Privacy and Security: Past, Present, & Future
Danika E. Brinda, MA, RHIA, CHPS
Assistant Professor/REACH HIT Consultant
The College of St. Scholastica
September 27, 2013
Objectives
• Understand the Security Rule and how it relates to you
• Understand the Privacy Rule and how it relates to you
• Understand where privacy regulations have been, where they are at, and where they are going
• Understand big changes and challenges with compliance
The Transition of Privacy and Security in Healthcare
• First attempt at development of federal rules and regulations to protect the privacy and security of Protected Health Information (PHI)
HIPAA in the News
Feds Go to Court to Collect First-Ever Fine for HIPAA Violations
Featured in Health Business Daily, Aug. 18, 2011, and in Government News of the Week
“In February, the Office for Civil Rights imposed a $4.3 million fine on a Maryland medical group that had refused to honor 41 patients’ requests for their medical records…”

Medical Billing Firm Says Personal Information Leaked to Theft Ring
www.ihealthbeat.org, December 3, 2012
“Advanced Data Processing said that an employee improperly accessed individual account data in the company's ambulance billing system and leaked the information to a theft ring. The worker has admitted to the crime and has been fired…”
Read more: http://www.ihealthbeat.org/articles/2012/12/3/medical-billing-firm-says-personal-information-leaked-to-theft-ring.aspx#ixzz2LMpz9bx2

Text Message Use Among Providers Raises HIPAA Concerns
Written by Joyce McLaughlin, JD, Senior Counsel, Davis & Wilkerson, August 11, 2011, http://www.beckershospitalreview.com
“As the possibilities for electronic communication continue to expand with great speed, use of the technology by hospital employees and physicians without adequate security can expose your facility to HIPAA violations. The increasing use of cell phones and texting …”

9 Patients' Identities Stolen in Emory Healthcare Data Breach
Written by Sabrina Rodak | October 25, 2011 | http://www.beckershospitalreview.com
“Nine patients of Emory Healthcare's orthopedic clinic in Tucker, Ga., have had fraudulent tax returns filed in their name, according to a Channel 2 report. The nine patients were among 32 Emory orthopedic clinic patients whose hospital bills were stolen in April…”
Hippocratic Oath
• Original Translation (5th Century BCE): “…All that may come to my knowledge in the exercise of my profession or in daily commerce with men, which ought not to be spread abroad, I will keep secret and will never reveal.”
• Classic Translation (a long time ago): “…What I may see or hear in the course of treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep myself holding such things shameful to be spoken about.”
• Modern Version (1964): “…I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know. Most especially must I tread with care in matters of life and death.”
What is Protected Health Information?
• Protected Health Information (PHI)
  • Health information that identifies an individual, or could create a reasonable basis to believe the information could be used to identify an individual
  • Can be past, present, or future information
• Electronic Protected Health Information (ePHI)
  • Health information that is transmitted or maintained in electronic format
Examples of Protected Health Information
• Patient’s Name
• Age / Date of Birth
• Address
• Telephone Numbers
• Medical Record Number
• Social Security Number
• Account Number
• Health History or Conditions
• Treatment or Medications
• Dates of Treatments and Hospitalizations
• Hospital or Clinic Bill
• Biometric Identifiers
Total People Impacted 22,199,751
Security Breaches Source: http://www.hipaasecurenow.com/index.php/blog/
Top 2012 Data Breaches Source: http://www.dolbey.com/uncategorized/redspin-2012-health-data-breach-report-breakdown/
What are the Major HIPAA Compliance Areas?
• Privacy Requirements
  • Notices, Authorizations and Consents
  • Accounting of Disclosures
  • Business Associates
  • Breach Notification
• Security Requirements
  • Administrative, Physical, and Technical Safeguards
  • Business Associates
  • Risk Assessment and Compliance Programming
HIPAA – The Privacy Rule
• Published on December 28, 2000
• Final Rule published on August 14, 2002
• Effective Date – April 14, 2003
HIPAA – The Privacy Rule
• The Final HIPAA Privacy Rule (45 CFR Parts 160 and 164) focused on three major purposes:
  • to protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information;
  • to improve the quality of health care in the U.S. by restoring trust in the health care system; and
  • to improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.
High Level Overview: Privacy Practices
• Appointment of Chief Privacy Officer
• Notice of Privacy Practices
• Disclosures
• Minimum Necessary
• Authorizations
• Accounting of Disclosures (extended through ARRA IFR)
• Request Restrictions on where PHI is sent
• Designated Record Set
• Business Associate Agreements (extended through ARRA IFR)
• Medical Record Amendments
• Alternative forms of Communication with Patients
• Training of the Workforce
• Privacy/Breach Investigations and Notifications (extended through ARRA IFR)
Designated Record Set Components
• Defined by HIPAA to include:
  • patient medical records
  • billing records
  • enrollment, payment, claims, adjudication, and case records
  • medical management record systems maintained by or for a health plan
  • information used in whole or in part to make care-related decisions
HIPAA – The Security Rule
• Final Rule Published February 20, 2003
• Effective Date – April 20, 2005
• The Final HIPAA Security Rule defines administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI.
What’s the Focus of the Security Rule?
There are 4 distinct parts to the Security Rule:
• Administrative Safeguards are administrative actions, including the establishment of policies and procedures, to manage the activities needed to establish security measures that protect ePHI.
• Physical Safeguards are physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
• Technical Safeguards are the technology, including policies and procedures for its use, that protect ePHI and control access to it.
• Organizational Safeguards are arrangements made between organizations to protect ePHI, including Business Associate Agreements.
One Size Does Not Fit All!!
HIPAA and Confidentiality, Integrity, Accessibility (CIA) Source: http://www.hipaaacademy.net/consulting/hipaaSecurityRuleOverview.html
Addressable v. Required
• Standards are broken up into two categories (45 CFR 164.306(d)):
• Addressable – the covered entity must assess the reasonableness and appropriateness of the safeguard to protect the entity’s ePHI, considering:
  • The size, complexity and capability of the covered entity
  • The covered entity’s technical infrastructure, hardware, and software security capabilities
  • The costs of security measures
  • The probability and criticality of potential risks to ePHI
• Required – the covered entity must comply with the standard and implement policies and/or procedures that meet the requirement
American Recovery and Reinvestment Act (ARRA) of 2009
• February 2009, President Obama signed ARRA
• ARRA defines the Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII
• Strengthens HIPAA Privacy and Security Rules
• Affects both Covered Entities and their Business Associates
• Published draft privacy regulations on July 14, 2010 in the Federal Register
• Responses to the draft regulations were due by September 13, 2010
Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules, 2013
• February 17, 2009: President Obama signed the American Recovery and Reinvestment Act (ARRA) of 2009
• Title XIII, the Health Information Technology for Economic and Clinical Health Act (HITECH), included provisions on HIPAA Privacy, Security and Enforcement
• Interim Rules were established to address HITECH Privacy Requirements for Breach Notification and Enforcement
• On January 25, 2013 the Federal Register published Part II, 45 CFR Parts 160 and 164
• Most of the interim rules that were in the ARRA act are moving from Interim Rules to Final Rules
• Effective Date: March 26, 2013
• Compliance Date: September 23, 2013 (180 Days)
What’s Still Missing that Keeps Us Waiting…
• Some components of the Interim Rule are still missing. The hope is that these will be published later in 2013:
  • Accounting of Disclosures/Access Reports
  • Minimum Necessary Guidance
  • Distribution of penalties and settlements to harmed individuals
Breach Notification 2013
• Most of the components remained the same except:
  • Removed the Risk of Harm analysis and replaced it with a more objective Risk Assessment analysis
  • The objective risk analysis needs to show evidence of evaluating:
    • The nature and extent of PHI involved – types & likelihood of re-identification
    • The unauthorized person(s) who used the PHI or to whom it was disclosed
    • Whether the PHI was acquired, viewed or disclosed (re-disclosed)
    • The extent to which the risk to the PHI has been mitigated
  • Eliminates the interim rule’s exception that excluded limited data sets from breach investigation
HITECH Definition 2009
Defined as the “unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”
New Breach Definition
An impermissible use or disclosure of PHI is “presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.”
**A comment to the interim final rule suggests that the compromise standard is whether PHI is “inappropriately viewed, re-identified, re-disclosed, or otherwise misused” (Adam Greene)
What Did NOT Change from IFR to Final Rule
• Definition of “Unsecured Protected Health Information”
• When a breach is treated as “discovered”
• Timeline for notifications – clock starts at Date of Discovery
• Content of notification
• Methods of notification
• Notification to the media and the Secretary (minor modification – counting from year of discovery)
• Notification by Business Associate
• Delay requested by law enforcement
• Documentation and burden of proof
• Pre-emption standard regarding state laws
Breach Definitions “Exceptions”
• Unintentional acquisition, access, or use of protected health information by a workforce member acting under the authority of a covered entity or business associate.
  • Example: A staff member receives a fax intended for a nurse on a different nursing unit. She quickly forwards the information to the correct location within her healthcare facility.
• Inadvertent disclosure of protected health information from a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate.
  • Example: A nurse calls a physician to discuss a patient’s case. After the nurse finishes that conversation, she realizes that she conveyed the incorrect patient’s information to the physician. As long as the physician doesn’t do anything else with the information, it is not considered a breach.
Breach Definitions “Exceptions”
• Good faith belief by the covered entity or business associate that the unauthorized individual, to whom the impermissible disclosure was made, would not have been able to retain the information.
  • Example: A fax was sent to the incorrect recipient. The recipient of the information calls to inform the facility and returns the documents in their original condition. As long as the information is returned and it is assumed that the incorrect recipient couldn’t have retained the information, it is not considered a breach.
Examples of Potential Breaches
• An employee inappropriately accesses a co-worker’s chart
• A fax is sent to the incorrect fax number
• A release of information is sent to the incorrect recipient
• An employee blogs about their work day, including a specific patient diagnosis that can be linked to a patient
• Someone has hacked into your EHR and obtained SSNs for multiple patients
• A physician/employee inappropriately accesses the chart of a celebrity
• An e-mail with PHI in its content was sent to the incorrect e-mail recipient
Patient Access to Electronic Health Records
• If PHI is held electronically, the individual is entitled to an electronic copy if it is in a “designated record set” (not just the information in an “EHR”)
• Must be in the format requested if “readily producible;” if not, in a readable electronic form and format agreed upon by the entity and the individual
• Not required to buy new software to do this – but must have capability to provide some electronic copy
• If individual declines to accept electronic formats entity makes available, can default to hard copy
• Not required to accept patient’s device – but can’t require individuals to purchase a device from you if they don’t want to
Patient Access – Technical Safeguards
• Must have reasonable safeguards in place to protect transmission of ePHI – but…
  • If an individual wants information by unencrypted email, entity can send if they advise the individual that such transmission is risky
  • Must have a secure mechanism – can’t force individuals to accept unsecure
• Omnibus Rule allows up to 60 days (30 days less); preamble urges entities to make information available sooner when possible
Fundraising and PHI
• Added 4 new categories that can be released for fundraising: Department of Service, Treating Physician, Outcome Information, and Health Insurance Status
• Strengthens and Defines Opt-Out for Fundraising
  • Clearly Defined
  • Must not require undue burden (such as writing a letter)
  • May not affect treatment or payment
  • If patient opts out – CE MUST not make fundraising communications to patient
  • CE can also provide a method for opting back in
Changes to Research
• Covered entities are now allowed to combine conditioned and unconditioned authorizations for research; however, they must differentiate between the two.
  • Conditioned: required to participate in this study
  • Unconditioned: optional use/disclosure for other studies/tissue banking/registries
  • NOTE: Unconditioned MUST be opt in, such as a check box or additional signature line.
• Can include future studies if adequately described
Changes to Access to Immunizations
• Covered Entities may now release immunization records to schools without an authorization IF:
  • State law requires the school to have the immunization record
  • The CE received written or oral agreement (it must be documented)
Changes to Access to Deceased Patients’ Records
• PHI of a deceased patient is no longer considered protected health information 50 years after death
• CE may disclose PHI to person(s) involved in decedent’s care or payment if not contrary to prior expressed preference
Marketing and PHI
• In the Omnibus Rule, marketing is defined as “a communication about a product or service that encourages recipients to purchase or use the product or service.” – Federal Register, January 25, 2013
• Under the new regulation, CE must obtain authorization to use PHI to make any treatment and healthcare operations communications IF the CE receives financial remuneration for making the communication from a third party whose product is being promoted
Marketing and PHI
• Excluded:
  • Refill Requests
    • Can be reimbursed for actual costs
  • Generic Equivalents
  • Adherence communication reminding patients to take medication
• Costs can only be collected for labor, supplies and postage