Download presentation
Presentation is loading. Please wait.
Published byAlexis Johns Modified over 9 years ago
1
Configuring Electronic Health Records Privacy and Security in the US Lecture c This material (Comp11_Unit7c) was developed by Oregon Health & Science University funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015.
2
Privacy and Security in the US Learning Objectives Compare and contrast the concepts of privacy and security (Lecture a) List the regulatory frameworks for an EHR (Lecture b, c) Describe the concepts and requirements for risk management (Lecture d) Describe authentication, authorization and accounting (Lecture d) Describe passwords and multi-factor authentication and their associated issues (Lecture d) Describe issues with mobile devices (Lecture d) Describe elements of disaster preparedness and disaster recovery (Lecture e) Describe issues of physical security (Lecture e) Describe malware concepts (Lecture f) 2 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture c
3
Privacy and Security in the US Breach notification Other Federal laws State laws Institutional policy 3 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture c
4
Definition: Breach (1) BREACH.— (A) IN GENERAL.—The term ‘‘breach’’ means the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information. 4 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture c
5
Definition: Breach (continued) (B) EXCEPTIONS.—The term ‘‘breach’’ does not include— (i) any unintentional acquisition, access, or use of protected health information by an employee or individual acting under the authority of a covered entity or business associate if— (I) such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such employee or individual, respectively, with the covered entity or business associate; and (II) such information is not further acquired, accessed, used, or disclosed by any person; or (ii) any inadvertent disclosure from an individual who is otherwise authorized to access protected health information at a facility operated by a covered entity or business associate to another similarly situated individual at same facility; and (iii) any such information received as a result of such disclosure is not further acquired, accessed, used, or disclosed without authorization by any person. 5 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture c
6
Breach Notification SEC. 13402. NOTIFICATION IN THE CASE OF BREACH. (a) IN GENERAL.—A covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information (as defined in subsection (h)(1)) shall, in the case of a breach of such information that is discovered by the covered entity, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach. 6 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture c
7
Public Notification (2) MEDIA NOTICE.—Notice shall be provided to prominent media outlets serving a State or jurisdiction, following the discovery of a breach described in subsection (a), if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach. (3) NOTICE TO SECRETARY.—Notice shall be provided to the Secretary by covered entities of unsecured protected health information that has been acquired or disclosed in a breach. If the breach was with respect to 500 or more individuals than such notice must be provided immediately. If the breach was with respect to less than 500 individuals, the covered entity may maintain a log of any such breach occurring and annually submit such a log to the Secretary documenting such breaches occurring during the year involved. (4) POSTING ON HHS PUBLIC WEBSITE.—The Secretary shall make available to the public on the Internet website of the Department of Health and Human Services a list that identifies each covered entity involved in a breach described in subsection (a) in which the unsecured protected health information of more than 500 individuals is acquired or disclosed. 7 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture c
8
Sample Breaches Individuals AffectedType of BreachLocation of Breach 1220000TheftLaptop 1023209TheftHard Drives 19222LossOther Portable Electronic Device 2850Improper DisposalPaper 8 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture c 4.1 Table: Sample breaches
9
Other Federal Laws and Regulations From ONC: Summary of selected federal laws and regulations addressing confidentiality, privacy and security Nearly 50 laws and regulations identified Note disclaimer: –“This information was prepared as an educational resource and should not be relied on or construed as legal advice. Use of this table alone will not ensure compliance with applicable Federal and State law.” 9 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture c
10
Example Laws and Regulations Law or RegulationDescription The Privacy Act of 1974Prohibits the disclosure of personally identifiable information maintained by agencies is a system of records without the consent of the subject individual, subject to twelve codified exceptions Statutory Authority for Certificates of Confidentiality May be issued by the National Institutes of Health (NIH) and other HHS agencies to protect identifiable research information Right to Financial Privacy Act (1978)Protects the confidentiality of personal financial records Electronic Communications Privacy Act (1986) Protects wire, oral, and electronic communications while in transit Federal Trade Commission Identify Theft Rule Requires written program that identifies and detects the relevant warning signs – or “red flags” – of identity theft 10 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture c 4.2 Table: Examples of laws and regulations
11
State Laws Stricter state laws apply under HIPAA and HITECH: –SEC. 13421. RELATIONSHIP TO OTHER LAWS. (a) APPLICATION OF HIPAA STATE PREEMPTION.— Section 1178 of the Social Security Act (42 U.S.C. 1320d–7) shall apply to a provision or requirement under this subtitle in the same manner that such section applies to a provision or requirement under part C of title XI of such Act or a standard or implementation specification adopted or established under sections 1172 through 1174 of such Act. 11 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture c
12
Effect on State Law (1) GENERAL RULE.—Except as provided in paragraph (2), a provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1172 through 1174, shall supersede any contrary provision of State law … ‘‘(2) EXCEPTIONS.—A provision or requirement under this part, or a standard or implementation specification adopted or established under sections 1172 through 1174, shall not supersede a contrary provision of State law, if the provision of State law— … ‘‘(B) subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information. 12 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture c
13
Section 264(c)(2) (2) PREEMPTION.—A regulation promulgated under paragraph (1) shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation. 13 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture c
14
Disclosure for Treatment States may: –Allow provider to disclose health information without patient permission –Sometimes allow provider to disclose health information without patient permission –Not allow provider to disclose health information without patient permission –Be unclear From ONCHIT “Report on State Law Requirements for Patient Permission to Disclose Health Information” 14 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture c
15
State Laws Authoritative information is provided by state Some state laws include additional requirements for mental health and genetic information 15 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture c
16
Institutional Policy May be crafted by privacy and security officers Must comply with Federal and State laws and regulations Responsible parties must be aware of changes to laws and regulations and revise appropriately 16 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture c
17
Privacy and Security in the US Summary – Lecture c Breach notification requirements Additional Federal laws and regulations State laws and regulations Legal framework for institutional policy 17 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture c
18
Privacy and Security in the US References – Lecture c References Health Information Technology for Economic and Clinical Health Act, Title XIII of Public Law 111-5, 123 Stat. 115 (2009). Health Insurance Portability and Accountability Act of 1996, Public Law 104–191, 110 Stat. 1936 (1996). The Office of the National Coordinator for Health Information Technology. (2010). Summary of Selected Federal Laws and Regulations Addressing Confidentiality, Privacy and Security. Retrieved from http://healthit.hhs.gov/portal/server.pt/gateway/PTARGS_0_11113_911059_0_0_18/Federal%20Privacy%20Laws %20Table%202%2026%2010%20Final.pdf http://healthit.hhs.gov/portal/server.pt/gateway/PTARGS_0_11113_911059_0_0_18/Federal%20Privacy%20Laws %20Table%202%2026%2010%20Final.pdf U.S. Department of Health & Human Services. (2011). Breaches Affecting 500 or More Individuals, from http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html White, J., Daniel, J., & Posnack, S. (2009). Privacy and Security Solutions for Interoperable Health Information Exchange: Report on State Law Requirements for Patient Permission to Disclose Health Information, from http://healthit.hhs.gov/portal/server.pt?open=18&objID=910326&parentname=CommunityPage&parentid=6&mode =2&in_hi_userid=11113&cached=true http://healthit.hhs.gov/portal/server.pt?open=18&objID=910326&parentname=CommunityPage&parentid=6&mode =2&in_hi_userid=11113&cached=true Charts, Tables, Figures 4.1 Table: Sample breaches 4.2 Table: Examples of laws and regulations 18 Health IT Workforce Curriculum Version 3.0/Spring 2012 Configuring Electronic Health Records Privacy and Security in the US Lecture c
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.