Health IT Privacy and Security Policy Jodi Daniel, J.D., M.P.H. Director, Office of Policy and Research, Office of the National Coordinator for Health.

Presentation transcript:

Health IT Privacy and Security Policy Jodi Daniel, J.D., M.P.H. Director, Office of Policy and Research, Office of the National Coordinator for Health IT, HHS HIT Policy Committee Meeting September 18, 2009

2 HITPC 9/18/2009
Health IT Privacy and Security
Success of health information technology and exchange rests on consumer and provider confidence in privacy and security protections
Privacy and security are fundamental building blocks for Meaningful Use
Leverage technology to improve protections

ARRA Builds On Privacy and Security Foundation
Federal Privacy Laws
State Privacy Laws
Guidance
Policy Development Efforts

ARRA Changes the Game

ARRA Privacy and Security Related Provisions
Business Associates (OCR)
  – Certain HIPAA Privacy & Security Rule requirements apply to business associates (BAs)
  – Entity that provides data transmission of personal health information (PHI) to a covered entity (CE) or BA, and requires routine access, and vendor that provides PHR as part of an EHR, must have a BA agreement
New breach notification requirements
  – For covered entities and business associates (OCR)
  – For vendors of PHRs and other non-covered entities (FTC)
  – Guidance on technologies/methodologies for rendering PHI unusable, unreadable, or indecipherable (ONC/OCR)

ARRA Privacy and Security Related Provisions
Provides individual right to restrict disclosures to a health plan for payment or health operations or for items and services paid “out of pocket”
Requires CE to limit use, disclosure and requests for PHI to limited data sets, as possible, or minimum necessary
  – Guidance on minimum necessary
CEs and BAs to provide accounting of disclosures through EHRs for treatment, payment, operations
CE must provide copy of PHI in electronic format to individual or other designees if CE has an EHR

ARRA Privacy and Security Related Provisions
Prohibits CE/BA from remuneration for PHI without authorization (with some exceptions for exchanges)
Limits other CE/BA communication about products or services when entity received remuneration
Regulations to require clear opt-out for CE fundraising communication with individual
Study and recommendations to Congress for privacy and security (P&S) requirements for non-CE PHR vendors (ONC/FTC)

ARRA Privacy and Security Related Provisions
Enforcement:
  – Extends HIPAA civil and criminal penalties to BAs
  – Changes civil penalty structure
  – Provides State Attorneys General (AGs) with authority to enforce HIPAA
  – Provides that employees/individuals can be criminally liable
  – Requires periodic audits to ensure compliance

ARRA Privacy and Security Related Provisions
Studies and reports:
  – Annual report on compliance with HIPAA Rules (OCR)
  – Report on protections for non-HIPAA CEs (ONC)
  – Report on best practices related to the disclosure among health care providers of PHI for treatment (Comptroller General)
  – Guidance on implementation of de-identification provisions (OCR/ONC)
  – Study definition of “psychotherapy notes” (SAMHSA)
Education
  – Regional privacy advisors to provide education (OCR)
  – National outreach and education (OCR/ONC)

HHS Regulations to Implement ARRA Privacy Provisions
Breach Notification
  – RFI in April 2009
  – IFR published in August 2009
  – Effective September 23, 2009
  – Comment period ends October 23, 2009
Enforcement
HIPAA Modifications
Effective Dates vary:
  – February 2010 for most provisions
  – Enforcement February 2009

ARRA P&S Topics for HITPC
Technologies that protect the privacy of health information and promote security in an EHR, including:
  – Segmentation and protection from disclosure of specific and sensitive IIHI with the goal of minimizing the reluctance of patients to seek care
  – Use and disclosure of limited data sets
Infrastructure that allows for accurate exchange
Technologies for an accounting of TPO disclosures
Technologies that allow IIHI to be rendered unusable, unreadable, or indecipherable to unauthorized individuals
Methods to facilitate security access to PHI by an individual or person assisting in care

Role of Privacy and Security Standards
Enablers to protect information
Must be part of a comprehensive approach

HIT Standards Committee: Privacy and Security Recommendations
Product Standards – domains
  1. Access control
  2. Encryption and decryption
  3. Accounting and audit
  4. Authentication
  5. Consent management
  6. Consumer EHR
  7. HIPAA de-identification
  8. Data integrity
  9. Transmission Security
Infrastructure Standards – areas
  1. Consistent time
  2. Document exchange
  3. Service access
  4. Domain name service
  5. Directory access

P&S Policy Input and Guidance Beyond ARRA
Reports on State laws
Privacy white papers
Further development of Nationwide Privacy and Security Framework

Today’s Hearing