The Culture of Health Care
Privacy, Confidentiality, and Security
Lecture c

This material (Comp 2 Unit 9) was developed by Oregon Health & Science University, funded by the Department of Health and Human Services, Office of the National Coordinator for Health Information Technology under Award Number IU24OC000015. This material was updated in 2016 by Bellevue College under Award Number 90WT0002.

This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/.
Privacy, Confidentiality, and Security
Learning Objectives
• Define and discern the differences between privacy, confidentiality, and security (Lecture a).
• Discuss methods for using information technology to protect privacy and confidentiality (Lecture b).
• Describe and apply privacy, confidentiality, and security under the tenets of HIPAA Privacy and Security rules (Lectures c and d).
• Discuss the intersection of a patient’s right to privacy with the need to share and exchange patient information (Lecture d).
HIPAA Privacy and Security
• 2006 HIPAA Rule
  • Privacy Rule: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary
  • Security Rule: www.hhs.gov/ocr/privacy/hipaa/understanding/srsummary.html
• 2008 Genetic Information Nondiscrimination Act (GINA)
  • Genetic information is protected under the HIPAA Privacy Rule
  • Prohibits most health plans from using/disclosing genetic information for underwriting purposes
  • www.eeoc.gov/laws/statutes/gina.cfm
• 2009 ARRA/HITECH legislation enhanced both rules
  • http://www.hhs.gov/ocr/privacy
• 2013 HIPAA Rule updated
  • Strengthens privacy protections, gives individuals new rights to their health information, and strengthens the government’s ability to enforce the law
  • www.hhs.gov/about/news/2013/01/17/new-rule-protects-patient-privacy-secures-health-information.html
HIPAA Privacy and Security, Continued
• Original rule summaries available (ID Experts, 2014; BridgeFront, 2009; Leyva, 2011)
• HHS resources such as HIPAA & Health IT
• Various HIPAA tool kits
• NIH’s guides for research entities
• Employee training resources
• HIPAA certificates and training courses
• HHS’s consumer resources for the public
HIPAA Privacy Rule
• Applies to “covered entities” (CEs)—any entity that bills electronically
  • Health care providers
    • Clinicians, hospitals, clinics, etc.
  • Health plans
    • HMOs, insurance companies, etc.
  • Healthcare clearinghouses
    • Billing services
  • Business associates
• Patient must authorize any disclosure, with the exception of “treatment, payment, or operations” (TPO); this does not preclude health care providers from sharing data for patient care, a common misunderstanding (Houser, Houser, & Shewchuk, 2007)
Physician Oaths of Privacy Are Not New
• Oath of Hippocrates, fifth century BC
  • “All that may come to my knowledge in the exercise of my profession or outside of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and never reveal.”
• Declaration of Geneva, 20th century
  • “I will respect the secrets which are confided in me, even after the patient has died.”
(AAPS, n.d.)
What Is Covered?
• Protected health information (PHI)
  • Collected from patient and created by covered entity
  • Individually identifiable
  • Electronically transmitted—in reality, all information
  • Extends to covered entities and business associates
• De-identified information is not covered
• Pre-emption
  • HIPAA trumps state law if state law is less protective of privacy and security, but state laws that go beyond the HIPAA protections are not nullified by HIPAA and must be followed
Identifiers Contained in Protected Health Information (PHI)
• Name
• Address (street address, city, county, ZIP code)
• Names of relatives
• Names of employers
• E-mail address
• Fax number
• Telephone number
• Birth date
• Finger or voice prints
• Photographic images
• Social Security number
• Internet protocol (IP) address
• Any vehicle or device serial number
• Medical record number
• Health plan beneficiary number
• Account number
• Certificate/license number
• Web URL
• Any other unique identifying number, characteristic, or code
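Because de-identified information falls outside the Privacy Rule, a practical control is to check free text for leftover identifiers before it is treated as de-identified. The following scanner is an added example, not material from the lecture or from HHS: it flags the identifier categories above that have a recognisable syntax (Social Security number, e-mail address, telephone/fax number, IP address, web URL, dates, and a medical record number in an assumed local "MRN nnnnnnn" format). The sample note and every value in it are constructed.

```python
import re
from dataclasses import dataclass

# Free-text patterns for HIPAA identifier categories that have a fixed syntax.
# Names, relatives, employers, photos and biometrics cannot be caught by regex
# and must be removed at the field level before text reaches this check.
# The MRN format ("MRN 0048213") is an assumed local convention, not a standard.
IDENTIFIER_PATTERNS = {
    "social_security_number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email_address": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "telephone_or_fax_number": re.compile(
        r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # URL up to, but not including, trailing sentence punctuation
    "web_url": re.compile(r"https?://[^\s\"'<>]*[^\s\"'<>.,;:!?)]", re.IGNORECASE),
    "birth_or_other_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "medical_record_number": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    category: str
    value: str
    start: int
    end: int


def scan_for_identifiers(text):
    """Return identifier matches in order of position.

    Overlapping matches from different patterns are collapsed so that each
    span of text is reported once (the earliest, longest match wins).
    """
    found = []
    for category, pattern in IDENTIFIER_PATTERNS.items():
        for m in pattern.finditer(text):
            found.append(Finding(category, m.group(0), m.start(), m.end()))
    found.sort(key=lambda f: (f.start, -f.end))
    kept, last_end = [], -1
    for f in found:
        if f.start >= last_end:
            kept.append(f)
            last_end = f.end
    return kept


def redact_identifiers(text):
    """Replace every finding with a category placeholder such as [EMAIL_ADDRESS]."""
    out, pos = [], 0
    for f in scan_for_identifiers(text):
        out.append(text[pos:f.start])
        out.append(f"[{f.category.upper()}]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


def is_safe_to_release(text):
    """True only when the syntactic scan finds nothing; a gate, not a guarantee."""
    return not scan_for_identifiers(text)


# Constructed sample note; every identifier here is made up.
SAMPLE_NOTE = (
    "Pt seen 03/14/2016, MRN 0048213. Callback 503-555-0142 or "
    "j.doe@example.org. Portal login from 10.0.12.7, see http://example.org/visit."
)

if __name__ == "__main__":
    for finding in scan_for_identifiers(SAMPLE_NOTE):
        print(f"{finding.category:26} {finding.value}")
    print(redact_identifiers(SAMPLE_NOTE))
```

A clean scan result means only that none of the syntactic categories were found; the remaining categories on the list (names, relatives, employers, device serial numbers, "any other unique identifying code") require structured, field-level handling, and a regex pass should be treated as a last check before release rather than as the de-identification step itself.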
Key Privacy Compliance Areas
• Notice of privacy practices
• Authorization
• Business associates and subcontractors
• Allowable disclosures
• Marketing
• Physician and staff training
• Penalties
Notice of Privacy Practices
• Patient has right to
  • Adequate notice of privacy practices
  • Uses and disclosures of PHI
  • Description of individual rights
  • Covered entities’ legal duties
• One problem is the readability of Notice of Privacy Practices (NPP) forms, which is comparable to that of medical journal articles and beyond the reading level of 80% of U.S. adults (Breese & Burman, 2005)
• Physicians’ requirements for obtaining NPP consent include
  • “Good faith effort” to obtain acknowledgment during first provision of in-person service
  • Failure to obtain is not penalized (per Bush administration revision)
• Many publicly available industry resources
Other Aspects of Privacy Practices
• Must be written in plain language
• Practices/organizations must state they preserve the right to change NPP
• There must be a complaint process
• Practices/organizations must designate a privacy official in the office
• See Oregon Health & Science University’s example of an NPP: http://www.ohsu.edu/xd/about/services/integrity/ips/npp.cfm
Authorizations
• Providers must obtain authorization before using PHI for purposes other than TPO
• They may not condition treatment on an individual’s authorization
• Covered entities must use “reasonable safeguards” to limit the use or disclosure of PHI to the minimum amount necessary
• Non-treatment disclosure is governed by the “Minimum Necessary” standard (HHS, 2003)
Authorizations Must Include
• Names of the persons authorized to make the use or disclosure
• Description of the information
• Expiration date or event
• Patient’s right to revoke and instructions on how to do so
• Purpose of the use or disclosure
• Signature and date
Business Associates
• Business associate (BA)
  • Does work on behalf of a covered entity using or disclosing PHI
  • Anyone who comes in contact with and uses PHI
  • Must sign agreement with covered entity
  • Is directly accountable to HHS for compliance and subject to breach notification rules
  • Includes all subcontractors to business associates
Allowable Non-TPO Disclosures
• Research
  • Overview: HHS, 2004
  • Authorization by patient is generally required
  • Authorization waiver can be provided by an institutional review board (IRB) or privacy board approval
    • Must involve “no more than a minimal risk”
    • Research could not be practically conducted without waiver and without access to PHI
• Public Health
  • Can be disclosed to public health agencies for public health activities
  • Also allowed for child abuse reporting, exposure to communicable diseases, and workforce surveillance
• Other
  • Law enforcement
  • Decedents
  • Cadaveric tissue donation
Marketing
• Defined as “a communication about a product/service that encourages recipients of the communication to purchase/use the product/service”
• Using PHI for marketing requires authorization from the individual
• A provider’s communication is not marketing when it concerns treatment, such as a
  • Therapy recommendation
  • Appointment notification
  • Prescription refill reminder
Physician and Staff Training
• Practices/organizations must
  • Designate a privacy officer
  • Develop policies and procedures
  • Provide privacy training to workforce
  • Develop a system of sanctions for employees who violate privacy laws
Penalties
• Enforced by HHS Office for Civil Rights: http://www.hhs.gov/ocr/index.html
• Penalties higher for “willful neglect” (i.e., offender knew about violation or was recklessly indifferent)
• Original HIPAA criticized for modest penalties and minimal prosecutions
• HITECH increased severity of penalties:
  • Tiered penalty structure ranging from $25,000 to $1.5 million per year, with $100 to $50,000 per violation (for each record)
Does HIPAA Privacy Rule Protect Privacy?
• Reviews by GAO (2004) and NCVHS (Kanaan, 2007) found adherence less problematic than anticipated
• Major concerns relate to difficulty in performing clinical research
  • Finding and accessing patients for research more difficult (Armstrong et al., 2005)
  • Two-thirds of researchers surveyed reported more difficulty in work; only one-quarter believed privacy enhanced (Ness, 2007)
  • Reports from AAHC (Steinberg & Rubin, 2009) and Institute of Medicine (2009) argue for revision to make research easier
• Also concerns with implications for public health (Kamoie & Hodge, 2004)
• Another view calls for less emphasis on consent and more on a framework that makes for easier sharing of TPO (with some modifications of “O”) with more rigorous restrictions on other uses, such as marketing (McGraw, 2009; McGraw et al., 2009)
Other Modifications in HITECH
• Breach notification: When 500 or more patients affected, breach must be reported to local media and OCR
  • www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
• Restrictions on disclosures
  • Information about services paid for out of pocket must be withheld from payers upon request
• TPO disclosures must be tracked and records maintained for three years
• Covered entities with EHRs must provide or transmit PHI in electronic format as directed by patient
• Patients can opt out of fundraising appeals
Privacy, Confidentiality, and Security
Summary – Lecture c
• HIPAA Privacy Rule restricts disclosure of information not authorized by a patient
• Privacy Rule is enhanced in HITECH Act
• Patient authorization is not required for treatment, payment, or operations (TPO)
• HIPAA Privacy Rule defines covered entities that must adhere and defines business associates of those entities that also must adhere
Privacy, Confidentiality, and Security
References – Lecture c

AAPS (Association of American Physicians and Surgeons). (n.d.). Physician oaths. Retrieved from http://www.aapsonline.org/ethics/oaths.htm
AHIMA (American Health Information Management Association). (2016). AHIMA introduces new online HIPAA privacy and security course. Retrieved from http://www.ahima.org/education/onlineed/Programs/hipaa
Armstrong, D., Kline-Rogers, E., Jani, S. M., et al. (2005). Potential impact of the HIPAA privacy rule on data collection in a registry of patients with acute coronary syndrome. Archives of Internal Medicine, 165, 1125–1129.
Breese, P., & Burman, W. (2005). Readability of notice of privacy forms used by major health care institutions. JAMA, 293, 1593–1594.
BridgeFront. (2009). Impact of the American Recovery & Reinvestment Act of 2009 on HIPAA privacy & security. Retrieved from http://www.hipaarx.net/downloads/ARRA_HIPAA_White_Paper.pdf
Centers for Medicare and Medicaid Services (CMS). (2007). Security 101 for covered entities. Baltimore, MD: CMS. Retrieved from http://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/securityrule/security101.pdf
GAO (Government Accounting Office). (2004). Health information: First-year experiences under the federal privacy rule. Retrieved from http://www.gao.gov/new.items/d04965.pdf
HealthIT.gov. (2016). HIPAA and health IT. Retrieved from https://www.healthit.gov/policy-researchers-implementers/hipaa-and-health-it
References – Lecture c, Continued

HealthIT.gov. (2016). Health IT privacy and security resources. Retrieved from https://www.healthit.gov/providers-professionals/ehr-privacy-security/resources
HHS (Department of Health and Human Services). (n.d.). Covered entities and business associates. Retrieved from http://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
HHS. (n.d.). Helping entities implement privacy and security protections. Retrieved from http://www.hhs.gov/hipaa/for-professionals/training/index.html
HHS. (n.d.). HIPAA for individuals. Retrieved from http://www.hhs.gov/hipaa/for-individuals/index.html
HHS. (2003). Minimum necessary requirement. Retrieved from http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html
HHS. (n.d.). Notice of privacy practices for protected health information. Retrieved from http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-health-information/index.html
HHS. (2013). New rule protects patient privacy, secures health information. HHS Press Office. Retrieved from http://www.hhs.gov/about/news/2013/01/17/new-rule-protects-patient-privacy-secures-health-information.html
HIMSS (Health Information and Management Systems Society). (2016). HIMSS privacy and security toolkit. Retrieved from http://www.himss.org/library/healthcare-privacy-security/toolkit
HIMSS. (2009). 2009 HIMSS analytics report: Evaluating HITECH’s impact on healthcare privacy and security. Chicago, IL: HIMSS Analytics. Retrieved from http://app.himssanalytics.org/docs/ID_Experts_111509.pdf
References – Lecture c, Continued 2

Hirsch, R., & Deixler, H. (2013). Final HIPAA Omnibus Rule brings sweeping changes to health care privacy law: HIPAA privacy and security obligations extended to business associates and subcontractors. Privacy & Security Law Report, 12 PVLR 168. Retrieved from http://www.trideapartners.com/blog/wp-content/uploads/2013/09/HIPAAFinal-Rule.pdf
Houser, S., Houser, H., & Shewchuk, R. (2007). Assessing the effects of the HIPAA privacy rule on release of patient information by healthcare facilities. Perspectives in Health Information Management, 23(4), 1.
ID Experts. (2014). The HIPAA Final Omnibus Rule. Portland, OR: ID Experts. Retrieved from http://lpa.idexpertscorp.com/acton/attachment/6200/f-002d/1/-/-/-/-/file.pdf
IOM (Institute of Medicine). (2009). Beyond the HIPAA Privacy Rule: Enhancing privacy, improving health through research. Report Brief. Retrieved from http://www.nationalacademies.org/hmd/~/media/Files/Report%20Files/2009/Beyond-the-HIPAA-Privacy-Rule-Enhancing-Privacy-Improving-Health-Through-Research/HIPAA%20report%20brief%20FINAL.ashx
Kamoie, B., & Hodge, J. (2004). HIPAA's implications for public health policy and practice: Guidance from the CDC. Public Health Reports, 119, 216–219.
Kanaan, S. (2007). NCVHS Report 2005–2006. Retrieved from http://www.cdc.gov/nchs/data/ncvhs/ncvhs05-06.pdf
Leyva, C., & Leyva, D. (2011). HIPAA survival guide for providers: Privacy & security rules, 3rd ed. Largo, FL: HITECH Survival Guide.
References – Lecture c, Continued 3

McGraw, D. (2009). Rethinking the role of consent in protecting health information privacy. Washington, DC: Center for Democracy & Technology. Retrieved from http://www.cdt.org/healthprivacy/20090126Consent.pdf
McGraw, D., Dempsey, J., Harris, L., & Goldman, J. (2009). Privacy as an enabler, not an impediment: Building trust into health information exchange. Health Affairs, 28, 416–427.
Nass, S., Levit, L., & Gostin, L. (Eds.). (2009). Beyond the HIPAA privacy rule: Enhancing privacy, improving health through research. Washington, DC: National Academies Press.
National Institutes of Health. (2007). HIPAA privacy rule. Retrieved from https://privacyruleandresearch.nih.gov
Ness, R. (2007). Influence of the HIPAA privacy rule on health research. JAMA, 298, 2164–2170.
Oregon Health and Science University. (n.d.). OHSU notice of privacy practices. Retrieved from http://www.ohsu.edu/xd/about/services/integrity/ips/npp.cfm
Steinberg, M., & Rubin, E. (2009). The HIPAA Privacy Rule: Lacks patient benefit, impedes research growth. Association of Academic Health Centers (AAHC). Retrieved from http://www.aahcdc.org/Portals/41/Series/Issue-Briefs/HIPAA_Privacy_Rule_Impedes_Research_Growth.pdf?ver=2017-02-17-141347-363
Terry, N. (2014). Health privacy is difficult but not impossible in a post-HIPAA data-driven world. Chest, 146(3), 835–840.