Privacy and Security In an Evolving Environment Dialogue on Diversity May 15th, 2013 Laura E. Rosas, JD, MPH Office of the Chief Privacy Officer


Apr 01, 2015


Transcript
Page 1: Privacy and Security In an Evolving Environment Dialogue on Diversity May 15th, 2013 Laura E. Rosas, JD, MPH Office of the Chief Privacy Officer.

Privacy and Security In an Evolving Environment

Dialogue on Diversity

May 15th, 2013
Laura E. Rosas, JD, MPH
Office of the Chief Privacy Officer

Page 2: Privacy and Security: A Shared Responsibility

Government: Establish, enforce, coordinate, and communicate affordable and workable Privacy & Security regulations

Providers: Understand Privacy & Security requirements, establish and promote Privacy & Security policies and practices, train and monitor staff, and manage risk

Vendors: Integrate easy-to-use Privacy & Security features into products and provide updates as regulations evolve

Patients: Understand rights and basic means used to secure PHI

Page 3: Origins of Medical Privacy

“What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about.”

Hippocrates, c. 460-370 BC

Page 4: Patient Privacy and Patient Safety

“The treatment that a patient receives can be greatly affected by what the patient chooses to disclose to their physician.”

- Annals of Family Medicine, 2008

“Medical confidentiality protections are meant to encourage disclosure…”

- Archives of Internal Medicine, 2005

Page 5: Privacy and Security in Practice

Use technology that has privacy and security built in

Privacy and Security are considered as part of the physical environment, patient care, and all communications

Have Privacy and Security checkups and communicate the results to all

Training is regularly updated and is an essential part of the overall strategic plan

Page 6: Key Federal Health Information Privacy Laws

• HIPAA Privacy and Security Rules – Health Insurance Portability and Accountability Act of 1996, as amended by . . .

• Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009

• State laws that are more stringent than HIPAA are not preempted by it

Page 7: HIPAA Privacy Rule: General Overview

• Sets a federal floor for protecting health information

• Applies to many, but not all, key actors in the health care system

• Limits how those actors may use and disclose the individually identifiable health information they receive or create (“protected health information”)

• Gives individuals rights with respect to their protected health information (e.g., the right to request a restriction when they have paid in full)

• Imposes administrative requirements

• Requires breach notification

• Establishes civil and criminal penalties

http://www.acpinternist.org/archives/2003/09/privacy.htm

Page 8: Who Must Comply with the HIPAA Privacy Rule?

• Covered entities
  – Health plans
  – Health care clearinghouses
    • Process health information into and/or out of HIPAA standard format
  – Health care providers that electronically transmit health information in connection with a HIPAA-specified covered transaction
    • Essentially those related to processing claims for health care

• Business associates (certain provisions)

Page 9: Who Is a Business Associate (BA)?

• Performs certain functions or activities on behalf of a covered entity that involve the use or disclosure of PHI, including:
  – Data analysis
  – Data aggregation
  – Claims processing
  – Quality assurance
  – Legal services
  – Accounting
  – Others specified

Page 10: Mobile Health Research & Education

Provider Adoption of Mobile Devices in the U.S. Health Care Community

Page 11: Scenario #1

You are a physician consulting on the case of a 79 year-old woman with recent surgery for a broken hip and suspected dementia. After seeing the patient, her daughter-in-law wishes to speak with you about her condition.

Page 12: In Response…

In response you:

a) Ask to have the patient’s son, her spouse, contact you

b) Speak with the patient and check the patient’s EHR for any restrictions on speaking to particular family members. If there are none, use your professional judgment in discussing the patient’s condition with the daughter-in-law.

c) Tell the daughter-in-law that you appreciate her concern; however, due to the HIPAA Privacy Rule you cannot share any information with her

d) Consult with the patient first, and if the patient provides written authorization, then you can speak with the daughter-in-law

Page 13: Answer: Scenario #1

Answer: b) Speak with the patient and check the patient’s EHR for any restrictions on speaking to particular family members. If there are none, use your professional judgment in discussing the patient’s condition with the daughter-in-law.

The Privacy Rule (45 CFR 164.510(b)) permits a provider to share information directly relevant to a family member’s involvement in the patient’s care when the patient agrees, or is given the opportunity to object and does not; if the patient lacks capacity, the provider may disclose based on professional judgment that it is in the patient’s best interest. Written authorization is not required, and HIPAA does not bar the conversation.

Page 14: Scenario #2

A 26 year-old male patient has come to see you for a suspected sexually transmitted infection. After reaching a diagnosis and writing a prescription, the patient tells you that he will pay for the visit in full and requests that the information related to the visit not be disclosed to his insurance company.

Page 15: In Response…

a) “I’m sorry but the HIPAA Privacy Rule requires the information be transmitted to the insurance company regardless of whether you pay in full.”

b) “Yes, but for each related transaction you will need to inform those organizations separately. For example, if you do not want the pharmacy to bill your insurance company you will need to inform them separately.”

c) “No, state law requires that we inform your insurance company.”

d) “Yes, and we will ensure that anyone else involved in this visit, for example your pharmacy, is also informed so that the information is not sent to your insurance company.”

Page 16: Answer: Scenario #2

Answer: b) “Yes, but for each related transaction you will need to inform those organizations separately. For example, if you do not want the pharmacy to bill your insurance company you will need to inform them separately.”

Under HITECH, as implemented at 45 CFR 164.522(a)(1)(vi), a provider must agree to a patient’s request to restrict disclosures to a health plan for payment or health care operations when the patient has paid out of pocket in full for the item or service. The restriction binds the provider that received the request; it does not flow downstream, so the patient must make the same request to the pharmacy or any other provider that would otherwise bill the plan.

Page 17: Scenario #3

You are a pediatrician seeing a 16 year-old girl for a physical. Just as you are finishing the exam, she informs you that she is sexually active, and requests a prescription for birth control pills. However, she does not want her parents to know and she requests that you keep this information and the prescription confidential.

You practice in a jurisdiction that allows minors to consent to their care for the purposes of family planning.

Page 18: In Response:

a) You provide the prescription but tell her that you are required by law to inform her parents of the prescription

b) You provide the prescription and note in the EHR that this information should not be disclosed to the parents without the patient’s authorization.

c) You provide the prescription, but tell the patient that you will need to inform the parents due to the practice’s liability insurance

d) You do not provide the prescription as it is against the practice’s policy to provide minor care without the parent’s consent.


Page 19: Answer: Scenario #3

Answer: b) You provide the prescription and note in the EHR that this information should not be disclosed to the parents without the patient’s authorization.

Where state law lets a minor consent to a service and the minor does so, the parent is not the minor’s personal representative for that service under the Privacy Rule (45 CFR 164.502(g)(3)), so the minor controls disclosure of the related information; state law governs whether the parent may nonetheless be told. Recording the restriction in the EHR is what keeps later staff, billing, or portal access from disclosing it.
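The EHR checks that option b) of each of the three scenarios relies on, written out as an added example in Python (this is not code from the presentation, from ONC, or from any EHR product): a disclosure gate that stores the patient’s recorded restrictions and answers each disclosure request against them, logging every decision for audit. The record schema, field names, recipient labels and sample visits are assumptions; the HIPAA provisions cited in the comments are the real ones. The example goes slightly beyond the slides by showing that a self-pay restriction does not block treatment disclosures, and that the pharmacy’s separate record is unaffected until the patient asks there too.

```python
# Added example, not from the slide deck: a disclosure gate encoding the EHR checks
# behind Scenarios 1-3. Schema, names and sample values are assumptions; the cited
# HIPAA provisions are real.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "operations"
    INVOLVEMENT_IN_CARE = "involvement_in_care"  # family/friends, 45 CFR 164.510(b)

@dataclass(frozen=True)
class Restriction:
    recipient: str                  # "health_plan", "parent", "family:<relation>"
    visit_id: Optional[str] = None  # None: applies to the whole record

@dataclass
class PatientRecord:                # one covered entity's record of one patient
    patient_id: str
    has_capacity: bool = True
    restrictions: list = field(default_factory=list)
    self_paid_visits: set = field(default_factory=set)        # paid out of pocket in full
    minor_consented_visits: set = field(default_factory=set)  # minor consented under state law
    authorizations: set = field(default_factory=set)          # (recipient, visit_id) pairs
    objections: set = field(default_factory=set)              # people the patient refused
    audit_log: list = field(default_factory=list)

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

def _restricted(rec, recipient, visit_id):
    return any(r.recipient == recipient and r.visit_id in (None, visit_id) for r in rec.restrictions)

def _decide(rec, recipient, purpose, visit_id):
    # Scenario 2: the restriction is mandatory for payment/operations disclosures to a
    # health plan when the patient paid in full (45 CFR 164.522(a)(1)(vi)); treatment is unaffected.
    if recipient == "health_plan" and purpose in (Purpose.PAYMENT, Purpose.OPERATIONS):
        if visit_id in rec.self_paid_visits and _restricted(rec, "health_plan", visit_id):
            return Decision(False, "self-paid visit restricted from health plan (164.522(a)(1)(vi))")
        return Decision(True, "payment/operations disclosure to health plan")
    # Scenario 3: a parent is not the personal representative for care the minor lawfully
    # consented to (45 CFR 164.502(g)(3)); disclosure needs the minor's authorization.
    if recipient == "parent" and visit_id in rec.minor_consented_visits:
        if ("parent", visit_id) in rec.authorizations:
            return Decision(True, "minor authorized disclosure to parent")
        return Decision(False, "minor-consented care; parent not personal representative (164.502(g)(3))")
    # Scenario 1: family or friends involved in the patient's care (45 CFR 164.510(b)).
    if purpose is Purpose.INVOLVEMENT_IN_CARE:
        if recipient in rec.objections or _restricted(rec, recipient, visit_id):
            return Decision(False, "patient objected to or restricted disclosure to this person")
        if not rec.has_capacity:
            return Decision(True, "patient incapacitated; professional judgment (164.510(b)(3))")
        return Decision(True, "patient had the opportunity to object and did not (164.510(b)(2))")
    return Decision(True, "no recorded restriction applies")

def check_disclosure(rec, recipient, purpose, visit_id=None):
    """Decide, then record every decision (denials included) for audit."""
    d = _decide(rec, recipient, purpose, visit_id)
    rec.audit_log.append((recipient, purpose.value, visit_id, d.allowed, d.reason))
    return d

# Constructed walk-throughs of the three scenarios (sample data, not real patients).
def scenario_1():
    """Daughter-in-law asks about the patient: speak with the patient, check restrictions."""
    rec = PatientRecord("pt-001")
    ok = check_disclosure(rec, "family:daughter-in-law", Purpose.INVOLVEMENT_IN_CARE)
    rec.objections.add("family:daughter-in-law")      # the patient says: not her
    denied = check_disclosure(rec, "family:daughter-in-law", Purpose.INVOLVEMENT_IN_CARE)
    return ok, denied

def scenario_2():
    """Self-paid visit: the practice honours the restriction; the pharmacy holds a separate
    record and was never asked, so the patient must request a restriction there too."""
    practice = PatientRecord("pt-002", self_paid_visits={"visit-42"},
                             restrictions=[Restriction("health_plan", "visit-42")])
    pharmacy = PatientRecord("pt-002")
    return (check_disclosure(practice, "health_plan", Purpose.PAYMENT, "visit-42"),
            check_disclosure(practice, "pharmacy", Purpose.TREATMENT, "visit-42"),
            check_disclosure(pharmacy, "health_plan", Purpose.PAYMENT, "visit-42"))

def scenario_3():
    """Minor consented to family-planning care: parents are not told unless she authorizes."""
    rec = PatientRecord("pt-003", minor_consented_visits={"visit-7"})
    denied = check_disclosure(rec, "parent", Purpose.INVOLVEMENT_IN_CARE, "visit-7")
    rec.authorizations.add(("parent", "visit-7"))
    ok = check_disclosure(rec, "parent", Purpose.INVOLVEMENT_IN_CARE, "visit-7")
    return denied, ok
```

The gate is deliberately deny-by-rule rather than deny-by-default: the Privacy Rule permits most treatment disclosures, so the code only blocks where a recorded restriction, objection or personal-representative rule applies, and the audit log captures the denials that a compliance review would want to see. In a real EHR the restriction flags would be written at the point of care (the “note in the EHR” in Scenario 3) and enforced at every downstream path: claims export, staff lookups and the patient portal.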

Page 20: Mobile Health Research & Education

Take the Steps to Protect and Secure Health Information When Using a Mobile Device

The resource center HealthIT.gov/mobiledevices was created to help providers and professionals:

• Protect and secure health information when using mobile devices, regardless of whether the device is personally owned (bring your own device, BYOD) or provided by an organization

Page 21: Helping Providers Integrate Privacy and Security into Their Culture

• Designed to help health care practitioners and practice staff understand the importance of privacy and security of health information at various implementation stages

• Developed with assistance from the American Health Information Management Association (AHIMA) Foundation, with input from OCR and OGC

• Available at: http://www.healthit.gov/providers-professionals/ehr-privacy-security


Page 22: Training Materials: Security Video Game Released September 2012

Page 23: HHS Office for Civil Rights (OCR): Policy Guidance/Compliance Tools

What’s in the Works:

• Fact Sheets/Q&A on new provisions

• Breach Risk Assessment Tool

• Minimum Necessary Guidance

• Better Compliance Tools for Small Entities

• Adaptation of SAG Training for Covered Entities

• Expanded Consumer Materials/Videos

Page 24: We are all responsible for creating a culture where privacy and security are respected and valued.

Page 25: Conclusion

Questions?