
Privacy in a Healthcare Environment David S. Muntz, SVP-IS/CIO For Baylor Health Care System November 19, 2007


Presentation Transcript


  1. Privacy in a Healthcare Environment. David S. Muntz, SVP-IS/CIO for Baylor Health Care System. November 19, 2007

  2. Founding Statement: “Is it not now time to build a great humanitarian hospital, one to which men of all creeds and those of none may come with equal confidence?” Dr. George W. Truett, 1903, co-founder of Texas Baptist Memorial Sanitarium, predecessor of Baylor Health Care System. Baylor Health Care System

  3. Circle of Care, guided by Baylor Values: Integrity, Servanthood, Quality, Innovation, Stewardship

  4. Baylor Health Care System
     • 2007 Preliminary and Unaudited Financial Performance
       • $2.7 Billion Net Patient Revenue
       • $318 Million Net Operating Income (all sources)
     • 16,600 employees
     • 13 hospitals
     • Significant teaching and research programs
     • No health plan
     • 3,500 physicians including 450 employed
     • 128+ access points
     • 130 mile diameter, all in Texas

  5. Confluence of Factors Impacting Healthcare Information Systems
     • Quality indicators are universally available. Top quality is BHCS’ only option.
     • The Board required “extraordinary” performance.
     • The future demands a fundamental change in the underlying processes related to delivery of health care.
     • There are limited resources and a high demand for new products, processes, and services.
     • The healthcare consumer will have more choices.

  6. Other Influential Factors
     • Quality
       • Institute of Medicine’s Study of Medication Errors (national and state implications)
       • Leapfrog Group both nationally and locally
     • Finance
       • Increasing pressures from Managed Care
       • Health Insurance Portability and Accountability Act of 1996
       • Balanced Budget Act of 1997
       • P4P (Pay for Performance)
     • People
       • Nursing shortage including other qualified and registered clinical personnel
     • Technology
       • Tolerance of complex systems
       • Universal access (Microsoft)

  7. Infrastructure: Responsive & Reliable
     • 2 primary data centers
     • 12 satellite remote campus communication centers
     • 1 mainframe with 2 processors
     • 44 midrange platforms
     • 3 robotic tape silos
       • Two with 6000 tapes per silo and 120 terabytes of spinning disk
       • One with 50 tapes per silo
       • 200 to 800 GB per tape
       • 24 actual tape drives in the two primary silos
     • Disk capacity with some form of RAID
       • 2 Storage Area Networks (80 terabytes)
       • Total DAS and NAS (140 terabytes)
       • 1.1 terabytes of storage on the mainframe
     • 800+ application servers
     • 22,000+ data nodes, 19,500+ voice nodes
     • 243 FON closets with 285+ UPS, 2000+ switches and routers, 1000+ WAPs
     • Approximately 10,000 workstations and 4,100 printers
     • Speeds of transmission: 10/100/1000 megabits per second
     • WAN – T1, DS-3, Optiman, GigaMAN, dedicated fiber
     • 2 connections to our ISP, scalable to 155 megabits total on demand
     • Nine SL-100 phone switches centrally managed
     • 5,030 centralized voice mail users
     • 40,000+ biomedical devices
     GOAL: Create the equivalent of dial tone - 6 Sigma reliability.

  8. Portal Strategy: Universal Access
     • Internet based, web enabled applications
       • Physicians – myBaylorEMR.com
       • Trustees – BaylorBoard.com
       • Employees – myBaylor.com
       • Consumers – www.BaylorHealth.com
       • Education – www.BaylorHealth.edu
     • Create virtual integration
       • Pass user’s context to applications to avoid multiple logins
       • Pass patient context where possible
       • Use desktop metaphor and place icons for all available applications on desktop
       • Allow personalization of desktop to encourage portal utilization
       • Make security design and administration independent of application coding

  9. What are Baylor’s next steps?

  10. Care Model Graphic (figure; labels only). Health System: Organization of Health Care. Community: Resources & Policies. Elements: Self-Management & Support, Clinical Information Systems, Delivery System Design, Clinical Decision Support. Productive Interactions between an Informed, Empowered Patient and Family and a Prepared, Proactive Practice Team. Care that is Coordinated, Evidence-based, Patient Centered, Timely & Efficient & Safe. Result: Improved Outcomes.

  11. Baylor Health Care System

  12. The Framework for the EHR (figure; labels only). Goals: Clinical Documentation; Safety and Satisfaction; Knowledge Based Medicine; Efficacious and Efficient; Continuous Improvement Processes. Layers: Clinical Decision Support; Electronic Health Record; Clinical Applications (Respiratory Therapy, others..., Computerized Physician Order Entry, Laboratory Systems, Medication Management, Radiology & PACS); Patient Accounting & Patient Management; Supply Chain; Business Operations (Common Registration, Contract Management, Managed Care, Scheduling & Surgical Management). Foundation: Information Technology Infrastructure, Governance, Knowledge.

  13. Hardwiring STEEEP*: A Simple Definition. People • Processes • Technology: integrating clinical and non-clinical process improvements with enabling technologies. *IOM Model: Safe, Timely, Effective, Efficient, Equitable, Patient-centered care.

  14. HIPAA A Framework for Privacy in Healthcare

  15. HIPAA – The Intent
     • HIPAA was designed to:
       • Ensure health insurance portability
       • Reduce health care fraud and abuse
       • Guarantee privacy and security of health information
       • Provide standards for electronic exchange of health information
     • Examples of HIPAA’s impact include:
       • Portability. Guarantees medical coverage renewal, prohibits discrimination based on health status, and eliminates some preexisting conditions exclusions.
       • Transaction Standards and Unique Identifiers. Creates standard formats and code sets for all major transactions that are processed electronically, and provides national identifiers for providers, employers, and health plans.
       • Security Rule. Provides a uniform level of protection of all electronic health information.
       • Privacy Rule. Addresses the rights of an individual, the procedures for exercising these rights, and the uses and disclosures of health information. Ensures confidential treatment of patient data.

  16. Evolution of The Privacy Rule (timeline, 1999–2003)
     • Proposed Rule – October 1999
     • “Final” Rule – December 2000
     • Proposed Changes – March 2002
     • Final Changes – August 2002
     • Deadline – April 2003

  17. Baylor Health Care System’s (BHCS) Response: People, processes, and timelines
     • Processes. HIPAA standardizes how procedures are coded and electronic bills are submitted. It also prompts health care organizations to examine processes and change how patient information is:
       • communicated,
       • shared,
       • disclosed, and
       • protected.
     • Timeline. HIPAA sets rules for how we should act and penalties should we fail to meet the new standards. Compliance with HIPAA occurs in phases, starting in April 2003.
     • People. HIPAA touches everyone in our organization. It requires our employees, physicians, volunteers, and contractors to be trained and follow new policies, procedures, and processes.

  18. National Versus State Regulation – How do we approach that?
     • Many states, including Texas, passed their own versions of HIPAA.
     • HIPAA resolved this issue by instructing that when state and federal versions differ, the more restrictive version applies.
     • BHCS has reconciled state and federal law, and the more restrictive law is reflected in our privacy policies, which are the basis for our training.

  19. Who Is “Covered”?
     • Providers. BHCS is a health care provider. As a physician, you are a provider. Providers range from large hospital systems to individual nursing homes, labs, and pharmacies. Health care providers are also doctors, nurses, dentists, psychotherapists, and others who care for patients.
     • Plans or insurers. Examples include Cigna, United Health Care, Blue Cross/Blue Shield, and Aetna.
     • Clearinghouses. These are systems that process information for other companies, such as most billing services like WebMD Envoy®.

  20. More terminology
     • HIPAA protects the rights of individuals, not just patients. An individual is the subject of health information. This can include patients and health plan participants and their covered dependents. These same rights extend to legally authorized representatives.
     • PHI stands for Protected Health Information. This is health information—in any form—that can identify an individual. HIPAA and Texas state law define how PHI may be used and disclosed.
     • A covered entity's workforce includes employees, volunteers, people whose conduct is under the direct control of a covered entity, and people involved in a covered entity's training programs.
     • Individually Identifiable Health Information (IIHI) is health information that either identifies an individual or provides a reasonable basis for identifying an individual, by virtue of containing one or more of 18 identifiers.

  21. Protected Health Information: 18 elements
     • PHI is health information that:
       • identifies the individual, or
       • with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
     • If the following information is removed, it is presumed to be non-identifiable information:
       • Name
       • Names of Relatives
       • Street Name
       • Names of Employers
       • City
       • Date of Birth
       • County
       • Telephone Numbers
       • Zip Code
       • Fax Numbers
       • Equivalent Geocodes
       • E-Mail Addresses
       • Social Security #
       • Medical Record #
       • Health Plan #
       • Account #
       • Certificate/License #
       • Vehicle or Device Serial #
       • Finger & Voice Prints
       • Internet Protocol Address
       • Photo Images
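As an added example (not from the presentation or from Baylor), the field strip and free-text scrub below apply the slide's identifier list to a constructed patient record, including the identifiers that hide in narrative notes where a field-level strip alone misses them. The field names, regex patterns, as-of date and sample record are assumptions, and the birth-date handling follows the federal Safe Harbor text (year only, ages over 89 pooled) rather than the slide's whole-field removal.

```python
"""Safe Harbor style de-identification keyed to the identifier categories
listed on the slide. Editor-added example, not Baylor's or any HIPAA tooling;
the field names, patterns and sample record are all constructed."""
import re
from datetime import date

# Record fields corresponding to the slide's identifier list (constructed names).
IDENTIFIER_FIELDS = {
    "name", "relative_names", "street", "employer", "city", "county", "zip",
    "geocode", "dob", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_no", "license_no", "device_serial", "biometric", "ip_address",
    "photo",
}

# Identifiers that leak into free-text notes, which a field-level strip misses.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def remaining_identifiers(record: dict) -> list:
    """Identifier fields still present: should be empty after de-identification."""
    return sorted(k for k in record if k in IDENTIFIER_FIELDS)


def scrub_text(text: str) -> str:
    """Replace identifier patterns in narrative text with a labelled marker."""
    for label, pattern in TEXT_PATTERNS.items():
        text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text


def birth_year_only(dob: str, as_of: date) -> str:
    """The slide lists date of birth whole; the federal Safe Harbor text keeps
    only the year and pools ages over 89 into one bucket, which this does."""
    year = int(dob[:4])
    return "90+" if as_of.year - year >= 90 else str(year)


def deidentify(record: dict, as_of: date = date(2007, 11, 19)) -> dict:
    """Drop identifier fields, generalize the birth date, scrub free text."""
    out = {}
    for key, value in record.items():
        if key == "dob":
            out["birth_year"] = birth_year_only(value, as_of)
        elif key in IDENTIFIER_FIELDS:
            continue                      # drop the identifier outright
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # diagnosis text, notes, etc.
        else:
            out[key] = value
    return out


# Constructed sample record; every value here is made up.
SAMPLE_RECORD = {
    "mrn": "MRN-0000-CONSTRUCTED",
    "name": "Jane Q. Sample",
    "dob": "1915-03-02",
    "zip": "75246",
    "diagnosis": "Type 2 diabetes, follow-up",
    "note": "Pt called from 214-555-0100; SSN 123-45-6789 on file; "
            "e-mail jane@example.com per request",
}

if __name__ == "__main__":
    print(remaining_identifiers(SAMPLE_RECORD))
    print(deidentify(SAMPLE_RECORD))
```

Running remaining_identifiers() on the output is the check a reviewer would keep: any non-empty result means a listed identifier survived.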

  22. Implementation: System and Entity Level
     • Staffing
       • System: Create Program Management Office to coordinate all HIPAA efforts. Appoint System Privacy Officer.
       • Local: Appoint Entity Privacy Officer to ensure Privacy Program implementation at entity.
     • Policies and Procedures
       • System: Develop system-level privacy-related policies through entity collaboration.
       • Local: Create entity-specific procedures and implementation plans.
     • Training
       • System: Develop and maintain training materials for the workforce. Develop courses. HIPAA web site.
       • Local: Train existing and new workforce members.
     • Reporting Concerns
       • System: Oversee standard reporting and investigation process.
       • Local: Contact manager or Entity Privacy Officer.

  23. Information Security Policies

  24. Privacy Policies

  25. Patient Rights
     • Confidentiality is one of many patients' rights. Other rights include being able to:
       • read and obtain copies of their health information
       • request restrictions of the use and disclosure of PHI
       • request that we communicate with an individual about his/her health information in a specific way or at a specific location
       • request changes to health information, if an individual believes it's incorrect or incomplete
       • receive an accounting of outside disclosures
       • file a complaint if an individual believes his/her confidentiality has been violated
     • These rights have exceptions and specific procedures that need to be followed. BHCS has developed the procedures and processes necessary to respond to patients when exercising these rights.
     • Privacy notices must be posted.

  26. Organized Health Care Arrangement (OHCA)
     • Establish a mechanism for free exchange of PHI between each BHCS entity and its respective medical staff for a hospital-based episode of care. When a patient presents to a BHCS entity, the Notice they receive is applicable to the entity medical staff as well as the entity’s workforce.
     • Hospital-based Episode of Care: services jointly provided to patients by a BHCS entity and members of the entity medical staff, whether it be for inpatient or outpatient services. Does not relate to services provided by the physician in his/her private practice setting.

  27. Safeguarding PHI
     • Exercise care…when you have to discuss PHI in public areas such as waiting rooms or over the phone in public areas, so that others don’t accidentally hear you.
     • Conceal or secure PHI…so that it can’t be viewed on desks, door pockets, or in hallways. When not in use, ensure chart holders are closed.
     • Ask questions…if you see someone unfamiliar to you accessing PHI.
     • Control access…to areas that contain PHI. This means that doors will be locked, and card access systems and other physical access controls will be used as necessary. The number of designated entrances will be minimized after normal business hours.
     • Take precautions when discussing PHI over the telephone or voicemail…make sure that you are leaving messages for the right person.
     • Wear your badge…so that you can be easily identified as an employee, volunteer, contractor, or physician.

  28. Safeguarding PHI
     • Overhead Paging…should be limited to the patient name and specific instructions. These instructions should not identify any PHI.
     • Waiting Rooms. Only use the minimal information necessary to locate the patient or patient's family members. Message boards should contain only the patient's last name and initial of first name.
     • Other options for locating the patient or patient’s family include using:
       • Electronic pagers.
       • A ‘take a number’ system.

  29. Safeguarding PHI
     • Whiteboards
       • Should be out of public view as much as possible.
       • When in public view, boards will only display patient last name, location, and last name of attending physician and caregivers.
     • Patient Information Lists
       • Include medical tests, diagnostic procedures, surgery schedule or lab tests. These lists should be protected from public view.
       • When using clipboards, the list should be covered with a plain sheet of paper.
       • Distribution lists will be reviewed periodically to verify that recipients have a need to know.
     • Patient Sign-In Sheets
       • Should not be left out for viewing by other patients.
       • Instead of sign-in sheets, consider using:
         • Individual labels that can be removed and transferred to another sheet after each patient signs in.
         • Individual sheets of paper that can be removed.
         • A ‘take a number’ system.

  30. Safeguarding PHI
     • Paper Records…must be secured in storage bins until destroyed. Methods include:
       • Document destruction services with onsite destruction (for High Volume Areas)
       • Onsite shredding machines (for Low Volume Areas)
       • Destruction of documents by offsite service providers—vendors should follow BHCS’ criteria for secure disposal and destruction
     • Patient Identification on Door. May contain only the patient last name, initial of first name, location, and physician name. Care-related instructions and advisories are allowable.

  31. Safeguarding PHI
     • Faxes
       • Place fax machines in secure locations
       • Monitor fax machines that send and receive PHI
       • Remove PHI from fax machines immediately after transmission
       • Verify fax numbers and identity of recipients before faxing PHI
       • Follow specific procedures when receiving or sending misdirected faxes
     • Voicemail
       • Listen to the entire greeting
     • Internet
       • Secure sites
       • Encryption for e-mails

  32. Safeguarding PHI
     • Electronic Health Records
       • Encrypted databases
       • Automated inputs
       • Controlled access
       • Security challenges
       • Biometrics
       • Quick timeouts
       • Role-based security
       • Audit trails for every screen
       • Active review of audit records

  33. Information Breach
     • Individual: the subject of health information.
     • Information breaches can result in the violation of an individual's privacy. An information breach occurs when PHI is:
       • accessed by unauthorized individuals.
       • discussed without a legitimate business purpose.
       • revealed to those who don't have a need to know.

  34. Information Breaches – Level-1: Carelessness
     • Examples include:
       • Leaving documents with sensitive information on fax machines or printers
       • Failing to completely remove information that could lead to an individual’s identity from a document
       • Accidentally modifying or altering data
     • Minimum BHCS corrective or disciplinary action includes:
       • Administering corrective action as called for by severity of the impact
       • Requiring repeat of applicable privacy/security training
     • Possible civil and criminal penalties include:
       • Fines up to $25,000

  35. Information Breaches – Level-2: Curiosity or Concern
     • Examples include accessing or viewing health information on a family member, neighbor or co-worker when there is no need to know.
     • Minimum BHCS corrective or disciplinary action includes:
       • Administering corrective action as called for by severity of the impact
       • Requiring repeat of applicable privacy/security training
     • Possible civil and criminal penalties include:
       • Fines up to $25,000

  36. Information Breaches – Level-3: Personal Gain or Malice
     • Examples include:
       • Unauthorized access and use of health information for personal gain or malicious intent
       • Compiling mailing lists for personal use or to be sold, or releasing celebrity information to the media
     • Minimum BHCS corrective or disciplinary action includes:
       • Termination of employment
       • External reporting as necessary in compliance with federal and state regulations and statutory requirements
       • External reporting to boards, professional associations, and certification bodies as required
     • Possible civil and criminal penalties include:
       • Fines up to $250,000
       • Up to 10 years in prison
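Slide 32 asks for audit trails on every screen and active review of those records; the editor-added example below (not Baylor's tooling) runs two such reviews over a constructed audit log: a care-team check for the Level-2 "curiosity" access described above, and a sliding-window count for the Level-3 list-compiling pattern. The log format, roles, care-team table and the 15-minute / 5-patient thresholds are all constructed assumptions.

```python
"""Active review of EHR audit records against the breach levels on the
slides: Level-2 'curiosity' views with no treatment relationship, and
Level-3 bulk retrieval consistent with compiling lists. Editor-added example;
the log format, roles, care-team table and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail: timestamp, user, role, action, patient MRN.
AUDIT_LOG = """\
2007-11-19T08:02:11 rn_adams RN view_chart MRN-1001
2007-11-19T08:05:40 rn_adams RN view_chart MRN-1002
2007-11-19T09:20:19 rn_adams RN view_chart MRN-2099
2007-11-19T12:41:07 dr_lee MD view_chart MRN-1003
2007-11-19T22:03:55 clerk_b REG view_demographics MRN-3001
2007-11-19T22:04:10 clerk_b REG view_demographics MRN-3002
2007-11-19T22:04:31 clerk_b REG view_demographics MRN-3003
2007-11-19T22:05:02 clerk_b REG view_demographics MRN-3004
2007-11-19T22:05:44 clerk_b REG view_demographics MRN-3005
2007-11-19T22:06:09 clerk_b REG view_demographics MRN-3006
"""

# Constructed care-team assignments: who has a treatment relationship with whom.
CARE_TEAM = {
    "MRN-1001": {"rn_adams", "dr_lee"},
    "MRN-1002": {"rn_adams"},
    "MRN-1003": {"dr_lee"},
    "MRN-2099": {"dr_patel"},
}

def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, role, action, mrn = line.split()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "role": role, "action": action, "mrn": mrn})
    return events

def find_curiosity_access(events: list, care_team: dict) -> list:
    """Level-2 candidates: full-chart views by someone with no care-team
    assignment to that patient. Demographic lookups are left to the volume
    check, since registration staff need them for patients they do not treat."""
    return sorted({(e["user"], e["mrn"]) for e in events
                   if e["action"] == "view_chart"
                   and e["user"] not in care_team.get(e["mrn"], set())})

def max_distinct_patients(events: list, window=timedelta(minutes=15)) -> dict:
    """Per user, the most distinct patients touched inside any sliding window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    peaks = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        peaks[user] = max(len({e["mrn"] for e in evs[i:]
                               if e["ts"] - start["ts"] <= window})
                          for i, start in enumerate(evs))
    return peaks

def review(events: list, care_team: dict, bulk_threshold: int = 5) -> list:
    """Findings for the manager or Entity Privacy Officer to investigate."""
    findings = [("Level-2", user, f"chart view of {mrn} with no care-team assignment")
                for user, mrn in find_curiosity_access(events, care_team)]
    findings += [("Level-3", user, f"{n} distinct patients within 15 minutes")
                 for user, n in max_distinct_patients(events).items()
                 if n >= bulk_threshold]
    return findings
```

On the constructed log, review(parse_log(AUDIT_LOG), CARE_TEAM) yields one Level-2 finding (rn_adams viewing MRN-2099 with no assignment) and one Level-3 finding (clerk_b touching six patients in under three minutes); both are leads for the reporting process on slide 22, not verdicts.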

  37. It Really Happens
     • Level 2: A psychiatrist from New Hampshire was fined $1,000 for repeatedly looking at the medical records of an acquaintance without permission. Because there was no state law making it a crime to breach the confidentiality of medical records, the case was brought under a law against misusing a computer. (“Psychiatrist Convicted of Snooping in Records,” The Associated Press State & Local Wire, May 5, 1999)
     • Level 3: Country singer Tammy Wynette's medical records were sold to the National Enquirer and Star tabloids by a hospital employee for $2,610. William Cox's position at the hospital entitled him to authorized access to several medical record databases. He retrieved medical information about Tammy Wynette and faxed it to the tabloids without her consent. In the end, Cox pleaded guilty to one count of wire fraud and was sentenced to six months in prison. ("Selling Singer's Files Gets Man Six Months," Houston Chronicle, December 2, 2000, p. A2)

  38. General Approach: Minimum Necessary
     • Minimum necessary guidelines apply to almost all uses, disclosures and requests of PHI, including:
       • Health care operations and payment purposes.
       • Treatment purposes (other than the provider exception as described next).
       • Other disclosures and requests to external third parties.
     • However, every rule does have its exceptions. Exceptions to the minimum necessary requirement include disclosures:
       • to and requests by providers for treatment.
       • to the individual.
       • authorized by the individual.
       • required by law.
       • to HHS for compliance with the Privacy Rule.
       • to HHS for compliance with other HIPAA requirements.

  39. Unanticipated Impacts
     • Fundraising
       • If patient demographic data is to be used for fundraising, the Privacy Notice must state as such
       • No special authorization is required if only demographic data is used
       • May use business associates for fundraising, but ensure a business associate agreement is in place
       • Materials sent to individuals must include opt-out information
       • If an individual opts out, must be able to ensure compliance
       • Grateful patient referrals – problematic
     • Marketing
       • For marketing, authorizations are required; there are exceptions:
         • If communication is face to face
         • If communication involves products or services of nominal value, i.e., pens, calendars
       • A Business Associate may help with marketing, but ensure a Business Associate Agreement is in place
       • Materials sent to individuals must include an opt-out clause
       • If an individual opts out, must be able to ensure compliance
       • May not sell patient’s list
       • HIPAA allows communication of alternative services/treatment to patients.
         • Does this apply to “mass mailings”?
         • Not clear if Texas law offers the same latitude
     • Places of worship
       • Challenges from the pulpit
       • Challenges from the congregations

  40. Privacy Standards: Permissible Uses and Disclosures without Patient Authorization
     • Public Health
     • Reporting abuse, neglect or domestic violence
     • Health oversight activities
     • Judicial and administrative proceedings
     • Law enforcement
     • Decedents (coroners and funeral directors)
     • Cadaveric organ, eye or tissue donation
     • Certain research
     • Emergency circumstances
     • Special categories (e.g., intelligence, military)

  41. Privacy Program Organization (org chart; labels only)
     • System Compliance (System Privacy Officer)
       Design & Develop
     • System Privacy/Security Committee
       Coordinate & Collaborate
     • Entity Privacy Officers
       Implement & Monitor
     • Entity Privacy Committees

  42. Acknowledgements
     • BHCS
       • Donna Bowers, JD, RHIA, VP of Health Information Management, Baylor Health Care System
       • Office of Information Security
     • Texas Health Resources
       • Patricia Johnston, CHP, FHIMSS, System Privacy Officer for Texas Health Resources
     • The Center For Learning

  43. Discussion
