© 2016 Health Information Management Technology: An Applied Approach Chapter 9 Data Privacy and Confidentiality.
Privacy and Confidentiality Privacy: “right to be let alone” o No explicit constitutional right to privacy Confidentiality: stems from sharing private information in confidence with someone else, who then has a duty not to disclose it

Use and Disclosure Use: how an organization avails itself of information internally Disclosure: how information is disseminated outside an organization

Legal Process Discovery – pretrial stage; parties obtain information from each other Types of discovery: o Deposition o Interrogatories Information can be compelled through a: o Subpoena (ad testificandum or duces tecum) with authorization o Court order o Warrant

E-Discovery Parties obtain and review electronically stored data Governed in federal court by the Federal Rules of Civil Procedure Considerations: o Discoverable data Metadata o Legal hold o Spoliation

Testimony Federal Rules of Evidence govern admissibility in federal courts o Hearsay: out-of-court statement used to prove the truth of the matter Not admissible unless it meets an exception Medical records often admitted through the business records exception to the hearsay rule

HIPAA Definition Health Insurance Portability and Accountability Act (HIPAA) of 1996 o Focus is Title II (1 of 5 titles), which covers medical liability reform, healthcare fraud and abuse prevention, and administrative simplification o Administrative simplification includes: privacy standards; security standards; transactions, identifiers, and code set standards; national provider identifiers; enforcement

ARRA and HITECH American Recovery and Reinvestment Act (ARRA) signed into law February 17, 2009 o Health Information Technology for Economic and Clinical Health (HITECH) Act is a component of ARRA o ARRA and HITECH provide important changes to the HIPAA Privacy Rule

Office of the National Coordinator for Health Information Technology (ONC) Within the Department of Health and Human Services Responsible for o Coordinating national efforts to implement and use health information technology o Promoting exchange of electronic health information

HIPAA Applicability Covered entities o Healthcare providers that conduct financial or administrative transactions electronically o Health plans o Healthcare clearinghouses

HIPAA Applicability Business associates (BAs) o Perform functions or activities on behalf of or for a covered entity that involve use or disclosure of protected health information o Business Associate Agreements (BAAs) o BAA content must be complete o ARRA and HITECH applied more stringent requirements and penalties to BAs and the BAs’ subcontractors

HIPAA Applicability Workforce members o Employees, volunteers, student interns, trainees, employees of outsourced vendors working routinely on-site o Are contractors working in a covered entity considered workforce members or business associates?

HIPAA Applicability Protected health information (PHI) o Individually identifiable o Relates to one’s past, present or future physical or mental health condition; provision of healthcare; or payment for provision of healthcare o Held or transmitted by a covered entity or BA PHI applies to all forms or media (paper, electronic, oral)

HIPAA Applicability Deidentified information o Does not identify the individual, and there is no reasonable basis to believe it could be used to identify the individual o Not subject to the HIPAA privacy rule o Safe harbor method: 18 identifier elements must be removed to deidentify an individual; the alternative is expert determination (a qualified expert documents that the re-identification risk is very small)
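The safe harbor method described above is mechanical enough to implement as a filter over a record. The following is an added example, not code from the slides or the textbook: it drops the direct-identifier fields, generalizes ZIP codes to three digits (with the "000" rule for low-population prefixes), reduces dates to the year, aggregates ages over 89 into "90+", and scrubs identifier patterns from free-text notes. The field names, the sample record, and the restricted-ZIP set are all assumptions made for illustration; in particular, the restricted three-digit ZIP list must be taken from current Census figures, not from this snippet.

```python
"""Safe Harbor de-identification of a constructed patient record.

Added example: field names, record layout and sample values are assumptions
made for illustration, not data from the slides.
"""
import re

# Fields that hold direct identifiers and are dropped outright. Street address
# and city fall under "geographic subdivisions smaller than a state".
DIRECT_IDENTIFIER_FIELDS = {
    "name", "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "phone", "fax", "email", "url", "ip_address", "vehicle_id", "device_id",
    "biometric", "photo", "street_address", "city",
}
# Date fields are reduced to the year; Safe Harbor permits the year only.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes covering 20,000 or fewer people must be reported as
# "000". ASSUMPTION: illustrative subset; take the real list from Census data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790"}
# Identifier patterns scrubbed from free text (dates are handled before phone
# numbers so a date is never partially consumed as a phone number).
PII_PATTERNS = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("DATE", re.compile(r"\b\d{4}-\d{2}-\d{2}\b")),
    ("PHONE", re.compile(
        r"(?<!\d)(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three digits, or '000' for a low-population prefix."""
    zip3 = zip_code[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(value: str) -> str:
    """Keep only the year of an ISO date (YYYY-MM-DD)."""
    return value[:4]


def generalize_age(age: int) -> str:
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def scrub_text(text: str) -> str:
    """Replace identifier patterns in free text with a category placeholder."""
    for label, pattern in PII_PATTERNS:
        text = pattern.sub(f"[{label}]", text)
    return text


def deidentify(record: dict) -> dict:
    """Return a Safe Harbor de-identified copy of one patient record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "zip":
            out[key] = generalize_zip(value)
        elif key in DATE_FIELDS:
            out[key] = generalize_date(value)
        elif key == "age":
            out[key] = generalize_age(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    # A birth year for someone over 89 is itself indicative of age: drop it.
    if out.get("age") == "90+":
        out.pop("dob", None)
    return out


def residual_identifiers(record: dict) -> list:
    """Audit check: list identifier categories still present in a record."""
    found = [f"field:{k}" for k in record if k in DIRECT_IDENTIFIER_FIELDS]
    for key, value in record.items():
        if isinstance(value, str):
            found.extend(f"{label}:{key}" for label, pattern in PII_PATTERNS
                         if pattern.search(value))
    return found


# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Public", "mrn": "MRN-0012345", "ssn": "123-45-6789",
    "dob": "1931-07-04", "age": 93, "admit_date": "2024-11-02",
    "zip": "03601", "city": "Keene", "state": "NH",
    "diagnosis": "Type 2 diabetes mellitus",
    "note": ("Pt called from 603-555-0142, email jane@example.com, "
             "seen 2024-11-02. IP 10.1.2.3 used for portal."),
}

if __name__ == "__main__":
    print(residual_identifiers(SAMPLE_RECORD))
    print(deidentify(SAMPLE_RECORD))
    print(residual_identifiers(deidentify(SAMPLE_RECORD)))
```

The residual check is the part worth keeping in a release pipeline: run it over every record of a data set before it leaves the covered entity, and treat any non-empty result as a blocker. Pattern scrubbing of free text is the weak link of safe harbor in practice, since names and other identifiers in narrative notes have no fixed format; that is why the expert determination route, or structured fields only, is often preferred for research extracts.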

HIPAA Applicability: ARRA and HITECH Change Individually identifiable health information of deceased persons is no longer protected by HIPAA (that is, it is no longer PHI) once the individual has been deceased for more than 50 years.

HIPAA Applicability Individual – the person who is the subject of PHI Personal representative – a person with legal authority to act on another’s behalf

HIPAA Applicability Designated record set (DRS) o Includes health records, billing records, and various claims records used to make decisions about an individual o HIPAA applies to the DRS

HIPAA: Minimum Necessary Standard established by HIPAA: must limit uses, disclosures and requests of PHI to the minimum amount needed to accomplish the intended purpose o Exceptions to minimum necessary (for example, disclosures to the individual, disclosures to a provider for treatment, and disclosures pursuant to an authorization) o ARRA and HITECH: seeks to clarify its definition (still pending)

HIPAA: Treatment, Payment and Operations The Privacy Rule provides a number of exceptions to its requirements for PHI that is being used or disclosed for treatment, payment or operations (TPO)

HIPAA: Individual Rights The HIPAA privacy rule provides individuals with rights to provide some control over their health information. o Right of access (affected by ARRA and HITECH) o Right to request amendment o Right to accounting of disclosures (affected by ARRA and HITECH) o Right to request restrictions (affected by ARRA and HITECH) o Right to request confidential communications o Right to complain of privacy rule violations

HIPAA: Individual Rights—Access Right of access o Own PHI contained in a designated record set o ARRA and HITECH: covered entities with EHRs must make PHI available or send electronically if individual requests o Exceptions to access Psychotherapy notes Information compiled for civil or criminal actions Denial of access o Not subject to review o Subject to review

HIPAA: Individual Rights—Access (continued) Access request o Covered entity may require the request in writing (if the individual was previously informed of this) o Timely response is required by the covered entity: 30 days from receipt of request o Extension of time period: one 30-day extension; must provide the individual with a written statement within the original 30-day period, stating the reason for the delay and the date the covered entity will complete its action o Time period for records not maintained on site o Must produce in the format requested if readily producible

HIPAA: Individual Rights—Access (continued) Charges o Reasonable fee may be imposed Copying, including supplies and labor Postage, when individual has requested information to be mailed Preparation of an explanation summary, if agreed to by the individual in advance Retrieval fee not permitted for patient requests

HIPAA: Individual Rights—Request Amendment Right to request amendment o May require the amendment request to be in writing o Allowed reasons for denial of amendment request o Facility may accept or deny request o Timely response to the request by the covered entity o Process for denial of requests for amendment

HIPAA: Individual Rights—Accounting of Disclosures Right to accounting of disclosures Disclosures that do not require an accounting: o Disclosures for TPO purposes ARRA and HITECH exception: covered entities that use or maintain an electronic health record must account for TPO disclosures New (2011) proposal: uses and TPO disclosures excluded from the accounting (both paper and electronic) because of the proposed “access report” o Disclosures to individuals of their own PHI o Incidental disclosures, or disclosures otherwise permitted or required

HIPAA: Individual Rights—Accounting of Disclosures (continued) Disclosures that do not require an accounting (continued) o Pursuant to an authorization o Use in a facility directory o To meet national security or intelligence requirements o To correctional institutions or law enforcement officials o Disclosures that occurred before the HIPAA privacy compliance date

ARRA and HITECH Change (proposed) Access Report o Proposed in 2011 subsequent to (but as part of) HITECH o Separate from accounting of disclosures o Applicable to EHRs o Would allow individuals to see every person who has viewed the individual’s DRS in the previous three years o Some TPO disclosure information moved from disclosure report to access report o Status pending

HIPAA: Individual Rights—Accounting of Disclosures (continued) Information included in an accounting o Date of disclosure o Name and address of entity or person who received the information o Brief statement of the purpose of the disclosure or copy of individual’s written authorization or request Timely response to request for accounting o ARRA/HITECH: Response requirements for BAs Fees for accounting of disclosures Required documentation

HIPAA: Individual Rights—Request Restrictions Right to request restrictions on uses and disclosures of PHI to carry out TPO o Covered entity must permit such a request, but does not have to agree to the requested restriction ARRA and HITECH exception: Must agree if disclosure would be to a health plan for payment or operations, but individual paid for service or item completely out of pocket o Termination of requested restrictions Covered entity’s responsibilities

HIPAA: Individual Rights—Confidential Communications Right to request confidential communications o Alternative routing or destination or by alternative method o Requests may be refused if information is not provided as to how payment will be handled

HIPAA: Individual Rights—Complain of Violations Right to complain of privacy rule violations o Must inform individuals of right to complain at covered entity level and to the US Department of Health and Human Services

HIPAA Privacy Rule Documents: Notice of Privacy Practices Notice of Privacy Practices o Purpose o Availability of the notice o Required content o Acknowledgement by individual

ARRA and HITECH Change Notice of Privacy Practices must be updated to o State that uses and disclosures not described in the Notice will require an authorization o Address ARRA marketing update (discussed later) o Address the right to opt out of fundraising communications (discussed later) o Covered entity’s obligation to comply with restriction request if item or service is paid in full out of pocket

HIPAA Privacy Rule Documents: Consent Consent o To use or disclose PHI for treatment, payment, and operations (TPO) o Optional document o Required content o Revocation

HIPAA Privacy Rule Documents: Authorization Authorization o Definition o Purpose o Content o Situations requiring an authorization

Authorization Not Required Required uses and disclosures without authorization o Access or accounting of disclosures requested by individual or personal representative o US Department of Health and Human Services investigation, review, or enforcement action

Authorization Not Required (continued) Permitted uses and disclosures without authorization (patient HAS opportunity to informally agree or object) o Directory of patients o Notification of family or friends

Authorization Not Required (continued) Permitted uses and disclosures without authorization (patient does not have opportunity to agree or object). These uses and disclosures are permissive only and must not violate a stricter or more protective state law. o Treatment, payment, and operations o To the individual o Incidental disclosures o Limited data set o 12 public interest and benefit purposes

Authorization Not Required (continued) Twelve public interest and benefit purposes: 1.As required by law (such as reporting specified wounds) 2.Public health activities 3.Victims of abuse, neglect, or domestic violence 4.Healthcare oversight activities 5.Judicial and administrative proceedings 6.Law enforcement purposes 7.Decedents 8.Cadaveric organ, eye or tissue donation 9.Research 10.Threat to health or safety 11.Specialized government functions 12.Workers’ compensation

Authorization Not Required (continued) ARRA and HITECH changes o Disclosure of students’ immunization records would be considered a public health disclosure (one of the 12 public interest and benefit purposes) Written authorization would not be required Oral agreement would be required o Research: covered entity may combine conditioned authorizations and unconditioned authorizations as long as each is clearly marked and the individual is able to opt out of unconditioned research activities

HIPAA: Breach Notification Required under ARRA and HITECH Previously, mitigation was required in the event of a breach Covered entities and BAs: subject to HHS regulations Others (including PHR vendors): subject to FTC regulations

HIPAA: Breach Notification Breach: “Unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of such information” o Applies to unsecured PHI only: PHI rendered unusable, unreadable or indecipherable to unauthorized persons under HHS guidance (for example, encrypted or properly destroyed) is not unsecured, so its loss is not a reportable breach

HIPAA: Breach Notification Exceptions to breach definition: o Unintentional acquisition, access or use of PHI by workforce member acting under authority of a covered entity or BA (information cannot be further used or disclosed in impermissible manner) o Inadvertent disclosure of PHI from a person authorized to access PHI at a covered entity or BA to another person authorized to access PHI at the covered entity or BA (information cannot be further used or disclosed in impermissible manner) o If the covered entity or BA has good faith belief the unauthorized individual who received the PHI would not be able to retain the information

HIPAA: Breach Notification Must notify affected individuals without unreasonable delay, and no later than 60 days from when the breach was known or should reasonably have been known 500 or more affected: Secretary of HHS must be notified at the same time as individuals; media outlets must be used to notify the public when more than 500 residents of a state or jurisdiction are affected Fewer than 500 affected: logged and reported to HHS using an online tool no later than 60 days after the end of the calendar year in which the breach was discovered

HIPAA: Marketing Definition General rule: Use or disclosure of PHI for marketing requires authorization Marketing activities that do not require an authorization o Occurs face-to-face with the individual o Concerns products or services of nominal value

HIPAA: Marketing Activities not defined as marketing per HIPAA (authorization not required) o Communications by covered entity about health-related products and services provided by or covered as a benefit by the covered entity or a third party (must meet requirements) o Communications for treatment of individual o Communications for case management or care coordination or alternative treatments Remuneration to the covered entity must be disclosed

HIPAA: Marketing Per ARRA and HITECH: o Unless a communication fits in one of the previous categories, it is not a healthcare operation o The previous categories are not healthcare operations if the covered entity was paid for making it o Exceptions (these are considered healthcare operations): Communication re. a currently prescribed drug Payment was reasonable and the covered entity received an authorization Communication was made by a BA consistent with BAA despite payment o Any remuneration for a communication must be prominently stated

HIPAA: Sale of Information Addressed specifically by ARRA and HITECH A covered entity or BA is prohibited from receiving direct or indirect compensation in exchange for an individual’s PHI without that individual’s authorization o Authorization must state whether receiving entity can further exchange the PHI for compensation. o Exceptions exist

HIPAA: Fundraising Must inform individuals in Notice of Privacy Practices that PHI may be used for fundraising Instructions on opting out in future are required o ARRA and HITECH specifically requires opt-out ability for fundraising communications that meet the definition of “healthcare operations” Prior authorization required if fundraiser targets individuals based on diagnosis, for instance, kidney patients targeted to raise funds for new kidney dialysis center

HIPAA: Administrative Requirements Designation of privacy officer Workforce training Process for establishing privacy safeguards Process for handling privacy complaints Standards for policies and procedures

HIPAA: Penalties Revised per ARRA and HITECH o Individuals can now be prosecuted o Penalties now apply to BAs o Tiered penalties based on: o Unknowing violations o Due to reasonable cause o Willful neglect (corrected) o Willful neglect (uncorrected)

HIPAA: Penalties State attorneys general may bring civil actions based on alleged HIPAA violations HHS now conducts audits; enforcement is no longer limited to a complaint-based system

Release of Information (ROI) The process of providing PHI access to individuals or entities deemed authorized to receive or review it Steps in the process: o Enter request in ROI database o Determine validity of authorization o Verify patient’s identity o Process the request

ROI Quality Control Productivity: turnaround times tracked o Continuity of care requests processed first Accuracy: information released appropriately o Confirm the signer o Confirm signer is legally competent and signed voluntarily Use of HIPAA-compliant authorization forms

Medical Identity Theft Includes financial fraud and identity theft Victims include patients, providers, and payers Types: o Use of person’s identity to obtain medical services or goods Victim may be unknowing or unaware of consequences o Use of person’s identity to obtain money by falsifying claims for medical services

Medical Identity Theft Also categorized as: o Internal (more prevalent) o External o Patient verification is necessary Fair and Accurate Credit Transactions Act (FACTA) o Red Flags Rule to identify, detect and respond to identity theft indicators

Patient Advocacy and Compliance Patient advocacy: o Steward of patient record o Patient empowerment o Health literacy o Legal access to health record Compliance: o With laws that regulate the privacy of information o With all laws applicable to an organization