Safety and Security of Electronic Health Records
Kathy Burkhardt, RHIA
Director, Health Information Management
Facility Privacy Officer, Largo Medical Center
Overview of Presentation
Provide information regarding HIPAA and HITECH rules and regulations.
Rights of patients to access medical records.
Rights of patients to request amendments and restrictions to medical records.
Patient portals.
Security and risk analysis.
Privacy and Security – Separate but Related
It is not possible to have privacy without security.
Privacy rules set boundaries on the use and disclosure of health records and the Protected Health Information (PHI) they contain.
Security rules are defined as protecting the integrity, availability, confidentiality and accountability of information system resources.
HIPAA and Its Purpose
What is HIPAA?
Health Insurance Portability and Accountability Act of 1996, Title II – Administrative Simplification.
It is a federal law. HIPAA is mandatory, with penalties for failure to comply.
Purpose:
Protect health insurance coverage and improve access to healthcare.
Reduce fraud and abuse.
Improve the quality of healthcare in general.
Reduce healthcare administrative costs (electronic transactions).
HITECH and Its Purpose
What is HITECH?
Health Information Technology for Economic and Clinical Health Act, Subtitle D of the American Recovery and Reinvestment Act of 2009 (ARRA).
It is a federal law.
Purpose:
Makes massive changes to privacy and security laws.
Applies to covered entities and business associates.
Creates a nationwide electronic health record.
Increases penalties for privacy and security violations.
Key HITECH Changes
Breach notification requirements.
Accounting of disclosures (AOD) for treatment, payment and healthcare operations in an electronic health record (EHR) environment.
Business Associate Agreements.
Restrictions.
Right to access.
Criminal provisions.
Penalties.
OCR privacy audits.
Copy charges for providing copies from the EHR.
Private cause of action.
Sharing of civil monetary penalties with harmed individuals.
Civil Penalties for Non-Compliance (as of 2/17/09)
Violation Category                 Each Violation
Did Not Know                       $100 – $50,000
Reasonable Cause                   $1,000 – $50,000
Willful Neglect – Corrected        $10,000 – $50,000
Willful Neglect – Not Corrected    $50,000
All such violations of an identical provision in a calendar year: $1,500,000
Criminal Penalties for Non-Compliance
For health plans, providers, clearinghouses and business associates that knowingly and improperly disclose information or obtain information under false pretenses. These penalties can apply to any “person”. Penalties are higher for actions designed for monetary gain:
Up to $50,000 and one year in prison for obtaining or disclosing protected health information.
Up to $100,000 and up to 5 years in prison for obtaining protected health information under “false pretenses”.
Up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
How will HIPAA and HITECH affect you?
Patients are given a Notice of Privacy Practices by their health care provider.
Health care providers are required to post a Notice of Privacy Practices in a clear and prominent location in their facility.
Patients have a right to a copy of their medical record, but an authorization must be obtained from the patient to release information for reasons other than treatment, payment or healthcare operations (TPO).
What is Protected by HIPAA (PHI)?
Name
Address, including street, city, county, zip code and equivalent geocodes
Names of relatives
Name of employers
Birth date
Telephone numbers
Fax numbers
Electronic e-mail addresses
Social Security Number
Medical record number
Health plan beneficiary number
Account number
Certificate/license number
Any vehicle or other device serial number
Web Universal Resource Locator (URL)
Internet Protocol (IP) address number
Finger or voice prints
Photographic images
Any other unique identifying number, characteristic or code
Patient’s Right to Access
Patients have the right to inspect or obtain copies of their medical and billing records.
The facility must be able to provide access and/or a paper copy of the record requested.
The facility can provide PHI in an electronic format such as an encrypted CD or e-mail where available.
The facility should perform a risk analysis of the potential risk of accepting external portable media (thumb drives) into its systems.
Exceptions to Access Rule
Psychotherapy notes – notes recorded by a mental health professional and maintained separately from the rest of the medical record. These notes document or analyze conversations during private or group counseling sessions.
A licensed healthcare professional has determined that access to the documentation requested is likely to endanger the life or physical safety of the individual or another person referenced in the record.
Exceptions to Access Rule (continued)
The patient is an inmate and obtaining a copy of the health record would jeopardize the health, safety, security or custody of the individual or other inmates, or the safety of an officer or employee at the correctional institution.
The protected health information was obtained from someone other than a healthcare provider under a promise of confidentiality, and access would likely reveal the source of the information.
Records not originated by the healthcare provider that is being asked to provide access to them (redisclosure).
Authorization to Release
A valid authorization signed by the patient is required to release records for any purpose other than treatment, payment or healthcare operations.
The authorization may be signed by the patient’s designee with proper paperwork:
Durable Power of Attorney.
Health Care Power of Attorney – not the same as a Living Will. A POA becomes invalid upon the death of the principal.
Death certificate naming the signee as next of kin.
Guardianship papers designating health care responsibilities.
Subpoena or court order to release records.
Patient Portals
Healthcare providers now offer ‘Patient Portals’ for patients to obtain parts of their medical records electronically.
Creates a transparent health record.
Patients have the right to e-mail, download to removable media or mail portal information to those they choose.
Patients can designate a proxy and choose others to have access to their records through the portal.
Portals contain such things as upcoming appointments, medication information and health records.
Patients can upload information into the portal, but this does not become part of the medical record.
Patient’s Right to Amend
Patients have the right to request an amendment to their records.
The request must be in writing to the facility privacy officer.
An amendment cannot change or omit documentation already in the medical record.
An amendment may be denied upon physician authorization.
Right to Privacy Restrictions
Patients have the right to request a privacy restriction of their PHI for payment and operations purposes only.
As of 2/17/2010, requests may be denied except when a patient pays out of pocket, in full, and requests a restriction to the health plan.
Patients need to realize that other parts of treatment, such as prescriptions, should be restricted at pharmacies as well.
Accounting of Disclosures (AOD)
The patient has a right to an accounting of disclosures of protected health information.
The facility must provide documentation of certain disclosures of the designated record set for up to 6 years, for such things as:
Medical and billing records.
All required state reporting.
Births and deaths.
Tumor registry.
Domestic/child abuse suspect reporting.
This DOES NOT include: TPO; disclosures authorized by the patient; directory purposes; law enforcement / correctional institutions or national security; or information released as part of a limited data set prior to April 14, 2013.
Breach Notification/Sanctions
HITECH provisions require the following to be notified when breaches (as defined in the regulations) occur:
The patient.
The Department of Health and Human Services.
The media, when the breach involves more than 500 individuals in the same state or jurisdiction.
Two categories of privacy and security violations:
Negligent – accidental/inadvertent and/or due to lack of proper education, or an unacceptable number of previous violations.
Intentional – purposeful or deliberate violation of privacy or information security policies, or an unacceptable number of previous violations.
Breach Determination
The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification.
The unauthorized person who used the PHI or to whom the disclosure was made.
Whether the PHI was actually acquired or viewed.
The extent to which the risk to the PHI has been mitigated.
Security Rules – Physical Safeguards Required
Limitations on physical access to equipment and locations containing or using PHI.
Physical attributes of where workstations with access to PHI are located.
Device and media controls, including receipt and removal of hardware and electronic media that contain PHI.
Defined use, reuse and disposal of electronic media such as copy machines, fax machines and back-up tapes.
Security Rules – Technical Safeguards Required
Access control limiting access to PHI to the persons or software programs that require PHI to adequately perform their job.
Audit controls that examine user activity in systems containing PHI.
Policies and procedures that protect the integrity of PHI from alteration in any way.
Implementation of measures to prevent unauthorized users from accessing PHI.
Security and Risk Analysis
Inventory information systems to verify security controls and identify vulnerabilities.
Identify threats in the environment.
Implement preventive and deterrent controls to reduce risk.
Proactively maintain a means to respond to threats by testing systems periodically.
Maintain a system to retrieve or recreate data or applications that could be destroyed.