Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Shared Responsibility

Published byElmer Malson Modified over 9 years ago

Similar presentations

Presentation on theme: "A Shared Responsibility"— Presentation transcript:

0 Privacy and Security In an Evolving Environment Dialogue on Diversity May 15th, 2013
Laura E. Rosas, JD, MPH Office of the Chief Privacy Officer

1 A Shared Responsibility
Privacy and Security: A Shared Responsibility Government: Establish, enforce, coordinate, and communicate affordable and workable Privacy & Security regulations Providers: Understand Privacy & Security requirements, establish and promote Privacy & Security policies and practices, train and monitor staff, and manage risk Vendors: Integrate easy-to-use Privacy & Security features into products and provide updates as regulations evolve Patients: Understand rights and basic means used to secure PHI

2 Origins of Medical Privacy
“What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about.” Hippocrates , c. 460 BC BC

3 Patient Privacy and Patient Safety
“The treatment that a patient receives can be greatly affected by what the patient chooses to disclose to their physician.” - Annals of Family Medicine, 2008 Medical confidentiality protections are meant to encourage disclosure…” - Archives of Internal Medicine, 2005

4 Privacy and Security in Practice
Use technology that has privacy and security built into the technology Privacy and Security are considered as part of physical environment, patient care, and all communications Have Privacy and Security checkups and communicate results to all Training, is regular updated and an essential part of the overall strategic plan

5 Key Federal Health Information Privacy Laws
HIPAA Privacy and Security Rules Health Insurance Portability and Accountability Act of 1996, as amended by. . . Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 State Laws that are more restrictive are not pre-empted by HIPAA 5

6 HIPAA Privacy Rule: General Overview
Set a federal floor for protecting health information Apply to many, but not all, key actors in health care system Limit how key actors may use and disclose individually identifiable health information they receive or create (“protected health information”) Give individuals rights with respect to their protected health information (right to request restriction if paid in full) Impose administrative requirements Require breach notification Establish civil and criminal penalties 6

7 Who Must Comply with HIPAA Privacy Rule?
Covered entities Health plans Health care clearinghouses Process health information into and/or out of HIPAA standard format Health care providers that electronically transmit health information in connection with a HIPAA-specified covered transaction Essentially those related to processing claims for health care Business associates (certain provisions) Business Associates – Post HITECH Business associates must follow administrative, physical and technical safeguards of HIPAA Security Rule Follow use and disclosure limitations of HIPAA Privacy Rule Subject to same civil and criminal penalties as covered entities

8 Who Is a Business Associate (BA)?
Perform certain functions or activities on behalf of a covered entity that involve the use or disclosure of PHI including: Data analysis Data aggregation Claims processing Quality assurance Legal services Accounting Others specified claims processing, data analysis, quality assurance, billing, and benefit management

9 Mobile Health Research & Education
Provider Adoption of Mobile Devices in the U.S. Health Care Community

10 Scenario #1 You are a physician consulting on the case of a 79 year-old woman with recent surgery for a broken hip and suspected dementia. After seeing the patient, her daughter-in-law wishes to speak with you about her condition.

11 In Response…. In response you:
Ask to have the patient’s son, her spouse contact you Speak with the patient and check the patient’s EHR for any restrictions on speaking to particular family members. If not, use your professional judgment in discussing the patient’s condition with the daughter-in-law. Tell the patient that you appreciate her concern, however due to the HIPAA Privacy Rule you cannot share any information with her Consult with the patient first, and if the patient provides written authorization, then you can speak with the daughter-in-law

12 Answer: Scenario #1 In response you:
Ask to have the patient’s son, her spouse contact you Speak with the patient and check the patient’s EHR for any restrictions on speaking to particular family members. If not, use your professional judgment in discussing the patient’s condition with the daughter-in-law. Tell the patient that you appreciate her concern, however due to the HIPAA Privacy Rule you cannot share any information with her Consult with the patient first, and if the patient provides written authorization, then you can speak with the daughter-in-law

13 Scenario #2 A 26 year-old male patient has come to see you for a suspected sexually transmitted infection. After reaching a diagnosis and writing a prescription, the patient tells you that he will pay for the visit in full and requests that the information related to the visit not be disclosed to his insurance company.

14 In Response… “I’m sorry but the HIPAA Privacy Rule requires the information be transmitted to the insurance company regardless of whether you pay in full.” “Yes, but for each related transaction you will need to inform those organizations separately. For example, if you do not want the pharmacy to bill your insurance company you will need to inform them separately.” “No, state law requires that we inform your insurance company” “Yes, and we will ensure that any other information related to this visit, for example, your pharmacy, is also informed to ensure that the information is not sent to your insurance company.

15 Answer: Scenario #2 “I’m sorry but the HIPAA Privacy Rule requires the information be transmitted to the insurance company regardless of whether you pay in full.” “Yes, but for each related transaction you will need to inform those organizations separately. For example, if you do not want the pharmacy to bill your insurance company you will need to inform them separately.” “No, state law requires that we inform your insurance company” “Yes, and we will ensure that any other information related to this visit, for example, your pharmacy, is also informed to ensure that the information is not sent to your insurance company.

16 Scenario #3 You are a pediatrician seeing a 16 year-old girl for a physical. Just as you are finishing the exam, she informs you that she is sexually active, and requests a prescription for birth control pills. However, she does not want her parents to know and she requests that you keep this information and the prescription confidential. You practice in a jurisdiction that allows minors to consent to their care for the purposes of family planning.

17 In Response: You provide the prescription but tell her that you are required by law to inform her parents of the prescription You provide the prescription and note in the EHR that this information should not be disclosed to the parents without the patient’s authorization. You provide the prescription, but tell the patient that you will need to inform the parents due to the practice’s liability insurance You do not provide the prescription as it is against the practice’s policy to provide minor care without the parent’s consent.

18 Answer: Scenario #3 You provide the prescription but tell her that you are required by law to inform her parents of the prescription You provide the prescription and note in the EHR that this information should not be disclosed to the parents without the patient’s authorization. You provide the prescription, but tell the patient that you will need to inform the parents due to the practice’s liability insurance You do not provide the prescription as it is against the practice’s policy to provide minor care without the parent’s consent.

19 Mobile Health Research & Education
Take the Steps to Protect and Secure Health Information When Using a Mobile Device The resource center HealthIT.gov/mobiledevices was created to help providers and professionals: Protect and Secure health information when using mobile devices regardless of whether the mobile device is personally owned, bring your own device (BYOD) or provided by an organization Mobile devices offer tremendous convenience and accessibility, but also present security issues – secure your devices and access our resources at healthit.gov/mobile devices

20 Helping Providers Integrate Privacy and Security into Their Culture
Designed to help health care practitioners and practice staff understand the importance of privacy and security of health information at various implementation stages Developed with assistance from the American Health Information Management Association (AHIMA) Foundation, with input from OCR and OGC Available at: 20 20

21 Security Video Game Released September 2012
Training Materials: Security Video Game Released September 2012 We are working on other activities to assist providers… 21 21

22 HHS Office for Civil Rights (OCR): Policy Guidance/Compliance Tools What’s in the Works:
Fact Sheets/Q&A on new provisions Breach Risk Assessment Tool Minimum Necessary Guidance Better Compliance Tools for Small Entities Adaptation of SAG Training for Covered Entities Expanded Consumer Materials/Videos

23 We are all responsible for creating a culture where privacy and security are respected and valued.

24 Conclusion Questions?

Download ppt "A Shared Responsibility"

Similar presentations

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.

Tamtron Users Group April 2001 Preparing Your Laboratory for HIPAA Compliance.
H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health
Component 1: Introduction to Health Care and Public Health in the U.S. Unit 6: Regulating Health Care Lecture 4 This material was developed by Oregon Health.

Component 1: Introduction to Health Care and Public Health in the U.S. Unit 6: Regulating Health Care Lecture 4 This material was developed by Oregon Health.
JCAHO –A HIPAA Business Associate National HIPAA Summit

JCAHO –A HIPAA Business Associate National HIPAA Summit
The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan,

The HIPAA Privacy Rule And Its Impact On Agents And Employers National Association of Health Underwriters Capitol Conference March 23, 2003 Joseph T. Holahan,
1 Targeted Case Management (TCM) Changes Iowa Medicaid Enterprise October 14, 2008.

1 Targeted Case Management (TCM) Changes Iowa Medicaid Enterprise October 14, 2008.
HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.

HIPAA Privacy Practices. Notice A copy of the current DMH Notice must be posted at each service site where persons seeking DMH services will be able to.
HIPAA AWARENESS TRAINING

HIPAA AWARENESS TRAINING
The Legal Foundation TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.

The Legal Foundation TRICARE Management Activity HEALTH AFFAIRS 2009 Data Protection Seminar TMA Privacy Office.
Minimum Necessary Standard Version 1.0

Minimum Necessary Standard Version 1.0
An Overview for In-Home Service Providers Legal advice must be tailored to specific circumstances. Information provided in this presentation should not.

An Overview for In-Home Service Providers Legal advice must be tailored to specific circumstances. Information provided in this presentation should not.
Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.

Presented by Elena Chan, UCSF Pharm.D. Candidate Tiffany Jew, USC Pharm.D. Candidate March 14, 2007 P HARMACEUTICAL C ONSULTANTS, I NC. P RO P HARMA HIPAA.
HIPAA Basics Brian Fleetham Dickinson Wright PLLC.

HIPAA Basics Brian Fleetham Dickinson Wright PLLC.
HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.

HIPAA: Privacy, Security, and HITECH, Oh My! Presented by Stephanie L. Ganucheau, Special Assistant Attorney General.
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
HIPAA Privacy Rule Training

HIPAA Privacy Rule Training
Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.

Copyright Eastern PA EMS Council February 2003 Health Information Portability and Accountability Act It’s the law.
National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.

National Health Information Privacy and Security Week Understanding the HIPAA Privacy and Security Rule.
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

Similar presentations

Ads by Google