HIPAA and RHIOs

Page 1: HIPAA and RHIOs

HIPAA in the Land Of RHIOs

18th Annual Summer Institute in Nursing Informatics

University at Maryland

School of Nursing

Presented by Tak Nobumoto

Director of Operations, UB|MD

Privacy and Security Officer, UB|MD

Page 2: HIPAA and RHIOs

Who am I?

• IT background
• MSO – billing and accounting
• HIPAA compliance
  • EDI compliance
  • Privacy
  • Security
  • NPI
• UB practice plan operations

Page 3: HIPAA and RHIOs

What You Will Learn

• HIPAA history and fundamentals
• Real world HIPAA incidents
• Health Information Exchange (HIE) in Western New York (WNY)
• Privacy and Security concerns with HIE

Page 4: HIPAA and RHIOs

Topics of Discussion

• HIPAA Components
  • Privacy Rule
  • Security Rule
  • Penalties for disclosure
  • Who implements HIPAA
  • Examples of what you will encounter
  • Other laws that may apply
• Clinical Data Exchange

Page 5: HIPAA and RHIOs

Purpose of HIPAA

• Portability of health insurance
• Streamline the healthcare system
• Reduce costs
• Encourage the use of electronic technology
• Protect the security, confidentiality and integrity of health information
• Protect against threats or hazards that jeopardize patient care

Page 6: HIPAA and RHIOs

HIPAA’s Vision

• Single set of information for all payers
• Standard coding rules
• Standard responses from payers
• Little reliance on human intervention for billing, remittance, posting, eligibility inquiries, coordination of benefits
• Secure data – privacy protected
• Medical records securely exchanged between providers

Page 7: HIPAA and RHIOs

What is HIPAA?

Health Insurance Portability and Accountability Act of 1996
  → Administrative Simplification
    • Transactions
      • Standardize healthcare transactions
      • 400 formats into 1 std
      • 1 std with 400 interpretations
    • National Prov ID
      • Unique provider ID
      • ID available in 2005
      • Compliance by 2007
    • Privacy
    • Security
      • Compliance by 4/2005

Page 8: HIPAA and RHIOs

Who is Covered under HIPAA?

• Covered Entities (CEs)
  • Providers
  • Health Plans
  • Clearinghouses

Page 9: HIPAA and RHIOs

Who Implements HIPAA?

Covered entity (hospital, practice plan, physician office, health plan) in possession of Protected Health Information is responsible for:

• Developing policies/procedures and full implementation to meet all requirements of HIPAA regulations
• Training of its workforce (anyone conducting treatment, payment or operations activities on its behalf)
• Sanctioning violators and responding to complaints from the public or the Secretary of Health and Human Services

Page 10: HIPAA and RHIOs

What is PHI?

PHI is defined as individually identifiable health information transmitted or maintained in any form or medium.

PHI relates to a past, present, or future physical or mental condition of a person, the provision of healthcare to a person or the payment for health care of a person.

PHI excludes health information in school education records and health records held by an employer.

Page 11: HIPAA and RHIOs

HIPAA continued

• Privacy – Individual’s right to ensure that personal information is kept confidential
  • Requires policies, procedures, and practices
• Security – Protection of a system from unauthorized access by external and internal users
  • Security is viewed as a subset of privacy

Page 12: HIPAA and RHIOs

“A covered entity must reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.”

Page 13: HIPAA and RHIOs

Privacy

• Protects individual’s right to ensure that personal information is kept confidential
• Requires policies, procedures, and practices
• Privacy violation as a standard of care for negligence (http://www.duanemorris.com/alerts/alert2417.html)

Page 14: HIPAA and RHIOs

Privacy Rule

• Applies to protected health information in any format (oral, written, electronic)
• Gives patients control over their health information
• Sets boundaries on use and release
• Establishes safeguards to protect privacy
• Holds violators accountable
• Balances public responsibility

Page 15: HIPAA and RHIOs

HIPAA Privacy: Uses and Disclosures

General Rule: A covered entity may not use or disclose protected health information…

EXCEPT:
• To the individual in compliance with NYS laws
• For treatment, payment or operations (164.506)
• Pursuant to valid authorization (164.508)
• Required by law/abuse/judicial/law enforcement
• Research (7 release mechanisms)

Page 16: HIPAA and RHIOs

HIPAA Privacy: Patient Rights

• Access to protected health information
• Request a copy of their health record
• Request an amendment of PHI
• Accounting of disclosures
• Notice of privacy practices

Page 17: HIPAA and RHIOs

Security

Protection of a system from unauthorized access by external and internal users
• Viewed as a subset of privacy

Page 18: HIPAA and RHIOs

Three Components of Security

• Technical security
• Physical security
• Administrative safeguards

Page 19: HIPAA and RHIOs

Top Security Issues

• User authentication
  • Username and password
• Encryption
• Audit trails
• Email and other internet usage
• Remote access

Page 20: HIPAA and RHIOs

Penalties

• General Penalty: Each violation – $100. Maximum penalty for each violation $25,000. Over 50 distinct violations possible under Privacy alone.
• Wrongful disclosure: $50,000 and/or imprisonment for 1 year
• Offense under false pretenses: $100,000 and/or 5 year imprisonment
• Offenses with intent to derive personal benefit (sell) information: $250,000 and/or 10 years imprisonment

Page 21: HIPAA and RHIOs

Laws, Rules and Regulations

• Education law
  • Title VIII
  • Article 193 – Nursing
• Rules of the Board of Regents
  • Part 29 – Unprofessional conduct
• Commissioner's Regulations
  • Part 52.12 – Registration of Curricula
  • Part 64 – Nursing

http://www.op.nysed.gov/nurse.htm

Page 22: HIPAA and RHIOs

Laws, Rules and Regulations

The definition of Unprofessional Conduct in NYS Regents Rules, Part 29, includes, “revealing of personally identifiable facts, data or information obtained in a professional capacity without the prior consent of the patient or client, except as authorized or required by law”

The definition of Professional Misconduct in NYS Education Law, Article 130, Subarticle 3, includes, “committing unprofessional conduct, as defined by the board of regents in its rules”

Article 28 New York State facilities (these include hospitals and nursing homes) are required to report as professional misconduct licensed health care professionals who do not protect the confidentiality of patient information. No intent of malice or to do harm is required.

Page 23: HIPAA and RHIOs

Other NYS laws and rules

New York State Public Health Law Section 18, Access to Patient Information – §18(3)(b) – states, in part, “Upon receipt of a written request by a qualified person to inspect patient information maintained by a facility, the facility shall inform the treating practitioner of the request. The treating practitioner may review the information requested.”

10 New York Codes, Rules and Regulations Section 58-1.8, states, in part, “No person shall report the result of any test, examination or analysis of a specimen submitted for evidence of human disease or medical condition except to a physician, his agent, or other person authorized by law . . . Reports shall not be issued to the patients concerned except with the written consent of the physician or other authorized person . . .”

Page 24: HIPAA and RHIOs

Information Subject of Special Protections

1. HIV-related Information – New York State Public Health Law, Article 27-F
   Disclosures must be accompanied by the confidentiality notice required by §2782(5)(a).

2. Mental Health Information
   A patient’s clinical mental health record at a New York State Office of Mental Health (OMH)-licensed “facility” or an Office of Mental Retardation and Developmental Disabilities (OMRDD)-licensed “facility” must not be released without the patient’s consent except under limited circumstances. (MHL §33.13(c))

3. Alcohol and Substance Abuse Information
   Federal regulations govern the confidentiality of alcohol and substance records. (42 CFR Part 2)
   Substance abuse treatment programs may not use or disclose any information about any patient unless the patient has consented in writing (on a form that meets the requirements established by the regulations) or unless another very limited exception specified in the regulations applies. (42 CFR §§2.31 and 2.33)

Page 25: HIPAA and RHIOs

HIPAA: Reality?

Minimum necessary: …limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request…

Does not apply to treatment or disclosures to the individual to which it pertains.

Examples of violations:
1. Staff discuss a patient they know other than for treatment purposes.
2. Look up friend/family/self on HIS
3. Disclose sensitive PHI not required

Page 26: HIPAA and RHIOs

HIPAA Reality?

HIPAA will not impede healthcare
1. Patient
2. Personal representative
3. Professional judgment
4. Privacy regulations
   • T(reatment) – P(ayment) – O(perations)
   • Exceptions as outlined

Page 27: HIPAA and RHIOs

HIPAA in the News

NEW YORK (CNN) -- More than two dozen employees at Palisades Medical Center have been suspended after accessing the personal medical records of actor George Clooney, who was taken to the North Bergen, N.J., hospital last month after a motorcycle accident. George Clooney was injured when his motorcycle was in collision with a car. Clooney was injured, along with his companion Sarah Larson, when the motorcycle they were riding collided with a car in Weehawken, N.J. Clooney suffered a broken rib and skin abrasions and Larson broke her foot.

Hospital spokesman Eurice Rojas said late Tuesday that 27 employees were suspended for a month without pay, after an internal investigation. Accessing a person's medical records without authorization is a violation of the Health Insurance Portability and Accountability Act (HIPAA) -- a federal law that protects the privacy of patients.

Page 28: HIPAA and RHIOs

HIPAA in the news

Page 29: HIPAA and RHIOs

HIPAA in the local news

InfoClique is a web-based system designed to provide the staff of Kaleida Health and referring/consulting physician offices a secure central access point for patient information. Patient information available through InfoClique includes:
• Demographics – basic patient info
• Dictated reports (H&P, Op reports, Discharge summary and consultations)
• Results (lab/rad/orders)
• Medications

Page 30: HIPAA and RHIOs

HIPAA in the local news

Kevin Everett of the Buffalo Bills was a patient at Kaleida Health from September 9 through 21. During his 12 day admission, 60 individuals accessed his InfoClique record. Of those, 32 individuals accessed it without an authorized reason to do so. These individuals included physicians, nurses and office support staff. Two individuals had their employment terminated by their employers as a result of their unauthorized access.

Page 31: HIPAA and RHIOs

Examples of Privacy Complaints

Patient asked caregiver a question. Caregiver responded in front of patient’s family. Response included reference to patient’s HIV status. Some family members did not know about patient’s HIV diagnosis.

Caregiver spoke about an interesting patient with her daughter, who told her friend, who told her cousin, who was the daughter of the patient. Patient called the Privacy Officer.

Page 32: HIPAA and RHIOs

How Can We Comply?

Violations will be subject to disciplinary action up to and including termination of employment or contract.

Anyone who knows or has reason to believe that another person has violated the confidentiality of a patient’s PHI should report the matter to a supervisor.

Page 33: HIPAA and RHIOs

What can we do?

• Report violations, incidents and bad practices to your clinical instructor or someone in charge
• Exercise good professional judgment and seek expert advice
• Remind others of privacy and security responsibilities
• Take HIPAA seriously

Page 34: HIPAA and RHIOs

HIPAA: The final word

• It’s all about people
• Right to privacy
• Use good judgment
• Seek good advice
• Speak up

Page 35: HIPAA and RHIOs

Health Information Technology

__________________________________________________

Clinical Data Exchange

Page 36: HIPAA and RHIOs

National Health Information Network

“A set of technologies, standards, applications, systems, values and laws that support all facets of individual health, healthcare, and public health.”

Page 37: HIPAA and RHIOs

National Health Information Network (NHIN)

• National framework
• Statewide networks
• Regional networks
• Local networks
• Institutional networks

Page 38: HIPAA and RHIOs

WNY clinical data exchange projects

• WNY HealtheNet
• WNY HealtheLink
• BAPHIE
• Lifetime Care – Hospice – Advanced Directives Network
• UNYTS

Page 39: HIPAA and RHIOs

NYS Information Security and Privacy Collaboration

• Issued White Paper to address privacy and security for emerging RHIOs in NYS
• Comment period
• Awaiting finalization

Page 40: HIPAA and RHIOs

RHIO responsibilities

• Access and use policies
• Authentication of identity
• Authorization for access
• Consumer and provider identification
• Transmission security
• Data integrity
• Audit trails for clinicians and consumers
• Administrative and physical security
• Enforcement and protections

Page 41: HIPAA and RHIOs

Affirmative Consent

Each participant in a RHIO must obtain an affirmative consent from the consumer prior to accessing his/her personal health information
• ‘one-to-one’ exception
• ‘break the glass’ with attestation
• Providers may upload without consent

Page 42: HIPAA and RHIOs

Uses of Health Information

• Level One – benefit to the consumer
  • Treatment
  • Quality improvement
  • Disease management
• Level Two
  • Research
  • Marketing

Page 43: HIPAA and RHIOs

Sensitive Information

• Single consent to access all PHI (exception for substance abuse covered under Fed)
• Filter data to exchange
• Consumer awareness of exchange access
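The RHIO slides above describe a consent model (affirmative consent, a ‘one-to-one’ exception, attested ‘break the glass’ access), a requirement to filter the federally protected substance-abuse category out of the exchange, and audit trails that can be reviewed afterwards the way the Kaleida/InfoClique access review was. The Python below is an added illustration of how those pieces fit together on the participant side; it is the editor's example, not code from the presentation or from any WNY exchange. The participant names, user ids, patient id and record categories are constructed, and reading the ‘one-to-one’ exception as an existing treating-clinician relationship is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample domain; none of these identifiers come from the deck.
PART2_CATEGORY = "substance_abuse"   # stands in for 42 CFR Part 2 data, excepted from the single consent


@dataclass
class AccessRequest:
    user_id: str
    patient_id: str
    purpose: str                       # "treatment", "payment", "operations", "research", ...
    attestation: Optional[str] = None  # reason text required for a 'break the glass' access


@dataclass
class AuditEvent:
    user_id: str
    patient_id: str
    purpose: str
    granted: bool
    basis: str                         # "consent", "one_to_one", "break_glass" or "denied"
    categories: tuple = ()             # record categories actually released


class ExchangeGate:
    """Hypothetical participant-side gate for a RHIO query (not any real exchange's code)."""

    def __init__(self, consents, relationships, part2_consents, records):
        self.consents = consents              # {(participant, patient)}: affirmative consent on file
        self.relationships = relationships    # {(user, patient)}: treating clinician ('one-to-one', assumed)
        self.part2_consents = part2_consents  # {(participant, patient)}: separate Part 2 consent
        self.records = records                # {patient: {category: payload}}
        self.audit = []                       # every decision is logged, granted or not

    def request(self, participant, req):
        """Return the releasable record, or None, and append one audit event either way."""
        if (participant, req.patient_id) in self.consents:
            basis = "consent"
        elif (req.user_id, req.patient_id) in self.relationships:
            basis = "one_to_one"
        elif req.purpose == "treatment" and req.attestation:
            basis = "break_glass"          # emergency access, justified only by the attestation
        else:
            self.audit.append(AuditEvent(req.user_id, req.patient_id, req.purpose, False, "denied"))
            return None
        record = dict(self.records.get(req.patient_id, {}))
        # Filter the federally segregated category unless a separate Part 2 consent exists.
        if (participant, req.patient_id) not in self.part2_consents:
            record.pop(PART2_CATEGORY, None)
        self.audit.append(AuditEvent(req.user_id, req.patient_id, req.purpose, True,
                                     basis, tuple(sorted(record))))
        return record


def review_access(audit, care_team, patient_id):
    """Post-hoc audit review of the kind described for the Kaleida case: how many distinct
    users opened this patient's record, and which of them had no documented care-team role.
    Break-the-glass accesses by non-team users surface here so the attestation can be checked."""
    granted = [e for e in audit if e.patient_id == patient_id and e.granted]
    users = {e.user_id for e in granted}
    no_role = sorted(u for u in users if (u, patient_id) not in care_team)
    return len(users), no_role


def demo():
    """Constructed scenario: one patient, two participants, four access attempts."""
    records = {"P-100": {"demographics": "...", "labs": "...", PART2_CATEGORY: "..."}}
    care_team = {("dr_lee", "P-100")}
    gate = ExchangeGate(consents={("Hospital-A", "P-100")}, relationships=care_team,
                        part2_consents=set(), records=records)
    gate.request("Hospital-A", AccessRequest("dr_lee", "P-100", "treatment"))
    gate.request("Hospital-A", AccessRequest("nurse_kim", "P-100", "treatment"))   # consent covers the participant, no care role
    gate.request("Clinic-B", AccessRequest("dr_ortiz", "P-100", "treatment", attestation="ED consult"))
    gate.request("Clinic-B", AccessRequest("analyst_ray", "P-100", "research"))    # Level Two use, no consent: denied
    return gate, review_access(gate.audit, care_team, "P-100")


if __name__ == "__main__":
    gate, (n_users, flagged) = demo()
    for event in gate.audit:
        print(event)
    print(f"{n_users} users accessed P-100; no care-team role: {flagged}")
```

The gate never releases the Part 2 category on the strength of the single RHIO consent, and the review step is what turns "60 accessed, 32 without an authorized reason" from a surprise into a routine report: every grant is logged with its basis, so users outside the care team, including those who broke the glass, can be listed and their attestations checked.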

Page 44: HIPAA and RHIOs

Data trustworthiness

• What is the authoritative source?
• How to reconcile data conflicts?
• Do we trust all providers?
• Data integrity
• Baseline privacy and security

Page 45: HIPAA and RHIOs

Other points

• Durability and revocability
• Consumer engagement and access
• Audit and transparency
• Impact to malpractice

Page 46: HIPAA and RHIOs

One final, final thought…

• Patient centricity
• Market driven
• Consumer focus

Page 47: HIPAA and RHIOs

Questions

???

Tak Nobumoto

[email protected] (@buffalo.edu)

(716) 929-4682