Privacy Trends TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office

Mar 31, 2015


Simon Penniston
Transcript
Page 1: Privacy Trends TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

Privacy Trends

TRICARE Management Activity HEALTH AFFAIRS

2009 Data Protection Seminar

TMA Privacy Office

Page 2

Privacy Trends

TRICARE Management Activity HEALTH AFFAIRS

Page 3

Purpose

The purpose of this presentation is to provide awareness and insight into current privacy initiatives and activities that could potentially affect operations

Page 4

Objectives

Upon completion of this presentation, you should be able to:

− Identify Department of Health and Human Services (HHS) Office for Civil Rights (OCR) Privacy and Security Framework principles

− Explain recent Health Insurance Portability and Accountability Act (HIPAA) enforcement examples

− Describe applicable provisions of the American Recovery and Reinvestment Act of 2009 (ARRA)

Page 5

Privacy and Security Framework & Toolkit

Page 6

Privacy and Security Framework

In December 2008, OCR published the “Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information” (the framework)

− Establishes privacy and security principles for health care stakeholders engaged in the electronic exchange of information

− Designed to complement and work with existing federal, state, territorial, local and tribal laws and regulations

− Provides a single, consistent approach to address the privacy and security challenges related to electronic health information exchange

Page 7

Privacy and Security Framework (continued)

The framework consists of eight guiding principles

− Individual access

− Correction

− Openness and transparency

− Individual choice

− Collection, use & disclosure limitation

− Data quality & integrity

− Safeguards

− Accountability

Page 8

Privacy and Security Framework (continued)

Individual access: Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format

Correction: Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied

Page 9

Privacy and Security Framework (continued)

Openness and transparency: There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information

Individual choice: Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information

Page 10

Privacy and Security Framework (continued)

Collection, use & disclosure limitation: Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately

Data quality & integrity: Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person’s or entity’s intended purposes and has not been altered or destroyed in an unauthorized manner

Page 11

Privacy and Security Framework (continued)

Safeguards: Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure

Accountability: This principle should be implemented, and adherence assured, through appropriate monitoring and other means, and methods should be in place to report and mitigate non-adherence and breaches

Page 12

Privacy and Security Toolkit

OCR also published the “Privacy and Security Toolkit to Implement the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information” (the toolkit)

The toolkit is a series of documents that clarify how the HIPAA Privacy Rule applies to, and can be used to help structure the privacy policies behind, electronic health information exchange in a networked environment

− Explains how HIPAA covered entities can use the Privacy Rule’s established baseline of privacy protections and individual rights to elicit greater consumer confidence, trust, and participation

− Includes Frequently Asked Questions (FAQs), fact sheets, and information papers relating to each of the framework principles

Page 13

Privacy and Security Framework & Toolkit

No new rules, regulations, or mandates have been made as a result of the framework that was issued by OCR on December 15, 2008

Staff can utilize the fine points provided within the framework and toolkit for informational purposes

Page 14

Recent HIPAA Enforcement

Page 15

Providence Health and Services

Resolution Agreement

− Includes OCR and Centers for Medicare & Medicaid Services (CMS)

− Terms and conditions include a fine of $100,000 and a Corrective Action Plan (CAP)

− Covered incidents refer to the loss by Providence Health and Services (PHS) of Seattle, Washington, of electronic backup media containing records of 386,000+ PHS patients and of laptop computers containing individually identifiable health information in 2005 and 2006

Page 16

Providence Health and Services (continued)

Corrective Action Plan

− Policies and Procedures: Consistent with federal standards that govern Protected Health Information (PHI) and electronic Protected Health Information (ePHI); submit policies and procedures to HHS for approval

− Training: Within 90 days of HHS approval of policies, PHS shall provide evidence that training has been provided to all members of PHS workforce

− Monitoring (quarterly): Ensures understanding of policies and procedures, may include unannounced site visits

− Implementation and Annual Reports: Within 120 days after receiving HHS approval of policies and procedures, a written report summarizing status of PHS implementation of CAP requirements must be submitted to HHS

Page 17

CVS

Resolution Agreement

− Agreement includes OCR and CVS Pharmacy, Inc. (CVS Entities)

− Covered conduct includes disposing of PHI in dumpsters, lack of policies and procedures, lack of sanctions policy, and insufficient HIPAA Privacy Rule training

− CVS Entities must designate a compliance representative that will be responsible for ensuring compliance with the Resolution Agreement and CAP (including providing policies, procedures, training, and internal monitoring services)

− CVS Entities must pay HHS $2,250,000

− Execute and comply with the CAP

Page 18

CVS (continued)

Corrective Action Plan

− Policies and procedures: Develop, maintain, and revise uniform, written privacy policies and procedures and submit to OCR for review and approval. Each member of workforce must submit a compliance certification acknowledging receipt and understanding

− Training: Provide to all workforce members with access to PHI

− Monitoring
  Internal: Written internal monitoring plan describing plan to monitor compliance with policies and procedures
  Assessments: Annual third party assessments on compliance with CAP obligations

− Internal reporting: Procedure for reporting violation of policies and procedures

Page 19

American Recovery and Reinvestment Act

Page 20

American Recovery and Reinvestment Act

HIPAA Privacy & Security Rules extended to business associates

− Requirements, as well as civil and criminal penalties, now apply to business associates in the same manner as covered entities

− Business associate contracts must include new requirements

Breaches

− Current DoD breach notification requirements are MORE stringent

− Covered entities must notify individuals whose unsecured PHI has been breached within 60 days of discovery

− Notification to HHS based on number of individuals affected

− Business associates must notify covered entities of a breach and provide each individual’s name

− Methods and content of notification are specified

Page 21

ARRA (continued)

Health Information Technology (HIT)

− Appropriates approximately $20 billion to HIT

− HHS will appoint a National Coordinator for HIT responsible for
  Coordinating HIT policies and programs
  Developing a voluntary HIT certification program
  Setting milestones for electronic health records by 2014

Accounting of disclosures

− Covered entities that maintain ePHI must include routine disclosures for treatment, payment, or health care operations (TPO) in their accounting list

− Limited to three years (other accounting of disclosures remain for six years)

Page 22

ARRA (continued)

Remuneration for the exchange of PHI

− Prohibits direct or indirect exchange of remuneration for any exchange of PHI, unless authorized by the individual

Disclosure restrictions for payment and health care operations

− Covered entities must agree to an individual’s request to restrict disclosure to a health plan when payment has been made out of pocket in full

Page 23

Summary

You should now be able to:

− Identify OCR Privacy and Security Framework principles

− Explain recent HIPAA enforcement examples

− Describe applicable provisions of ARRA

Page 24

Resources

http://www.hhs.gov for further information on Privacy and Security Framework and Toolkits and HIPAA enforcement actions

http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.pdf for a link to the complete ARRA

[email protected] for subject matter questions