Health Information Privacy & Security


Health Information Privacy & Security LIS 4785 Introduction to Health Informatics Fall 2015, Week 10-1 Instructor: Dr. Sanghee Oh

Incoming Course Schedule
Week 10 (10/27, 10/29): Health information privacy & security; Telehealth; mHealth
Week 11 (11/3, 11/5): Project Application Template Demo; Consumer health informatics
Week 12 (11/10, 11/12): No classes; Self study; Group meetings
Week 13 (11/17, 11/19): Topic reviews; Midterm exam 2 (11/19)
Week 14 (11/24, 11/26): Thanksgiving Holidays; No classes
Week 15 (12/1, 12/3): Final Presentations
Week 16 (12/8, 12/10): No classes; Final report submission

Show and Tell

Health Information Privacy & Security

Health Insurance Portability and Accountability Act (HIPAA)

History
HIPAA: Health Insurance Portability and Accountability Act (1996)
HITECH: American Recovery and Reinvestment Act - Health Information Technology for Economic and Clinical Health (2009)
Meaningful Use Guidelines for EHR (2010)
Source: http://www.secureworks.com/compliance/hipaa/

Health Insurance Portability and Accountability Act (1996) (HIPAA)
Before HIPAA, there was no universally recognized security standard or basic mandates for Protected Health Information (PHI). The goal of HIPAA was to _____________________ while enabling healthcare organizations to pursue initiatives that further innovation and patient care. However, enforcement was very limited.

Health Information Technology for Economic and Clinical Health (2009) (HITECH)
HITECH, as part of ARRA (the American Recovery and Reinvestment Act), contains __________________ designed to accelerate the adoption of electronic health record (EHR) systems among providers. It broadens ______________________ listed under HIPAA and also increases ___ _____________________________.
HIPAA gets some teeth!
____________ for violations
Covered entities and business associates must __________.
_________________ obligation enforcement

Meaningful Use Guidelines for EHR (2010)
CMS's Meaningful Use incentives program provides incentive payouts to eligible professionals, hospitals, and CHAs (Community Health Alliances) that meet criteria for efficient and patient-centered use of EHR. The program provides incentives to further ___________________ set forth in HITECH and HIPAA, including conducting a risk analysis.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The primary goal of HIPAA is __________________ and ________________________.

Electronic Health Records: Privacy and Security https://www.youtube.com/watch?v=SMUFa5amPKs

What Information Must Be Protected?

____________________________________
HIPAA protects an individual's health information and his/her demographic information. This is called "_____________________________" or "PHI". Information meets the definition of PHI if, even without the patient's name, you can look at certain information and ___________________________; then it is PHI. The PHI can relate to ____________________ physical or mental health of the individual. PHI describes a disease, diagnosis, procedure, prognosis, or condition of the individual and can exist in _____________ – files, voice mail, email, fax, or verbal communications. These rules apply ____________ you view, use, and share PHI.

What Does PHI Include?
HIPAA defines information as protected health information (18 items in PHI) if it contains the following information about the patient, the patient's household members, or the patient's employers:
________________
Dates relating to a patient, i.e. birthdates, dates of medical treatment, admission and discharge dates, and dates of death
Telephone numbers, addresses (including city, county, or zip code), fax numbers, and other contact information
Medical record numbers
Any other unique identifying number

HIPAA Rules
If you're a covered entity (a health care plan, a health care clearinghouse, or a health care provider that electronically transmits medical information), then you must comply with:
_______________, which regulates the use and disclosure of Protected Health Information (PHI) held by covered entities, and protects individuals' rights to understand and control how their health information is used.
_______________, which complements the Privacy Rule and deals specifically with Electronic Protected Health Information (ePHI). It states that covered entities must ensure the confidentiality, integrity and availability of all ePHI they create, receive, maintain or transmit.
_______________, which relates to the standardization of electronic transactions.
_______________, which states that all HIPAA covered healthcare providers using electronic communications must use a unique ten-digit identification number, the National Provider Identifier (NPI).
_______________, which establishes procedures for compliance and investigations, and sets civil money penalties for violations of the HIPAA Administrative Simplification (AS) Rules.

HIPAA Privacy Rule

HIPAA Privacy Rule
The HIPAA Privacy Rule establishes national standards to _______________________ and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
Health plan: An individual or group plan that provides, or pays the cost of, medical care.
Healthcare clearinghouse: A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and "value-added" networks and switches.

HIPAA Privacy Rule
The HIPAA Privacy Rule establishes a set of national standards for the _______________ of individually identifiable health information – often called _____________________ – by covered entities, as well as standards for providing individuals with health information privacy rights and helping individuals understand and control how their health information is used.

A PATIENT'S RIGHTS
HIPAA stipulates the following patients' rights under its Privacy Rule:
Patients have a right to receive a ___________________ of any health care provider, health clearinghouse, or health plan.
Patients have a right to _______________ and _______________ of their PHI (paper or electronic formats).
Patients have a right to request _______________ to information, that changes be made to correct errors in their records or to add information that has been omitted.
Patients have a right to request _______________ of PHI uses and disclosures.
Patients have a right to request that you give _______________ to their PHI.
Patients have a right to request _______________.
Patients have a right to _______________.

Notice of Privacy Practices
Describes to patients how their protected health information may be _______________
Details _______________ in regards to their PHI and how to exercise these rights
Details _______________ of the covered entity to protect PHI

Notice of Privacy Practices (NPP) for PHI
The NPP allows PHI to be used and disclosed for purposes of TPO (_______________, _______________, and _______________).
Examples:
The patient's referring physician calls and asks for a copy of the patient's recent exam at a healthcare setting.
A patient's insurance company calls and requests a copy of the patient's medical record for a specific service date.
The Quality Improvement office calls and asks for a copy of an Operative Report.
TPO includes teaching, medical staff/peer review, legal, auditing, quality reviews, customer service, business management, and releases mandated by law.

Minimum Necessary
Minimum Necessary applies when using or disclosing PHI, or when requesting PHI from another covered entity or business associate: a covered entity or business associate must make reasonable efforts to _________________________________________ to accomplish the intended purpose of the use, disclosure, or request.

HIPAA Snippets: Social Media Compliance https://www.youtube.com/watch?v=n6WMGg26ljA

Use of Social Media
An example guideline regarding use of social media at the UCSF Healthcare Facility:
Do not share on social media any patient information acquired through your work, even if the information is public. Information obtained from your patient/provider relationship is confidential.
Posting patient information without authorization is a violation of the patient's right to privacy and confidentiality.
Even if you think you've de-identified the information, it still might be identifiable to others.
NOTE: De-identification of PHI requires removal of all 18 PHI identifiers, which includes "Any other unique identifying number, code, or characteristic" (e.g., photo of a wound; description of a patient's condition).
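The "What Does PHI Include?" slide and the social media note above both turn on the same question: does a piece of text still carry any of the identifier categories the slides list (dates, telephone/fax numbers, zip codes, medical record numbers)? The following is an added example, not part of the course material or of any UCSF guideline, of a heuristic pre-posting check over constructed sample messages; the regular expressions and the sample text are assumptions made for this example, and a real de-identification review would still need a person to judge the "any other unique identifying characteristic" category that no pattern can catch.

```python
import re
from typing import Dict, List

# Regex heuristics for identifier categories named on the slides. They are
# constructed for this example and deliberately broad: the point is to surface
# candidates for a human reviewer, not to certify text as de-identified.
IDENTIFIER_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    # birthdates, treatment/admission/discharge dates, dates of death
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    # telephone and fax numbers in common US layouts
    "phone_or_fax": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    # 5-digit (optionally ZIP+4) postal codes; part of "addresses"
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
    # medical record numbers written as "MRN 1234567" or "MRN#1234567"
    "medical_record_number": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
}


def find_identifiers(text: str) -> Dict[str, List[str]]:
    """Return each identifier category matched in text with the matched strings."""
    found: Dict[str, List[str]] = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            found[category] = hits
    return found


def is_safe_to_post(text: str) -> bool:
    """A message is only a candidate for sharing when no category matches at all;
    any hit means the text must go back for review, never be quietly trimmed."""
    return not find_identifiers(text)


# Constructed sample posts; none of these values refer to a real person.
SAMPLE_POSTS = [
    "Great outcome for the pt admitted 10/27/2015, MRN 4482917, call 415-555-0123 to follow up.",
    "Grateful for the team effort on the cardiac unit this week.",
    "Patient from 12345 came back for a wound check.",
]

if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        verdict = "OK to review for posting" if is_safe_to_post(post) else "HOLD"
        print(f"{verdict}: {post}\n    flagged: {find_identifiers(post)}")
```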

HIPAA Security Rule

HIPAA Security Rule
The HIPAA Security Rule establishes national standards to protect individuals' _______________________________ (e-PHI) that is created, received, used, or maintained by a HIPAA covered entity.

HIPAA Security Rule
The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the _______________, _______________, and _______________ of ePHI.

HIPAA Security Rule
The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of ePHI.
Confidentiality: a set of rules or a promise that limits access or places restrictions on certain types of information
Integrity: the state of being whole and undivided
Security: the state of being free from danger or threat

Security of ePHI
Good security standards follow the "90/10" Rule:
10% of security safeguards are _______________
90% of security safeguards rely on _______________ to adhere to good practices

HIPAA Violations

HIPAA Violations Bring More Than Minimal Fines https://www.youtube.com/watch?v=U0-FQQetEzY

A Breach of Unsecured PHI
A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.
The Breach Notification Rule requires covered providers to promptly notify individuals and the Secretary of HHS (the Department of Health and Human Services) of the loss, theft, or certain other impermissible uses or disclosures of unsecured PHI. Health care providers must also promptly notify the Secretary of HHS of any breach of unsecured protected health information that affects 500 or more individuals, and notify the media if the breach affects more than 500 individuals of a State or jurisdiction.

Type of HIPAA Breach

Penalties
Failure to comply with the HIPAA Rules can result in civil and criminal penalties ($100 per violation to millions).
Civil Penalties: The U.S. Department of Health and Human Services (HHS)' Office for Civil Rights (OCR) is responsible for administering and enforcing the HIPAA Privacy and Security Rules and conducts associated complaint investigations, compliance reviews, and audits. OCR may impose fines on covered providers for failure to comply with the HIPAA Rules. State Attorneys General may also enforce provisions of the HIPAA Rules.
Criminal Penalties: The U.S. Department of Justice (DOJ) may enforce criminal penalties for HIPAA violations.