Presentation is loading. Please wait.

Presentation is loading. Please wait.

Office of the Secretary Office for Civil Rights (OCR) Enforcement and Policy Challenges in Health Information Privacy Linda Sanches HIPAA Summit Special.

Published byAnna Oliver Modified over 8 years ago

Similar presentations

Presentation on theme: "Office of the Secretary Office for Civil Rights (OCR) Enforcement and Policy Challenges in Health Information Privacy Linda Sanches HIPAA Summit Special."— Presentation transcript:

1 Office of the Secretary Office for Civil Rights (OCR) Enforcement and Policy Challenges in Health Information Privacy Linda Sanches HIPAA Summit Special Edition December 14, 2007

2 OCR 2 Topics Privacy Rule enforcement Other challenges –Nationwide Health Information Network –Protecting Genetic Information –Patient Safety Act –Emergency Preparedness –Technical Assistance

3 OCR 3 Complaint Investigations Every complaint received by OCR is reviewed An investigation is conducted where warranted by the facts and circumstances presented by the complaint Privacy investigations have resulted in changes in privacy practices and other corrective actions in over 5,299 cases since April 2003 Corrective action obtained by HHS from covered entities has resulted in systemic change that affects all the individuals they serve

4 OCR

5 5 Pie Chart: All Complaints

6 OCR 6 Pie Chart: Total Investigated

7 OCR 7 Investigated Resolutions

8 OCR 8 Issues in Enforcement Actions (April 14, 2003 to October 31, 2007) The compliance issues investigated most frequently, in order, are: Impermissible use or disclosure of an individual’s identifiable health information The lack of adequate safeguards to protect identifiable health information Refusal or failure to provide the individual with access to or a copy of his/her records The disclosure of more information than is minimally necessary to satisfy a particular request for information Failure to have the individual’s valid authorization for a disclosure that requires one

9 OCR 9 Covered Entities in Enforcement Actions (April 14, 2003 to October 31, 2007) The most common types of covered entities that have been required to take corrective actions and voluntarily comply, in order of frequency, are: Private physician practices General hospitals Outpatient facilities Health plans (Group Health Plans and Health Insurance Issuers) Pharmacies

10 OCR 10 Case Example An employee of a major health insurer impermissibly disclosed the protected health information of one of its members without following the insurer’s authorization and verification procedures. Among other corrective actions to resolve the specific issues in the case, OCR required the health insurer to –train its staff on the applicable policies and procedures and to –mitigate the harm to the individual –apply sanctions to employee who made the disclosure

11 OCR 11 Case Example (2) A national health maintenance organization sent explanation of benefits (EOB) by mail to a complainant’s unauthorized family member. OCR’s investigation determined that a flaw in the health plan’s computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Rule. Among the corrective actions required to resolve this case, OCR required the insurer to –correct the flaw in its computer system, –review all transactions for a six month period and –correct all corrupted patient information.

12 OCR 12 Other Avenues of Enforcement The Department has other enforcement tools, such as resolution agreements and imposition of civil money penalties (CMP’s), which it will use in appropriate cases HHS also obtains privacy compliance through outreach and education efforts OCR has reached hundreds of thousands of covered entities and consumers through educational conferences, a toll-free call line, and an interactive website

13 Office of the Secretary Office for Civil Rights (OCR) Other Challenges

14 OCR 14 Nationwide Health Information Network Privacy and Security Are Integral to NHIN Necessary for Public Trust Public Participation Is Engine for Adoption HIPAA Levels Playing Field Nationally Accepted Standards for Privacy and Security Already in Place Uniform National Baseline of Protection – More Is Still Good

15 OCR 15 NHIN & Privacy HIPAA Privacy Rule as Facilitator – Not Obstacle to Health IT adoption –Standards Reflect Many Hard Choices Balancing Privacy and Access in Healthcare Setting –Narrows Privacy Debate to New Areas of Risk and Opportunity for Consumers –Flexibility Allows Rules to Adapt to HIE Needs without Lowering Baseline for All Personal Health Record (PHR) Good Illustration for Assessing New Risks and Opportunities

16 OCR 16 Opportunities for PHR Personal Health Record (PHR) = Opportunities for the Consumer to Engage in NHIN and Take Advantage of Health IT –24/7 Access to Their Health Information –Ability to Migrate Information into PHR to Create a Longitudinal Health Record –Ability to Consolidate Health Information from Multiple Providers to Better Manage Their Own Care –Capability to Control Access by Others Requires Interoperable, Portable, Secure PHR

17 OCR 17 Gaps for Privacy & NHIN Accountability –New Players Typically Not Covered by HIPAA Certain Health Care Providers Providers of Network Services Providers of Data Management Services Providers of PHR Services –Can Business Associate Contracts Work and Provide Adequate Accountability in the NHIN?

18 OCR 18 Gaps for Privacy & NHIN Uniformity – How Much Is Really Needed –Preemption Harmonizing Federal and State Laws Ex: Consents –“Flexible and Scalable” Standards Harmonizing Business Practices Example: Minimum Necessary –Privacy and Security Solutions for Interoperable Health Information Exchange Looking for Answers

19 OCR 19 Genetic Information HHS Personalized Health Care Initiative –Creating privacy foundation for genomic research to advance gene based medicine & health care –American Health Information Community working on recommendations for genetic info on EHR Subgroup on privacy and confidentiality Genetic Information Non-Discrimination Act –To protect individuals from discrimination in health insurance and employment on the basis of genetic information

20 OCR 20 Patient Safety and Quality Improvement Act Establishes voluntary reporting system to enhance the data available to assess and resolve patient safety and quality issues Provides Federal privilege & confidentiality protections for "patient safety work product” OCR to enforce confidentiality provisions In close coordination with AHRQ, OCR will develop and operate the Act's enforcement program

21 OCR 21 Emergency Preparedness Emergency preparedness and recovery planners are interested in the availability of protected health information (PHI) Emergency preparedness and recovery planners are interested in the availability of protected health information (PHI) Disasters and emergencies Disasters and emergencies National Disaster Medical System National Disaster Medical System Pandemic and All-Hazards Preparedness Act implementation Pandemic and All-Hazards Preparedness Act implementation The HIPAA Privacy Rule permits covered entities to disclose PHI for a variety of public health and other purposes The HIPAA Privacy Rule permits covered entities to disclose PHI for a variety of public health and other purposes OCR providing technical assistance OCR providing technical assistance Web tool addresses avenues of information flow that could apply to emergency preparedness activities Web tool addresses avenues of information flow that could apply to emergency preparedness activities

22 OCR 22 Getting out the message Targeting outreach Assisting entities with compliance through technical assistance Informing the public about how the Privacy Rule applies in emerging issues

23 OCR 23 Other Program Challenges Strategic management of enforcement portfolio Policy development—balanced & workable Rule

24 OCR 24 OCR Web Site http://www.hhs.gov/ocr/hipaa/ Privacy Rule text & summary Covered entity "decision tool" Over 200 frequently asked questions Fact sheets Information about the OCR enforcement program

Download ppt "Office of the Secretary Office for Civil Rights (OCR) Enforcement and Policy Challenges in Health Information Privacy Linda Sanches HIPAA Summit Special."

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.
H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
Confidentiality and HIPAA

Confidentiality and HIPAA
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.
HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) 252-9321; Victoria Nemerson.

HIPAA PRIVACY REQUIREMENTS Dana L. Thrasher Constangy, Brooks & Smith, LLC (205) ; Victoria Nemerson.
Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.

Changes to HIPAA (as they pertain to records management) Health Information Technology for Economic Clinical Health Act (HITECH) – federal regulation included.
What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,

What is HIPAA? This presentation was created by The University of Arizona Privacy Office, The Office for the Responsible Conduct of Research on March 5,
Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna 412-396-4419.

Managing Access to Student Health Information per Federal HIPAA Guidelines Joan M. Kiel, Ph.D., CHPS Duquesne University Pittsburgh, Penna
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
1 Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 01/09/2009 0.

1 Louisiana Department of Health and Hospitals Basic HIPAA Privacy Training: Policies and Procedures 01/09/
WHAT IS HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides certain protections for any of your health information.

WHAT IS HIPAA? The Health Insurance Portability and Accountability Act of 1996 (HIPAA) provides certain protections for any of your health information.
Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.

Reviewing the World of HIPAA Stephanie Anderson, CPC October 2006.
Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.

Topics Rule Changes Skagit County, WA HIPAA Magic Bullet HIPAA Culture of Compliance Foundation to HIPAA Privacy and Security Compliance Security Officer.
HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.

HIPAA Privacy Rule Compliance Training for YSU April 9, 2014.
HIPAA THE PRIVACY RULE Reviewed December 2012 2 HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-

HIPAA THE PRIVACY RULE Reviewed December HISTORY In 2000, many patients that were newly diagnosed with depression received free samples of anti-
Are you ready for HIPPO??? Welcome to HIPAA

Are you ready for HIPPO??? Welcome to HIPAA
HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.

HIPAA HIPAA Health Insurance Portability and Accountability Act of 1996.

Similar presentations

Ads by Google