
1 Configuring Electronic Health Records Privacy and Security in the US Lecture b This material (Comp11_Unit7b) was developed by Oregon Health & Science University funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015.

2 Privacy and Security in the US: Learning Objectives
Compare and contrast the concepts of privacy and security (Lecture a)
List the regulatory frameworks for an EHR (Lectures b, c)
Describe the concepts and requirements for risk management (Lecture d)
Describe authentication, authorization and accounting (Lecture d)
Describe passwords and multi-factor authentication and their associated issues (Lecture d)
Describe issues with portable devices (Lecture d)
Describe elements of disaster preparedness and disaster recovery (Lecture e)
Describe issues of physical security (Lecture e)
Describe malware concepts (Lecture f)
Health IT Workforce Curriculum Version 3.0/Spring 2012, Configuring Electronic Health Records: Privacy and Security in the US, Lecture b

3 Legal and Regulatory Framework
Federal laws
Federal regulations
State laws
State regulations
Institutional policy

4 Use Primary Sources
Do not depend on secondary sources; read the statute and the regulation text itself.
Government Printing Office: http://www.gpo.gov/about/strategicplan.htm
–“…produce, protect, preserve, and distribute documents of our democracy.” (GPO, n.d.)

5 Federal Laws
“Health Insurance Portability and Accountability Act of 1996”
–Public Law 104–191, Aug. 21, 1996
“American Recovery and Reinvestment Act of 2009”
–Public Law 111–5, Feb. 17, 2009

6 HITECH
Title XIII—Health Information Technology of ARRA: the “Health Information Technology for Economic and Clinical Health Act” or the “HITECH Act”
Codified in statute the Office of the National Coordinator for Health Information Technology (ONC), which until then existed only by executive order (since 2004)
Established the Medicare and Medicaid EHR incentive programs whose payment criterion is “Meaningful Use”
Established training grants for health IT workforce development

7 HIPAA Privacy
From SEC. 264. Recommendations with respect to privacy of certain health information.
(b) SUBJECTS FOR RECOMMENDATIONS.—The recommendations under subsection (a) shall address at least the following:
(1) The rights that an individual who is a subject of individually identifiable health information should have.
(2) The procedures that should be established for the exercise of such rights.
(3) The uses and disclosures of such information that should be authorized or required.
Section 264 directed the Secretary of HHS to submit these recommendations to Congress and, if Congress did not enact privacy legislation within 36 months, to issue the standards by regulation. Congress did not act, so these three subjects became the HIPAA Privacy Rule.

8 HITECH Subtitle D—Privacy
PART 1—IMPROVED PRIVACY PROVISIONS AND SECURITY PROVISIONS
–Sec. 13401. Application of security provisions and penalties to business associates of covered entities; annual guidance on security provisions.
–Sec. 13402. Notification in the case of breach.
–Sec. 13403. Education on health information privacy.
–Sec. 13404. Application of privacy provisions and penalties to business associates of covered entities.
–Sec. 13405. Restrictions on certain disclosures and sales of health information; accounting of certain protected health information disclosures; access to certain information in electronic format.
–Sec. 13406. Conditions on certain contacts as part of healthcare operations.
–Sec. 13407. Temporary breach notification requirement for vendors of personal health records and other non-HIPAA covered entities.
–Sec. 13408. Business associate contracts required for certain entities.
–Sec. 13409. Clarification of application of wrongful disclosures criminal penalties.
–Sec. 13410. Improved enforcement.
–Sec. 13411. Audits.

9 Federal Regulations
Code of Federal Regulations
–The Code of Federal Regulations (CFR) annual edition is the codification of the general and permanent rules published in the Federal Register by the departments and agencies of the Federal Government. It is divided into 50 titles that represent broad areas subject to Federal regulation. http://www.gpo.gov/searchwebapp/browse/collectionCfr.action?collectionCode=CFR
Title 45: Public Welfare (the HIPAA rules are in Parts 160 and 164)

10 Privacy Rule
“The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.” (US Department of Health & Human Services, 2008)

11 Security Rule
“The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.” (US Department of Health & Human Services, 2009)

12 Definitions: Covered Entity (45 CFR 160.103)
(1) A health plan.
(2) A healthcare clearinghouse.
(3) A healthcare provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

13 Definitions: Business Associate (45 CFR 160.103)
(1) Except as provided in paragraph (2) of this definition, business associate means, with respect to a covered entity, a person who:
(i) On behalf of such covered entity or of an organized healthcare arrangement (as defined in §164.501 of this subchapter) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, performs, or assists in the performance of:
(A) A function or activity involving the use or disclosure of individually identifiable health information …; or
(B) Any other function or activity regulated by this subchapter; or
(ii) Provides … management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized healthcare arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.

14 Protected Health Information
From HITECH SEC. 13400 Definitions: Protected Health Information.
–The term “protected health information” has the meaning given such term in section 160.103 of title 45, Code of Federal Regulations.

15 PHI From CFR (45 CFR 160.103)
Protected health information means individually identifiable health information:
(1) Except as provided in paragraph (2) of this definition, that is:
(i) Transmitted by electronic media;
(ii) Maintained in electronic media; or
(iii) Transmitted or maintained in any other form or medium.
(2) Protected health information excludes individually identifiable health information in:
(i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
(ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
(iii) Employment records held by a covered entity in its role as employer.

16 Specific Items
De-identification is governed by §164.514. Paragraph (a) states the standard:
–Standard: de-identification of protected health information. Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.
Paragraph (b) gives two ways to meet that standard: a documented determination by a qualified expert that re-identification risk is very small, §164.514(b)(1), or the “safe harbor” of §164.514(b)(2), which removes the specific identifiers listed on the next slide and additionally requires that the covered entity have no actual knowledge that the remaining information could be used to identify the individual.

17 Specific Items (continued), from §164.514(b)
(2)(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:
(A) Names;
(B) All geographic subdivisions smaller than a State …;
(C) All elements of dates (except year) for dates directly related to an individual, …;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code...
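The identifier list above is the part of the Privacy Rule that an engineer actually has to turn into code when producing a research or analytics extract. The block below is an added example, not material from the OHSU lecture or from HHS, showing how the safe harbor categories map onto field-level rules for a structured record plus a regex pass over free-text notes. The field names, the sample record and the regexes are assumptions for illustration; the ZIP-code and age exceptions that the slide elides with “…” are not implemented, so geography is cut back to the state. Two design points matter more than the regexes: the record is handled default-deny (a field with no rule is dropped, so a new identifier column added upstream cannot leak), and a post-scrub check runs over the output, because safe harbor also requires no actual knowledge that the remaining data could identify the individual. Names and street addresses inside prose are not caught by regexes and need an NLP pass or manual review.

```python
"""Safe Harbor-style de-identification of a constructed patient record.

Added example (not from the OHSU lecture or HHS). Field rules follow the
identifier categories of 45 CFR 164.514(b)(2)(i) as listed on the slide; the
ZIP-code and age exceptions elided there are not implemented, so geography is
cut to the state. Field names, patterns and the sample record are assumptions.
"""
import re
from datetime import date

# Identifier patterns that commonly leak inside free-text notes. Constructed
# for this example; names and street addresses in prose are NOT caught by
# regexes. Order matters: URLs first, so digits inside them are not later
# misread as dates or IP addresses.
FREE_TEXT_PATTERNS = [
    ("URL",   re.compile(r"\bhttps?://\S+", re.IGNORECASE)),           # (N)
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),             # (F)
    ("SSN",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),                    # (G)
    ("PHONE", re.compile(r"\b\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")),  # (D)(E)
    ("IP",    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),              # (O)
    ("DATE",  re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")),                # (C)
    ("MRN",   re.compile(r"\bMRN[:# ]*\d+\b", re.IGNORECASE)),          # (H)
]

# Structured fields that map directly onto safe harbor categories (A)-(R).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo",
}
DATE_FIELDS = {"dob", "admit_date", "discharge_date"}   # (C): keep year only
ALLOWED_FIELDS = {"sex", "diagnosis"}                    # clinical, non-identifying


def year_only(iso_date: str) -> str:
    """(C) All elements of dates except year: '1974-03-15' -> '1974'."""
    return str(date.fromisoformat(iso_date).year)


def scrub_text(text: str) -> str:
    """Replace regex-detectable identifiers in free text with a labelled marker."""
    for label, pattern in FREE_TEXT_PATTERNS:
        text = pattern.sub(f"[{label} REMOVED]", text)
    return text


def deidentify(record: dict) -> dict:
    """Return a safe-harbor-style copy of `record`.

    Default deny: a field that is not explicitly allowed, dated, geographic
    or free text is dropped, so an identifier column added upstream cannot
    leak simply because nobody wrote a rule for it.
    """
    clean = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue                                   # (A), (D)-(R): drop
        if field in DATE_FIELDS:
            clean[field] = year_only(value)
        elif field == "address":
            clean["state"] = value["state"]            # (B): nothing below state
        elif field == "notes":
            clean[field] = scrub_text(value)
        elif field in ALLOWED_FIELDS:
            clean[field] = value
        # anything else: dropped by default
    return clean


def residual_identifiers(record: dict) -> list:
    """Post-scrub check: labels of patterns still present in any string value."""
    found = []
    for value in record.values():
        if isinstance(value, dict):
            found.extend(residual_identifiers(value))
        elif isinstance(value, str):
            found.extend(label for label, p in FREE_TEXT_PATTERNS if p.search(value))
    return found


# Constructed sample; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "dob": "1974-03-15",
    "admit_date": "2011-11-02",
    "address": {"street": "12 Elm St", "city": "Portland", "state": "OR", "zip": "97201"},
    "phone": "503-555-0142",
    "email": "jane.sample@example.org",
    "ssn": "123-45-6789",
    "mrn": "MRN-0042917",
    "sex": "F",
    "diagnosis": "Type 2 diabetes mellitus",
    "notes": ("Seen 11/02/2011. Call 503-555-0142 or jane.sample@example.org; "
              "portal login from 10.0.0.12, see https://portal.example.org/p/42. "
              "SSN on file 123-45-6789, MRN 0042917."),
}

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("residual identifiers:", residual_identifiers(cleaned))
```

Run as a script it prints the cleaned record (year-only dates, state only, scrubbed notes) and an empty residual list. In a real pipeline the residual check should fail the export rather than just report, and the regex set should be tuned to local formats (MRN prefixes, phone layouts) and backed by a manual sample review, since the regex pass is a floor, not proof of de-identification.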

18 Privacy and Security in the US: Summary – Lecture b
Primary sources of Federal legislation and regulations
Federal Privacy and Security in the US Legislation
–HIPAA
–HITECH
–Code of Federal Regulations

19 Privacy and Security in the US: References – Lecture b
American Recovery and Reinvestment Act of 2009, Public Law 111-5, 123 Stat. 115 (2009).
Health Information Technology for Economic and Clinical Health Act, Title XIII of Public Law 111-5, 123 Stat. 115 (2009).
Health Insurance Portability and Accountability Act of 1996, Public Law 104–191, 110 Stat. 1936 (1996).
US Department of Health & Human Services. (2008). The Privacy Rule. http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
US Department of Health & Human Services. (2009). The Security Rule. http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html
US Government Printing Office (2011-2015). Strategic Plan; Mission. Retrieved Jan 2012 from http://www.gpo.gov/about/strategicplan.htm

