Privacy Issues and the Children’s Hospital EMR Privacy Issues and the Children’s Hospital EMR This roundtable discussion is brought to you by the Children’s Hospital Affinity Group of the In-House Counsel (In- House) and Teaching Hospitals and Academic Medical Centers (THAMC) Practice Groups, and is co-sponsored by the Health Information and Technology (HIT) Practice Group. Privacy Issues and the Children’s Hospital EMR February 15, :00-1:15 pm Eastern Presenters Robin L. Canowitz, EsquireRobin L. Canowitz, Esquire, Senior Attorney, Vorys Sater Seymour & Pease LLP, Columbus, OH, Daniel F. Gottlieb, EsquireDaniel F. Gottlieb, Esquire, Partner, McDermott Will & Emery LLP, Chicago, IL, Moderator: Jessica Braunstein, Associate General Counsel, Children’s Healthcare of Atlanta, Atlanta, GA, 1
About CHAG AG Children’s Hospital Affinity Group (CHAG AG) provides a unique and focused forum for discussion and networking about the legal and practical issues that affect children’s hospitals and other providers that furnish pediatric care. CHAG AG is affiliated with the In-House Counsel Practice Group (In-House) and Teaching Hospital and Academic Medical Center Practice Group (THAMC). If you are a member of either of those PG Groups, you may join CHAG AG by simple ing Otherwise, become a member of either or both the In-House of THAMC Practice Groups, and ask to also join CHAG AG at the same time by contacting The In-House and THAMC Practice Groups provide a wealth of information and address issues important to all hospitals, healthcare institutions, academic medical centers, and related entities. Children’s hospitals and the care of pediatric patients, however, present some distinctive legal issues that are not often shared by the adult hospitals and adult academic medical centers. Join CHAG AG to receive and receive the benefit of its focus on children’s hospital and pediatric provider issues. 2
Agenda Data elements requiring special treatment Internal access and external release to other providers, health information exchange, etc. Patient portals and patient/parent access to information Programs to create appropriate levels of access for hospital personnel Tools for monitoring access and disclosure of information 3
Data elements requiring special treatment The HIPAA regulations provide a base line of protection for all Protected Health Information (PHI) State law and the federal alcohol and drug abuse confidentiality rules provide additional protections for sensitive subcategories of PHI Privacy and security policies should be revised to reflect: More stringent state and federal laws Different access rights of parents and children for different categories of information at different ages of the child 4
Sensitive Categories of PHI Sensitive categories of PHI vary from state to state, but often include: Substance abuse treatment program information Mental health and developmental disability information HIV/AIDs test results Sexually transmitted diseases Genetic testing information 5
Sensitive Categories of PHI (cont’d) In many states, unemancipated minor has the right to consent to diagnosis and treatment for and control PHI about sensitive conditions such as: Pregnancy Abortion HIV/AIDs and other sexually transmitted diseases Sexual assault or any condition resulting from the assault Mental illness or psychiatric condition Alcohol consumption or drug use and/or their addiction Some states grant physician discretion to share information and/or encourage parental involvement 6
Sensitive Categories of PHI (cont’d) EHR technology presents technical challenges to management of sensitive information Psychiatric drugs in the medication list HIV-positive or mental health diagnosis in the problem list HIV test result in the structured lab data Free text field in progress notes Parent and child access to patient portal Quality of care and tort law may conflict with health information privacy law How should the conflict be navigated? 7
Internal Access and External Release Access Controls for Internal Usage Policies on Use of records for Research Use of technology to deter people from looking at records they don’t have a need to view Are there categories of information that only certain people can see? Some institutions have “walled off” records from their substance abuse treatment programs 8
External Release of Records Releases – to allow information to be shared? Issues with patient name changes – birth hospital to specialty hospital. Confirming who has the right to allow release of information. 9
Patient Portals and Patient/Parent Access Proxy Access – who do you allow to have access to the portal? Patient/Parent/Legal Guardian – all have their own access. Can all see the same information. What do you do with proxy access when the patient becomes an adult? Do you allow minor patients to have direct access to the portal? If so, at what age, and for what purposes? How do you turn access on and off? 10
Patient Portals What do you allow to be posted? At NCH – no information on AIDS, STDs and Mental Health because of state law issues If the site does not have complete information, there should be a disclaimer about that. NCH decided not to post inpatient test results because it could create confusion. When do you post test results? At NCH – physicians given 72 hours to review test results before they are automatically posted. 11
Patient Portals (cont’d) communication tools – how to implement? Who will respond? What is the expectation of the patient? 12
Appropriate Levels of Access The HIPAA minimum necessary standard requires a hospital or other covered health care provider to limit a request, use or disclosure of PHI to the minimum amount of PHI necessary for disclosure unless it is For Treatment Required by Law Pursuant to patient or parent’s authorization Within another limited exception Hospital should develop role-based access policies for PHI that correspond to technical capabilities of its EHR Send periodic reminders about appropriate access 13
Appropriate Levels of Access (cont’d) PHI may be used and disclosed for academic purposes within hospital subject to the minimum necessary standards Faculty and students should receive training on appropriate use of PHI for educational purposes 14
Tools for Monitoring Access and Disclosure HIPAA Security Rule requires “reasonable” procedures: Log-in monitoring Regular review of records of information system activity, such as audit logs, access reports, and security incident tracking reports. Develop reasonable and practical practices to monitor EHR’s activity logs to identify inappropriate access Rely upon technical, automated auditing where possible Cisco and other vendors offer sophisticated monitoring tools that identify deviations from baseline activity 15
Privacy Issues and the Children’s Hospital EMR © 2013 is published by the American Health Lawyers Association. All rights reserved. No part of this publication may be reproduced in any form except by prior written permission from the publisher. Printed in the United States of America. Any views or advice offered in this publication are those of its authors and should not be construed as the position of the American Health Lawyers Association. “This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought”—from a declaration of the American Bar Association 16