HIPAA Health Insurance Portability and Accountability Act of 1996 Adam Cushner
Outline • Overview of HIPAA • Specifics of HIPAA • Suggestions for implementation • Effects • Problems • Questions
An Act • To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.
Signed by President Bill Clinton on July 21, 1996 • Named because it was originally about, well, the portability of health insurance. Its focus, however, is on the privacy of medical records • Passed partly because of the failure of Congress to pass comprehensive health insurance legislation earlier in the decade
General Objectives • Increase number of employees who have health insurance • Reduce health care fraud and abuse • Introduce/implement administrative simplifications in order to augment effectiveness of health care in the US • Protect the health information of individuals against access without consent or authorization
Even More General Objectives • Give patients more rights over their private data • Set better boundaries for the use of medical information • Hold people accountable for misuse • Encourage administrative simplification (in the form of digitalization of information) to help reduce costs
General Objectives for Information • Ensure privacy and security of health information by designating Protected Health Information (PHI) • PHI, for example, must be treated in the same way in which you would treat someone’s tissue (with regard to privacy) • Set standards for data exchange using Electronic Data Interchange (EDI)
Dynamically HIPAA • HIPAA’s goals, in a sense, are aimed at a moving target: • Technologies to help implement HIPAA are constantly changing • Attitudes towards privacy are changing • Also, not much empirical evidence to show whether HIPAA is doing what it set out to do (e.g. reduce costs)
Outline • Overview of HIPAA • Specifics of HIPAA • Suggestions for implementation • Effects • Problems • Questions
What HIPAA Directly Affects • Covered Entities • Health plans • Health care clearinghouses • Health care providers who transmit health information in electronic form in connection with certain standard transactions • Pending ideas: • National Provider IDs • National Employer IDs • National Health Care IDs • National Individual IDs
Security Regulations • Contingency Plan • Access Control • Audit Control • Person or Entity Authentication
Contingency Plan (A) Data backup plan. Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. (B) Disaster recovery plan. Establish (and implement as needed) procedures to restore any loss of data. (C) Emergency mode operation plan. Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.
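The three contingency-plan requirements above all hinge on one property that is easy to assume and rarely checked: that the backup is an exact, retrievable copy. The following is an added example (not from the slides) in Python that makes a copy of a constructed ePHI directory, records a SHA-256 manifest alongside it, verifies the copy against that manifest, and runs a restore drill into a fresh directory. File names, the `MANIFEST.json` name and the tampering step are all constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large record stores do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_ephi(source_dir: Path, backup_dir: Path) -> dict:
    """Data backup plan: copy every file under source_dir into backup_dir and
    write a manifest of digests so the copy can later be proven exact."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(source_dir).as_posix()
        dst = backup_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)
        manifest[rel] = sha256_of(src)
    (backup_dir / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path) -> list:
    """Return relative paths whose digest no longer matches the manifest
    (missing files included). An empty list means the copy is still exact."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    problems = []
    for rel, digest in manifest.items():
        copy = backup_dir / rel
        if not copy.exists() or sha256_of(copy) != digest:
            problems.append(rel)
    return problems


def restore_drill(backup_dir: Path, restore_dir: Path) -> bool:
    """Disaster recovery plan: restore into a fresh directory and confirm every
    restored file matches the manifest, i.e. the backup is actually retrievable."""
    manifest = json.loads((backup_dir / "MANIFEST.json").read_text())
    for rel, digest in manifest.items():
        dst = restore_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / rel, dst)
        if sha256_of(dst) != digest:
            return False
    return True


def demo() -> tuple:
    """Build a constructed ePHI tree, back it up, corrupt one copied record,
    and show that verification catches the change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "ephi"
        (src / "records").mkdir(parents=True)
        # constructed sample records, not real patient data
        (src / "records" / "patient-0001.json").write_text('{"mrn": "0001", "dx": "constructed"}')
        (src / "records" / "patient-0002.json").write_text('{"mrn": "0002", "dx": "constructed"}')
        bak = root / "backup"
        backup_ephi(src, bak)
        clean = verify_backup(bak)                      # [] while the copy is intact
        drill_ok = restore_drill(bak, root / "restore")  # True: restore reproduces the manifest
        # simulate silent corruption of one copied record
        (bak / "records" / "patient-0002.json").write_text("corrupted")
        after_tamper = verify_backup(bak)               # names the damaged file
        return clean, drill_ok, after_tamper


if __name__ == "__main__":
    print(demo())
```

The point of the restore drill is that "retrievable" is a property of the restore path, not of the copy: a backup that has never been restored into a clean location has not been shown to satisfy the requirement.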
Access Control • Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in [164.308(a)(4)]. • Difficulties in implementation. • Too much or too little access.
Audit Control • Allow reviews of usage statistics to check for potential misuse
Person or Entity Authentication • Procedures to identify users seeking information
Security Regulations Wrap-up • Essentially, use rules that any good company would use to protect its data • Difficult in health care profession because so many people need access to patients’ information • The rules and ideas for data protection are also mandated on the human side of things • E.g. Training of employees, physical protection of data storage facilities.
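The Access Control and Audit Control slides describe two halves of one mechanism: decide each access against granted rights, and keep a record that can later be reviewed for misuse. The following is an added example in Python (not from the slides) of a minimal PHI gateway that allows an operation only when the role permits it and the user has an assignment to that patient, logs every attempt, and then reviews the log for two constructed misuse patterns: repeated denials and one user opening an unusual number of distinct charts in a short window. Role names, thresholds and the sample users are assumptions; the `user` value is taken to be already established by a separate person/entity authentication step.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed policy: which PHI operations each role may perform.
ROLE_PERMISSIONS = {
    "attending": {"read", "write"},
    "nurse": {"read"},
    "billing": {"read_billing"},
}


@dataclass
class AuditEvent:
    when: datetime
    user: str      # assumed already authenticated upstream
    role: str
    action: str
    patient: str
    allowed: bool


@dataclass
class PhiStore:
    # patient id -> users with a treatment relationship (constructed data)
    assignments: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def access(self, user, role, action, patient, when):
        """Access control: allow only if the role permits the action AND the
        user is assigned to the patient. Every attempt, allowed or denied,
        becomes an audit event."""
        permitted = action in ROLE_PERMISSIONS.get(role, set())
        assigned = user in self.assignments.get(patient, set())
        allowed = permitted and assigned
        self.audit_log.append(AuditEvent(when, user, role, action, patient, allowed))
        return allowed


def review_audit(log, window=timedelta(hours=1), max_patients=5, max_denied=3):
    """Audit control: return (user, reason) findings for repeated denials and
    for users who read more distinct patients in one window than expected."""
    findings = []
    denied = Counter(e.user for e in log if not e.allowed)
    for user, n in denied.items():
        if n >= max_denied:
            findings.append((user, f"{n} denied attempts"))
    allowed_by_user = defaultdict(list)
    for e in log:
        if e.allowed:
            allowed_by_user[e.user].append(e)
    for user, events in allowed_by_user.items():
        events.sort(key=lambda e: e.when)
        for i, start in enumerate(events):
            in_window = {e.patient for e in events[i:] if e.when - start.when <= window}
            if len(in_window) > max_patients:
                findings.append((user, f"{len(in_window)} distinct patients within window"))
                break
    return findings


def demo():
    """Constructed traffic: one legitimate read, two denials, a chart-browsing
    pattern and a clerk who keeps retrying a forbidden operation."""
    store = PhiStore(assignments={"p1": {"dr_lee"}, "p2": {"dr_lee"}})
    t0 = datetime(2003, 4, 14, 9, 0)
    r1 = store.access("dr_lee", "attending", "read", "p1", t0)  # assigned and permitted
    r2 = store.access("dr_lee", "attending", "read", "p3", t0)  # not assigned to p3
    r3 = store.access("clerk", "billing", "read", "p1", t0)     # role lacks "read"
    for i in range(7):  # seven charts in six minutes
        store.assignments[f"q{i}"] = {"nurse_kim"}
        store.access("nurse_kim", "nurse", "read", f"q{i}", t0 + timedelta(minutes=i))
    for _ in range(3):  # repeated denied attempts by the same clerk
        store.access("clerk", "billing", "read", "p2", t0)
    return (r1, r2, r3), review_audit(store.audit_log)


if __name__ == "__main__":
    results, findings = demo()
    print(results)
    for user, reason in findings:
        print(f"flag {user}: {reason}")
```

Logging denied attempts as well as allowed ones is what makes the review useful: the "too much or too little access" problem from the Access Control slide shows up in the log as either clusters of denials (too little) or broad browsing by one account (too much).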
Privacy Rule • Different types of protected data: • Protected Health Information (PHI) • Previously defined • Individually Identifiable Health Information (IIHI) • De-identified Health Information • Limited Data Sets
Privacy Rule (cont) • IIHI • includes any subset of health information, including demographic information collected from an individual, that: • Identifies the individual (or there is a reasonable basis to believe that the information can be used to identify the individual)
Privacy Rule (cont) • De-identified Health Information: • Health information is considered de-identified when it does not identify an individual and the covered entity has no reasonable basis to believe that the information can be used to identify an individual. Information is considered de-identified if 17 identifiers are removed from the health information and if the remaining health information could not be used alone, or in combination, to identify a subject of the information. Identifiers include:
Privacy Rule (cont) • names, • geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and equivalent geocodes, except for the initial three digits of a zip code (which in some cases must be changed to 000), • all elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death, and all ages over 89, • telephone numbers, • fax numbers, • electronic mail addresses, • Social Security numbers,
Privacy Rule (cont) • medical record numbers, • health plan beneficiary numbers, • account numbers, • certificate/license numbers, • vehicle identifiers and serial numbers, including license plate numbers, • device identifiers and serial numbers, • Web Universal Resource Locators (URLs), • biometric identifiers, including finger or voice prints, • full face photographic images and any comparable images, • Internet Protocol address numbers, • any other unique identifying number, characteristic, or code
Privacy Rule (cont) • Limited Data Sets may contain certain types of direct identifiers, while others must be removed:
Limited Data Sets Direct identifiers that must be removed from the information for a limited data set are: (1) name, (2) address information (other than city, State, and zip code), (3) telephone and fax numbers, (4) e-mail address, (5) Social Security number, (6) certificate/license number, (7) vehicle identifiers and serial numbers, (8) URLs and IP addresses, (9) full face photos and other comparable images, (10) medical record numbers, health plan beneficiary numbers, and other account numbers, (11) device identifiers and serial numbers, (12) biometric identifiers including finger and voice prints.
Limited Data Sets Identifiers that are allowed in the limited data set are: (1) admission, discharge and service dates, (2) birth date, (3) date of death, (4) age (including age 90 or over), (5) geographical subdivisions such as state, county, city, precinct and five digit zip code.
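The de-identification list and the two Limited Data Set slides above describe two different transformations of the same record. The following is an added example in Python (not from the slides) that applies either one: in Safe Harbor mode it keeps an allowlist of clinical fields, reduces dates to the year, caps ages over 89, keeps only the first three zip digits (or 000 for prefixes the caller marks as restricted), and drops everything else; in Limited Data Set mode it drops the direct identifiers but keeps dates, exact age and city/county/zip. The field names, the clinical allowlist, the `restricted_zip_prefixes` parameter and the sample record are all constructed assumptions. It generalises the slides slightly by using an allowlist rather than a denylist, so that an unlisted field (the catch-all "any other unique identifying number" category) is dropped by default rather than leaking.

```python
import re

# Constructed allowlist of fields treated as non-identifying clinical content.
CLINICAL_FIELDS = {"sex", "state", "diagnosis", "procedure", "lab_results"}
# Date-bearing fields named on the de-identification slides.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# Geographic fields a Limited Data Set may keep but Safe Harbor may not.
LDS_GEO_FIELDS = {"city", "county", "zip"}
# Direct identifiers, used only to check that nothing leaked through.
DIRECT_IDENTIFIERS = {"name", "street", "phone", "fax", "email", "ssn", "mrn",
                      "plan_id", "account", "license", "vehicle", "device_id",
                      "url", "ip", "biometric", "photo"}


def _year_only(value):
    """Reduce an ISO date to its year; anything unparseable is dropped."""
    m = re.fullmatch(r"(\d{4})-\d{2}-\d{2}", value)
    return m.group(1) if m else None


def _zip_prefix(zip_code, restricted_prefixes):
    """Keep the initial three digits unless the caller has flagged the prefix
    as one that must be reported as 000 (constructed parameter)."""
    prefix = zip_code[:3]
    return "000" if prefix in restricted_prefixes else prefix


def deidentify(record, mode="safe_harbor", restricted_zip_prefixes=frozenset()):
    """Return a new record in 'safe_harbor' or 'limited_data_set' form.
    Fields not explicitly handled are treated as identifiers and dropped."""
    lds = mode == "limited_data_set"
    out = {}
    for key, value in record.items():
        if key in CLINICAL_FIELDS:
            out[key] = value
        elif key in DATE_FIELDS:
            if lds:
                out[key] = value
            else:
                year = _year_only(value)
                if year is not None:
                    out[key] = year
        elif key == "age":
            out[key] = value if lds or value <= 89 else "90+"
        elif key == "zip":
            if lds:
                out[key] = value
            else:
                out["zip3"] = _zip_prefix(value, restricted_zip_prefixes)
        elif key in LDS_GEO_FIELDS and lds:
            out[key] = value
        # everything else (name, mrn, ssn, ip, unknown fields ...) is dropped
    return out


def leaked_identifiers(record):
    """Post-condition check: direct identifiers still present in the output."""
    return sorted(k for k in record if k in DIRECT_IDENTIFIERS)


# Constructed sample record; no real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe", "mrn": "MRN-0042", "ssn": "123-45-6789",
    "email": "jane@example.invalid", "street": "1 Main St", "city": "Springfield",
    "county": "Greene", "state": "MO", "zip": "65801", "birth_date": "1912-03-04",
    "admission_date": "2003-04-14", "age": 91, "sex": "F", "diagnosis": "J18.9",
    "ip": "203.0.113.7", "unknown_badge_id": "B-77",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD))
    print(deidentify(SAMPLE_RECORD, mode="limited_data_set"))
```

The `leaked_identifiers` check is the part worth keeping in a pipeline: run it on every output record before release, because the transformation is only as good as the field inventory it was written against.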
Privacy Rule (cont) • Deals with Individually Identifiable Health Information (IIHI) and Protected Health Information (PHI) • Provides, for the first time ever, Federal protections for the privacy of protected health information • Sets only a lower bound on protection – stricter state laws would not be trumped by this, but weaker ones would • Requires notification of information practices
Privacy Rule (cont) • Gives patients more control over their information • Sets boundaries on the release of information • Holds violators accountable with civil and criminal penalties • Allows for data to be released if it aids public health (e.g. statistics about a disease, de-identified patient data)
Privacy Rule (cont) • Compliance date of April 14th, 2003 (2004 for certain small covered entities) • Designed entirely to control the propagation and dissemination of electronic information
Privacy Rule (cont) • Basically, data is allowed to be accessed on a need-to-know basis • E.g. use for health-care specific operations • Fundraising, marketing, and research usually require separate and specific patient authorizations
Privacy Standards • Must have a procedure for complaints to be filed • Covered Entities cannot require individuals to waive their rights regarding HIPAA • Deceased patients’ information still protected by HIPAA
Minimum Necessary • When using or disclosing protected health information or when requesting protected health information from another covered entity, a covered entity must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request • Does not apply to: • Health care providers • Individuals concerning their own information • Certain legal needs
Disclosures to Business Associates • A covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information
Disclosures to Business Associates (cont) • A contract between a CE and a business associate must ensure that the associate will essentially comply with HIPAA.
Whistleblower Protection • Disclosures by whistleblowers: • (i) The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers, or the public; and
Whistleblower Protection (cont) • (ii) The disclosure is to: • (A) A health oversight agency or public health authority authorized by law to investigate or otherwise oversee the relevant conduct or conditions of the covered entity or to an appropriate health care accreditation organization for the purpose of reporting the allegation of failure to meet professional standards or misconduct by the covered entity; or • (B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct.
Research Privacy Rules • Based on HHS regulations from the 1970s that are now known as the “Common Rule” • Because HIPAA applies to care and not to research, this rule is still largely in effect • De-identified information can still be used widely, but research databases with large amounts of identifiable patient data cannot
Research Privacy Rules (cont) • Requirements for tracking and accounting of disclosures of patient data used in research where no patient authorization is obtained • Restrictions on recruitment of patients for clinical studies • Restrictions on the creation and maintenance of databases containing identifiable individual health data for research use
Research Privacy Rules (cont) • A requirement for a separate patient authorization for the use of health data for research • A consent for treatment cannot be combined with consent for research • Creates substantial burden on conduct and oversight of human studies • Authorizations for research data must specify exactly which data can be used by whom and for what purposes • May be time-limited • Can be rescinded at any time, although not retroactively • Low-risk studies might not require authorization
Requirements of Authorizations • a description of the information to be used for research purposes • who may use or disclose the information • who may receive the information • purpose of the use or disclosure • expiration date of authorization • how long the data will be retained with identifiers • individual’s signature and date • right to revoke authorization • right to refuse to sign authorization (if this happens, the individual may be excluded from the research and any treatment associated with the research) • if relevant, that the research subject’s access rights are to be suspended while the clinical trial is in progress, and that the right to access PHI will be reinstated at the conclusion of the clinical trial • that information disclosed to another entity in accord with an authorization may no longer be protected by the rule
Dept. of Health and Human Services (HHS) • Privacy and security regulations created by HHS • Done so because of a key provision in HIPAA which said that if Congress did not specify these regulations by 1999, HHS had to do it • Final privacy regulations issued in late 2000; final security regulations issued in February 2003
Punishments for Wrongful Use or Disclosure of PHI • Up to $50,000 and 1 year in jail • If under false pretenses, $100,000 and 5 years in jail • If with intent to sell, up to $250,000 and 10 years in jail
Outline • Overview of HIPAA • Specifics of HIPAA • Suggestions for implementation • Effects of HIPAA • Problems • Questions
Technologies • Application Service Providers (ASPs) • Virtual Private Networks (VPNs) • Biometrics • Information Lifecycle Management (ILM)* • Actually, a collection of technologies
ASPs • Provide backend hardware and software • Rent their services, usually on a monthly or yearly schedule, as opposed to licensing their software • They take the responsibility of upgrading their software and hardware • Many in the health care field rely on ASPs. As a result, they are affected by HIPAA because covered entities must ensure that ASPs are HIPAA compliant.
ASPs and HIPAA • Must be cautious about scalability of security • Because information is transmitted between the covered entities and the ASPs, it must be protected (by some sort of cryptography) • Good solution: use a VPN
VPNs • Basically, a temporary, secure link over a public network (e.g. the internet) • Cheaper than having a dedicated line
Biometrics • Good way to uniquely identify people or entities • Unfortunately, many current biometric technologies are easily fooled • Not currently used very much
Information Lifecycle Management • A system for assessing the use of data and, based on usage, classifying data for efficiency of access and storage • Basic principles of ILM: • Assessment • Classification • Automation
Outline • Overview of HIPAA • Specifics of HIPAA • Suggestions for implementation • Effects of HIPAA • Problems • Questions
Dates of Compliance • 10/16/2002 - Transactions and code sets • 4/14/2003 – Privacy Rule • 4/14/2003 – Business Associates • 4/20/2005 – Security Rule
Effects • HIPAA caused a large number of commercial products supporting HIPAA to proliferate • Large financial strain on CEs to implement changes to infrastructure capable of supporting HIPAA