Published by Leslie Lewis. Modified over 8 years ago.
1
© 2016 Health Information Management Technology: An Applied Approach Chapter 9 Data Privacy and Confidentiality

Privacy and Confidentiality
• Privacy: “right to be let alone”
  o No constitutional right to privacy
• Confidentiality: stems from sharing of private information in confidence with someone else

Use and Disclosure
• Use: how an organization avails itself of information internally
• Disclosure: how information is disseminated outside an organization

Legal Process
• Discovery – pretrial stage; parties obtain information from each other
• Types of discovery:
  o Deposition
  o Interrogatories
• Information can be compelled through a:
  o Subpoena (ad testificandum or duces tecum) with authorization
  o Court order
  o Warrant

E-Discovery
• Parties obtain and review electronically stored data
• Governed in federal court by the Federal Rules of Civil Procedure
• Considerations:
  o Discoverable data
    - Metadata
  o Legal hold
  o Spoliation

Testimony
• Federal Rules of Evidence govern admissibility in federal courts
  o Hearsay: out-of-court statement used to prove the truth of the matter
    - Not admissible unless it meets an exception
• Medical records often admitted through the business records exception to the hearsay rule

HIPAA Definition
• Health Insurance Portability and Accountability Act (HIPAA) of 1996
  o Focus of Title II (1 of 5 titles):
    - Medical liability reform
    - Health care fraud and abuse prevention
    - Administrative simplification: privacy standards; security standards; transactions, identifiers, and code set standards; national provider identifiers; enforcement

ARRA and HITECH
• American Recovery and Reinvestment Act (ARRA) signed into law February 17, 2009
  o Health Information Technology for Economic and Clinical Health (HITECH) Act is a component of ARRA
  o ARRA and HITECH provide important changes to the HIPAA Privacy Rule

Office of the National Coordinator for Health Information Technology (ONC)
• Within the Department of Health and Human Services
• Responsible for
  o Coordinating national efforts to implement and use health information technology
  o Promoting exchange of electronic health information

HIPAA Applicability
• Covered entities
  o Healthcare providers that conduct financial or administrative transactions electronically
  o Health plans
  o Healthcare clearinghouses

HIPAA Applicability
• Business associates (BAs)
  o Perform functions or activities on behalf of or for a covered entity that involve use or disclosure of protected health information
  o Business Associate Agreements (BAAs)
  o BAA content must be complete
  o ARRA and HITECH applied more stringent requirements and penalties to BAs and the BAs’ subcontractors

HIPAA Applicability
• Workforce members
  o Employees, volunteers, student interns, trainees, employees of outsourced vendors working routinely on-site
  o Are contractors working in a covered entity considered workforce members or business associates?

HIPAA Applicability
• Protected health information (PHI)
  o Individually identifiable
  o Relates to one’s past, present or future physical or mental health condition; provision of healthcare; or payment for provision of healthcare
  o Held or transmitted by a covered entity or BA
• PHI applies to all forms or media (paper, electronic, oral)

HIPAA Applicability
• Deidentified information
  o Does not identify the individual
  o Not subject to the HIPAA privacy rule
  o 18 elements must be removed to deidentify an individual
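The slide states that 18 elements must be removed but does not list them. The following is an added example, not part of the slide deck: it applies the Privacy Rule's Safe Harbor method (45 CFR 164.514(b)(2)), under which the 18 identifier categories are removed, dates are reduced to the year, ZIP codes are truncated to three digits (or 000 for sparsely populated areas), and ages over 89 are aggregated into "90+". The record field names, the sample record, the set of sparse ZIP areas and the free-text scrubbing patterns are constructed for illustration and are not taken from the deck or from any real data set.

```python
"""Safe Harbor style de-identification of a single patient record (added example)."""
import re
from datetime import date

# Safe Harbor (45 CFR 164.514(b)(2)) names 18 identifier categories that must
# be removed. The field names below are an assumed record layout for this
# example; a real system would map its own schema onto the categories.
DIRECT_IDENTIFIERS = frozenset({
    "name", "street_address", "city", "county", "precinct",   # names, geographic units smaller than a state
    "phone", "fax", "email", "ssn", "mrn",                    # phone, fax, e-mail, SSN, medical record number
    "health_plan_id", "account_number", "license_number",     # plan beneficiary, account, certificate/license
    "vehicle_id", "device_id", "url", "ip_address",           # vehicle, device, URL, IP identifiers
    "biometric_id", "photo", "other_unique_id",               # biometrics, full-face photos, any other unique code
})

# Date fields: every element except the year is removed.
DATE_FIELDS = frozenset({"date_of_birth", "admission_date", "discharge_date", "death_date"})

# Constructed placeholder: the real set of 3-digit ZIP areas with 20,000 or
# fewer residents comes from Census data and must be kept current.
SPARSE_ZIP3 = frozenset({"036", "059", "102"})

# Identifier-shaped tokens that leak into free text (clinical notes, comments).
_FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits unless the area is sparse; then use 000."""
    zip3 = zip_code.strip()[:3]
    return "000" if zip3 in SPARSE_ZIP3 else zip3


def generalize_age(age: int) -> str:
    """Ages over 89 collapse into the single category '90+'."""
    return "90+" if age > 89 else str(age)


def generalize_date(value) -> int:
    """Reduce a date (ISO string or datetime.date) to its year."""
    if isinstance(value, date):
        return value.year
    return int(str(value)[:4])


def scrub_text(text: str) -> str:
    """Redact identifier-shaped tokens from free text."""
    for pattern, token in _FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text


def deidentify(record: dict) -> dict:
    """Return a Safe Harbor style copy of `record`; the input is left untouched."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # drop the field outright
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = generalize_age(int(value))
        elif key in DATE_FIELDS:
            out[key.replace("date", "year")] = generalize_date(value)
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    # Edge case: for ages over 89 the year of birth itself reveals the age, so
    # Safe Harbor requires removing it as well.
    if out.get("age") == "90+":
        out.pop("year_of_birth", None)
    return out


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "mrn": "MRN-0001234",
    "ssn": "123-45-6789",
    "street_address": "1 Main St",
    "city": "Anytown",
    "state": "MA",
    "zip": "02139",
    "date_of_birth": "1931-04-02",
    "age": 94,
    "admission_date": date(2025, 3, 14),
    "diagnosis_code": "E11.9",
    "note": "Pt called 617-555-0100 on 3/14/2025; spouse jane@example.org.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
```

Field-level removal handles structured data, but the note field shows why free-text scrubbing is still needed: a de-identified table that retains a phone number or e-mail address in a comment column is not de-identified. Pattern matching is a floor, not a guarantee; narrative text is normally reviewed further or excluded.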

HIPAA Applicability: ARRA and HITECH Change
• Individually identifiable health information of deceased persons is no longer protected by HIPAA (that is, it is no longer PHI) once the individual has been deceased more than 50 years.

HIPAA Applicability
• Individual – the person who is the subject of PHI
• Personal representative – a person with legal authority to act on another’s behalf

HIPAA Applicability
• Designated record set (DRS)
  o Includes health records, billing records, and various claims records used to make decisions about an individual
  o HIPAA applies to the DRS

HIPAA: Minimum Necessary
• A standard established by HIPAA
• Standard: must limit uses, disclosures and requests to only the amount needed to accomplish the intended purpose
• Exceptions to minimum necessary
• ARRA and HITECH: seeks to clarify its definition (still pending)

HIPAA: Treatment, Payment and Operations
• The Privacy Rule provides a number of exceptions to its requirements for PHI that is being used or disclosed for treatment, payment or operations (TPO)

HIPAA: Individual Rights
• The HIPAA privacy rule provides individuals with rights that give them some control over their health information.
  o Right of access (affected by ARRA and HITECH)
  o Right to request amendment
  o Right to accounting of disclosures (affected by ARRA and HITECH)
  o Right to request restrictions (affected by ARRA and HITECH)
  o Right to request confidential communications
  o Right to complain of privacy rule violations

HIPAA: Individual Rights—Access
• Right of access
  o Own PHI contained in a designated record set
  o ARRA and HITECH: covered entities with EHRs must make PHI available or send electronically if individual requests
  o Exceptions to access
    - Psychotherapy notes
    - Information compiled for civil or criminal actions
• Denial of access
  o Not subject to review
  o Subject to review

HIPAA: Individual Rights—Access (continued)
• Access request
  o Provide request in writing (if previously informed of this)
  o Timely response is required by the covered entity
    - 30 days from receipt of request
  o Extension of time period
    - 30-day extension
    - Must provide individual with written statement within original 30-day time period
    - Written statement must include reason for delay and date covered entity will complete its action
  o Time period for records not maintained on site
  o Must produce in format requested if readily producible

HIPAA: Individual Rights—Access (continued)
• Charges
  o Reasonable fee may be imposed
    - Copying, including supplies and labor
    - Postage, when individual has requested information to be mailed
    - Preparation of an explanation summary, if agreed to by the individual in advance
  o Retrieval fee not permitted for patient requests

HIPAA: Individual Rights—Request Amendment
• Right to request amendment
  o May require the amendment request to be in writing
  o Allowed reasons for denial of amendment request
  o Facility may accept or deny request
  o Timely response to the request by the covered entity
  o Process for denial of requests for amendment

HIPAA: Individual Rights—Accounting of Disclosures
• Right to accounting of disclosures
• Disclosures that do not require an accounting
  o Disclosures for TPO purposes
    - ARRA and HITECH exception: covered entities that use or maintain an electronic health record must account for TPO disclosures
    - New (2011) proposal: uses and TPO excluded from accounting (both paper and electronic) due to proposed “access report”
  o Individuals provided their own PHI
  o Incidental or otherwise permitted or required

HIPAA: Individual Rights—Accounting of Disclosures (continued)
• Disclosures that do not require an accounting (continued)
  o Pursuant to an authorization
  o Use in a facility directory
  o To meet national security or intelligence requirements
  o To correctional institutions or law enforcement officials
  o Disclosures that occurred before the HIPAA privacy compliance date

ARRA and HITECH Change (proposed)
• Access Report
  o Proposed in 2011 subsequent to (but as part of) HITECH
  o Separate from accounting of disclosures
  o Applicable to EHRs
  o Would allow individuals to see every person who has viewed the individual’s DRS in the previous three years
  o Some TPO disclosure information moved from disclosure report to access report
  o Status pending

HIPAA: Individual Rights—Accounting of Disclosures (continued)
• Information included in an accounting
  o Date of disclosure
  o Name and address of entity or person who received the information
  o Brief statement of the purpose of the disclosure or copy of individual’s written authorization or request
• Timely response to request for accounting
  o ARRA/HITECH: response requirements for BAs
• Fees for accounting of disclosures
• Required documentation

HIPAA: Individual Rights—Request Restrictions
• Right to request restrictions on uses and disclosures of PHI to carry out TPO
  o Covered entity must permit such a request, but does not have to agree to the requested restriction
    - ARRA and HITECH exception: must agree if disclosure would be to a health plan for payment or operations, but individual paid for service or item completely out of pocket
  o Termination of requested restrictions
• Covered entity’s responsibilities

HIPAA: Individual Rights—Confidential Communications
• Right to request confidential communications
  o Alternative routing or destination or by alternative method
  o Requests may be refused if information is not provided as to how payment will be handled

HIPAA: Individual Rights—Complain of Violations
• Right to complain of privacy rule violations
  o Must inform individuals of right to complain at covered entity level and to the US Department of Health and Human Services

HIPAA Privacy Rule Documents: Notice of Privacy Practices
• Notice of Privacy Practices
  o Purpose
  o Availability of the notice
  o Required content
  o Acknowledgement by individual

ARRA and HITECH Change
• Notice of Privacy Practices must be updated to
  o State that uses and disclosures not described in the Notice will require an authorization
  o Address ARRA marketing update (discussed later)
  o Address the right to opt out of fundraising communications (discussed later)
  o State the covered entity’s obligation to comply with a restriction request if the item or service is paid in full out of pocket

HIPAA Privacy Rule Documents: Consent
• Consent
  o To use or disclose PHI for treatment, payment, and operations (TPO)
  o Optional document
  o Required content
  o Revocation

HIPAA Privacy Rule Documents: Authorization
• Authorization
  o Definition
  o Purpose
  o Content
  o Situations requiring an authorization

Authorization Not Required
• Required uses and disclosures without authorization
  o Access or accounting of disclosures requested by individual or personal representative
  o US Department of Health and Human Services investigation, review, or enforcement action

Authorization Not Required (continued)
• Permitted uses and disclosures without authorization (patient HAS opportunity to informally agree or object)
  o Directory of patients
  o Notification of family or friends

Authorization Not Required (continued)
• Permitted uses and disclosures without authorization (patient does not have opportunity to agree or object). These uses and disclosures are permissive only and must not violate a stricter or more protective state law.
  o Treatment, payment, and operations
  o To the individual
  o Incidental disclosures
  o Limited data set
  o 12 public interest and benefit purposes

Authorization Not Required (continued)
• Twelve public interest and benefit purposes:
  1. As required by law (such as reporting specified wounds)
  2. Public health activities
  3. Victims of abuse, neglect, or domestic violence
  4. Healthcare oversight activities
  5. Judicial and administrative proceedings
  6. Law enforcement purposes
  7. Decedents
  8. Cadaveric organ, eye or tissue donation
  9. Research
  10. Threat to health or safety
  11. Specialized government functions
  12. Workers’ compensation

Authorization Not Required (continued)
• ARRA and HITECH changes
  o Disclosure of students’ immunization records would be considered a public health disclosure (one of the 12 public interest and benefit purposes)
    - Written authorization would not be required
    - Oral agreement would be required
  o Research: covered entity may combine conditioned authorizations and unconditioned authorizations as long as each is clearly marked and the individual is able to opt out of unconditioned research activities

HIPAA: Breach Notification
• Required under ARRA and HITECH
• Previously, mitigation was required in the event of a breach
• Covered entities and BAs: subject to HHS regulations
• Others (including PHR vendors): subject to FTC regulations

HIPAA: Breach Notification
• Breach: “Unauthorized acquisition, access, use or disclosure of PHI that compromises the security or privacy of such information”
  o Applies to unsecured PHI only (encrypted PHI is an exception)

HIPAA: Breach Notification
• Exceptions to breach definition:
  o Unintentional acquisition, access or use of PHI by workforce member acting under authority of a covered entity or BA (information cannot be further used or disclosed in impermissible manner)
  o Inadvertent disclosure of PHI from a person authorized to access PHI at a covered entity or BA to another person authorized to access PHI at the covered entity or BA (information cannot be further used or disclosed in impermissible manner)
  o If the covered entity or BA has good faith belief the unauthorized individual who received the PHI would not be able to retain the information

HIPAA: Breach Notification
• Must notify affected individuals without unreasonable delay, and no more than 60 days from when first known or should have known
• 500 affected: media outlets must be used to notify public; Secretary of HHS must be notified
• All breaches < 500 affected are reported to HHS using an online tool, submitted no later than 60 days after the end of the calendar year

HIPAA: Marketing
• Definition
• General rule: use or disclosure of PHI for marketing requires authorization
• Marketing activities that do not require an authorization
  o Occurs face-to-face with the individual
  o Concerns products or services of nominal value

HIPAA: Marketing
• Activities not defined as marketing per HIPAA (authorization not required)
  o Communications by covered entity about health-related products and services provided by or covered as a benefit by the covered entity or a third party (must meet requirements)
  o Communications for treatment of individual
  o Communications for case management or care coordination or alternative treatments
• Remuneration to the covered entity must be disclosed

HIPAA: Marketing
• Per ARRA and HITECH:
  o Unless a communication fits in one of the previous categories, it is not a healthcare operation
  o The previous categories are not healthcare operations if the covered entity was paid for making it
  o Exceptions (these are considered healthcare operations):
    - Communication re. a currently prescribed drug
    - Payment was reasonable and the covered entity received an authorization
    - Communication was made by a BA consistent with BAA despite payment
  o Any remuneration for a communication must be prominently stated

HIPAA: Sale of Information
• Addressed specifically by ARRA and HITECH
• A covered entity or BA is prohibited from receiving direct or indirect compensation in exchange for an individual’s PHI without that individual’s authorization
  o Authorization must state whether receiving entity can further exchange the PHI for compensation
  o Exceptions exist

HIPAA: Fundraising
• Must inform individuals in Notice of Privacy Practices that PHI may be used for fundraising
• Instructions on opting out in future are required
  o ARRA and HITECH specifically require opt-out ability for fundraising communications that meet the definition of “healthcare operations”
• Prior authorization required if fundraiser targets individuals based on diagnosis, for instance, kidney patients targeted to raise funds for new kidney dialysis center

HIPAA: Administrative Requirements
• Designation of privacy officer
• Workforce training
• Process for establishing privacy safeguards
• Process for handling privacy complaints
• Standards for policies and procedures

HIPAA: Penalties
• Revised per ARRA and HITECH
  o Individuals can now be prosecuted
  o Penalties now apply to BAs
  o Tiered penalties based on:
    - Unknowing violations
    - Due to reasonable cause
    - Willful neglect (corrected)
    - Willful neglect (uncorrected)

HIPAA: Penalties
• State attorneys general may bring civil actions based on alleged HIPAA violations
• HHS conducts audits, so enforcement no longer relies on a complaint-based system only

Release of Information (ROI)
• The process of providing PHI access to individuals or entities deemed authorized to receive or review it
• Steps in the process:
  o Enter request in ROI database
  o Determine validity of authorization
  o Verify patient’s identity
  o Process the request

ROI Quality Control
• Productivity: turnaround times tracked
  o Continuity of care requests processed first
• Accuracy: information released appropriately
  o Confirm the signer
  o Confirm signer is legally competent and signed voluntarily
  o Use of HIPAA-compliant authorization forms

Medical Identity Theft
• Includes financial fraud and identity theft
• Victims include patients, providers, and payers
• Types:
  o Use of person’s identity to obtain medical services or goods
    - Victim may be unknowing or unaware of consequences
  o Use of person’s identity to obtain money by falsifying claims for medical services

Medical Identity Theft
• Also categorized as:
  o Internal (more prevalent)
  o External
• Patient verification is necessary
• Fair and Accurate Credit Transactions Act (FACTA)
  o Red Flags Rule to identify, detect and respond to identity theft indicators

Patient Advocacy and Compliance
• Patient advocacy:
  o Steward of patient record
  o Patient empowerment
  o Health literacy
  o Legal access to health record
• Compliance:
  o With laws that regulate the privacy of information
  o With all laws applicable to an organization