Privacy and Security Tiger Team Today’s Discussion: Virtual Hearing on Accounting of Disclosures August 8, 2013.

Presentation transcript:

Privacy and Security Tiger Team Today’s Discussion: Virtual Hearing on Accounting of Disclosures August 8, 2013

Agenda
Planning for Virtual Hearing on Accounting of Disclosures.
–The HHS Office of Civil Rights (OCR) has been investigating the accounting of disclosures issue and has asked the Tiger Team to conduct a hearing on the matter, soliciting feedback from various stakeholders.

Purpose
Explore realistic ways to provide patients with greater transparency about the uses and disclosures of their digital, identifiable health information.
Such exploration should also help facilitate implementation of the HITECH requirement that a patient’s right under the HIPAA Privacy Rule to an “accounting” of disclosures include disclosures for “treatment, payment and operations” when such disclosures are made through “an electronic health record.”

Regulatory Background
HIPAA Privacy Rule required covered entities to make available, upon request, an accounting of certain disclosures of an individual’s PHI made during the six years prior to the request.
–Accounting should include date, name of requester, brief description of the PHI disclosed and purpose of disclosure.
–Original Privacy Rule provisions applied to disclosures of both paper and electronic PHI, regardless of whether such information was in a designated record set (DRS).
–A DRS is a group of records maintained for or by the covered entity to make decisions about the individual, such as medical bills and billing records.

Regulatory Background
Exemptions included disclosures to carry out treatment, payment or operations (TPO), to the individuals who the PHI is about, under an authorization, as part of a limited data set under a data use agreement and disclosures made prior to the compliance date.

Regulatory Background
The HITECH Act brought changes to the Accounting of Disclosures provisions:
–The exemption for disclosures to carry out TPO no longer applied if made through an EHR.
–Individuals now have a right to receive an accounting of disclosures made during the three years prior to the request, as opposed to six.
–Covered entities must provide either an accounting of a business associate’s disclosures or a list and contact information of all business associates to the individual requesting the accounting.
–Also requires the adoption of an initial set of standards, implementation specifications and certification criteria for accounting of disclosures in EHR technology.

2010 HHS Request for Information (RFI)
On May 3, 2010, HHS published an RFI seeking further information on people’s interests in learning of disclosures, burdens on covered entities and technological capabilities.
Nine questions were asked requesting information on potential benefits, burdens, awareness of rights, uses, information in the disclosures, technological capabilities and timing. (Refer to backup slides for questions and responses)

OCR Notice of Proposed Rulemaking (NPRM)
After receiving the feedback from the RFI, the HHS Office of Civil Rights (OCR) released an NPRM to change the Privacy Rule’s Accounting of Disclosures requirement.
Proposed regulation provides individuals with two rights: an accounting of disclosures and an “access report”.

OCR Notice of Proposed Rulemaking (NPRM)
An accounting of disclosures made of an individual’s PHI in both paper and electronic form by covered entities and business associates.
–The NPRM provides a list of disclosures to be included in the accounting. These include disclosures for public health, judicial and administrative proceedings, law enforcement activities, military and veterans activities, situations to avert a serious threat to health or safety, State Department medical suitability determination, Government programs providing public benefits and workers’ compensation.
Right to an “access report” that indicates who accessed an individual’s PHI maintained in a DRS.
–Proposed rule requires revisions to Notice of Privacy Practices to inform individuals about their right to an access report.
–Must contain the following:
  –Date and time of access
  –Name of person or entity accessing PHI
  –Description of information and user action (creation, modification, deletion).

HIPAA Omnibus Rule and Certification
OCR did not address accounting of disclosures in the final HIPAA Omnibus Rule, issued in January
Regarding certification, ONC has made accounting of disclosures an optional certification criterion for EHRs in its 2014 edition of the criteria.
–Intention is to leave complete EHR and EHR module developers with the flexibility to innovate in this area and to develop new solutions to address the needs of their customers.
–Certification capability will not be required**.
**Test Procedure for § (d)(9) Optional – Accounting of disclosures

Goals
Gain a greater understanding of:
1) What patients would like to know about uses and disclosures of their electronic protected health information (PHI).
2) The capabilities of currently available, affordable technology that could be leveraged to provide patients with greater transparency re: access/disclosure of PHI.
3) How record access transparency technologies are currently being deployed by health care providers, health plans, and their business associates (for example, HIEs).
4) Other issues raised as part of the initial proposed rule to implement HITECH changes.
5) The difficulty in making the distinction between “uses” and “disclosures”.

Hearing Date, Time and Format
September 6, 2013
Scheduled for 11:30am to 5:30pm EST
Panel format, divided into functional groups
Will ask panelists to testify based on questions they will receive ahead of time. Followed by Q&A period.
They have the option to submit written testimony and a slide presentation prior to the hearing.
Would like to invite HITSC Privacy and Security Workgroup to take part in the Q&A.

Possible Testifiers
Providers
–Johns Hopkins Health System
–John Muir Health
–Henry Ford Health System
–Health Partners
–Kaiser Permanente (can also provide a payer’s perspective)
–Health Information Exchanges
–AHIMA (representing health information professionals in provider organizations)
Vendors
–FairWarning
–Meditech
–Athena Health
–Siemens
–WEDI
–Health IT Now Coalition

Possible Testifiers
Patients or Patient Advocacy Groups
–E-Patient Dave
Payers
–Blue Cross Blue Shield
–UnitedHealth Group
–Magellan Health Services

BACK-UP Query/Response

2010 HHS Request for Information (RFI)
1) What are the potential benefits to individuals from receiving an accounting of disclosures, particularly an accounting that included disclosures for treatment, payment and health care operations?
–Majority said little or no benefit, while incurring substantial administrative, staffing and monetary burden.
2) How aware are individuals of their rights to receive an accounting of disclosure, how do covered entities ensure individuals are aware of their accounting rights and what is the number of accounting requests? (rule lists this as both questions 2 and 3.)
–Most covered entities responded that individuals are aware of their accounting right from the notices of privacy practices covered entities provide to individuals.

2010 HHS Request for Information (RFI)
3) What are the individual uses and satisfaction with the information they received in accountings of disclosures?
–Most covered entities that received accounting requests were not aware of how they were actually used by individuals or if it was useful to them. Consumer advocates were divided on this topic.
4) Should accounting for treatment, payment and healthcare operations disclosure include the following elements: to whom the disclosure was made and the reason or purpose for the disclosure? If yes, then why?
–60% (covered entities and industry) said recipient information should not be included, citing concerns about employee privacy, security and safety. Also stated the purpose should not be included.
–The other 40% (consumers, covered entities and industry) felt information would be vital in addressing inappropriate disclosures.
–20% said purpose should be included, as the accounting would be useless without that information.

2010 HHS Request for Information (RFI)
5) Is EHR technology able to distinguish between use and disclosure at this time?
–Majority stated that current EHR systems are unable to distinguish between “use” and a “disclosure”, are decentralized and cannot automatically generate accountings.
6) What is your feeling about the feasibility of the HITECH Act compliance timelines?
–Most commenters stated that the January 1, 2011 deadline was impossible to meet. Fewer than 10 early adopters of EHRs (before 2009) stated they would need longer than 2014 for compliance.
7) What is the feasibility of an EHR module that is exclusively dedicated to accounting for disclosures?
–Not an ideal solution, given the low number of requests for an accounting for disclosures.
8) Any info that would be helpful.
–Commenters expressed concern about burden over the requirement, citing increased health care costs, reducing patient care time, etc. There were requests for clarification on the scope of EHRs, disclosures and disclosures through an EHR.

Other Accounting of Disclosure provisions
The following are accounting of disclosure provisions found outside the domain of healthcare:
Privacy Act of 1974:
–Each agency must keep a record of the date, nature and purpose of each disclosure of a record to any person or another agency and the name and address of the person or agency to whom the disclosure is made. Not needed for intra-agency or FOIA disclosures.
–Must be kept for five years and available to the individual upon request.

Other Accounting of Disclosure provisions
Fair Credit Report Act
–Requires that consumer reporting agencies (CRA) provide consumers with a free credit report per year, which was amended to allow consumers to request and obtain a free credit report once every twelve months from each of the three nationwide credit reporting agencies.
–CRAs required to provide a central source website for consumers to request reports.
–If medical information is provided in a credit report, it should be limited to transactions, accounts or balances related to debts arising from the receipt of medical services, products or devices. This information is restricted, or reported only using coding that does not identify specific healthcare services.