Privacy in a Healthcare Environment David S. Muntz, SVP-IS/CIO For Baylor Health Care System November 19, 2007


10/28/2007 Baylor Health Care System2

© 2007 Baylor Health Care System

Founding Statement

“Is it not now time to build a great humanitarian hospital, one to which men of all creeds and those of none may come with equal confidence?”

Dr. George W. Truett, 1903, Co-founder of Texas Baptist Memorial Sanitarium, predecessor of Baylor Health Care System


Guided by

Baylor Values: Integrity, Servanthood, Quality, Innovation, Stewardship

Circle of Care


Baylor Health Care System

• 2007 Preliminary and Unaudited Financial Performance
  • $2.7 Billion Net Patient Revenue
  • $318 Million Net Operating Income (all sources)
• 16,600 employees
• 13 hospitals
• Significant teaching and research programs
• No health plan
• 3,500 physicians including 450 employed
• 128+ access points
• 130 mile diameter, all in Texas


Confluence of Factors Impacting Healthcare Information Systems

• Quality indicators are universally available. Top quality is BHCS’ only option.
• The Board required “extraordinary” performance.
• The future demands a fundamental change in the underlying processes related to delivery of health care.
• There are limited resources and a high demand for new products, processes, and services.
• The healthcare consumer will have more choices.


Other Influential Factors

• Quality
  • Institute of Medicine’s Study of Medication Errors (national and state implications)
  • Leapfrog Group both nationally and locally
• Finance
  • Increasing pressures from Managed Care
  • Health Insurance Portability and Accountability Act of 1996
  • Balanced Budget Act of 1997
  • P4P (Pay for Performance)
• People
  • Nursing shortage including other qualified and registered clinical personnel
• Technology
  • Tolerance of complex systems
  • Universal access



Infrastructure: Responsive & Reliable

• 2 primary data centers
• 12 satellite remote campus communication centers
• 1 mainframe with 2 processors
• 44 midrange platforms
• 3 robotic tape silos
  • Two with 6000 tapes per silo and 120 terabytes of spinning disk
  • One with 50 tapes per silo
  • 200 to 800 GB per tape
  • 24 actual tape drives in the two primary silos
• Disk capacity with some form of RAID
  • 2 Storage Area Networks (80 terabytes)
  • Total DAS and NAS (140 terabytes)
  • 1.1 terabytes of storage on the mainframe
• 800+ application servers
• 22,000+ data nodes, 19,500+ voice nodes
• 243 FON closets with 285+ UPS, 2000+ switches and routers, 1000+ WAPs
• Approximately 10,000 workstations and 4,100 printers
• Speeds of transmission: 10/100/1000 megabits per second
• WAN – T1, DS-3, Optiman, GigaMAN, dedicated fiber
• 2 connections to our ISP scalable to 155 megabits total on demand
• Nine SL-100 phone switches centrally managed
• 5,030 centralized voice mail users
• 40,000+ biomedical devices

GOAL: Create the equivalent of dial tone - 6 Sigma reliability.


Portal Strategy: Universal Access

• Internet based, web enabled applications
  • Physicians – myBaylorEMR.com
  • Trustees – BaylorBoard.com
  • Employees – myBaylor.com
  • Consumers – www.BaylorHealth.com
  • Education – www.BaylorHealth.edu
• Create virtual integration
• Pass user’s context to applications to avoid multiple logins
• Pass patient context where possible
• Use desktop metaphor and place icons for all available applications on desktop
• Allow personalization of desktop to encourage portal utilization
• Make security design and administration independent of application coding

What are Baylor’s next steps?


[Figure: Care Model Graphic. Diagram labels: Community; Health System; Resources & Policies; Organization of Health Care; Self-Management Support; Delivery System Design; Clinical Decision Support; Clinical Information Systems; Informed, Empowered Patient and Family; Productive Interactions; Prepared, Proactive Practice Team; Improved Outcomes; Safe; Patient Centered; Timely & Efficient; Coordinated; Evidence-based]


Relationship between clinical transformation, electronic health record (EHR), and information systems

revision: April 24, 2007

[Figure labels: clinical transformation; EHR; Ancillary Services; Eclipsys & GE Suites; Financial Systems; Administrative Systems; ...more than 400 applications...]

Enterprise Project Management, Application Portfolio Management, Security, Customer Support (Help Desk, Super User, System Administrator Recruitment, Post-implementation Support Model development), Operations, IT Infrastructure, Unified Data Strategy

Evidence, Clinical Decision Support, Process Redesign, Change Management, Governance, Customer Involvement, Training and Education

Communication, Coordination, Collaboration

· This chart shows the relationship between functions, not departments. CT and BIS, the departments, are not represented here.
· The applications are simply illustrative, not complete. The application groupings are also representative, not complete.
· The dimensions are not to scale, but used to demonstrate relationships only.
· Financial decision support is not shown, but does not necessarily span all activities. It is omitted from the chart.
· The goal of all activities is to improve adherence to STEEEP (safe, timely, effective, efficient, equitable, patient centered care), which can be summarized as “hardwiring STEEEP.”
· There are other applications, for example payroll, which do not fit under the “clinical transformation” arc, but are important to BHCS.
· The number of applications will be reduced through a concerted effort to achieve Systemness with broad stakeholder involvement.

Clinical and Other Systems

Baylor Health Care System Mission, Vision, Values, Strategy, and The Care Model

The Framework for the EHR

[Figure labels: Radiology & PACS; Laboratory Systems; Common Registration; Patient Accounting & Patient Management; Scheduling & Surgical Management; Medication Management; Contract Management; Supply Chain; Managed Care; Respiratory Therapy; others...; Foundation; Business Operations; Clinical Applications; Knowledge Based Medicine; Safety and Satisfaction; Clinical Documentation; Governance; Electronic Health Record; Clinical Decision Support; Computerized Physician Order Entry; Efficacious and Efficient Continuous Improvement Processes; Information Technology Infrastructure; Knowledge]


A Simple Definition

• People
• Processes
• Technology

Integrating clinical and non-clinical process improvements with enabling technologies

Hardwiring STEEEP*

*IOM Model: Safe, Timely, Effective, Efficient, Equitable, Patient-centered care.

HIPAA

A Framework for Privacy in Healthcare


HIPAA – The Intent

• HIPAA was designed to:
  • Ensure health insurance portability
  • Reduce health care fraud and abuse
  • Guarantee privacy and security of health information
  • Provide standards for electronic exchange of health information
• Examples of HIPAA’s impact include:
  • Portability.
    • Guarantees medical coverage renewal, prohibits discrimination based on health status, and eliminates some preexisting conditions exclusions.
  • Transaction Standards and Unique Identifiers.
    • Creates standard formats and code sets for all major transactions that are processed electronically, and provides national identifiers for providers, employers, and health plans.
  • Security Rule.
    • Provides a uniform level of protection of all electronic health information.
  • Privacy Rule.
    • Addresses the rights of an individual, the procedures for exercising these rights, and the uses and disclosures of health information. Ensures confidential treatment of patient data.


Evolution of The Privacy Rule

• Proposed Rule: October, 1999
• “Final” Rule: December, 2000
• Proposed Changes: March, 2002
• Final Changes: August, 2002
• Deadline: April, 2003


Baylor Health Care System’s (BHCS) Response: People, processes, and timelines

Processes. HIPAA standardizes how procedures are coded and electronic bills are submitted. It also prompts health care organizations to examine processes and change how patient information is:

• communicated,
• shared,
• disclosed, and
• protected.

People. HIPAA touches everyone in our organization. It requires our employees, physicians, volunteers, and contractors to be trained and follow new policies, procedures, and processes.

Timeline. HIPAA sets rules for how we should act and penalties should we fail to meet the new standards. Compliance with HIPAA occurs in phases, starting in April 2003.


National Versus State Regulation – How do we approach that?

• Many states, including Texas, passed their own versions of HIPAA.

• HIPAA resolved this issue by instructing that when state and federal versions differ, the more restrictive version applies.

• BHCS has reconciled state and federal law, and the more restrictive law is reflected in our privacy policies, which are the basis for our training.


Who Is “Covered?”

Providers. BHCS is a health care provider. As a physician, you are a provider. Providers range from large hospital systems to individual nursing homes, labs, and pharmacies. Health care providers are also doctors, nurses, dentists, psychotherapists, and others who care for patients.

Plans or insurers. Examples include Cigna, United Health Care, Blue Cross/Blue Shield, and Aetna.

Clearinghouses. These are systems that process information for other companies, such as most billing services like WebMD Envoy®.


More terminology

HIPAA protects the rights of individuals, not just patients. An individual is the subject of health information. This can include patients and health plan participants and their covered dependents. These same rights extend to legally authorized representatives.

A covered entity's workforce includes employees, volunteers, people whose conduct is under the direct control of a covered entity, and people involved in a covered entity's training programs.

Individually Identifiable Health Information (IIHI) is health information that either identifies an individual or provides a reasonable basis for identifying an individual, by virtue of containing one or more of 18 identifiers.

PHI stands for Protected Health Information. This is health information—in any form—that can identify an individual. HIPAA and Texas state law define how PHI may be used and disclosed.


Protected Health Information: 18 elements

• Identifies the individual
• With respect to which there is a reasonable basis to believe that the information can be used to identify the individual
• If the following information is removed, it is presumed to be non-identifiable information:
  - Name
  - Names of Relatives
  - Street Name
  - Names of Employers
  - City
  - Date of Birth
  - County
  - Telephone Numbers
  - Zip Code
  - Fax Numbers
  - Equivalent Geocodes
  - E-Mail Addresses
  - Social Security #
  - Medical Record #
  - Health Plan #
  - Account #
  - Certificate/License #
  - Vehicle or Device Serial #
  - Finger & Voice Prints
  - Internet Protocol Address
  - Photo Images


Implementation: System and Entity Level

Staffing
• System: Create Program Management Office to coordinate all HIPAA efforts. Appoint System Privacy Officer.
• Local: Appoint Entity Privacy Officer to ensure Privacy Program implementation at entity.

Training
• System: Develop and maintain training materials for the workforce (develop courses, HIPAA web site).
• Local: Train existing and new workforce members.

Policies and Procedures
• System: Develop system-level privacy-related policies through entity collaboration.
• Local: Create entity-specific procedures and implementation plans.

Reporting Concerns
• System: Oversee standard reporting and investigation process.
• Local: Contact manager or Entity Privacy Officer.


Information Security Policies

• 0.1 Security Governance Charter
• 1.0 Asset Management Policy
  • 1.2 Configuration Management Standard
  • 1.3 Change Control Standard
• 2.0 Acceptable Use Policy
  • 2.1 Internet Acceptable Use Standard
  • 2.2 Email Acceptable Use Standard
  • 2.3 Telecommunication Acceptable Use
  • 2.4 Software Acceptable Use Standard
  • 2.5 Misuse Reporting Standard
• 3.0 Asset Protection Policy
  • 3.1 Access Control Standard
  • 3.2 Physical Access Standard
  • 3.3 Encryption Standard
  • 3.5 Anti-Virus Standard
  • 3.6 Auditing Standard
  • 3.7 Remote Access Standard
  • 3.8 Wireless LAN Standard
  • 3.9 Network Standard
• 4.0 Asset Identification & Classification Policy
  • 4.1 Data Classification Standard
  • 4.2 Data Handling Standard
• 5.0 Threat Assessment & Management Policy
  • 5.1 Threat Assessment Standard
  • 5.2 Threat Monitoring Standard
  • 5.3 Incident Management Standard
• 6.0 Vulnerability Assessment & Management Policy
  • 6.1 Vulnerability Assessment Standard
  • 6.2 Vulnerability Management Standard
• 7.0 Security Awareness Policy
  • 7.1 Management SA Standard
• 8.0 Business Continuity Management Program Policy
  • 8.1 Business Impact Analysis Standard
  • 8.2 Business Continuity Plan Availability Strategy Standard
  • 8.3 BCP Maintenance & Exercise Standard
  • 8.4 BCP Training Standard
  • 8.5 EDCS Data Backup Standard
  • 8.6 EDCS Availability Standard
• 9.0 Risk Management Policy
  • 9.1 Risk Assessment Standard
  • 9.2 Risk Management Standard


Privacy Policies

• Consent Policy
  • Consent Procedure
• Retention & Destruction Policy
  • Retention Procedure
  • Destruction Procedure
  • Document & Records Retention & Destruction Schedule
• Faxing PHI Policy
  • Faxing PHI Procedure
• Complaint Policy
  • Complaint Procedure
• Confidential Communications Policy
  • Confidential Communications Procedure
• Use & Disclosure Policy
  • Use & Disclosure Procedure
• HIPAA Compliance Monitoring Policy
  • HIPAA Compliance Monitoring Procedure


Patient Rights

• Confidentiality is one of many patient's rights. Other rights include being able to:
  • read and obtain copies of their health information
  • request restrictions of the use and disclosure of PHI
  • request that we communicate with an individual about his/her health information in a specific way or at a specific location
  • request changes to health information, if an individual believes it's incorrect or incomplete
  • receive an accounting of outside disclosures
  • file a complaint if an individual believes his/her confidentiality has been violated
• These rights have exceptions and specific procedures that need to be followed. BHCS has developed the procedures and processes necessary to respond to patients when exercising these rights.
• Privacy notices must be posted.


Organized Health Care Arrangement (OHCA)

• Establish a mechanism for free exchange of PHI between each BHCS entity and its respective medical staff for a hospital-based episode of care. When a patient presents to a BHCS entity, the Notice they receive is applicable to the entity medical staff as well as the entity’s workforce.

Hospital-based Episode of Care

Services jointly provided to patients by a BHCS entity and members of the entity medical staff, whether it be for inpatient or outpatient services. Does not relate to services provided by the physician in his/her private practice setting.



Ask questions…if you see someone unfamiliar to you accessing PHI.

Take precautions when discussing PHI over the telephone or voicemail…make sure that you are leaving messages for the right person.

Conceal or secure PHI…so that it can’t be viewed on desks, door pockets, or in hallways. When not in use, ensure chart holders are closed.

Control access…to areas that contain PHI. This means that doors will be locked, card access systems and other physical access controls will be used as necessary. The number of designated entrances will be minimized after normal business hours.

Exercise care…when you have to discuss PHI in public areas such as waiting rooms or over the phone in public areas, so that others don’t accidentally hear you.

Wear your badge…so that you can be easily identified as an employee, volunteer, contractor, or physician.

Safeguarding PHI


Overhead Paging

…should be limited to the patient name and specific instructions. These instructions should not identify any PHI.

Waiting Rooms

Only use the minimal information necessary to locate the patient or patient's family members.

Message boards should contain only the patient's last name and initial of first name.

Other options for locating the patient or patient’s family include using:

• Electronic pagers.

• A ‘take a number’ system.

Safeguarding PHI


Whiteboards

Should be out of public view as much as possible. When in public view, boards will only display patient last name, location, and last name of attending physician and caregivers.

Patient Sign-In Sheets

should not be left out for viewing by other patients

Instead of sign-in sheets, consider using:

• Individual labels that can be removed and transferred to another sheet after each patient signs in.

• Individual sheets of paper that can be removed

• A ‘take a number’ system

Patient Information Lists

Include medical tests, diagnostic procedures, surgery schedule or lab tests. These lists should be protected from public view. When using clipboards, the list should be covered with a plain sheet of paper.

Distribution lists will be reviewed periodically to verify that recipients have a need to know.

Safeguarding PHI


Patient Identification on Door

May contain only the patient last name, initial of first name, location, and physician name. Care-related instructions and advisories are allowable.

Paper Records

…must be secured in storage bins until destroyed.

Methods include:

• Document destruction services with onsite destruction (for High Volume Areas)

• Onsite shredding machines (for Low Volume Areas)

• Destruction of documents by offsite service providers—Vendors should follow BHCS’ criteria for secure disposal and destruction

Safeguarding PHI


Safeguarding PHI

• Faxes
  • Place fax machines in secure locations
  • Monitor fax machines that send and receive PHI
  • Remove PHI from fax machines immediately after transmission
  • Verify fax numbers and identity of recipients before faxing PHI
  • Follow specific procedures when receiving or sending misdirected faxes
• Voicemail
  • Listen to the entire greeting
• Internet
  • Secure sites
  • Encryption for e-mails


Safeguarding PHI

• Electronic Health Records
  • Encrypted databases
  • Automated inputs
  • Controlled access
• Security challenges
  • Biometrics
  • Quick timeouts
  • Role-based security
  • Audit trails for every screen
  • Active review of audit records


Individual

The subject of health information.

Information Breach

• Information breaches can result in the violation of an individual's privacy. An information breach occurs when PHI is:
  • accessed by unauthorized individuals.
  • discussed without a legitimate business purpose.
  • revealed to those who don't have a need to know.


Information Breaches

Severity level: Level-1: Carelessness

Examples include:
• Leaving documents with sensitive information on fax machines or printers
• Failing to completely remove information that could lead to an individual’s identity from a document
• Accidentally modifying or altering data

Minimum BHCS corrective or disciplinary action includes:
• Administering corrective action as called for by severity of the impact
• Requiring repeat of applicable privacy/security training

Possible civil and criminal penalties include:
• Fines up to $25,000


Information Breaches

Severity level: Level-2: Curiosity or Concern

Examples include accessing or viewing health information on a family member, neighbor or co-worker when there is no need to know.

Minimum BHCS corrective or disciplinary action includes:
• Administering corrective action as called for by severity of the impact
• Requiring repeat of applicable privacy/security training

Possible civil and criminal penalties include:
• Fines up to $25,000


Information Breaches

Severity level: Level-3: Personal Gain or Malice

Examples include:
• Unauthorized access to and use of health information for personal gain or malicious intent
• Compiling mailing lists for personal use or to be sold or releasing celebrity information to the media

Minimum BHCS corrective or disciplinary action includes:
• Termination of employment
• External reporting as necessary in compliance with federal and state regulations and statutory requirements
• External reporting to boards, professional associations, and certification bodies as required

Possible civil and criminal penalties include:
• Fines up to $250,000
• Up to 10 years in prison


It Really Happens

• Level 2: A psychiatrist from New Hampshire was fined $1,000 for repeatedly looking at the medical records of an acquaintance without permission. Because there was no state law making it a crime to breach the confidentiality of medical records, the case was brought under a law against misusing a computer. (“Psychiatrist Convicted of Snooping in Records,” The Associated Press State & Local Wire, May 5, 1999)

• Level 3: Country singer Tammy Wynette's medical records were sold to the National Enquirer and Star tabloids by a hospital employee for $2,610. William Cox's position at the hospital entitled him to authorized access to several medical record databases. He retrieved medical information about Tammy Wynette and faxed it to the tabloids without her consent. In the end, Cox pleaded guilty to one count of wire fraud and was sentenced to six months in prison. ("Selling Singer's Files Gets Man Six Months," Houston Chronicle, December 2, 2000, p. A2)


General Approach: Minimum Necessary

• Minimum necessary guidelines apply to almost all uses, disclosures and requests of PHI, including:
  • Health care operations and payment purposes.
  • Treatment purposes (other than the provider exception as described next).
  • Other disclosures and requests to external third parties.
• However, every rule does have its exceptions. Exceptions to the minimum necessary requirement include disclosures:
  • to and requests by providers for treatment.
  • to the individual.
  • authorized by the individual.
  • required by law.
  • to HHS for compliance with the Privacy Rule.
  • to HHS for compliance with other HIPAA requirements.


Unanticipated Impacts

• Fundraising
  • If patient demographic data is to be used for fundraising, the Privacy Notice must state as such
  • No special authorization is required if only demographic data is used
  • May use business associates for fundraising but ensure business associate agreement is in place
  • With materials sent to individuals, must include opt-out information
  • If individual opts out, must be able to ensure compliance
  • Grateful patient referrals – problematic
• Marketing
  • For marketing, authorizations are required; there are exceptions:
    • If communication is face to face
    • If communication involves products or services of nominal value, i.e., pens, calendars
  • Business Associate may help with marketing but ensure a Business Associate Agreement is in place
  • Materials sent to individuals must include opt out clause
  • If individual opts out, must be able to ensure compliance
  • May not sell patient’s list
  • HIPAA allows communication of alternative services/treatment to patients.
    • Does this apply to “mass mailings”?
    • Not clear if Texas law offers the same latitude
• Places of worship
  • Challenges from the pulpit
  • Challenges from the congregations


Privacy Standards: Permissible Uses and Disclosures without Patient Authorization

• Public Health
• Reporting abuse, neglect or domestic violence
• Health oversight activities
• Judicial and administrative proceedings
• Law enforcement
• Decedents (coroners and funeral directors)
• Cadaveric organ, eye or tissue donation
• Certain research
• Emergency circumstances
• Special categories (e.g., intelligence, military)

Privacy Program Organization

[Figure: organization chart. Boxes: System Compliance (System Privacy Officer); System Privacy/Security Committee; Entity Privacy Officers; Entity Privacy Committees. Activity labels: Design & Develop; Coordinate & Collaborate; Implement & Monitor]


Acknowledgements

• BHCS
  • Donna Bowers, JD, RHIA
    • VP of Health Information Management, Baylor Health Care System
  • Office of Information Security
• Texas Health Resources
  • Patricia Johnston, CHP, FHIMSS
    • System Privacy Officer for Texas Health Resources
  • The Center For Learning

Discussion