a breach of information, the associated subcontractors are also subject to the same HIPAA breach notification rules that may include investigation and remediation.
• #17: What are some of the allowable disclosures outside of TPO? One area is research. HHS has a publication that describes what is and isn’t allowed under the HIPAA Privacy Rule. In general, authorization by the patient is required, and the NPP usually contains a clause that allows information to be used for research purposes. However, some waivers can be granted without the patient’s explicit approval by either an institutional review board, also known as an IRB [I-R-B], or a privacy board. The Privacy Rule states that when this authorization waiver is used, there must be no more than a minimal risk of disclosure of information and that the research could not be practically conducted without the waiver and without access to personal health information. Some public health disclosures are allowed so that information gathered by public health agencies can be released. Information in specific areas such as child abuse, exposure to communicable diseases, and workforce surveillance can also be disclosed. Some other areas where disclosure is permitted include information related to law enforcement, issues related to decedents’ [dih-seed-ents] and cadaveric [ka-duh-vehr-ihk] tissue donation.
• #18: Using health information for marketing, defined in HIPAA as a communication about a product or service that encourages recipients of the communication to purchase or use the product or service, requires authorization of the individual. Activities such as a health care provider recommending a treatment to a patient or encouraging a patient to keep an appointment or to refill a prescription have been defined as outside the scope of marketing for providers. So when a provider recommends a treatment, it’s not considered to be marketing; likewise, notifying patients about appointments and prescription refills is not marketing.
• #19: Another aspect of the HIPAA privacy regulations is physician and staff training, which has been a substantial expense to health care organizations. The regulation states that practices and organizations must designate a privacy officer, develop policies and procedures, provide privacy training to the workforce, and develop a system of sanctions for employees who violate the privacy law. There’s sometimes frustration when individuals have to complete HIPAA training at each and every organization they are associated with. For example, a researcher would have to complete similar HIPAA training at all of the institutions that he or she collaborates with, resulting in a lot of repetition.
• #20: Obviously, the HIPAA Privacy Rule must have teeth. In fact, the original HIPAA Privacy Rule was criticized for the relatively modest penalties and minimal prosecutions that took place when the rule was launched. HIPAA has a tiered penalty structure that is administered in line with the nature and circumstances of the violation. This ranges from a violation in which the individual did not know (and by exercising reasonable diligence would not have known) that HIPAA was violated all the way to the extreme circumstance in which a HIPAA violation resulted from willful neglect and with no correction implemented. The assessed penalty relates to the level of culpability characterizing the violation, which can range from twenty-five-thousand dollars up to a maximum penalty of one-point-five million dollars. If multiple HIPAA violations occur, penalties could surpass one-point-five million dollars. The OCR enforces the privacy standards, while the Centers for Medicare & Medicaid Services (CMS) enforces both the transaction and code set standards and the security standards of the HIPAA regulation.
• #21: One question that’s often asked is whether the HIPAA Privacy Rule truly protects privacy. There has been a lot of work on different aspects of the HIPAA Privacy Rule: how well it works, how it can be strengthened, and so forth. Reviews in 2000, after the privacy rule was launched, by the Government Accountability Office, and in 2007 by the National Committee on Vital and Health Statistics (NCVHS), found that adherence was actually less problematic than many had anticipated. The HIPAA Privacy Rule has now become part of health care delivery. One area where there have been many concerns is in the impact of HIPAA on clinical research. Some studies have documented, for example, that finding and accessing patients to participate in research has become more difficult. Researchers report more difficulty in doing their work, and at the same time, they report that they don’t believe privacy is being substantially enhanced. This concern has led some organizations, in particular, the Association of Academic Health Centers and the Institute of Medicine, to argue for revisions to the HIPAA Privacy Rule to make research easier. There also have been some assessments of the HIPAA Privacy Rule with regard to public health. In general, public health authorities are relatively satisfied with HIPAA and don’t find it too onerous [on-er-uhs]. One approach that has been advocated is for less emphasis on patient consent and more emphasis on a framework that makes it easier to share appropriate TPO, with some modifications of how operations is defined, coupled with more rigorous restrictions on other uses, particularly marketing.
• #22: There are other modifications to the HIPAA Privacy Rule under the HITECH legislation. One area concerns breach notification. Obviously, patients must be informed, but when the breach exceeds five hundred patients, the OCR as well as the local media or local press, must be notified. In fact, the OCR maintains a web page that lists all breaches of more than five hundred patients, which can be accessed through the URL on this slide. There are also some modifications that allow patients to put more restrictions on disclosures. For example, when patients pay for medical care out-of-pocket instead of through their insurance, they can stipulate that information not be sent to payers. There are also stricter rules for appropriate disclosures of TPO. These disclosures must be tracked and records maintained for three years. In addition, covered entities that have electronic health records have to either provide or, if the patient requests, transmit PHI in electronic format as the patient directs. Finally, one other clause allows patients to opt out of fundraising appeals.
• #23: This concludes Lecture c of Privacy, Confidentiality, and Security. In summary, the HIPAA Privacy Rule restricts disclosure of information not authorized by a patient. It has been enhanced by the HITECH Act. It’s important to remember that patient authorization for disclosure is not required for treatment, payment, or operations. Finally, the HIPAA Privacy Rule defines covered entities and business associates of those entities that also must adhere to the privacy regulations.
• #24: No audio.
• #25: No audio.
• #26: No audio.
• #27: No audio.
• #28: No audio.