Copyright © 2015 by Saunders, an imprint of Elsevier Inc. All rights reserved. Chapter 3 Privacy, Confidentiality, and Security.

Presentation transcript:

Copyright © 2015 by Saunders, an imprint of Elsevier Inc. All rights reserved. Chapter 3 Privacy, Confidentiality, and Security

Privacy, Confidentiality, and Security (Lesson 3.1)
1. Discuss privacy as both a philosophic and legal concept.
2. Explore the history and scope of HIPAA.
3. List the four implementation specifications required by the administrative safeguards outlined in the HIPAA Security Rule, and explore ways in which they might apply to a small to medium-size medical practice.
4. Assess and complete forms related to patient privacy and security in the electronic health record (EHR).

Privacy, Confidentiality, and Security (Lesson 3.1)
5. Become familiar with patients' rights under HIPAA, and explore how they affect the EHR.
6. Identify organizations aimed at securing EHR systems.
7. Identify who is allowed access to the information in a patient's EHR and under what circumstances.
8. Describe the role of consumer reporting agencies and prescription database tools, and explain how they are regulated.
9. Discuss ways patients can protect their health information.

What Is Privacy?
- Ethics
  - Set of the rules and standards of conduct that grow out of our shared understanding of right and wrong and govern our professional behavior
- Laws
  - Formal, enforceable rules and policies based on community standards of conduct
- Privacy
  - Patient's freedom to determine when, how much, and under what circumstances his or her medical information may be disclosed

Confidential versus Anonymous
- Confidentiality
  - Refers to how the recipient of the information handles information that a patient does not wish to share
- Anonymity
  - Information cannot be linked back to the patient
- Example: Performing lab tests using an ID number instead of a patient name

Health Insurance Portability & Accountability Act
- Privacy Rule
- Security Rule
- Portability of insurance

Privacy Rule
- Establishes privacy standards for use of IIHI
- Helps patients control ways their health information is disclosed
- Requires disclosure of health information to be logged

Disclosures Documentation
- Patients are permitted to request a log of disclosures of their PHI, which must include the following for each disclosure:
  - The date of the disclosure
  - The name and address, if known, of the entity or person who received the IIHI
  - A description of the IIHI disclosed
  - An explanation of the purpose of the disclosure or a copy of the patient's written authorization
  - A copy of a written request for a disclosure

Disclosures Documentation (Cont.)
- Entities/providers are required to:
  - Distribute NPP
  - Designate a privacy officer
  - Provide authorization forms for release of PHI
  - Implement policies to protect PHI
  - Develop procedures for correcting errors in the EHR
  - Provide privacy training for staff

Covered Entities and Business Associates
- Healthcare provider
- Health plan
- Healthcare clearinghouse

Minimum Necessary Standard
- When a covered entity makes an allowed disclosure, it should include only a minimum necessary amount of information to accomplish the purpose

Consent
- Individual choice principle
  - Patients should have a reasonable opportunity to make informed decisions about the collection, use, and disclosure of their PHI
- In order for records to be released, an authorization form must be completed

Authorization Forms

Security Rule
- The HIPAA Security Rule gives each covered entity four broad goals to meet:
  - Protect the integrity and confidentiality of electronic healthcare information created, received, maintained, or transmitted
  - Shield against anticipated security threats
  - Shelter PHI against unauthorized use and disclosure
  - Ensure that all employees comply with the provisions of the Security Rule

Security Safeguards in the Medical Practice
- Designed to avert security breaches
- Provide contingency plans
- Safeguards fall into three areas:
  - Administrative
  - Physical
  - Technical

Administrative Safeguards
- Four implementation specifications:
  - Risk analysis
  - Risk management
  - Sanction (penalties) policy
  - Information system activity review

Physical Safeguards
- Ensure security of:
  - Electronic data
  - Buildings
  - Equipment
- Sample methods:
  - Screen saver
  - Login and password

Tips for Choosing a Strong Password

Technical Safeguards
- Performed to protect and control access of technology
- Controlled access of employees
- Automatic logoff
- Encryption
- Decryption

Assigning Employee Privileges

Designing Auditing Procedures
- Systems link a person's username to reveal an electronic breadcrumb trail
- Required as part of security procedures

Patient's Rights Under HIPAA
- View or receive copies
- Have inaccurate information corrected
- Receive NPP
- Opt out of sharing certain information
- Have certain information withheld from certain payers
- Receive list of disclosures
- File a complaint

The Office for Civil Rights Complaint Process

Other Security Initiatives
- The Certification Commission for Healthcare Information Technology (CCHIT) accelerates EHR certifications for:
  - EHRs for office-based ambulatory care providers and specialists (particularly cardiovascular and emergency medicine)
  - Inpatient EHRs
  - Health networks that exchange EHR data
  - EHRs within specific populations (such as behavioral health) in a range of care settings

Access to Protected Health Information
- Financial institutions
- Insurance companies
- Government agencies
- Consumer reporting
- Medical Information Bureau
- Prescription database
- Schools
- Employers
- Family and friends
- Internet communities
- Researchers
- Direct marketing firms

How Can Patients Protect Themselves?
- Review medical, dental, and prescription drug records for accuracy
- Request a disclosure log
- Request restrictions on disclosure of sensitive information
- Ask to receive correspondence at alternative locations
- Pay out-of-pocket
- Opt for online versus paper statements and read them carefully

Questions?