BH07 - Protecting Privacy in an Interoperable World
John Leipold, DBA, MBA, COO Valley Hope Association, SATVA Board Member, Former Chair
Frances Loshin-Turso, President and Co-Founder, Defran Systems, Inc., SATVA Board Member, Current Chair
Bryan Griffiths, Vice President of Sales, Anasazi Software

Software and Technology Vendors’ Association
 The Software and Technology Vendors’ Association (SATVA) is a trade organization for vendors of behavioral health and human services software and information technology. Its members have a genuine concern for promoting the use of effective information technology in behavioral health and human services; helping to formulate and support quality improvement for the highest industry standards; and facilitating the delivery of more efficient and effective consumer services through use of information technology.

Healthcare Information Management Systems Interoperability
 “Interoperability” means the ability to communicate and exchange data accurately, effectively, securely, and consistently with different information technology systems, software applications, and networks in various settings, and exchange data such that clinical or operational purpose and meaning of the data are preserved and unaltered.
Source: The 2006 White House executive order (section 2, paragraph c)

Healthcare Information Management Systems Interoperability
 Various types of Interoperability…
- Technical Interoperability ensures that systems can send and receive data successfully. It defines the degree to which the information can be successfully “transported” between systems.
- Semantic Interoperability ensures that the information sent and received between systems is unaltered in its meaning. It is understood in exactly the same way by both the sender and receiver.

Health Care Interoperability… INCENTIVES…
 Interoperability incentives are focused on:
- Primary medical care… Eligible health care providers can receive incentive payments for implementing electronic health records and participating in electronic health information exchange (Interoperability). (Meaningful Use)

Health Care Interoperability… INCENTIVES…
 Interoperability incentives are focused on:
- Implementation of Regional Health Information Organizations (RHIOs)…
- Point to Point data exchange using a mechanism called “DIRECT.”

The Theory…
 Public policy initiatives to implement an interoperable health record are fundamentally based on the assumptions that an interoperable health record can improve care and decrease costs.
 The Software and Technology Vendors’ Association agrees with these assumptions…

Privacy in an Interoperable Health Care World…
 Privacy and confidentiality of highly sensitive health information is complicated.
 Integrating privacy in the beginning stages of interoperability may have paralyzed early development.
 As a result, RHIOs typically use an “Opt-In/Opt-Out” model and are currently typically unable to give patients DISCRETIONARY control over their own highly sensitive health information…

Privacy in an Interoperable Health Care World…
 The “Opt-In/Opt-Out” problem is addressed by the DIRECT model, which provides for DISCRETIONARY control over highly sensitive health information.
 However, RHIOs are working on this problem…

The “Federated” RHIO Model…
 Health data is stored at each individual provider location in the “federated” RHIO model.
 Uses a Record Locator Service (RLS).
 Opt-In/Opt-Out privacy controls versus discretionary privacy controls.
Source: Promoting Health Information Technology in California

The “Repository” RHIO Model…
 The repository RHIO model stores patient data at a regional central authority.
 Uses a Record Locator Service (RLS).
 Patient information in the repository is OUTSIDE the provider’s EHR.
 Implications for provider and patient control over personal health information.

Understanding Privacy Risks in an Interoperable Health Care World…
 Both the letter and the spirit of the regulatory environment intend for patients to have control over their personal health information.
- This is certainly true for the privacy and confidentiality of substance use treatment records.
 Risks to patient control include:
- Repository databases.
- Record locator services.

42 CFR Part 2…
 The federal regulations relating to the privacy and confidentiality of substance use treatment records are commonly known as 42 CFR Part 2.
 Part 2 only regulates substance use treatment information disclosures for “covered” providers.
 Generally speaking, a provider is a “covered” provider if the provider holds itself out as primarily providing substance use treatment and the provider receives federal money (e.g., Medicare or grant funding).

Why 42 CFR Part 2?
 Stigma interferes with the willingness that alcohol/drug dependent persons may have to seek treatment.
 The need to address stigma is so powerful that Congress extended legal protection to anonymity through the law… 42 CFR Part 2

Specific Requirements… … Substantial Risks
 42 CFR Part 2 has specific requirements covering substance abuse treatment records, and there are risks associated with failure to comply.
 42 CFR Part 2 protects any information (including referral and intake) about alcohol and drug abuse patients obtained by a covered program.
 Sanctions include possible action against an offending provider by the U.S. Attorney General.

The Most Important Risk Factor…
 Compliance with 42 CFR Part 2 makes sure that an alcohol or drug abuse patient is not made more vulnerable by reason of the availability of his or her patient record than an individual who has an alcohol or drug problem and who does not seek treatment.
 The most important risk is the risk of undermining the confidence the recovery community has that substance use treatment providers can and will protect patient information.
 Even providers not technically covered by Part 2 should consider following the regulations.

The Power of Part 2…
 The power of 42 CFR Part 2 isn’t the threat of legal action under Part 2 by patients against covered providers.
 Patients cannot bring action under 42 CFR Part 2 against a covered provider for gratuitous release of substance use treatment information in violation of the Part 2 regulations.
- Patients can take civil legal action for any harm that may come as a result of the violation.

The Power of Part 2…
 The power of Part 2 is the authority the regulations give to covered providers to protect a substance use patient’s treatment information.
 This includes:
- Treatment inquiries.
- Patient identity.
- Everything in the patient’s record.
 Without a properly executed court order, lawyers cannot get the record with a subpoena, nor can law enforcement simply compel disclosure by showing up at the treatment facility.

Disclosure is Prohibited!
 Regulations under 42 CFR Part 2 prohibit the disclosure and use of patient records, with a few exceptions. Disclosure may occur if an exception exists, but the exception does not require the disclosure unless a court order compels it.
 A covered program is permitted to disclose identifying information on learning of suspected child abuse or neglect. The regulations limit this exception to initial reports of child abuse or neglect (no other kinds of abuse or neglect).
 A covered program is required to disclose information when a proper court order exists compelling the disclosure. There are specific court order requirements under 42 CFR Part 2.
 The regulations permit disclosure when the patient provides written authorization in the form of a properly executed release of information form.
 Employees within an organization bound to 42 CFR Part 2 (a covered program) may exchange patient information on a need-to-know basis.
 The regulations permit limited disclosures for medical emergencies; such disclosures are limited to medical personnel only.
 Covered programs may disclose information to qualified service organizations (QSO) on execution of an appropriate Qualified Service Organization Agreement (QSOA). A proper QSOA will include language binding the QSO to 42 CFR Part 2 in the same way the organization itself is already bound to 42 CFR Part 2. (The QSO is then a “covered program.”)
 There are limited disclosures permitted for program audit and evaluation and for research purposes if no patient identifying information is released.
 A covered program is permitted to disclose identifying information if a crime or threat of a crime has occurred on program premises or against program personnel.

The Rules Apply…
 The rules apply even if the person seeking the information already has it or has other ways to obtain it. They apply to law enforcement or other officials, even with a subpoena. Indeed, covered programs are compelled to resist information disclosure based on presentation of a subpoena. Disclosing even the presence of a patient at a facility or unit which is identified as a place where only drug/alcohol services are provided requires written authorization from the patient. Furthermore, the memories and impressions of program staff are considered “records” protected by the regulations even if they are never recorded in any form. A payer or funding source that maintains records of a recipient of drug/alcohol treatment becomes subject to 42 CFR Part 2 to the same extent as the program from which the information came.
 When records are released, 42 CFR Part 2 requires that a statement prohibiting re-disclosure accompany the disclosed patient information. If the entity receiving the disclosure wishes to re-disclose the information, then the entity must comply with the requirements of 42 CFR Part 2 to do so. Generally this would result in the receiving entity obtaining another properly executed release of information from the patient.
 For public health administration, HIPAA permits disclosure to a public health authority for disease prevention or control, or to a person who may have been exposed to or is at risk of spreading a disease or condition. However, 42 CFR Part 2 prohibits these disclosures unless there is an authorization or a court order, or the disclosure is done without revealing patient identifying information.
 In addition to the disclosure limitations already discussed, 42 CFR Part 2 also further limits permitted disclosures to the minimum information necessary. Covered programs must limit all disclosures to the specific information necessary to carry out the purpose of the disclosure. The exception to this rule is when the disclosure is made to the patient him/herself.

How Does 42 CFR Part 2 Relate to Interoperability?
 42 CFR Part 2 regulates releasing the information that a federated or repository RHIO is designed to exchange.
 There is no language in the regulations under 42 CFR Part 2 that grants a RHIO unique exceptions to the requirement for a properly executed release of information before disclosure is made.

Discretionary Privacy controls are difficult to implement in an Interoperable world…
 With limited exceptions, 42 CFR Part 2 requires a release of information (consent).
 Therefore, and with the same limited exceptions, once records are disclosed to an HIE (health information exchange) or RHIO, 42 CFR Part 2 constrains the HIE or RHIO from further releasing the records without a specific and properly executed consent.
 At a practical level, this makes interoperability difficult and requires an HIE or RHIO to have additional privacy capabilities beyond the capability of complying with HIPAA requirements.

The “Point-to-Point” Data Exchange… … The “DIRECT” Model…
 The Direct Project develops specifications for a secure, scalable, standards-based way to establish universal health addressing and transport for participants (including providers, laboratories, hospitals, pharmacies and patients) to send encrypted health information directly to known, trusted recipients over the Internet.

The “Point-to-Point” Data Exchange… … The “DIRECT” Model…
 Electronic point-to-point data exchange occurs between a data provider (e.g., addiction treatment facility) and a data consumer (e.g., hospital, continuing care provider, pharmacy, etc.).
 This exchange is mutually agreed by both parties.
 There is no shared database.

Virtual Information Exchange…
Source: Healthcares-Present-and-Future-HIE-Solution/
 Virtual information exchange could enable the entire U.S. as an integrated HIO.
 Good model for privacy and confidentiality.

Summary and Conclusions… (1)
 First of all… There is a need to comply with all state and federal regulations (not just 42 CFR Part 2) relating to the electronic disclosure of highly sensitive health information (e.g., mental health, HIV, genetic information, etc.).
 Part 2 is a well-constructed regulatory example and provides a robust foundation for interoperability standards and methodologies.
- Part 2 is a great place to start…

Summary and Conclusions… (2)
 42 CFR Part 2 covers the entire substance use treatment record, including all data elements, even those data elements not directly related to substance use.
- Treating the entire record as covered information greatly simplifies the standards and methodologies required for patients to retain control over their personal health information.

Summary and Conclusions… (3)
 A few practices will simplify privacy and confidentiality in an Interoperable world…
- Never “Re-disclose.” In an interoperable world, information can always come from the original source.
- Do not use highly sensitive health information for uses other than treatment.
 Following these two practices facilitates compliance with virtually all privacy law.

Summary and Conclusions… (4)
 Patient information maintained external to the actual treatment provider makes it much more difficult to set standards and build methods that keep personal health information under the control of the patient.
 Record locator services must respect the regulatory environment.
- For substance use patients, that might mean “can neither confirm nor deny…”
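The constraints the slides place on a Part 2 disclosure (a properly executed consent naming the recipient, minimum-necessary scope, a re-disclosure statement travelling with the data, and a record locator service that can neither confirm nor deny) can be modelled in code. The following Python is an added example written for this transcript; it is not SATVA's technology, not any vendor's product, and not a legal interpretation of the regulation. The program name, patient ids, record contents, consent fields and the wording of the notice are constructed placeholders, and the handling of court orders is a simplifying assumption. The point it demonstrates: every refused request gets the same answer whether or not a record exists, the RLS only lists locations the requester already holds a consent for, and a recipient can only pass data on under a fresh consent.

```python
"""Consent-gated disclosure for a 42 CFR Part 2 covered program (constructed example)."""
from dataclasses import dataclass
from datetime import date

# Statement that accompanies every disclosure (wording is an assumption, not the regulatory text).
REDISCLOSURE_NOTICE = ("Disclosed from records protected by 42 CFR Part 2. Further disclosure "
                       "is prohibited without the specific written consent of the patient.")
# One refusal message for every refused request, so the answer never reveals whether a
# record exists at all ("can neither confirm nor deny").
REFUSAL = "Cannot confirm or deny; no disclosure is authorized."


class DisclosureRefused(PermissionError):
    pass


@dataclass(frozen=True)
class Consent:           # a properly executed release of information
    patient_id: str
    recipient: str       # the one entity that may receive
    purpose: str         # e.g. "treatment"
    fields: frozenset    # minimum necessary: the record fields this consent covers
    expires: date


@dataclass(frozen=True)
class Disclosure:        # what a recipient actually receives
    patient_id: str
    from_entity: str
    to_entity: str
    data: dict
    notice: str = REDISCLOSURE_NOTICE


def _active(consents, patient_id, recipient, purpose, today):
    """Return the matching, unexpired consent, or None."""
    for c in consents:
        if (c.patient_id, c.recipient, c.purpose) == (patient_id, recipient, purpose) and c.expires >= today:
            return c
    return None


class CoveredProgram:
    """Provider-controlled database. The entire record is covered, including data
    elements (blood pressure, admission date) that are not about substance use."""

    def __init__(self, name):
        self.name, self.records, self.consents = name, {}, []

    def disclose(self, patient_id, recipient, purpose, today, court_order=False):
        rec = self.records.get(patient_id)
        if rec is not None and recipient == patient_id:
            return Disclosure(patient_id, self.name, recipient, dict(rec))  # the patient gets everything
        if rec is not None and court_order:
            # A Part 2-compliant court order compels disclosure; full record assumed here,
            # a real order fixes the scope itself.
            return Disclosure(patient_id, self.name, recipient, dict(rec))
        consent = _active(self.consents, patient_id, recipient, purpose, today)
        if rec is None or consent is None:      # identical answer for "no record" and "no consent"
            raise DisclosureRefused(REFUSAL)
        released = {k: v for k, v in rec.items() if k in consent.fields}  # minimum necessary
        return Disclosure(patient_id, self.name, recipient, released)


class RecordLocatorService:
    """Federated RLS index. It lists only the locations the requester already holds a
    consent for, so an unconsented record is indistinguishable from no record."""

    def __init__(self):
        self.programs = []

    def register(self, program):
        self.programs.append(program)

    def locate(self, patient_id, requester, purpose, today):
        return sorted(p.name for p in self.programs
                      if patient_id in p.records
                      and _active(p.consents, patient_id, requester, purpose, today))


def redisclose(d, to_entity, consents, purpose, today):
    """A recipient may pass data on only under its own properly executed consent;
    the notice travels with whatever is released."""
    consent = _active(consents, d.patient_id, to_entity, purpose, today)
    if consent is None:
        raise DisclosureRefused(REFUSAL)
    return Disclosure(d.patient_id, d.to_entity, to_entity,
                      {k: v for k, v in d.data.items() if k in consent.fields})


def is_refused(fn):
    """True if fn() is refused with the uniform message."""
    try:
        fn()
        return False
    except DisclosureRefused as e:
        return str(e) == REFUSAL


# Constructed scenario: one covered program, one patient, one consent for a hospital.
TODAY = date(2025, 6, 1)
program = CoveredProgram("Example Treatment Program")
program.records["P-001"] = {"name": "Jane Doe", "admission_date": "2025-05-20",
                            "diagnosis": "alcohol use disorder",
                            "medications": ["naltrexone"], "blood_pressure": "120/80"}
program.consents.append(Consent("P-001", "County Hospital", "treatment",
                                frozenset({"diagnosis", "medications"}), date(2025, 12, 31)))
rls = RecordLocatorService()
rls.register(program)

if __name__ == "__main__":
    d = program.disclose("P-001", "County Hospital", "treatment", TODAY)
    print(d.data, d.notice)
    print(rls.locate("P-001", "County Hospital", "treatment", TODAY))
    print(rls.locate("P-001", "Pharmacy", "treatment", TODAY), is_refused(lambda: redisclose(d, "Pharmacy", [], "treatment", TODAY)))
```

Run as a script, the hospital receives only the two consented fields plus the notice; the pharmacy, which holds no consent, gets the same refusal it would get for a patient the program has never seen, and the RLS answers it with an empty list. The design choice worth noting is that the "no record" and "no consent" branches share one exception and one message, which is what keeps a query against a known drug/alcohol unit from leaking the patient's presence.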

Summary and Conclusions… (5) … A possible VISION for the future…
 Evolving technology may eventually enable virtual health information exchange where…
- Health information can reside only at the provider that created the information, and where…
- A virtual health record will render in real time when a composite EHR across multiple providers is needed.
A “virtual” health record won’t need to be stored on any external database… There won’t be any need to do so.

Summary and Conclusions… (6)
 Regardless of what the mature Nationwide Health Information Network (NwHIN) looks like, solutions for privacy and confidentiality of highly sensitive health information cannot wait.
- Opt-In/Opt-Out ONLY doesn’t work for substance use treatment information. Opt-In/Opt-Out asks SU patients to trade privacy for the benefits of Interoperability.
 Substance use patients need discretionary control over their health information AND the benefits of Interoperability.

Summary and Conclusions… (7)
 SATVA has focused on the interoperable health record and the related regulatory environment for privacy and confidentiality of behavioral health information, with specific emphasis on 42 CFR Part 2, since Interoperability Work Group.
- Collaboration with HHS through SAMHSA and ONC.
- Collaboration with industry stakeholders through: National Association of Addiction Treatment Providers (NAATP); Mental Health Corporations of America (MHCA); The National Council for Community Behavioral Healthcare.

Summary and Conclusions… (8)
 SATVA has developed technology for exchanging highly sensitive health information.
- Technology is based on point-to-point exchange from provider-controlled patient information databases using the DIRECT model.
- Technology provides patient control over any disclosure of patient information.
 Technology addresses the requirements of 42 CFR Part 2.

Demonstration…
 Several members of the Software and Technology Vendors’ Association will now demonstrate 42 CFR Part 2 compliant substance use information disclosure.